Map azureAD roles or groups with elasticsearch roles

We deploy ES 8.8.1 with ECK on kubernetes. We connect it to azureAD, login works fine.

I would like to map azureAD roles or groups with elasticsearch roles, I have no idea how to start.

Our config is:

    xpack.security.authc.realms.oidc.azuread:
      order: 1
      rp.client_id: {{ .auth.azureAD.clientID }}
      rp.response_type: code
      rp.requested_scopes: [openid, email, profile]
      rp.redirect_uri: "https://kibana.tools.XXXXX/api/security/oidc/callback"
      op.issuer: "https://login.microsoftonline.com/{{ .auth.azureAD.tenantID }}/v2.0"
      op.authorization_endpoint: "https://login.microsoftonline.com/{{ .auth.azureAD.tenantID }}/oauth2/v2.0/authorize"
      op.token_endpoint: "https://login.microsoftonline.com/{{ .auth.azureAD.tenantID }}/oauth2/v2.0/token"
      op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
      op.endsession_endpoint: "https://login.microsoftonline.com/{{ .auth.azureAD.tenantID }}/oauth2/v2.0/logout"
      rp.post_logout_redirect_uri: "https://kibana.tools.XXXXX/logged_out"
      op.jwkset_path: "https://login.microsoftonline.com/{{ .auth.azureAD.tenantID }}/discovery/v2.0/keys"
      claims.principal: sub
      claims.groups: groups
      claims.roles: roles

I give superuser to all users so I can "log in" and see my profile:

Also, how can I get the "Full name" and "Email" fields filled?

The path I would recommend is:

  1. Log in via AzureAD into Kibana using a user that is a representative example of how your users are set up
  2. In the Kibana left hand menu, select Dev Tools (in the Management section at the bottom), and open the Console tab (default)
  3. Run GET /_security/_authenticate
  4. The response will contain a metadata object with a bunch of oidc(some_name_here) fields. Those fields contain the OpenId Connect claim fields that were received from AzureAD.
  5. Find the names of claims that give you the groups/roles, full name, and email from AzureAD. Since you have the profile and email scopes set you should have a "name" and "email" claim. (If they're not there, then you will need to change something in AzureAD to provide those claims).
  6. Then set claims.name and claims.mail to the claim names you found above. You've already set claims.groups to "groups". If that doesn't match what you saw in Dev Console, then change it to the correct claim.
  7. Restart your Elasticsearch node, and then login again.
  8. Your name & email should now be populated.
  9. To assign ES roles from your AzureAD groups, you can follow the example here: Configuring single sign-on to the Elastic Stack using OpenID Connect | Elasticsearch Guide [8.7] | Elastic
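A local dry run of step 9 against the claims step 4 surfaces, as an added example that is not from this thread or from Elastic: it re-implements the role-mapping rule evaluation (all / any / except / field) in Python and applies a constructed mapping to a constructed, trimmed `_authenticate` response for the `azuread` realm. The group GUID, email, `sub` value and mapping name are placeholders.

```python
import re
# Constructed sample: trimmed GET /_security/_authenticate output for a user of
# the question's 'azuread' realm. The GUID and email are made up; Azure AD sends
# group object IDs (not names) in the groups claim by default.
AUTHENTICATE = {
    "username": "constructed-sub-value",
    "metadata": {"oidc(email)": "jane.doe@example.com",
                 "oidc(groups)": ["11111111-2222-3333-4444-555555555555"]},
    "authentication_realm": {"name": "azuread", "type": "oidc"},
}

# Constructed body in the shape PUT /_security/role_mapping/azuread_kibana_admins
# takes. Pinning realm.name stops a same-named group in another realm matching.
ROLE_MAPPINGS = {
    "azuread_kibana_admins": {
        "enabled": True,
        "roles": ["kibana_admin"],
        "rules": {"all": [
            {"field": {"realm.name": "azuread"}},
            {"field": {"groups": "11111111-2222-3333-4444-555555555555"}},
        ]},
    },
}

def user_model(auth):
    """Flatten _authenticate output into the fields a mapping rule can reference."""
    meta = auth.get("metadata", {})
    model = {"username": auth["username"], "groups": meta.get("oidc(groups)", []),
             "realm.name": auth["authentication_realm"]["name"]}
    model.update({"metadata." + k: v for k, v in meta.items()})  # metadata.oidc(...)
    return model

def matches(rule, user):
    """Evaluate one rule node (all / any / except / field) as Elasticsearch does."""
    if "all" in rule:
        return all(matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not matches(rule["except"], user)
    (name, wanted), = rule["field"].items()
    as_list = lambda v: v if isinstance(v, list) else [v]
    # A field rule matches if any user value equals any listed value; '*' is a wildcard.
    return any(re.fullmatch(re.escape(str(w)).replace(r"\*", ".*"), str(h))
               for h in as_list(user.get(name, [])) for w in as_list(wanted))

def mapped_roles(auth, mappings):
    """Sorted roles the user would get from the enabled mappings."""
    return sorted({role for m in mappings.values() if m["enabled"]
                   and matches(m["rules"], user_model(auth)) for role in m["roles"]})
```

Paste a real `_authenticate` response in place of the constructed one to check a mapping before you PUT it; a user whose token carries no `groups` claim falls through to no roles, which is the failure mode to watch for after dropping the blanket superuser.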

Fantastic!! Exactly what I was looking for, many thanks Tim.

This was really straightaway after:

Cherry on the cake --> Claim for photo is missing ^^ Configuring single sign-on to the Elastic Stack using OpenID Connect | Elasticsearch Guide [8.10] | Elastic
