Map azureAD roles or groups with elasticsearch roles

I would like to map azureAD roles or groups with elasticsearch roles, I have no idea how to start.

Also, how can I fill in the "Full name" and "Email" fields?

The path I would recommend is:

  1. Log in via AzureAD into Kibana using a user that is a representative example of how your users are set up
  2. In the Kibana left hand menu, select Dev Tools (in the Management section at the bottom), and open the Console tab (default)
  3. Run GET /_security/_authenticate
  4. The response will contain a metadata object with a bunch of oidc(some_name_here) fields. Those fields contain the OpenId Connect claim fields that were received from AzureAD.
  5. Find the names of the claims that give you the groups/roles, full name, and email from AzureAD. Since you have the profile and email scopes set, you should have a "name" and an "email" claim. (If they're not there, then you will need to change something in AzureAD to provide those claims.)
  6. Then set claims.name and claims.mail to the claim names you found above. You've already set claims.groups to "groups". If that doesn't match what you saw in Dev Console, then change it to the correct claim.
  7. Restart your Elasticsearch node, and then login again.
  8. Your name & email should now be populated.
  9. To assign ES roles from your AzureAD groups, you can follow the example here: Configuring single sign-on to the Elastic Stack using OpenID Connect | Elasticsearch Guide [8.7] | Elastic
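The steps above can be checked and turned into configuration with a small script. This is an added example, not code from the original thread or from Elastic: it parses a constructed GET /_security/_authenticate response, picks the claim names for the realm's claims.name / claims.mail / claims.groups settings (the candidate claim names, the realm name "oidc1" and the group IDs are assumptions), and builds the body for PUT /_security/role_mapping/<name> that grants roles to members of given AzureAD groups.

```python
import re

# Constructed sample of a GET /_security/_authenticate response for an OIDC user
# (placeholder claim values and group IDs, not real data).
SAMPLE_AUTHENTICATE = {
    "username": "alice@example.com",
    "roles": [],
    "full_name": None,
    "email": None,
    "metadata": {
        "oidc(sub)": "placeholder-subject-id",
        "oidc(name)": "Alice Example",
        "oidc(email)": "alice@example.com",
        "oidc(groups)": ["group-id-admins", "group-id-analysts"],
    },
    "authentication_realm": {"name": "oidc1", "type": "oidc"},
}

_CLAIM_KEY = re.compile(r"^oidc\((.+)\)$")


def oidc_claims(auth_response):
    """Extract {claim_name: value} from the oidc(...) keys in metadata."""
    claims = {}
    for key, value in auth_response.get("metadata", {}).items():
        match = _CLAIM_KEY.match(key)
        if match:
            claims[match.group(1)] = value
    return claims


def realm_claim_settings(realm_name, claims):
    """Choose claim names for the realm's claims.* settings in elasticsearch.yml.

    The candidate lists are an assumption (AzureAD often sends
    preferred_username instead of email). Raising on a missing claim catches
    the gap before a restart, instead of after a login that still shows empty fields.
    """
    prefix = f"xpack.security.authc.realms.oidc.{realm_name}.claims."
    candidates = {"name": ["name"], "mail": ["email", "preferred_username"], "groups": ["groups", "roles"]}
    settings = {}
    for setting, options in candidates.items():
        found = next((c for c in options if c in claims), None)
        if found is None:
            raise ValueError(f"no claim found for {setting}; tried {options}")
        settings[prefix + setting] = found
    return settings


def role_mapping(realm_name, group_ids, roles):
    """Body for PUT /_security/role_mapping/<name>: roles for members of any listed group, only via this realm."""
    return {
        "enabled": True,
        "roles": list(roles),
        "rules": {"all": [
            {"field": {"realm.name": realm_name}},
            {"any": [{"field": {"groups": gid}} for gid in group_ids]},
        ]},
    }
```

Scoping the rule to realm.name keeps a group ID from a different realm from granting the same roles.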