Map / grant roles defined in keycloak to elasticsearch


We've setup the Keycloak Single Sing On (OIDC) integration with Elasticsearch cloud deployment and users are able sign in to the kibana using Keycloak as an authenticator.

The problem is that once user is authenticated s(he) does not have any permissions, even though Keycloak is sending groups and roles information for the user.

The workaround we've found is to use Elasticsearch role mapping API (by distinguishing user group names and assign specific roles), but whole idea of the Keycloak is to manage principals in the same place rather than use both Elasticsearch role mapping API and Keycloak.

It would be helpful if you clear the situation:

  1. whether is it possible?
  2. if possible, how Elasticsearch should know about roles which are sent from the Keycloak and use them per user without role mapping API?

This is not a workaround, but rather how it is designed to work. Groups are just names (strings). They bear no meaning unless you define them. Role mapping is where you define them. Without it, elasticsearch simply has no way to interpret this string.

This is not a problem unique to Elasticsearch. You manage user identity (including the credentials and group assignments) centrally in Keycloak. But it's up to each application to define the actual meaning of those assignments. If your user is in a group called "power_user" in keycloak, what this "power_user" can do is totally differently in different applications, e.g. Elasticsearch, MySQL, MongoDB or some other custom applications. Some level of "role mapping" is always needed.

1 Like

Thanks @Yang_Wang for the explanation. So just to quickly sum up:

If I create role in elasticsearch or let's say "superuser" role and then I create same role named "superuser" in Keycloak, there is no way to "sync" the role to the user into the Elasticsearch once user signs in to the Elasticsearch?

i.e. and since it can not "sync" the attached roles for user from keycloak to elasticsearch then I should use role mapping API which allows me to attach SSOed user predefined roles based on the group name(s)?

Yes. You are not limited to group names. The role mapping API supports many other attributes. If you really want to give all users the same level of access, mapping with realm name is a quick path.

This exact scenario is described in the Role Mapping API docs.

See this paragraph:

However, in rare cases the names of your groups may be an exact match for the names of your Elasticsearch roles. This can be the case when your SAML Identity Provider includes its own "group mapping" feature and can be configured to release Elasticsearch role names in the user’s SAML attributes.

Thanks @TimV! this is exactly what we needed, my bad didn't took a look on samples section.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.