Multi Tenancy Single Sign on with Microsoft Entra

Elastic Stack Elasticsearch
1

HI Folks, we are using Elastic Cloud, and would like to set up Single Sign on using Microsoft Entra, with the addition of using multiple (any) Microsoft Azure Tenants. I would like to achieve this without needing to register Entra Applications on each tenant.

I can use Set up SAML with Microsoft Entra ID | Elastic to get this working for our tenant, but have not been able to convert it to work multi tenant.

Our Entra App Registration is configured for multi tenant, yet I haven't quite figured out the elasticsearch.yml config to get this working.

Here is our elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        saml:
          kibana-realm:
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idp.metadata.path: "https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>"
            idp.entity_id: "https://sts.windows.net/<our tenant ID>"
            sp.entity_id: "https://<our proxied URL>/"
            sp.acs: "https://<our proxied URL>/api/security/saml/callback"
            sp.logout: "https://<our proxied URL>/logout"

You will note in idp.metadata.path I swapped our tenant id for common. I also tried organizations.

I also note that the url reccomended by the guide for attributes.groups does not resolve properly.

Current error message is when trying to log in is:

Error: [security_exception
	Root causes:
		security_exception: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved]: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=XXXXX] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved
    at login_form_LoginForm.loginWithSelector (https://<our proxied URL>/8aa0b59da12c/bundles/plugin/security/1.0.0/security.chunk.6.js:3:29606)

Any help would be much appreciated. Happy to send logs, but currently none are showing on the cloud 'Logs and Metrics' page.

2

Removed #elastic-cloud