Native azure integration with Azure AD SSO failures

samjpv · August 22, 2022, 11:37pm

I've been working to set up SSO with Azure AD on a native Azure integrated elasticsearch cluster following this guide: How to set up OpenID Connect on Elastic Cloud (with Azure, Google, Okta) | Elastic Blog. As far as I can tell, the actual authentication with Azure upon login works, but after that, I get this:

My current elastic user settings are identical to the tutorial's, with kibana endpoint, app registration tenant/app id, claim_patterns.principal email regex all positively correct. The fact that I'm getting this error now rather than a "failed to authenticate with azure" or something like that leads me to believe that the issue resides somewhere in my role mapping rules, which are as follows:

{ 
    "enabled": true, 
    "roles": [ "superuser" ],  
    "rules" : { 
      "all" : [ 
        { 
          "field" : { 
            "realm.name" : "oidc1" 
          } 
        }, 
        { 
          "field" : { 
            "username" :  "*"
          } 
        } 
      ] 
    }, 
    "metadata": { "version": 1 } 
}

This is also pretty much identical to the tutorial, except not restricted on username. Kibana user settings are also identical to the tutorial's.
Like I mentioned, I'm not thinking this is an issue with my Azure app registration, though I haven't ruled it out.

Is there a good way to debug why this isn't working or an obvious reason for the failure? Any info would be greatly appreciated.

Yang_Wang · August 23, 2022, 1:11am

If you don't need username restriction, you can just simplify the role mapping rule to

{
  "enabled": true,
  "roles": [
    "superuser"
  ],
  "rules": {
    "field": {
      "realm.name": "oidc1"
    }
  }
}

Please double check that the realm is actually named as oidc1.

Is there a good way to debug why this isn't working or an obvious reason for the failure?

You can enable trace logging on Elasticsearch and it should output detailed messages on how roles are resolved/mapped during log in time.

PUT _cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc": "trace"
  }
}

samjpv · August 23, 2022, 3:08pm

This inexplicably started working after a few hours with nothing changed. I'm guessing I needed to wait a few minutes to re-login on the account I was testing SSO with to actually have permissions applied. Thanks for the tip on mapping, and I'll keep in mind trace logging if I run into any similar issues in the future.

Yang_Wang · August 23, 2022, 11:44pm

Role mapping changes do not apply to your SSO user's existing kibana sessions. So yes you probably just needed re-login.

system · September 20, 2022, 11:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Azure AD with groups in kibana and role mappings Kibana elastic-stack-security	2	326	October 4, 2022
OIDC with Azure not logged in on Kibana Kibana elastic-stack-security	4	229	October 25, 2023
Azure AD authentication to Kibana Elasticsearch elastic-stack-security	8	4242	June 30, 2020
ElasticSearch Error When Integrating with Azure AD for SSO Capabilities Elasticsearch elastic-stack-security	13	1631	April 18, 2019
Configure Open ID connect using Azure AD roles Kibana elastic-stack-security	3	426	June 3, 2021

Native azure integration with Azure AD SSO failures

Related topics