I've been working to set up SSO with Azure AD on a native Azure integrated elasticsearch cluster following this guide: How to set up OpenID Connect on Elastic Cloud (with Azure, Google, Okta) | Elastic Blog. As far as I can tell, the actual authentication with Azure upon login works, but after that, I get this:
My current elastic user settings are identical to the tutorial's, with kibana endpoint, app registration tenant/app id, claim_patterns.principal email regex all positively correct. The fact that I'm getting this error now rather than a "failed to authenticate with azure" or something like that leads me to believe that the issue resides somewhere in my role mapping rules, which are as follows:
{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules" : {
    "all" : [
      {
        "field" : {
          "realm.name" : "oidc1"
        }
      },
      {
        "field" : {
          "username" : "*"
        }
      }
    ]
  },
  "metadata": { "version": 1 }
}
This is also pretty much identical to the tutorial, except not restricted on username. Kibana user settings are also identical to the tutorial's.
Like I mentioned, I'm not thinking this is an issue with my Azure app registration, though I haven't ruled it out.
Is there a good way to debug why this isn't working or an obvious reason for the failure? Any info would be greatly appreciated.
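One way to check whether a role mapping like the one above should fire for a given authenticated user is to evaluate the mapping's rule DSL offline against the user document Elasticsearch would build (username, realm.name, groups, metadata). The following is an added example, not code from the post or from Elastic: it is a small Python evaluator for the `all` / `any` / `except` / `field` operators with `*` wildcards, run over a constructed role mapping of the same shape as the one in the post and two constructed user documents. It assumes the field names `username`, `realm.name` and `groups` resolve the way they do in Elasticsearch role-mapping rules; the sample usernames and realm names are made up.

```python
import re
from typing import Any

# Constructed role mapping with the same shape as the one in the post
# (realm oidc1, any username -> superuser). Not the poster's actual config.
ROLE_MAPPING = {
    "enabled": True,
    "roles": ["superuser"],
    "rules": {
        "all": [
            {"field": {"realm.name": "oidc1"}},
            {"field": {"username": "*"}},
        ]
    },
    "metadata": {"version": 1},
}

# Constructed user documents, shaped like what the realm hands to role mapping.
OIDC_USER = {
    "username": "alice@example.com",   # principal extracted from the email claim (assumed)
    "realm": {"name": "oidc1"},
    "groups": [],
    "metadata": {},
}
NATIVE_USER = {"username": "elastic", "realm": {"name": "native1"}, "groups": []}


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a field value where only '*' is a wildcard (any run of characters)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _lookup(user: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'realm.name' against the user document."""
    node: Any = user
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _field_matches(expected: Any, actual: Any) -> bool:
    """A field rule matches if any expected value matches any actual value."""
    expected_values = expected if isinstance(expected, list) else [expected]
    actual_values = actual if isinstance(actual, list) else [actual]
    for exp in expected_values:
        for act in actual_values:
            if exp is None and act is None:
                return True
            if isinstance(exp, str) and isinstance(act, str):
                if _wildcard_match(exp, act):
                    return True
            elif exp is not None and exp == act:
                return True
    return False


def evaluate(rule: dict, user: dict) -> bool:
    """Evaluate one rule object (exactly one operator) against a user document."""
    if len(rule) != 1:
        raise ValueError("a rule object must contain exactly one operator")
    (op, body), = rule.items()
    if op == "all":
        return all(evaluate(r, user) for r in body)
    if op == "any":
        return any(evaluate(r, user) for r in body)
    if op == "except":
        return not evaluate(body, user)
    if op == "field":
        return all(_field_matches(exp, _lookup(user, name)) for name, exp in body.items())
    raise ValueError(f"unknown rule operator {op!r}")


def roles_for(user: dict, mapping: dict) -> list:
    """Roles granted by a single mapping: its roles if enabled and the rules match, else none."""
    if not mapping.get("enabled", True):
        return []
    return list(mapping["roles"]) if evaluate(mapping["rules"], user) else []


if __name__ == "__main__":
    print("oidc user  ->", roles_for(OIDC_USER, ROLE_MAPPING))    # ['superuser']
    print("native user ->", roles_for(NATIVE_USER, ROLE_MAPPING))  # []
```

If the evaluator grants the role for the user document you expect, the mapping itself is not the problem and the failure is earlier (the realm never producing a principal from the configured claim, or the realm name in the mapping not matching the realm as configured). The same evaluator lets you try a narrower `username` pattern, or a `groups` rule, before putting it into the cluster.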