Native azure integration with Azure AD SSO failures

I've been working to set up SSO with Azure AD on a native Azure integrated elasticsearch cluster following this guide: How to set up OpenID Connect on Elastic Cloud (with Azure, Google, Okta) | Elastic Blog. As far as I can tell, the actual authentication with Azure upon login works, but after that, I get this:

My current elastic user settings are identical to the tutorial's, with kibana endpoint, app registration tenant/app id, claim_patterns.principal email regex all positively correct. The fact that I'm getting this error now rather than a "failed to authenticate with azure" or something like that leads me to believe that the issue resides somewhere in my role mapping rules, which are as follows:

{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules": {
    "all": [
      {
        "field": {
          "realm.name": "oidc1"
        }
      },
      {
        "field": {
          "username": "*"
        }
      }
    ]
  },
  "metadata": { "version": 1 }
}

This is also pretty much identical to the tutorial, except not restricted on username. Kibana user settings are also identical to the tutorial's.
Like I mentioned, I'm not thinking this is an issue with my Azure app registration, though I haven't ruled it out.

Is there a good way to debug why this isn't working or an obvious reason for the failure? Any info would be greatly appreciated.

If you don't need the username restriction, you can just simplify the role mapping rule to

{
  "enabled": true,
  "roles": [
    "superuser"
  ],
  "rules": {
    "field": {
      "realm.name": "oidc1"
    }
  }
}

Please double check that the realm is actually named oidc1.

Is there a good way to debug why this isn't working or an obvious reason for the failure?

You can enable trace logging on Elasticsearch and it should output detailed messages on how roles are resolved/mapped at login time.

PUT _cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc": "trace"
  }
}
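To make the "check the realm name" advice concrete, here is an added Python example (not from this thread and not Elasticsearch's own code) that re-implements the role-mapping rules DSL (all / any / except / field, with `*` wildcards approximated by fnmatch) and runs the two mappings from this thread against a constructed OIDC user and a user authenticated by a realm with a different name.

```python
import fnmatch

# Constructed sample users as the role-mapping engine would see them after the
# OIDC realm authenticates; the names are assumptions, not real accounts.
SSO_USER = {"username": "alice@example.com", "realm.name": "oidc1"}
MISNAMED_REALM_USER = {"username": "alice@example.com", "realm.name": "oidc"}

# The original mapping from the question (realm AND any username).
ORIGINAL_MAPPING = {
    "enabled": True,
    "roles": ["superuser"],
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"username": "*"}},
    ]},
}

# The simplified mapping from the answer (realm only).
SIMPLIFIED_MAPPING = {
    "enabled": True,
    "roles": ["superuser"],
    "rules": {"field": {"realm.name": "oidc1"}},
}

def _field_matches(field, pattern, user):
    """One field rule: the pattern may be a single value or a list of values,
    and string values are treated as wildcard patterns (assumption: only '*')."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    values = user.get(field, [])
    values = values if isinstance(values, list) else [values]
    return any(fnmatch.fnmatchcase(str(v), str(p)) for v in values for p in patterns)

def evaluate_rule(rule, user):
    """Recursively evaluate the rules DSL against a user's attributes."""
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        return all(_field_matches(f, p, user) for f, p in rule["field"].items())
    raise ValueError(f"unknown rule: {rule}")

def resolve_roles(mappings, user):
    """Union of roles granted by every enabled mapping whose rules match."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return roles
```

A user whose realm is not literally named oidc1 resolves to no roles at all, which is the symptom of a working Azure login followed by an authorization failure in Kibana.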

This inexplicably started working after a few hours with nothing changed. I'm guessing I needed to wait a few minutes to re-login on the account I was testing SSO with to actually have permissions applied. Thanks for the tip on mapping, and I'll keep in mind trace logging if I run into any similar issues in the future.

Role mapping changes do not apply to your SSO user's existing Kibana sessions. So yes, you probably just needed to re-login.
