Hi Oliver. Thanks for your feedback. If you'd be so kind as to point out the documentation parts with conflicting advice, we'll do our best to make sure they are fixed so that they align and do not create confusion.
Now to your question, have you read Configure Elasticsearch for OpenID Connect authentication | Elasticsearch Guide [master] | Elastic? It says:
claims.groups: "http://example.info/claims/groups" : Similarly, this instructs Elasticsearch to look for the claim with the name http://example.info/claims/groups (note that this is a URI - an identifier, treated as a string and not a URL pointing to a location that will be retrieved) either in the ID Token or in the UserInfo response, and map the value(s) of it to the user property groups in Elasticsearch. There is no standard claim in the specification that is used for expressing roles or group memberships of the authenticated user in the OP, so the name of the claim that should be mapped here, will vary greatly between providers. Consult your OP documentation for more details.
The name for the claim that your OP uses to express group membership is groups as seen in your
{
"aud": "removed",
"iss": "https://login.microsoftonline.com/removed/v2.0",
"iat": numbers,
"nbf": numbers,
"exp": numbers,
"groups": [
"2192a737-0000-48c4-0000-d93baa330c48",
"8e4742de-0000-4248-0000-b1a13ab1d822"
]
}
so the correct configuration in elasticsearch should be
claims.groups: groups
Now you'll see that your role mapping
PUT /_security/role_mapping/oidc-kibana
{
"roles": [ "kibana_user" ],
"enabled": true,
"rules": {
"all": [
{ "field": { "realm.name": "oidc1" } },
{ "field": { "groups": "2192a737-0000-48c4-0000-d93baa330c48" } }
]
}
}
will work. It will assign the role kibana_user to any user logging in who has 2192a737-0000-48c4-0000-d93baa330c48 as one of the values in the groups claim of their ID Token.
Hope this helps
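To make the claim-to-property mapping and the rule evaluation concrete, here is an added Python example (not code from this thread and not Elasticsearch's own implementation) that simulates what the realm setting and role mapping above do: it reads the claim named by claims.groups from a decoded ID token and then evaluates the mapping's field/all/any rules against the resulting user properties. The token payload, the realm name oidc1 and the rule evaluator are constructed for illustration; the GUIDs are placeholders.

```python
# Constructed sample: the decoded, already-verified ID token payload (GUIDs are placeholders).
ID_TOKEN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/removed/v2.0",
    "sub": "oliver",
    "groups": ["2192a737-0000-48c4-0000-d93baa330c48", "8e4742de-0000-4248-0000-b1a13ab1d822"],
}
# Realm settings: claims.groups names the claim to read (an identifier, not a URL to fetch).
REALM_OK = {"name": "oidc1", "claims.principal": "sub", "claims.groups": "groups"}
REALM_WRONG = {**REALM_OK, "claims.groups": "http://example.info/claims/groups"}
# The thread's role mapping, with both field rules combined under "all" (realm AND group).
ROLE_MAPPINGS = {
    "oidc-kibana": {
        "roles": ["kibana_user"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": "oidc1"}},
            {"field": {"groups": "2192a737-0000-48c4-0000-d93baa330c48"}},
        ]},
    }
}

def user_properties(claims, realm):
    """Map token claims to the user properties the role-mapping rules are evaluated against."""
    groups = claims.get(realm["claims.groups"], [])  # wrong claim name -> no groups at all
    return {
        "username": claims.get(realm["claims.principal"]),
        "realm.name": realm["name"],
        "groups": groups if isinstance(groups, list) else [groups],
    }

def rule_matches(rule, props):
    """Evaluate the field / all / any subset of the role-mapping rule DSL."""
    if "field" in rule:
        (name, expected), = rule["field"].items()
        actual = props.get(name)
        actual = actual if isinstance(actual, list) else [actual]
        expected = expected if isinstance(expected, list) else [expected]
        return any(a in expected for a in actual)  # multi-valued field: any value may match
    if "all" in rule:
        return all(rule_matches(r, props) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, props) for r in rule["any"])
    raise ValueError(f"unsupported rule: {rule}")

def assigned_roles(mappings, props):
    """Union of the roles of every enabled mapping whose rules match the user."""
    return sorted({r for m in mappings.values()
                   if m.get("enabled", True) and rule_matches(m["rules"], props)
                   for r in m["roles"]})
```

Running assigned_roles with REALM_OK yields kibana_user, while REALM_WRONG (the documentation's example URI as the claim name) yields no groups and therefore no roles.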