Recommendation for custom authentication

We are using the Zuul API gateway to authenticate our users. We terminate SSL at that point. We'd like to avoid creating users in the native realm. We'd like to identify our users by their DN and assign them roles based on attributes we know about them when we auth them at the gateway. What is your recommendation? We are experimenting with a custom realm now and have investigated a SAML solution. We haven't figured out how to implement the IdP portion of the SAML solution. Do you have recommendations?

A bit more info:
We are trying to follow the example here: https://github.com/elastic/elasticsearch/tree/7.5/x-pack/qa/security-example-spi-extension

To experiment I created a custom role and a user via the native realm before creating the custom realm. My custom role set read on some indices and all on others. I also set custom space privileges with dashboard read and none for all others on one space and just read on another space. When using the native realm and logging in as that user things work as I would have expected. However, when enabling the custom realm things do not work as expected. My user has all the icons on the left and has edit permissions on the dashboards. I can verify that my user only has my custom role.

Hello @kbohnenberger @Rhonda_Gregory,

We are using the Zuul API gateway to authenticate our users. [...] We'd like to identify our users by their DN and assign them roles based on attributes we know about them when we auth them at the gateway. What is your recommendation?

It's probably simplest to implement a Custom Realm. It could probably be done via SAML, but it involves more work because the API gateway must call Elasticsearch APIs.

We haven't figured out how to implement the IdP portion of the SAML solution. Do you have recommendations?

If you're going with a Custom Realm, this is not required. If you're going with SAML, the IdP is probably another service, not the Gateway itself, i.e. you should NOT implement a SAML IdP.

Overall the flow is that the gateway does the authentication, serializes it as an HTTP header, with a keyed MAC of some sort, and then the Custom Realm reads the header and the MAC, validates the MAC, and creates a user while assigning it role names.

However, when enabling the custom realm things do not work as expected. My user has all the icons on the left and has edit permissions on the dashboards. I can verify that my user only has my custom role.

The differences between the native-realm user and the custom-realm user most likely spring from role differences (one user has extra roles). You can use the _authenticate API to debug.
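The header-plus-MAC flow described above, as an added example (not code from Elasticsearch or the linked SPI extension, which would implement the realm side in Java): the gateway builds a signed header carrying the DN and role names, and the realm verifies the MAC and expiry before trusting anything inside it. The header name, shared key, claim layout and expiry window are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Secret shared by the gateway and the custom realm (constructed sample value).
SHARED_KEY = b"constructed-demo-key-replace-in-production"
HEADER_NAME = "X-Gateway-Auth"  # hypothetical header name chosen for this example


def gateway_make_header(dn, roles, key=SHARED_KEY, ttl_seconds=300, now=None):
    """Gateway side: serialize the authenticated identity and sign it with a keyed MAC."""
    now = int(time.time()) if now is None else now
    claims = {"dn": dn, "roles": sorted(roles), "exp": now + ttl_seconds}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def realm_verify_header(value, key=SHARED_KEY, now=None):
    """Realm side: check the MAC first, then the expiry, then the claim shape.
    Returns (dn, roles) on success, or None when the header must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac = value.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
        return None  # stale header: bounds how long a captured value stays usable
    dn, roles = claims.get("dn"), claims.get("roles")
    if not isinstance(dn, str) or not isinstance(roles, list):
        return None
    return dn, list(roles)
```

Role names in the header must match roles that already exist in Elasticsearch; the realm only maps the user to them, it does not define their privileges.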

Thanks for the response. I verified that my native-realm user and my custom-realm user have the exact same role. When using the custom realm, the role seems to work as designed as far as the index privileges go, but not the space privileges. Is there any kibana.yml or elasticsearch.yml magic that I might be missing? Do you have any example kibana.yml and elasticsearch.yml that have a custom realm enabled that I could follow? Following https://github.com/elastic/elasticsearch/tree/7.5/x-pack/qa/security-example-spi-extension, can you get a custom realm to work including space privileges?