Role Mapping via App Role in Azure SSO

Hi,

New to Elastic here; seeking information on how to use an App Role on the Enterprise Application for Elastic SSO to assign a user to a particular role mapping.

We are using instructions;

I can see in the SAML response my role information is present however my role mapping rule:

user field: group
type: text
value: <>

user field: realm.name
type: text
value: <>

Doesn't seem to be assigning the user to the role in Elastic. I'm unsure what I'm missing here or if perhaps I am missing some information on the Attributes & Claims side in the Azure app?

Regards,

It would be helpful if you could share more details, such as the SAML response, the actual role mapping etc. Please also format any code-like blocks with triple backticks.

1 Like

Hi Yang,

Thanks for the response, the attributes in my SAML response are:

```
	<Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
		<AttributeValue>*********</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
		<AttributeValue>7f46d0d0-49f1-4a74-87da-39661ea817f2</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
		<AttributeValue>********</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
		<AttributeValue>https://sts.windows.net/*********/</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
		<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
		<AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</AttributeValue>
		<AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
		<AttributeValue>********</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
		<AttributeValue>********</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
		<AttributeValue>***********</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
		<AttributeValue>************</AttributeValue>
	</Attribute>
	<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
		<AttributeValue>elastic_pt_powerusers</AttributeValue>
	</Attribute>
</AttributeStatement>
```

Attached is a picture of the role mapping
![role mapping elastic|690x297](upload://tMEhFehCxYMRfpSL66vhOB9l2IK.png)

Thanks. Could you please fix the role mapping link?
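
An added example, not part of the thread and not Elastic's code: a small offline model for checking whether a role mapping rule can match the role claim shown in the SAML response above. It assumes the realm reads `groups` from the attribute named in its `attributes.groups` setting; the realm name `azure-saml` and the helper names are hypothetical, and the evaluator handles only `all` and exact-match `field` rules.

```python
import xml.etree.ElementTree as ET

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: only the role attribute from the response quoted above.
SAML_ATTRS = f"""<AttributeStatement>
  <Attribute Name="{ROLE_CLAIM}">
    <AttributeValue>elastic_pt_powerusers</AttributeValue>
  </Attribute>
</AttributeStatement>"""

# Rule under test; realm name "azure-saml" is an assumption.
RULE = {"all": [{"field": {"realm.name": "azure-saml"}},
                {"field": {"groups": "elastic_pt_powerusers"}}]}

def local(tag):
    """Strip an XML namespace prefix such as '{urn:...}Attribute'."""
    return tag.split("}")[-1]

def saml_attributes(xml_text):
    """Return {attribute name: [values]}; for pasted, trusted snippets only."""
    attrs = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "Attribute":
            attrs[el.get("Name")] = [v.text.strip() for v in el
                                     if local(v.tag) == "AttributeValue"]
    return attrs

def build_user(realm_name, realm_settings, attrs):
    """Model the user fields a rule can test: 'groups' is filled only
    from the SAML attribute named by the realm's attributes.groups."""
    source = realm_settings.get("attributes.groups")
    return {"realm.name": realm_name, "groups": attrs.get(source, [])}

def rule_matches(rule, user):
    """Evaluate an 'all' / 'field' rule with exact string matching."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    field, expected = next(iter(rule["field"].items()))
    actual = user.get(field)  # a field the user does not have never matches
    if actual is None:
        return False
    return expected in (actual if isinstance(actual, list) else [actual])

if __name__ == "__main__":
    attrs = saml_attributes(SAML_ATTRS)
    for settings in ({}, {"attributes.groups": ROLE_CLAIM}):
        user = build_user("azure-saml", settings, attrs)
        print(settings or "no attributes.groups", "->", rule_matches(RULE, user))
```
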
