Role mappings will not be applied to any users

I'm getting the following message in the Role Mappings page of Kibana:

No compatible realms are enabled in Elasticsearch
Role mappings will not be applied to any users. Contact your system administrator and refer to the docs for more information.

The link takes me to the Role Mappings documentation page but it doesn't seem to describe what could be causing that error. Does anybody know what it means? The confusing thing is authentication and authoisation seem to be working, so maybe this is a false alarm?

We're using SAML authentication with Okta.

You're likely on a Platinum license then? I would suggest you hit up the Support team :slight_smile:

It'd be helpful if you could show some screenshots of what you are doing as well.

Hi Mark

We do have a platinum licence so a support case is an option. I was just looking around this site for a solution so thought I'd ask here in case somebody else has seen the same issue. We're still running version 7.9 on this cluster and we're about to upgrade to 7.12 so I'll do that first and maybe it will resolve the issue. If not I'll raise a support case.

This is a screenshot of the problem:


That's just a warning, to alert people to the fact that they don't want to be on that page if none of their configured realms need role mapping. So, it shouldn't prevent you from getting stuff done.

However, if it's coming up then either

  1. there's a bug in that version of Kibana
  2. you really don't have realms configured.

My guess is that your elected master node doesn't have the SAML realms configured.
The Kibana code is looking at an API that only reports the security state on the master node of the cluster, so if it doesn't have any applicable realms, then you'll see this message.

Thanks Tim. You're right, it does seem to be working so it could be just a warning. I don't have realms configured on the master servers. I'm running ES as a coordinating node on the Kibana server and in elasticsearch.yml I have a native realm and a saml realm configured there. Should the realms configuration be on the master nodes instead of the coordinating node or as well as on the coordinating node?

This is my realms configuration on the coordinating node:
        enabled: true
                enabled: true
                order: 0
                enabled: true
                order: 2
                attributes.principal: "principal"
                attributes.groups: "groups"
                idp.metadata.path: "/etc/path/to/idp-metadata.xml"
                idp.entity_id: "<redacted>"
                sp.entity_id:  "https://<kibana_host>:5601/"
                sp.acs: "https://<kibana_host>:5601/api/security/v1/saml"
                sp.logout: "https://<kibana_host>:5601/logout"

This is resolved now. As Tim said, Kibana is checking for realms information on the master server only. Realms functionality is not affected because realms are configured in Elasticsearch, not Kibana. So the message in Kibana is just a warning to advise that Kibana can't find the realms information.

I copied the Okta realms configuration to my 3 master elegible nodes, restarted ES on the master nodes, and the warning has now gone.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.