SAML attributes.groups has multiple groups, role mapping does not work

I have the following saml response:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://postprod.ams.hhs.gov/</saml:Issuer>
...
      <saml:AuthnStatement AuthnInstant="2021-10-07T16:24:49Z" SessionIndex="id-iThZONsBYRpxNv6Pm6hlUHk6b6aJrLBPjcjRB2rx" SessionNotOnOrAfter="2021-10-07T17:25:20Z">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">role1,role2,role3....</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>

SAML definition is:
attributes.groups: "roles"

if the roles has only one value it work. When it is like "role1,role2.." role mapping does not work. (role1 or role2 etc. has its own role mapping)
Any advice?

Thanks

I have used:

attribute_patterns.groups: "(role\\w*)"

This extract 1 role and works.
Anyway groups can have multiple roles?

Is this in relation to the Security functionality in Elasticsearch?

Yeah. This is related to ELK single sing on.

Convince your identity provider to use multi-valued SAML attributes?

SAML supports having multiple values for a single attribute. Perhaps there's a configuration option in your IdP to get it behave more politely and send the separate roles as separate values.

1 Like