SAML error with ELK Stack

No. You need to create specific roles that have the privileges that are required for the given space. See our documentation

Can you clarify what you mean by this?

You cannot use role as a field in role mapping rules (this part: { "field": { "role": "Role.AT" } }). Role mapping rules assign roles to users based on some other properties; if the user already had the role, you wouldn't need a role mapping rule to assign it to them. Please read through our documentation here and here again, I'm certain it will be beneficial for you.

Yes.

I can only assume that because your role mapping or the SAML attribute mapping is wrong, the user doesn't get the necessary roles when logging in via SAML.

  • What is the value for attributes.groups: in your configuration?
  • Does the user belong to the group Role.AT in your SAML IDP or the underlying LDAP?
  • Please enable trace logging for the SAML realm as described in our troubleshooting docs and review the logs. We print out helpful information for debugging there. If you still can't make sense of it, please share the relevant parts here so that we can take a look.

Hope this helps

Hi
Thanks for the answer.
attributes.groups from SAML is "role", as my IdP is sending me the role in the SAML token:
look here, SAML token:

```
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">Role.AT</saml:AttributeValue>
</saml:Attribute>
```

Still my question:
can I create a second dashboard-only user role? I tried to add it to Kibana Advanced Settings according to the documentation, but I still see the entire applications list, not only Dashboard.

What I want to achieve is that SAML users have a dashboard-only role on one specific space. Can I force in the role mapping API for the SAML realm which space is to be used?
The kibana_dashboard_only_user role has access to all spaces and cannot be modified.
If I manually create a clone of it, with the same .kibana* index, the users who have it don't act the same.

Thank you,
Victor

I see. You still need to remove { "field": { "role": "Role.AT" } } from your role mapping,

```
PUT /_xpack/security/role_mapping/Role.AT
{
  "roles": [ "Role.AT" ],
  "enabled": true,
  "rules": { "all": [
    { "field": { "realm.name": "saml1" } },
    { "field": { "groups": "Role.AT" } }
  ] }
}
```

should work fine for you.

kibana_dashboard_only_user role is not compatible with spaces in the way you try to use it. See this answer from @Brandon_Kobel explaining why and what you can do instead
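
To make the point about the "role" field concrete, here is an added offline model of how role-mapping rules are evaluated (all / any / except / field). It is example code written for this thread, not code from the thread or from Elasticsearch, and the user object it builds is a simplification of what the SAML realm actually hands to the role mapper (the `saml(...)` metadata keys are kept, everything else is reduced to the fields the rules touch). The user, the mapping names and the `native_user` comparison are constructed for the example.

```python
"""Offline model of Elasticsearch role-mapping rule evaluation.

Added example, not code from the thread or from Elasticsearch.  It evaluates the
rule DSL (all / any / except / field) against the user object that a SAML realm
hands to the role mapper, to show why {"field": {"role": ...}} never matches
while {"field": {"groups": ...}} does.
"""
from fnmatch import fnmatchcase


def saml_user(nameid, attributes, realm="saml1"):
    """Build the (simplified) user document the role mapper sees.

    `attributes` maps SAML attribute name -> list of values, as in the assertion.
    With attributes.groups: "role" in elasticsearch.yml, the values of the SAML
    attribute named "role" become the user's groups.  There is no "role"
    property: roles are the OUTPUT of mapping, not an input.
    """
    return {
        "username": nameid,
        "dn": None,
        "groups": list(attributes.get("role", [])),   # attributes.groups: "role"
        "realm": {"name": realm},
        "metadata": {f"saml({k})": v for k, v in attributes.items()},  # simplified
    }


def native_user(username, groups=()):
    """A user from the native realm, for comparison (realm.name differs)."""
    return {"username": username, "dn": None, "groups": list(groups),
            "realm": {"name": "native"}, "metadata": {}}


def _lookup(user, path):
    """Dotted-path lookup (realm.name, metadata.saml(c)); None when absent."""
    node = user
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _value_matches(expected, actual):
    if expected is None:                      # null matches a missing field
        return actual is None
    if isinstance(expected, str) and isinstance(actual, str):
        return fnmatchcase(actual, expected) if "*" in expected else actual == expected
    return expected == actual


def _field_rule(spec, user):
    """{"field": {name: value}}: value may be a list (any-of), a wildcard string,
    number, boolean or null; a multi-valued user field matches on any element."""
    (name, expected), = spec.items()
    actual = _lookup(user, name)
    expecteds = expected if isinstance(expected, list) else [expected]
    actuals = actual if isinstance(actual, list) else [actual]
    return any(_value_matches(e, a) for e in expecteds for a in actuals)


def evaluate(rule, user):
    (kind, body), = rule.items()
    if kind == "all":
        return all(evaluate(r, user) for r in body)
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "except":
        return not evaluate(body, user)
    if kind == "field":
        return _field_rule(body, user)
    raise ValueError(f"unknown rule type {kind!r}")


def mapped_roles(mappings, user):
    """Union of the roles of every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


# The mapping from earlier in the thread, with the rule that can never match...
BROKEN = {"Role.AT": {"enabled": True, "roles": ["Role.AT"], "rules": {"all": [
    {"field": {"realm.name": "saml1"}},
    {"field": {"role": "Role.AT"}},       # users have no "role" property
]}}}

# ...and the corrected one, matching the SAML "role" attribute via groups.
FIXED = {"Role.AT": {"enabled": True, "roles": ["Role.AT"], "rules": {"all": [
    {"field": {"realm.name": "saml1"}},
    {"field": {"groups": "Role.AT"}},
]}}}


def demo():
    """Constructed user: the assertion carried role=Role.AT and c=AT."""
    victor = saml_user("victor", {"role": ["Role.AT"], "c": ["AT"]})
    return mapped_roles(BROKEN, victor), mapped_roles(FIXED, victor)


if __name__ == "__main__":
    print(demo())   # ([], ['Role.AT'])
```

The `realm.name` condition is what keeps the same group name in another realm (for example a native user who happens to be in a group called Role.AT) from picking up the role; `mapped_roles` returns nothing for such a user.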

Hi,
thanks for the fast reply.
I have removed the "role" field entry.
How can I add a second role in that dashboard-only advanced setting, as I can write any string there and it is not verified? I have added, comma separated, Role A, Role B in the advanced settings dashboard-only setting, and if I set Role A or B on some user I still have all the applications.
Also, I've set this Role.AT to space "Engineer". If I log in with the Role.AT user via SAML I am redirected to the default space. If I log in with a local user I am redirected to the Engineer space, but with all the applications, not only Dashboard.

Can I "clone" kibana_dashboard_only_user to another role and use that instead for my dashboard-only users?
Thank you,
Victor

You can add comma-separated role names.

Please share all the steps you have done with the relevant output. Without this, it's very hard for anyone in the forums to meaningfully assist you.

Have you created the custom role as instructed in the link I shared above? Is that role name Role.AT ? If so , how did you go about creating it? Did you also follow all the subsequent steps that are described there?

Please share details. How did you do this? Share the API calls you executed or describe how you did this in the UI.

Hi,
So step by step.
The role definition:

```
GET /_xpack/security/role/Role.AT

{
  "Role.AT" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "index1-*",
          "index2-*",
          "index3-*"
        ],
        "privileges" : [
          "all"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "query" : """{"match": {"providedAttributes.user.countryCode": "AT"}}"""
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_read"
        ],
        "resources" : [
          "space:engineer"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
```

The Role Mapping for saml1 realm:

```
GET /_xpack/security/role_mapping/Role.AT

{
  "Role.AT" : {
    "enabled" : true,
    "roles" : [
      "Role.AT"
    ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "saml1"
          }
        },
        {
          "field" : {
            "groups" : "Role.AT"
          }
        }
      ]
    },
    "metadata" : { }
  }
}
```

The SAML part of elasticsearch.yml:

```
nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
attributes.principal: "nameid"
attributes.groups: "role"
```

As my IdP sends the role in the SAML "role" attribute, as seen in my other post above.

I have added the role as in Brandon's example:

```
curl -k -H "kbn-xsrf:true" -H "content-type:application/json" -u elastic:changeme -X PUT https://localhost:5601/elk/api/security/role/Role_AT_Dashboard_Only -d '
{
  "kibana": {
    "space": {
      "engineer": ["read"]
    }
  }
}
'
```

When I log in with the user I still have all the applications and not just the Dashboard application.
This is the role when i GET it:

```
{
  "Role_AT_Dashboard_Only" : {
    "cluster" : [ ],
    "indices" : [ ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_read"
        ],
        "resources" : [
          "space:engineer"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
```

I have replaced, in the dashboard-only advanced setting, the default role with my new role, and still all the applications are shown.

If I log in with a local user: I land in my Engineer space.
If I log in with a SAML user, they go by default to the default space.

If I have a user with a role A for indices A and B and space X, and at the same time a role B which is a dashboard-only role, will the user be able to see only the dashboards for the A and B indices on space X?

We will take a look at first opportunity but in the meantime please use the </> button and/or triple backquotes like

```
preformatted text here
```

to format your text in order for it to be readable. You can use the preview window on the right to make sure it looks fine!

Hi Ioannis,
The only thing I have now is the dashboard-only roles, which are not working as they should.
I followed the steps in Brandon's blog page and it's still not working for me.
I replaced the dashboard-only role in the Kibana Advanced Settings page; it didn't work.
I created more roles and added them comma separated to the Kibana Advanced Settings page, and it still didn't work.

What I need is that I have 4 roles and each role goes to its designated space, dashboard-only.
Has somebody configured it this way?

Thank you,
Victor

Can you please format your previous post as it is really hard to go through this now?

Your role mapping gives your user the role Role.AT but your dashboard only role is Role_AT_Dashboard_Only.

Change your role mapping to give the Role_AT_Dashboard_Only instead of the Role.AT role.

Hi,
I will do that.
What about a local user?
Because I have the same error,
meaning with a dashboard-only role I see all the apps, not only Dashboard.
To me it looks like dashboard-only roles in Kibana Advanced Settings are not working:
Role.AT:

```
{
  "Role.AT" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          ".kibana*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        }
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_read"
        ],
        "resources" : [
          "space:engineer"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
```

Dashboard advanced setting:
[screenshot: dashboard-only advanced setting]
Local user page:
[screenshot: local user page]
Local user after login sees all apps:
[screenshot: local user after login, all apps visible]

There is nothing different for the local user. This is about the role, no matter if you add the role to the user manually or if they get it from a role mapping. As said before, Role.AT has more permissions than a dashboard-only role needs (for example read access to the .kibana index).

Don't use Role.AT or change Role.AT to a role definition that has only the necessary permissions and not more. See also our docs

Hi,
I have now understood how the space-role inheritance works in Kibana:

So, the Kibana dashboard-only advanced setting is stored separately for each space.
So if you need different dashboard-only users and roles in different spaces, this must be set in the dashboard-only advanced setting inside each space. Maybe this should be written more explicitly in the documentation, I believe.

Thank you for the help and effort,
Victor

We would really appreciate it if you could open a relevant issue in the elastic/kibana GitHub repository and describe exactly what your issues were and where the documentation was not as clear as it could be, so that we can address it!

Glad you got this working in the end

Hi,
Thank you, I will make an account and write on GitHub about the Space-Role-Kibana Advanced Mapping Dashboard Only inheritance.
One more thing here.
For SAML attribute mapping, can the country attribute be part of the mapping?
According to the documentation I have only 5 attributes: principal, groups, name, mail, dn.

Meaning, in elasticsearch.yml can I set something like this:

```
attributes.principal: "nameid"
attributes.groups: "role"
attributes.c: "c"
```

where c is the ISO country code, which I am receiving via SAML.
I want to use this country code in a granted document query match like:

```
{"match": {"providedAttributes.user.countryCode": "user.c"}}
```

where user.c should be received via SAML from the IdP. In this way I can create a "dynamic role" based on a SAML attribute received from the IdP.
Thank you,
Victor

Hi

Great !

Yes, and it looks similar to what you are describing. All the SAML attributes that your IdP sends become available as user metadata and can be used in role mapping rules and templated role queries.

Assuming that the name of the country code attribute is countryCode, i.e. something like

```
<saml:Attribute Name="countryCode" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">GB</saml:AttributeValue>
</saml:Attribute>
```

this will be available in the metadata of the user as saml(countryCode). So an example templated role query for DLS that would give read access to the documents in my_index that have the same country code as the user (assuming your documents have a country_code field) would look like

```
{
  "indices" : [
    {
      "names" : [ "my_index" ],
      "privileges" : [ "read" ],
      "query" : {
        "template" : {
          "source" : {
            "term" : { "country_code" : "{{_user.metadata.saml(countryCode)}}" }
          }
        }
      }
    }
  ]
}
```
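
To show what the templated query above does per user, here is an added offline model, written for this thread rather than taken from it or from Elasticsearch: it renders the `{{_user.metadata.saml(...)}}` placeholder from a user's SAML metadata into the term query and applies the result to a handful of constructed documents. It uses the attribute name `c` and the field name `providedAttributes.user.countryCode` from earlier posts in this thread; the documents, the user names and the reduced Mustache rendering (variables only, no sections or escaping) are simplifications made for the example.

```python
"""Offline model of a templated role query (document level security).

Added example, not code from the thread or from Elasticsearch.  It renders the
{{_user.metadata.saml(<attr>)}} placeholder from a user's SAML metadata into the
term query and applies that query to constructed documents, to show that one role
yields a different set of visible documents per user.
"""
import re

PLACEHOLDER = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")

# Constructed sample documents, using the field name from earlier in the thread.
DOCS = [
    {"_id": "1", "providedAttributes": {"user": {"countryCode": "AT"}}, "msg": "vienna"},
    {"_id": "2", "providedAttributes": {"user": {"countryCode": "GB"}}, "msg": "london"},
    {"_id": "3", "providedAttributes": {"user": {"countryCode": "AT"}}, "msg": "graz"},
    {"_id": "4", "providedAttributes": {"user": {}}, "msg": "no country code"},
]

# The role's query template: same shape as the answer above, with the SAML
# attribute named "c" as in this thread.
ROLE_QUERY_TEMPLATE = {
    "term": {"providedAttributes.user.countryCode": "{{_user.metadata.saml(c)}}"}
}


def saml_user(nameid, attributes):
    """User as the template sees it.  Metadata keys are saml(<attribute name>);
    single-valued attributes are kept as plain strings here (simplification)."""
    return {"username": nameid,
            "metadata": {f"saml({k})": v for k, v in attributes.items()}}


def _get_path(obj, path):
    """Dotted-path lookup; raises KeyError when any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            raise KeyError(path)
        obj = obj[part]
    return obj


def render(template, user):
    """Substitute {{...}} variables inside a query object.

    Mustache variable lookup only (no sections, no escaping).  A variable that
    is not present renders as an empty string, as Mustache does, so a user whose
    IdP sent no `c` attribute ends up with a query that matches nothing.
    """
    if isinstance(template, dict):
        return {k: render(v, user) for k, v in template.items()}
    if isinstance(template, list):
        return [render(v, user) for v in template]
    if isinstance(template, str):
        def sub(m):
            try:
                return str(_get_path({"_user": user}, m.group(1)))
            except KeyError:
                return ""
        return PLACEHOLDER.sub(sub, template)
    return template


def term_matches(query, doc):
    """Exact-value term query against a dotted field path."""
    (field, value), = query["term"].items()
    try:
        return _get_path(doc, field) == value
    except KeyError:
        return False


def visible_docs(user, docs=DOCS, template=ROLE_QUERY_TEMPLATE):
    """IDs of the documents DLS would let `user` read under this role."""
    query = render(template, user)
    return [d["_id"] for d in docs if term_matches(query, d)]


if __name__ == "__main__":
    for attrs in ({"c": "AT"}, {"c": "GB"}, {}):
        print(attrs, visible_docs(saml_user("someone", attrs)))
```

The point the answer makes is visible in the result: the role definition is the same for every user, and only the rendered query differs. A user with no `c` attribute gets an empty term value and therefore sees nothing, which is the fail-closed behaviour you want from an attribute-driven filter.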

Hi,
Thank you for the answer:

```
<saml:Attribute Name="c" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">AT</saml:AttributeValue>
</saml:Attribute>
```

This is how we have it.
Also, shouldn't this c attribute be added to the role mapping in Kibana?

OK, then it's metadata.saml(c); nothing much changes.

No. You don't want different roles depending on the country code. You want one role that gives access to different documents depending on the country code. It should be part of the role definition only, not the role mapping.

Hi,
I tried but it was not working.
What about if I set it in attributes.mail in elasticsearch.yml?
How can I set it in the document query?

```
"term" : { "country_code" : "{{_user.mail}}" }
```

Thank you,
Victor

This is not helpful. What did you try, how, and how did it not work?

There is no reason to do this.