I would like to do the SAML role Mapping for all the users in the group ELK_Group to have superuser privileges. However, the below role_mapping is not working.
I have changed that to groups, still there is no progress. Basically, it is not mapping properly, as the return gives a list and the mapping is matching with a string "ELK_Group"; there should be a mechanism to search through the list provided
[SamlAttributes(null)[null]{[nameid:persistent=[username@email.com], http://schemas.xmlsoap.org/claims/Group=[Domain Users, APP1_Group, APP2_Group, ELK_Group, APP4_Group]]}]
and then pick the ELK_Group. If he is part of any ELK group, then I should do the role mapping.
Came across role_templates:
```
POST /_security/role_mapping/adfs_role_owner
{
  "role_templates": [
    {
      "template": { "source": "{{#tojson}}groups{{/tojson}}" },
      "format": "json"
    }
  ],
  "rules": {
    "all": [
      { "field": { "realm.name": "saml1" } },
      { "field": { "groups": "ELK_Group" } }
    ]
  },
  "enabled": true
}
```
However, this is not solving it either. Any idea?
Thanks & Regards
Ram
In your SAML realm configuration I see that the attribute name is different than the list of SAML attributes that are parsed from the token.
From elasticsearch.yml: attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
and from the log message ""
It looks like you have a misconfiguration here. nameid:persistent=[username@email.com]
This means that you have configured ADFS to release a SAML attribute with the name nameid:persistent. That works, but it's always a bad idea.
In Elasticsearch nameid:persistent is a magic value that means Don't read the value from a SAML attribute, read it from the <NameID> (but only if the nameid is persistent).
Naming an attribute nameid:persistent is just asking for trouble.
You need to tell us exactly what you changed, so please share your updated configuration.
Also, you shouldn't need to use role templates for your use case. If I understand this correctly, you need all users that are members of the ELK_Group to get the superuser role, correct?
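To make the "no role templates needed" point concrete, here is an added example (not code from Elastic or from anyone in this thread) that holds a plain rule-based mapping for the ELK_Group use case and evaluates it against a user built from the attributes quoted in the log line above. The rule evaluator is a simplified reimplementation of the documented role-mapping semantics (all / any / except / field, a field rule matching when any value of a multi-valued attribute equals the rule value, and `*` wildcards); the mapping name `elk_superusers` and the user records are constructed for the example.

```python
"""Simplified evaluation of an Elasticsearch SAML role mapping (added example).

Not Elastic's code: a plain-Python re-implementation of the documented rule
semantics, so a mapping can be sanity-checked without a running cluster.
"""
import re

# Rule-based mapping, no role_templates: a user authenticated by realm saml1
# whose mapped `groups` attribute contains ELK_Group receives superuser.
# This is the body that would be sent to PUT /_security/role_mapping/elk_superusers
# (mapping name assumed for the example).
ELK_SUPERUSER_MAPPING = {
    "roles": ["superuser"],
    "enabled": True,
    "rules": {
        "all": [
            {"field": {"realm.name": "saml1"}},
            {"field": {"groups": "ELK_Group"}},
        ]
    },
}

# User as the realm presents it to role mapping, constructed from the thread's
# log line: the principal from the NameID, `groups` from the
# http://schemas.xmlsoap.org/claims/Group attribute (the realm's
# attributes.groups setting must point at that attribute for this to be filled).
SAML_USER = {
    "username": "username@email.com",
    "groups": ["Domain Users", "APP1_Group", "APP2_Group", "ELK_Group", "APP4_Group"],
    "realm": {"name": "saml1"},
    "metadata": {},
}


def _lookup(user, dotted):
    """Resolve a dotted field name such as realm.name or metadata.department."""
    node = user
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _matches_value(have, want):
    """Compare one attribute value with one rule value; `*` in a string rule value is a wildcard."""
    if isinstance(want, str) and "*" in want:
        pattern = ".*".join(re.escape(piece) for piece in want.split("*"))
        return re.fullmatch(pattern, str(have)) is not None
    return have == want


def _field_rule(user, field):
    """A field rule has a single key; it matches if ANY user value matches ANY rule value."""
    (name, want), = field.items()
    have = _lookup(user, name)
    if have is None:
        have_values = []
    elif isinstance(have, list):
        have_values = have          # multi-valued attribute, e.g. groups
    else:
        have_values = [have]
    want_values = want if isinstance(want, list) else [want]
    return any(_matches_value(h, w) for h in have_values for w in want_values)


def evaluate_rule(rule, user):
    """Recursively evaluate a role-mapping rule object against a user."""
    (kind, body), = rule.items()
    if kind == "all":
        return all(evaluate_rule(sub, user) for sub in body)
    if kind == "any":
        return any(evaluate_rule(sub, user) for sub in body)
    if kind == "except":
        return not evaluate_rule(body, user)
    if kind == "field":
        return _field_rule(user, body)
    raise ValueError(f"unknown rule type: {kind!r}")


def roles_for(mapping, user):
    """Roles this one mapping grants the user; a cluster unions all enabled mappings."""
    if not mapping.get("enabled", True):
        return []
    if evaluate_rule(mapping["rules"], user):
        return list(mapping.get("roles", []))
    return []


if __name__ == "__main__":
    print(roles_for(ELK_SUPERUSER_MAPPING, SAML_USER))  # ['superuser']
```

The point the evaluator makes is that a `field` rule on `groups` already scans every value of the list, so no template or custom search is needed; if the mapping still grants nothing, the `groups` attribute was not populated by the realm, which is what the attribute-name mismatch noted above causes.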
Thanks for your reply. I have added your changes and I think it is matching the values now. However, the TRACE/DEBUG error messages are not informing me a lot. Would you mind looking at it once please? I have also added the changes which were mentioned by Yogesh.
[SamlToken{3c73616d--------------2049443d225f63306433383232352d393961622d343939302d396562392d63353230393735316634393622205665727369...}] to attributes [SamlAttributes(NameId(null)=username@email.com) {[_3f3a807d-----4810-84d0-1ecd5faa62b4]{[http://schemas.xmlsoap.org/claims/Group=[Domain Users, APP1_Group, APP2_Group, ELK_Group, APP4_Group]]}]"
And also the browser displays an error message, where the realm is switched back to basic:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }"}
Thanks Ioannis, I have changed that configuration and I am receiving the below error
{"type": "server", "timestamp": "2019-10-29T11:54:48,095+0000", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-2", "cluster.uuid": "DNY-13o", "node.id": "NP5gGFycRZ-3rXew6H_GmA", "message": "Authentication to realm saml1 failed - SAML Attribute [nameid:persistent] for [xpack.security.authc.realms.saml.saml1.attributes.principal] not found in saml attributes[http://schemas.xmlsoap.org/claims/Group=[Domain Users, APP1_Group, APP2_Group, ELK_Group, APP4_Group]]}]"
Let's take a step back. Many of us chimed in to help and it might have got confusing, apologies. The latest error you get now isn't related to the changes I suggested, but to the changes you made due to what Tim was suggesting, which unfortunately weren't enough to address his points.
It doesn't. What you have done now is configure ADFS to release a NameID without a format. This is again almost always wrong. You don't have to use a NameID, but if you do, you need to configure it correctly. We can't help you much with your ADFS configuration, but you need to
either figure out how to release a NameID with persistent format ( based on the value of some attribute ) and configure elasticsearch to map this to the principal property
or use any other attribute to map to the principal property. I.e. UPN
The possibilities for correct configuration are many and there isn't a better/simple/only one I can suggest. So I'll suggest one that works and feel free to alter this to your liking.
Configure ADFS to release a persistent NameID. There's enough ADFS related documentation around this, e.g. see Name Identifiers in SAML assertions | Microsoft Learn and check the section with the subtitle "Persistent name identifier". You need to select which AD value you would pass as the value of the NameID (== what you should select for "Incoming claim type" in the screenshot); UPN is a good candidate.
Change nameid_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified to nameid_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in your configuration.
The reason I made it nameid_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is because the SAML Response was giving InvalidNameIDPolicy:
{"type": "server", "timestamp": "2019-10-29T14:46:03,856+0000", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-1", "cluster.uuid": "DNY-13ojQOKW5ex36jzTJw", "node.id": "Ngh6YsWIQQ2TfRZkkoeetA", "message": "Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: The SAML IdP did not grant the request. It indicated that the Elastic Stack side sent something invalid (urn:oasis:names:tc:SAML:2.0:status:Requester). Specific status code which might indicate what the issue is: [urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy]])" }
Yes I have reverted the configuration and I get the previous error {"type": "server", "timestamp": "2019-10-29T11:54:48,095+0000", "level": "WARN", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "elasticsearch", "node.name": "elasticsearch-master-2", "cluster.uuid": "DNY-13o", "node.id": "NP5gGFycRZ-3rXew6H_GmA", "message": "Authentication to realm saml1 failed - SAML Attribute [nameid:persistent] for [xpack.security.authc.realms.saml.saml1.attributes.principal] not found in saml attributes[http://schemas.xmlsoap.org/claims/Group=[Domain Users, APP1_Group, APP2_Group, ELK_Group, APP4_Group]]}]"
You don't assign role mappings to users. You create role mappings that assign roles to users. The role mappings contain logic that dictates which roles users will get depending on some of their attributes in AD.