Hi
I am trying to map groups from my IDP. I can see in the SAML attributes that the group is provided see the json bellow
<saml2p:Response Destination="https://cc3412ce750740298512d2c9624fd110.ece.domain.com:9243/api/security/v1/saml"
ID="Response_d235f939b3b408ebd8b3bdf2a8d74061dbdcbf32"
InResponseTo="_634594a4437229e41496c1e69dfbd083dbe6bef8"
IssueInstant="2020-03-26T08:02:54.381Z"
Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso-int.domain.com/SAML2/SSO</saml2:Issuer>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="Assertion_f246e08f4bc497ecbf3d005f126c312d1770778c"
IssueInstant="2020-03-26T08:02:54.379Z"
Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer>https://sso-int.domain.com/SAML2/SSO</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#Assertion_f246e08f4bc497ecbf3d005f126c312d1770778c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="xs"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>GiystWr16cAOMoT5O7Vy6UFfYBs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>IpQz6bHRtty/GtwDjs+xegzlvn68af1VnsvRZZ1li+wldoBVS4SAEIV4i0PuEgwkJGDSjx+K8S9YvE+rwlU5kJK17QyMI4OgWxdjF8Mzl56L/4lAWlIDicH9ormvG8/Q461i7YBWQAOyISRs26lXQMnAlS73OnbP983dPInL+MRKpALAxuMIcnWE5szE5+eFGNM3KIlCVKy1cdkaFWeT7jATLS3tavnSXPhvII2mLDN+2i+nH5Oang2xwfLKIf7OtWcB8CILJnX/nMhALPSnfgFQNerFxgnsOKIrzHveunnrma+NmQ+pgtGtjmJY3fwgCt1bFBDMutRMiKZTpHD/wg==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509SKI>3Gp+XkmU8vgCb0QU+BN6XGnS72s=</ds:X509SKI>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">pera01</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2020-03-26T08:03:04.381Z"
Recipient="https://cc3412ce750740298512d2c9624fd110.ece.domain.com:9243/api/security/v1/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2020-03-26T08:02:54.379Z"
NotOnOrAfter="2020-03-26T08:03:54.379Z"
/>
<saml2:AuthnStatement AuthnInstant="2020-03-26T08:02:54.379Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:nevis:level:1</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="Username">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>pera01</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="groups">
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>CN=udspzzzp01_role_platform,OU=roles</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
In my elastic config :
samlint:
order: 2
attributes.principal: "nameid"
attributes.groups: "groups"
I added the mapping from the API :
{
"enabled": true,
"roles": [ " superuser" ],
"rules": { "all": [
{ "field": { "realm.name": "samlint" } },
{ "field": { "groups": "CN=udspzzzp01_role_platform,OU=roles" } }
] }
}
What am I missing ?
Thanks a lot