SAML group mapping

Hi
I am trying to map groups from my IDP. I can see in the SAML attributes that the group is provided, see the json below

<saml2p:Response Destination="https://cc3412ce750740298512d2c9624fd110.ece.domain.com:9243/api/security/v1/saml"
                 ID="Response_d235f939b3b408ebd8b3bdf2a8d74061dbdcbf32"
                 InResponseTo="_634594a4437229e41496c1e69dfbd083dbe6bef8"
                 IssueInstant="2020-03-26T08:02:54.381Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://sso-int.domain.com/SAML2/SSO</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="Assertion_f246e08f4bc497ecbf3d005f126c312d1770778c"
                     IssueInstant="2020-03-26T08:02:54.379Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer>https://sso-int.domain.com/SAML2/SSO</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#Assertion_f246e08f4bc497ecbf3d005f126c312d1770778c">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="xs"
                                                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>GiystWr16cAOMoT5O7Vy6UFfYBs=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>IpQz6bHRtty/GtwDjs+xegzlvn68af1VnsvRZZ1li+wldoBVS4SAEIV4i0PuEgwkJGDSjx+K8S9YvE+rwlU5kJK17QyMI4OgWxdjF8Mzl56L/4lAWlIDicH9ormvG8/Q461i7YBWQAOyISRs26lXQMnAlS73OnbP983dPInL+MRKpALAxuMIcnWE5szE5+eFGNM3KIlCVKy1cdkaFWeT7jATLS3tavnSXPhvII2mLDN+2i+nH5Oang2xwfLKIf7OtWcB8CILJnX/nMhALPSnfgFQNerFxgnsOKIrzHveunnrma+NmQ+pgtGtjmJY3fwgCt1bFBDMutRMiKZTpHD/wg==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509SKI>3Gp+XkmU8vgCb0QU+BN6XGnS72s=</ds:X509SKI>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">pera01</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2020-03-26T08:03:04.381Z"
                                               Recipient="https://cc3412ce750740298512d2c9624fd110.ece.domain.com:9243/api/security/v1/saml"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2020-03-26T08:02:54.379Z"
                          NotOnOrAfter="2020-03-26T08:03:54.379Z"
                          />
        <saml2:AuthnStatement AuthnInstant="2020-03-26T08:02:54.379Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:nevis:level:1</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="Username">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >pera01</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="groups">
                <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >CN=udspzzzp01_role_platform,OU=roles</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

In my elastic config :

samlint:
  order: 2
  attributes.principal: "nameid"
  attributes.groups: "groups"

I added the mapping from the API :

{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules": {
    "all": [
      { "field": { "realm.name": "samlint" } },
      { "field": { "groups": "CN=udspzzzp01_role_platform,OU=roles" } }
    ]
  }
}

What am I missing?

Thanks a lot

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

It depends. What are you trying to do? What do you expect to happen? What happens instead?

I tried to map the member of the group "CN=udspzzzp01_role_platform,OU=roles" with the role superuser.
The users are able to connect but I am not allowed to check the users/roles from the kibana GUI.

superuser is an elasticsearch role. You also need to give your users a role that gives them access to the Kibana interface, try kibana-admin (see here for more details).

I'd like to stress that it is strongly suggested that you create the roles that give your users access to exactly the data in elasticsearch and the features in kibana that you need, and do not rely on coarse-grained built-in users such as superuser and kibana-admin, as these allow far more things than your users need.

Thanks, I agree. The thing is, at first I want to see that the mapping actually works. And then I'll actually focus on the "real" rights.

Ok I got it figured out.

I had more than one mapping. Removing them all and just adding the one with the group solved it.

Is there a way to have a mapping for all users that don't match a group to have default access?

Thanks.

This is a role engineering problem, not a SAML or elasticsearch specific one, I would say. I would go about creating 2 roles:

  • A base one that gives your users "default access"; mind you, you have to define what "default access" is for your case, there is no such concept in the Elastic Stack
  • A more privileged one to give to the members of the group.

Then create two role mappings, one to give all that login via SAML (only a { "field": { "realm.name": "samlint" } } rule, that is) the base role, and one such as the one you already have (if they login via saml and are in the group, to get the more privileged role).
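The two-mapping design above relies on role mappings being additive: a user receives the union of the roles from every enabled mapping whose rules match. As an added example (not part of the original thread and not Elasticsearch's own code), the Python below holds the two mapping documents in the shape accepted by `PUT /_security/role_mapping/<name>` and evaluates their `all` / `any` / `except` / `field` rules against a few constructed SAML users, so you can see which roles each user would end up with before touching a cluster. The role names `saml_base` and `platform_admin` and the users other than `pera01` are assumptions; the evaluator is a deliberate simplification of the real one (plain, case-sensitive string comparison with `*` wildcards and `/regex/` patterns; Elasticsearch additionally normalises DN-shaped values and uses Lucene regex syntax).

```python
import re

# Constructed role-mapping documents (assumed role names "saml_base" and
# "platform_admin"), in the shape of PUT /_security/role_mapping/<name>.
ROLE_MAPPINGS = {
    "samlint_base": {
        "enabled": True,
        "roles": ["saml_base"],
        "rules": {"field": {"realm.name": "samlint"}},
    },
    "samlint_platform": {
        "enabled": True,
        "roles": ["platform_admin"],
        "rules": {"all": [
            {"field": {"realm.name": "samlint"}},
            {"field": {"groups": "CN=udspzzzp01_role_platform,OU=roles"}},
        ]},
    },
}

# Constructed users in the shape the mapping rules see: username, realm name,
# groups from the SAML "groups" attribute. Only pera01 appears in the thread.
PLATFORM_USER = {"username": "pera01", "realm": {"name": "samlint"},
                 "groups": ["CN=udspzzzp01_role_platform,OU=roles"]}
PLAIN_SAML_USER = {"username": "someone", "realm": {"name": "samlint"},
                   "groups": ["CN=other_group,OU=roles"]}
NATIVE_USER = {"username": "admin", "realm": {"name": "native"}}


def _user_values(user, field):
    """Values of a rule field ("username", "dn", "groups", "realm.name",
    "metadata.<key>") for a user, always as a list so that multi-valued
    fields such as groups and scalars are handled the same way."""
    if field == "realm.name":
        val = user.get("realm", {}).get("name")
    elif field.startswith("metadata."):
        val = user.get("metadata", {}).get(field[len("metadata."):])
    else:
        val = user.get(field)
    if val is None:
        return []
    return list(val) if isinstance(val, (list, tuple)) else [val]


def _value_matches(rule_value, user_value):
    """Match one rule value against one user value. Strings support '*'
    wildcards and /regex/ patterns (Python regex here, as an approximation of
    Lucene's); other types must be equal. Comparison is exact and
    case-sensitive, so a stray space in the mapping never matches."""
    if isinstance(rule_value, str) and isinstance(user_value, str):
        if len(rule_value) > 1 and rule_value.startswith("/") and rule_value.endswith("/"):
            return re.fullmatch(rule_value[1:-1], user_value) is not None
        pattern = ".*".join(re.escape(part) for part in rule_value.split("*"))
        return re.fullmatch(pattern, user_value) is not None
    return rule_value == user_value


def evaluate(rule, user):
    """Evaluate one role-mapping rule tree against a user."""
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        (field, expected), = rule["field"].items()
        expected_list = expected if isinstance(expected, list) else [expected]
        return any(_value_matches(e, v)
                   for e in expected_list for v in _user_values(user, field))
    raise ValueError(f"unknown rule: {rule!r}")


def resolve_roles(user, mappings=ROLE_MAPPINGS):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    for u in (PLATFORM_USER, PLAIN_SAML_USER, NATIVE_USER):
        print(u["username"], "->", resolve_roles(u))
```

Running it prints `saml_base` plus `platform_admin` for pera01, only `saml_base` for the other SAML user and nothing for the native user. Because mappings only ever add roles, you do not need an `except` rule to give non-members "default access"; `except` is there if you ever want a mapping that applies only to users outside the group, and the evaluator handles it.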

It is all good, it all works as expected. Thanks a lot