SAML role mapping with wildcard

Hi

I am configuring role mapping on my cluster. As the user has multiple roles/groups, I am trying to map the role with a wildcard. How should I do it?

From the API:

POST /_xpack/security/role_mapping/plateform-admin
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": { "all": [
    { "field": { "realm.name": "samlprod" } },
    { "field": { "roles": "*CN=udspzzzp01_role_platform*" } }
  ] }
}

The complete roles list:
CN=udspzzzp01_pki_admin,OU=resources,OU=udspzzzp01,OU=tenants,DC=msad,DC=udsp,DC=ch,CN=udspzzzp01_zenoss_admin,CN=udspzzzp01_role_platform,OU=roles,1

Thanks a lot
Raphael

Do you want for a user with all these roles in your IDP to get the superuser role in Elasticsearch, or a user with any of these roles in your IDP to get the superuser role in Elasticsearch?

Hi
In my case, I want the user with the IDP role:
CN=udspzzzp01_role_platform

To have superuser role in Elastic.

Thanks

You need to
a) Figure out which SAML attribute the SAML IDP is using to send that group/role in the SAML Response message. You can ask your IDP administrator or you can enable TRACE logging for SAML (see how here at the bottom of the page) and look at your elasticsearch logs.

b) Figure out the actual value that this group/role has. CN=udspzzzp01_role_platform is not a complete DN so it's not likely that this is the value that the IDP is sending. Again, you can ask your IDP administrator or you can enable TRACE logging for SAML in elasticsearch.

c) Let's say you figured out that the IDP is sending this information in an attribute named TheRoleAttribute and the value of the group is CN=udspzzzp01_role_platform,OU=resources,OU=udspzzzp01,OU=tenants,DC=msad,DC=udsp,DC=ch.
In your elasticsearch.yml, you need to set

attributes.groups: TheRoleAttribute

and the role mapping should become

{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": { "all": [
    { "field": { "realm.name": "samlprod" } },
    { "field": { "groups": "CN=udspzzzp01_role_platform,OU=resources,OU=udspzzzp01,OU=tenants,DC=msad,DC=udsp,DC=ch" } }
  ]}
}

This is also explained in much more detail in our docs, please see here https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#saml-attribute-mapping and https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-role-mapping.html

HTH
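
To see why the original mapping matched nothing while the corrected one works, here is an added example (not from the thread or from Elasticsearch itself) that re-implements the role-mapping rule DSL (all / any / except / field, with `*` wildcards) and runs both mappings against a constructed SAML user; the user properties, attribute values and the flattened `realm.name` key are assumptions chosen to mirror the thread.

```python
import fnmatch

# Constructed user as seen by role-mapping rules after a SAML login.
# 'groups' is only populated when attributes.groups is set in elasticsearch.yml.
SAML_USER = {
    "username": "raphael",
    "realm.name": "samlprod",
    "groups": [
        "CN=udspzzzp01_pki_admin,OU=resources,OU=udspzzzp01,OU=tenants,DC=msad,DC=udsp,DC=ch",
        "CN=udspzzzp01_role_platform,OU=resources,OU=udspzzzp01,OU=tenants,DC=msad,DC=udsp,DC=ch",
    ],
}

def field_matches(user, name, pattern):
    """A 'field' rule: a user property must equal the pattern, '*' being a
    wildcard. A property the user does not have (such as 'roles') never
    matches, which is why the first mapping in the thread was silently dead."""
    value = user.get(name)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns)

def evaluate(rule, user):
    """Evaluate one rule object of the role-mapping DSL (assumed simplified)."""
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        (name, pattern), = rule["field"].items()
        return field_matches(user, name, pattern)
    raise ValueError(f"unknown rule: {rule}")

# Mapping from the question: 'roles' is not a property of the SAML user.
BROKEN_RULES = {"all": [
    {"field": {"realm.name": "samlprod"}},
    {"field": {"roles": "*CN=udspzzzp01_role_platform*"}},
]}
# Corrected mapping: match the full DN in 'groups' (fed by attributes.groups).
FIXED_RULES = {"all": [
    {"field": {"realm.name": "samlprod"}},
    {"field": {"groups": "CN=udspzzzp01_role_platform,OU=resources,OU=udspzzzp01,OU=tenants,DC=msad,DC=udsp,DC=ch"}},
]}

def mapped_roles(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for m in mappings:
        if m.get("enabled", True) and evaluate(m["rules"], user):
            roles.update(m["roles"])
    return roles
```

Because `field` values accept wildcards, a pattern such as `*udspzzzp01_role_platform*` on `groups` also matches, so the full DN is only needed when the exact group must be pinned down.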

Hello
Thanks a lot, what I was doing wrong was the field name in the mapping. I put the same as the RoleAttribute instead of "groups".

It does work now.

Thank you, best regards
Raphael
