SAML SSO - Associate the roles to the user (not groups)


I have set up an IdP with a User with the following attributes:

  • 'email' => ''
  • 'User.fullname' => 'User 1'
  • 'User.roles' => array('admin')

And have set up Elasticsearch's SAML settings:

  • attributes.principal:"email"
  • attributes.groups:"User.roles"

However, as far as I understood, I still have to create a role mapping that will map, for example, the group admin to the role superuser (<elasticsearch-host-and-port>/_xpack/security/role_mapping/)

How can I avoid this step?

More context: The roles and permissions are managed externally (we use custom realms for this purpose). I just need Elasticsearch to resolve the permissions using the roles defined in the IdP, without needing the association Group -> Role for each possible role.


Apologies, but can you clarify what you want to achieve?

Yes, this is the usual step to get the SAML attributes that the IDP sends mapped to Elasticsearch roles.

If you don't want to do this via the Role Mapping API, how will your user get the Roles? Is that via a custom Role Provider? And if so, is that already in place and working, or is it something that you plan on building?


We have a:

  • Custom Realm that delegates authentication to our system, which returns the user and its roles.
  • Custom Roles Provider that, given a user's roles (retrieved in our custom authentication Realm), retrieves from our system the set of roles and their permissions and tells whether the user is authorized to access an Elastic stack resource.

I am testing replacing this custom realm with a SAML IdP; however, this SAML realm returns the groups and not the roles, which led me to the role mapping endpoint. My goal and question is for the SAML realm to create a model of the user when authenticating that already includes the roles from the SAML attributes (inside User.roles).

Can't the SAML Realm automatically retrieve the User.roles attribute and map it to an Elasticsearch role (instead of a group)?

No, unfortunately this is not possible. Elasticsearch is authoritative for its own Authorization logic so you can't just pass it the Elasticsearch Role names via SAML.
You don't need to map it to groups per se, but you would still need to statically create 1 role mapping per IDP role, as:

PUT _xpack/security/role_mapping/role_1
{
  "roles" : [ "role_1" ],
  "rules" : { "field" : { "metadata.saml(User.roles)" : "role_1" } },
  "enabled": true
}

Then you could keep on using your existing Custom Role Provider to resolve role_1 to permissions.

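The "one role mapping per IDP role" step from the answer above, as an added example (not code from the thread or from Elasticsearch): it generates the PUT requests for a list of IdP role names and dry-runs the resulting "field" rules against a constructed SAML user, so you can see which roles a user with a given User.roles attribute would receive before touching the cluster. The shape of the user metadata (one "saml(<attribute>)" entry per SAML attribute, multi-valued) and the sample values are assumptions for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample user, shaped like the metadata the SAML realm attaches to an
# authenticated user: each SAML attribute appears as "saml(<attribute name>)" (assumed).
# Attribute names are the ones from the thread; the values are made up for this example.
SAMPLE_USER = {
    "metadata": {
        "saml(email)": ["user1@example.invalid"],
        "saml(User.fullname)": ["User 1"],
        "saml(User.roles)": ["admin", "role_1"],
    },
}
GROUPS_ATTRIBUTE = "User.roles"  # the realm's attributes.groups setting

def role_mapping_body(role_name: str, attribute: str = GROUPS_ATTRIBUTE) -> Dict[str, Any]:
    """Body of one role mapping: IdP role <name> -> Elasticsearch role <name>."""
    return {
        "roles": [role_name],
        "rules": {"field": {f"metadata.saml({attribute})": role_name}},
        "enabled": True,
    }

def role_mapping_requests(role_names: List[str]) -> List[str]:
    """One PUT per IdP role, ready to paste into the Kibana dev console."""
    return [
        f"PUT _xpack/security/role_mapping/{name}\n"
        + json.dumps(role_mapping_body(name), indent=2)
        for name in role_names
    ]

def field_rule_matches(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Dry-run of a 'field' rule: a multi-valued field matches if any value equals the expected one."""
    (field, expected), = rule["field"].items()
    # Only metadata.* fields are needed here (the saml(...) attributes).
    value = user["metadata"].get(field.removeprefix("metadata."))
    values = value if isinstance(value, list) else [value]
    return expected in values

def resolved_roles(mappings: List[Dict[str, Any]], user: Dict[str, Any]) -> List[str]:
    """Roles the enabled mappings would grant the user; IdP roles without a mapping grant nothing."""
    granted: List[str] = []
    for mapping in mappings:
        if mapping["enabled"] and field_rule_matches(mapping["rules"], user):
            granted.extend(mapping["roles"])
    return sorted(set(granted))
```

An IdP role that has no mapping (for instance "auditor" below) is silently dropped, which is exactly why the answer says every IdP role needs its own mapping.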

Thank you for your feedback! This step is a bit cumbersome in my use-case but I understand the limitation.
