I have set up an IdP (simplesamlphp.org) with a user with the following attributes:
'email' => 'user1@system.com'
'User.fullname' => 'User 1'
'User.roles' => array('admin')
And have set up Elasticsearch's SAML settings:
attributes.principal:"email"
attributes.groups:"User.roles"
However, as far as I understood, I still have to create a role mapping that will map, for example, the group admin to the role superuser (<elasticsearch-host-and-port>/_xpack/security/role_mapping/)
How can I avoid this step?
More context: The roles and permissions are managed externally (we use custom realms for this purpose). I just need Elasticsearch to resolve the permissions using the roles defined in the IdP, without the need to have the association Group -> Role for each possible role.
Apologies, but can you clarify what you want to achieve?
Yes, this is the usual step to get the SAML attributes that the IDP sends mapped to Elasticsearch roles.
If you don't want to do this via the Role Mapping API, how will your user get the roles? Is that via a custom Role Provider? And if so, is that already in place and working, or is it something that you plan on building?
Custom Realm that delegates authentication to our system which returns the user and its roles.
Custom Roles Provider that, given a user's roles (retrieved in our custom authentication realm), retrieves from our system the set of roles and their permissions and tells whether the user is authorized to access an Elastic Stack resource.
I am testing replacing this custom realm with a SAML IdP; however, this SAML realm returns the groups and not the roles, which led me to the role mapping endpoint. My goal and question is for the SAML realm to create a model of the user when authenticating that already includes the roles from the SAML attributes (inside User.roles).
No, unfortunately this is not possible. Elasticsearch is authoritative for its own Authorization logic so you can't just pass it the Elasticsearch Role names via SAML.
You don't need to map it to groups per se, but you would still need to statically create 1 role mapping per IDP role as
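To make the "one role mapping per IdP role" answer concrete, here is an added example (not code from the thread, Elastic, or simplesamlphp) that generates one role mapping document per IdP group and PUTs it to the endpoint mentioned in the question. It assumes a SAML realm named "saml1" (a hypothetical name; use whatever your realm is called) with attributes.groups set to "User.roles", a constructed group-to-role table, and a local Elasticsearch with basic-auth credentials that are placeholders. Each mapping rule also requires realm.name to match, so an identically named group from another realm does not pick up the role.

```python
"""Generate (and optionally PUT) one Elasticsearch role mapping per IdP group.

Added example; not from the original thread. Assumed: a SAML realm named
"saml1" (hypothetical) whose `attributes.groups` setting is "User.roles", so
the IdP's User.roles values arrive in the user's `groups` field.
"""
import base64
import json
import urllib.request

# Constructed sample table: IdP group (a User.roles value) -> Elasticsearch
# role. Every pair below becomes exactly one role mapping document.
GROUP_TO_ROLE = {
    "admin": "superuser",
    "analyst": "kibana_user",
}


def role_mapping_body(realm_name, group, role):
    """Build the body for PUT /_xpack/security/role_mapping/<name>.

    The rule matches only users authenticated by `realm_name` whose
    `groups` field contains `group`; matching users are granted `role`.
    """
    return {
        "enabled": True,
        "roles": [role],
        "rules": {
            "all": [
                {"field": {"realm.name": realm_name}},
                {"field": {"groups": group}},
            ]
        },
        "metadata": {"source": "generated", "idp_group": group},
    }


def mapping_name(realm_name, group):
    """Deterministic mapping name, so re-running the script overwrites in place."""
    return f"{realm_name}-{group}"


def build_mappings(realm_name, group_to_role):
    """Return {mapping name: mapping body} for every group in the table."""
    return {
        mapping_name(realm_name, group): role_mapping_body(realm_name, group, role)
        for group, role in group_to_role.items()
    }


def put_role_mapping(es_url, auth, name, body, dry_run=True):
    """PUT one mapping. With dry_run=True nothing is sent; the (url, body)
    pair that would have been sent is returned instead. With dry_run=False
    the parsed JSON response from Elasticsearch is returned as the body."""
    url = f"{es_url}/_xpack/security/role_mapping/{name}"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    if auth:  # (user, password) tuple for HTTP basic auth
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    if dry_run:
        return url, body
    with urllib.request.urlopen(req) as resp:
        return url, json.loads(resp.read())


if __name__ == "__main__":
    # Placeholder endpoint and credentials; set dry_run=False to really apply.
    es_url, auth = "http://localhost:9200", ("elastic", "changeme")
    for name, body in build_mappings("saml1", GROUP_TO_ROLE).items():
        url, sent = put_role_mapping(es_url, auth, name, body, dry_run=True)
        print("PUT", url)
        print(json.dumps(sent, indent=2))
```

After applying the mappings, log in through the SAML realm and call GET /_xpack/security/_authenticate as that user: the `roles` array in the response is the set Elasticsearch actually resolved, which is the quickest way to confirm that a User.roles value reached the `groups` field and matched a rule.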