SAML with Azure AD

I wanted to share my SAML configuration with Azure AD
No documentation I found is 100% correct
In a hot-warm deployment you must configure both elasticsearch instances

Elasticsearch config

order: 2
attributes.principal: ""
attributes.groups: ""
idp.metadata.path: ""
idp.entity_id: ""
sp.entity_id: ""
sp.acs: ""
sp.logout: ""

Kibana config [ "saml", "basic" ]
server.xsrf.whitelist: [ "/api/security/v1/saml" ]
protocol: "https"
hostname: ""
port: 9243


Really appreciate this, thanks!

What were the docs that were wrong? Was is just that you had to do it in 2 places for hot-warm (the need to do everything under all topologies is something we're addressing soon)

type: saml -> does not work with newer versions of elasticsearch

attributes.principal: "nameid:persistent" -> that does not work with Azure AD, even if you set nameid persistent in the Azure config

This is true because the realm configuration syntax changed slightly in 7.0 for Elasticsearch and it is not very easy to document for Elastic Cloud as it supports multiple versions of Elasticsearch. We are working on it and we will update the documentation accordingly.

Can you please share with us what "does not work" meant in your case ? By the way, if you refer to the docs in Secure your clusters with SAML | Elasticsearch Service Documentation | Elastic, we - attempt to - clearly state that nameid:persistent is only used as an example of how attributes.principal can be configured and we point to the relevant docs explaining the options you have.

Defines the SAML attribute that is going to be mapped to the principal (username) of the authenticated user in Kibana. In this example, nameid:persistent maps the NameID with the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent format from the Subject of the SAML Assertion. See the attribute mapping documentation for details and available options

We'd be more than happy to get your feedback regarding whether you still found this unclear and why.

@hmayer This may help in determining what claims are supported by Azure Active Directory, by default:

For me it was not clear that I could not use
attributes.principal: "nameid:persistent" with Azure AD

The mapping "nameid:persistent" does not work with Azure AD

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.