Separating groups from SAML response

Dear Team,

I am trying to set up SAML integration for Kibana access.
My login works, but I am facing a challenge assigning roles to the user.

On enabling debug tracing, I see that all the groups the user is a member of in the user repository are mapped as one string, e.g.

[2018-08-29T10:03:41,585][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [fvn010107] Mapping user [UserData{username:GOO03803; dn:null; groups:[CN=E1 contr. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 system administration,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 contr. doc OPS acc&cust,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 PCC control,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 rep. doc CRM C&MB,OU=Groups,OU=ENO,OU=services,o=ed, CN=EO System Administrator LU,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 rep. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 rep. doc OPS acc&cust,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 PCC Servicedesk create,OU=Groups,OU=ENO,OU=services,o=ed];

Every entry from CN=E1 contr. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed up to here is one group,
and I am trying to map it to one role.

I feel it would help if I could specify a separator character and tell ES to use it when mapping to roles.

Can you please guide me on how this can be achieved?

regards,
indi

That's probably not the case. The debug logging is ambiguous, but this looks like it is actually a list.

groups:[CN=E1 contr. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 system administration,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 contr. doc OPS acc&cust,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 PCC control,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 rep. doc CRM C&MB,OU=Groups,OU=ENO,OU=services,o=ed, CN=EO System Administrator LU,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 rep. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 rep. doc OPS acc&cust,OU=Groups,OU=ENO,OU=services,o=ed, CN=E1 PCC Servicedesk create,OU=Groups,OU=ENO,OU=services,o=ed]

is probably actually this, but the log representation doesn't make that clear.

  • CN=E1 contr. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 system administration,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 contr. doc OPS acc&cust,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 PCC control,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 rep. doc CRM C&MB,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=EO System Administrator LU,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 rep. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 rep. doc OPS acc&cust,OU=Groups,OU=ENO,OU=services,o=ed
  • CN=E1 PCC Servicedesk create,OU=Groups,OU=ENO,OU=services,o=ed

Where there is a ", ", that's (probably) due to the way the log entry formats the list entries.
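To see how role mapping rules would treat that list, here is an added Python example (not code from the thread or from Elastic) that re-implements the any/all/except/field rule DSL locally and evaluates a hypothetical mapping body, in the shape the role_mapping API accepts, against the logged groups; the realm name saml1, the role kibana_admin and the mapping itself are assumptions.

```python
import re

# Group DNs copied from the debug log entry above, one list element per group
# (the log prints the list with ", " between elements).
LOGGED_GROUPS = [
    "CN=E1 contr. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed",
    "CN=E1 system administration,OU=Groups,OU=ENO,OU=services,o=ed",
    "CN=EO System Administrator LU,OU=Groups,OU=ENO,OU=services,o=ed",
    "CN=E1 PCC Servicedesk create,OU=Groups,OU=ENO,OU=services,o=ed",
]
# Constructed user data in the shape a mapping sees; "saml1" is an assumed realm name.
LOGGED_USER = {"username": "GOO03803", "dn": None, "groups": LOGGED_GROUPS, "realm.name": "saml1"}

# Hypothetical body for POST /_xpack/security/role_mapping/<name>: kibana_admin for SAML users in an admin group.
ADMIN_MAPPING = {
    "enabled": True,
    "roles": ["kibana_admin"],
    "rules": {"all": [
        {"field": {"realm.name": "saml1"}},
        {"any": [
            {"field": {"groups": "CN=E1 system administration,OU=Groups,OU=ENO,OU=services,o=ed"}},
            {"field": {"groups": "CN=EO System Administrator*"}},  # '*' wildcard pattern
        ]},
    ]},
}

def _value_matches(pattern, value):
    # A pattern is /regex/, a string with '*' wildcards, or a literal string.
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], value) is not None
    if "*" in pattern:
        return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None
    return pattern == value

def _field_matches(field, patterns, user):
    # Multi-valued fields such as groups match when ANY element matches ANY pattern.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    values = user.get(field)
    values = values if isinstance(values, list) else [values]
    return any(_value_matches(p, v) for p in patterns for v in values if v is not None)

def evaluate(rule, user):
    """Local re-implementation of the any / all / except / field rule DSL."""
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    (field, patterns), = rule["field"].items()
    return _field_matches(field, patterns, user)

def roles_for(user, mappings):
    return sorted({r for m in mappings if m["enabled"] and evaluate(m["rules"], user) for r in m["roles"]})
```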

Thanks for the response, Tim.

I modified the SAML response so that instead of returning CN=E1 contr. doc OPS ,OU=Groups,OU=ENO,OU=services,o=ed
it now returns only E1 contr. doc OPS.
That way I now have a comma-separated list of groups.

I was able to map them to roles defined in role_mapping.yml via the API command
POST /_xpack/security/role_mapping/

regards,
Indi
