Super user Role not working for SAML users

(HanRem) #1

We are in the process of setting up SAML authentication with ELK. From Elastic Search, we are integrating with OneLogin. The integration is successful and I am able to log in with a SAML user. I have given the role of superuser to the SAML user (by logging in as elastic).

When I log in as the SAML user, I am able to access all the menus in the "Management" tab except Users and Roles, for which I am getting:

Permission denied

You do not have permission to manage users.

Kindly let me know how this can be resolved.

(Tim Vernum) #2

What do you mean by this?
That your OneLogin user is called elastic?
That doesn't make them a superuser. Users are contained entirely within their own realms, so the builtin elastic user is not the same as a saml elastic user.
The only way to make a SAML user a superuser is to grant them that role through the role-mapping API in Elasticsearch.

(HanRem) #3

No, my OneLogin user name is not elastic. What I meant is, I provided the superuser role to my SAML user by logging in to Kibana and adding roles through the Management tab.

I tried setting up the role through the Role Mapping API and it worked :)

I wonder why it's not working when setting it up through the Kibana Management menu.

(Tim Vernum) #4

This is the same reason as above - when you assigned roles in the Kibana Management UI, you were acting on a user in the "native" realm, not the saml realm.
In short, the "hanciv" user in that UI is unrelated to a "hanciv" user that authenticates via SAML.

(HanRem) #5

Thanks, got it. So I don't have to provision the users locally in Kibana if they are coming through the SAML realm.
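
Added example, not part of the original thread and not Elastic's code: a simplified Python model of how a role mapping of the kind discussed above is matched against the realm a user authenticated through, which is why a same-named user from another realm gets nothing from it. The realm names `saml1` and `native1`, the mapping name `saml-superuser` and the user records are assumptions; wildcard and regex matching are not modelled.

```python
import json

# Assumed names: realm "saml1", mapping "saml-superuser". User records are constructed.
MAPPINGS = {
    "saml-superuser": {
        "roles": ["superuser"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": "saml1"}},
            {"field": {"username": "hanciv"}},
        ]},
    },
}

def matches(rule, user):
    """Evaluate one rule node (field / all / any / except) against user attributes."""
    if "field" in rule:
        (name, expected), = rule["field"].items()
        actual = user.get(name)
        actual = actual if isinstance(actual, list) else [actual]
        expected = expected if isinstance(expected, list) else [expected]
        return any(a in expected for a in actual)
    if "all" in rule:
        return all(matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not matches(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule}")

def mapped_roles(mappings, user):
    """Roles granted by every enabled mapping whose rules match this user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)

# Same username, different realms (constructed sample users).
saml_user = {"username": "hanciv", "realm.name": "saml1"}
other_realm_user = {"username": "hanciv", "realm.name": "native1"}

if __name__ == "__main__":
    # Request body for PUT /_security/role_mapping/saml-superuser
    # (older releases use the /_xpack/security/role_mapping prefix).
    print(json.dumps(MAPPINGS["saml-superuser"], indent=2))
    print("saml1  :", mapped_roles(MAPPINGS, saml_user))
    print("other  :", mapped_roles(MAPPINGS, other_realm_user))
```

When reviewing who can reach `superuser`, check the role mappings as well as the users listed in the Kibana Management UI, since the mapping is what grants roles to SAML-authenticated users.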

