Hello @elasticcommunity
Our use case is to giver external users access to specific spaces, dashboards and indices in an on-prem Elastic cluster. We are using OpenID Connect authorization and Keycloak as provider.
We have configed Keycloack, Elasticsearch and Kibana as well as created a role_mapping based on groups, see attachments. In Kibana we have configured specific roles and spaces. If a user login in with basic authentication the user is granted access to the specific space, daskboards and indices. So this part of the configuration is correct.
The redirect from Kibana to Keycloak works, the users are authenticated in Keycloak, but Kibana rejects access with an HTTP 403.
No errors are found in the Elasticsearch log or in the Kibana log as well as the Kibana audit log. When running Kibana in debug or trance mode Kibana accepts the authorization, find the spaces ect, but rejects access to the specific space. We are wounding if the role_mapping is wrong or we are missing some mapping of claims.
Any suggestions are much appreciated.
Kibana rejection:
Authorization response from Keycloak, remark "star" returned in the groups array
The very simple role_mapping
We can provide snippes from the Kibana debug log as well the 403 reported i Google tools.
Best regards
@fgjensen