AD SAML Authentication Group Mapping Issue

Hello,

I am attempting to make group mapping work correctly with AD FS SAML within Kibana/ElasticSearch.

SAML works fine, but anything I put in the roles is ignored. I am mapping the Group attribute to the AD attribute of “Token-Groups - Unqualified Names”. This results in a returned authentication debug message of:

setting JWT claims: {
  "user": "TestUser1@ad.test.biz",
  "groups": [],
  "x-ror-origin": "saml_adfs",
  "assertion": {
    "issuer": "http://lc-demo-01.ad.test.biz/adfs/services/trust",
    "sessionIndex": "_9c6a15dc-1cb8-45d5-9463-c31d39ec143e",
    "nameID": "TestUser1@ad.test.biz",
    "nameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "TestUser1@ad.test.biz",
    "http://schemas.xmlsoap.org/claims/Group": ["Domain Users", "KibanaAdmins"],
    "user": "TestUser1@ad.test.biz"
  }
}

As you can see, I am getting ["Domain Users","KibanaAdmins"] returned. Within the readonlyrest.yml file within ElasticSearch config, I have it set as so:

- name: "ADFS Users - Admin"
  kibana_access: "admin"
  ror_kbn_auth:
    name: "kbn1"
    roles: ["KibanaAdmins"]
 
- name: "ADFS Users - Standard"
  kibana_access: "rw"
  ror_kbn_auth:
    name: "kbn1"

In the kibana.yml config file, I am mapping the groupsParameter to 'group', which appears to work based on the debugging messages.

readonlyrest_kbn.auth.saml_adfs.usernameParameter: 'nameID'
readonlyrest_kbn.auth.saml_adfs.groupsParameter: 'group'

The user TestUser1, who is in the KibanaAdmins AD group, always ends up with rw access and not admin though. It appears that the roles are not being applied, or I have a misconfiguration. I have pored through every piece of documentation and tried many variations, but there is very little information on exactly how the roles attribute is mapped to the groupsParameter attribute. Any assistance is greatly appreciated.

-Adam

“readonlyrest_kbn.auth.saml_adfs.groupsParameter” should be “http://schemas.xmlsoap.org/claims/Group”.
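To see why the fix above works, here is an added example (not part of this thread, and not ReadonlyREST's own code) that models the lookup: the groupsParameter value is used as an exact attribute name against the decoded assertion, so 'group' matches nothing and yields an empty group list, while the full claim URI selects ["Domain Users", "KibanaAdmins"]. The assertion dictionary is constructed from the debug output posted above; the two ACL blocks are the ones from the poster's readonlyrest.yml. The first-match-wins block evaluation and the "at least one listed role" semantics are assumptions made to reproduce the observed behaviour (rw instead of admin), and check_groups_parameter is a hypothetical helper that flags the misconfiguration before it costs a debugging session.

```python
# Added example: a model of how a SAML groups parameter is resolved against the
# decoded assertion and then matched against ACL blocks. Illustrative code only;
# it is not ReadonlyREST's implementation.

# Constructed from the debug output in the thread (only the relevant claims).
ASSERTION = {
    "issuer": "http://lc-demo-01.ad.test.biz/adfs/services/trust",
    "nameID": "TestUser1@ad.test.biz",
    "nameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "TestUser1@ad.test.biz",
    "http://schemas.xmlsoap.org/claims/Group": ["Domain Users", "KibanaAdmins"],
    "user": "TestUser1@ad.test.biz",
}

GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# The two ACL blocks from the thread, in the order they appear. First match
# wins is an assumption used to reproduce the behaviour the poster saw.
ACL_BLOCKS = [
    {"name": "ADFS Users - Admin", "kibana_access": "admin", "roles": ["KibanaAdmins"]},
    {"name": "ADFS Users - Standard", "kibana_access": "rw"},
]


def resolve_groups(assertion, groups_parameter):
    """Return the group list that the configured parameter actually selects.

    The parameter is matched as an exact attribute name: no case-folding and
    no suffix matching, so 'group' does not find the claim URI ending in
    '/Group'. A missing attribute yields []; a scalar yields a one-item list.
    """
    value = assertion.get(groups_parameter)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def check_groups_parameter(assertion, groups_parameter):
    """Hypothetical config check: when the parameter matches no attribute,
    return the list-valued attribute names (the likely group claims)."""
    if groups_parameter in assertion:
        return []
    return [name for name, value in assertion.items() if isinstance(value, list)]


def match_block(groups, blocks):
    """Return the first ACL block whose role requirement is satisfied.

    A block without 'roles' matches any authenticated user; a block with
    'roles' requires at least one of them in the user's groups (assumption).
    """
    for block in blocks:
        required = block.get("roles")
        if not required or set(required) & set(groups):
            return block
    return None


def kibana_access_for(assertion, groups_parameter, blocks=ACL_BLOCKS):
    """Resolve groups with the given parameter and return the kibana_access
    of the matched block, or None if no block matches."""
    block = match_block(resolve_groups(assertion, groups_parameter), blocks)
    return None if block is None else block["kibana_access"]


if __name__ == "__main__":
    for param in ("group", GROUP_CLAIM):
        groups = resolve_groups(ASSERTION, param)
        access = kibana_access_for(ASSERTION, param)
        print(f"groupsParameter={param!r}: groups={groups} -> kibana_access={access}")
        for candidate in check_groups_parameter(ASSERTION, param):
            print(f"  parameter not found in assertion; list-valued claim present: {candidate}")
```

Running it shows the poster's symptom exactly: with 'group' the user carries no groups, the Admin block's role requirement fails, and the role-less Standard block matches with rw; with the full claim URI the Admin block matches and the user gets admin. The nameID case differs because "nameID" is itself a top-level attribute in the decoded assertion, whereas the AD FS group claim is only present under its URI.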

Thank you very much, that was indeed it. Since it didn’t require doing that for the nameID parameter, I didn’t expect it to need that for the group parameter. Thankfully that worked!
