Hello,
I am attempting to make group mapping work correctly with AD FS SAML within Kibana/ElasticSearch.
SAML works fine, but anything I put in the roles is ignored. I am mapping the Group attribute to the AD attribute of “Token-Groups - Unqualified Names”. This results in a returned authentication debug message of:
setting JWT claims: {
  "user": "TestUser1@ad.test.biz",
  "groups": [],
  "x-ror-origin": "saml_adfs",
  "assertion": {
    "issuer": "http://lc-demo-01.ad.test.biz/adfs/services/trust",
    "sessionIndex": "_9c6a15dc-1cb8-45d5-9463-c31d39ec143e",
    "nameID": "TestUser1@ad.test.biz",
    "nameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "TestUser1@ad.test.biz",
    "http://schemas.xmlsoap.org/claims/Group": ["Domain Users", "KibanaAdmins"],
    "user": "TestUser1@ad.test.biz"
  }
}
As you can see, I am getting ["Domain Users", "KibanaAdmins"] returned. Within the readonlyrest.yml file within the ElasticSearch config, I have it set as so:
- name: "ADFS Users - Admin"
  kibana_access: "admin"
  ror_kbn_auth:
    name: "kbn1"
    roles: ["KibanaAdmins"]
- name: "ADFS Users - Standard"
  kibana_access: "rw"
  ror_kbn_auth:
    name: "kbn1"
In the kibana.yml config file, I am mapping the groupsParameter to 'group', which appears to work based on the debugging messages:
readonlyrest_kbn.auth.saml_adfs.usernameParameter: 'nameID'
readonlyrest_kbn.auth.saml_adfs.groupsParameter: 'group'
The user TestUser1, who is in the KibanaAdmins AD group, always ends up with rw access and not admin, though. It appears that the roles setting is not being applied, or I have a misconfiguration. I have pored through every piece of documentation and tried many variations, but there is very little information on exactly how the roles attribute is mapped to the groupsParameter attribute. Any assistance is greatly appreciated.
-Adam
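An added illustration (not code from the post or from ReadonlyREST) that replays the assertion claims from the debug output above and compares a strict lookup of the groupsParameter value against a lookup that also matches the last path segment of a claim URI. How ReadonlyREST actually resolves groupsParameter is an assumption here; the functions only show why a parameter of 'group' and an attribute named "http://schemas.xmlsoap.org/claims/Group" can give an empty groups list, and what a role check over each result looks like.

```python
from typing import Any, Dict, List

# Constructed from the JWT claims in the post (values copied from the debug output).
ASSERTION: Dict[str, Any] = {
    "issuer": "http://lc-demo-01.ad.test.biz/adfs/services/trust",
    "nameID": "TestUser1@ad.test.biz",
    "nameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "TestUser1@ad.test.biz",
    "http://schemas.xmlsoap.org/claims/Group": ["Domain Users", "KibanaAdmins"],
    "user": "TestUser1@ad.test.biz",
}


def as_list(value: Any) -> List[str]:
    """Normalise a single-valued or multi-valued attribute to a list of strings."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def strict_groups(assertion: Dict[str, Any], groups_parameter: str) -> List[str]:
    """Exact-key lookup: the parameter must equal the attribute name verbatim.
    Hypothetical resolver, not ReadonlyREST's own logic."""
    return as_list(assertion.get(groups_parameter))


def tolerant_groups(assertion: Dict[str, Any], groups_parameter: str) -> List[str]:
    """Exact key wins; otherwise accept a claim URI whose last path segment
    equals the parameter, compared case-insensitively. Hypothetical resolver."""
    if groups_parameter in assertion:
        return as_list(assertion[groups_parameter])
    wanted = groups_parameter.lower()
    for key, value in assertion.items():
        if key.rsplit("/", 1)[-1].lower() == wanted:
            return as_list(value)
    return []


def roles_allow(groups: List[str], required_roles: List[str]) -> bool:
    """True when at least one of the user's groups appears in the rule's roles list."""
    return bool(set(groups) & set(required_roles))
```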