ROR Enterprise: Tenancy selector missing for SAML/SSO users

ES & Kibana versions: 6.3.0

We’ve had Enterprise ROR configured for a long time using LDAP, with multiple blocks of rules for different groups of users. When a user logs in, they can see the tenancy selector in the top left, showing all of the groups that they matched.

We recently successfully configured SAML for authentication and are using groups_provider_authorization for groups/authorization
We are are using it like so:

- name: "Enterprise Kibana SSO"
  kibana_access: admin
  ror_kbn_auth:
    name: "kbn1" #this is the working SAML provider
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-Admins"]

- name: "Kibana SSO Logs Access"
  ror_kbn_auth:
    name: "kbn1" #this is the working SAML provider
  kibana_access: ro
  indices: [".kibana", "machine-logs-*"]
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-AggLog"]

We’d expect a user that belongs to both groups (Apps-Kibana-Admins and Apps-Kibana-AggLog) to see 2 tenancies in the dropdown when they log in via SAML.
However, the tenancy selector is always missing, and they only ever have access to the first ACL they match.


Is this a bug, or expected behavior?

@bradvido It’s expected behaviour. “groups” fields inside “groups_provider_authorization” should be interpreted as allowed groups. The list of groups you see in the selector is an intersection between these allowed groups and groups returned by service.

Maybe your groups provider rule should look like this:

  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-Admins", "Apps-Kibana-AggLog"]
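As an added illustration of the intersection rule described in this reply (a small model written for this thread, not ReadonlyREST's own code), the following Python computes which groups each block grants and which tenancies would appear for the two blocks posted in the question; the block structure and group lists are constructed from that configuration.

```python
# Added example (not ReadonlyREST code): a model of the semantics described in
# the reply above. ACL blocks and the user's provider groups are constructed
# inline from the configuration quoted in this thread.
from typing import Dict, List

# Constructed from the two blocks posted in the question (one allowed group each).
ACL_BLOCKS: List[Dict] = [
    {"name": "Enterprise Kibana SSO", "kibana_access": "admin",
     "allowed_groups": ["Apps-Kibana-Admins"]},
    {"name": "Kibana SSO Logs Access", "kibana_access": "ro",
     "allowed_groups": ["Apps-Kibana-AggLog"]},
]

# Constructed variant following the suggestion above: both groups in each block.
ACL_BLOCKS_SUGGESTED: List[Dict] = [
    dict(b, allowed_groups=["Apps-Kibana-Admins", "Apps-Kibana-AggLog"])
    for b in ACL_BLOCKS
]


def block_groups(block: Dict, provider_groups: List[str]) -> List[str]:
    """Groups this block grants: the block's allowed groups intersected with the
    groups the provider returned, keeping the block's own ordering."""
    returned = set(provider_groups)
    return [g for g in block["allowed_groups"] if g in returned]


def matching_blocks(blocks: List[Dict], provider_groups: List[str]) -> List[str]:
    """Names of blocks that match: an empty intersection means no match."""
    return [b["name"] for b in blocks if block_groups(b, provider_groups)]


def selector_tenancies(blocks: List[Dict], provider_groups: List[str]) -> List[str]:
    """Order-preserving union of every matching block's groups, i.e. what the
    tenancy selector would list under the described semantics."""
    seen: List[str] = []
    for block in blocks:
        for g in block_groups(block, provider_groups):
            if g not in seen:
                seen.append(g)
    return seen
```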

@coutoPL I am a member of both of these groups (I have verified so in the group provider data), but I still don’t see the tenancy selector.

I have also tried updating the config like so for both rules:

And I still don’t see the selector.

Is there some problem with the tenancy selector when you use a groups provider?

@coutoPL could this be linked to RORDEV-85?

@sscarduzio yes, it’s the same.
@bradvido we’ve figured out what the problem with the current solution is and will try to fix it soon.

We will update this topic when ready 🙂

Hi, @sscarduzio and @coutoPL

I’m curious if any progress has been made on this.

Thanks!

Hi @bradvido,
Yes, we have a fix. Not released yet, but you can test it using this build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.5-pre16/readonlyrest-1.18.5-pre16_es6.3.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20190904/eu-west-1/s3/aws4_request&X-Amz-Date=20190904T171433Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=a166884d5541219def484edd1cf3f4d47a2281508458d51cbdc9aa463523e646

Thanks, I’d love to test, but the download from your link seems to be an invalid zip file. The plugin install failed and I also can’t open it with 7zip.

Retrieving metadata from plugin archive
Plugin installation was unsuccessful due to error “No kibana plugins found in archive”

Could you provide another link?

Please try this one:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.5-pre16/readonlyrest-1.18.5-pre16_es6.3.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA5SJIWBO54AGBERLX/20190905/eu-west-1/s3/aws4_request&X-Amz-Date=20190905T170341Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=d911f948b00afd7aaa2bd8af5f55dded6bcad21d6c4a98ac53af260d7bba05ad

Oh, this is the Elasticsearch part of the ROR plugin.

@coutoPL we’ve upgraded to 6.8.3.
Could I get a patched plugin for that version so I can test this fix?

Sent via private message.
