We’ve had Enterprise ROR configured for a long time using LDAP, with multiple blocks of rules for different groups of users. When a user logs in, they can see the tenancy selector in the top left, showing all of the groups that they matched.
We recently configured SAML for authentication successfully and are using groups_provider_authorization for groups/authorization.
We are using it like so:
```yaml
- name: "Enterprise Kibana SSO"
  kibana_access: admin
  ror_kbn_auth:
    name: "kbn1" # this is the working SAML provider
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-Admins"]
- name: "Kibana SSO Logs Access"
  ror_kbn_auth:
    name: "kbn1" # this is the working SAML provider
  kibana_access: ro
  indices: [".kibana", "machine-logs-*"]
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-AggLog"]
```
We'd expect a user who belongs to both groups (Apps-Kibana-Admins and Apps-Kibana-AggLog) to see two tenancies in the dropdown when they log in via SAML.
However, the tenancy selector is always missing, and they only ever have access to the first ACL they match.
@bradvido It’s expected behaviour. “groups” fields inside “groups_provider_authorization” should be interpreted as allowed groups. The list of groups you see in the selector is an intersection between these allowed groups and groups returned by service.
Maybe your groups provider rule should look like this:
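As an added illustration (not ReadonlyREST's code, and not the configuration the reply refers to, which does not appear on this page), here is a Python model of the matching rule as the reply describes it: blocks are evaluated in ACL order, the first block whose allowed groups intersect the groups returned by the groups provider wins, and the selector lists only that intersection. The block names and group names are taken from the config above; the set of groups the provider returns for the user is constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Block:
    """One ACL block: its name and the "groups" list under
    groups_provider_authorization (the allowed groups)."""
    name: str
    allowed_groups: set


def selector_groups(block, provider_groups):
    """Groups the tenancy selector would show for this block:
    allowed groups intersected with the groups the provider returned."""
    return block.allowed_groups & provider_groups


def first_matching_block(blocks, provider_groups):
    """First block in ACL order whose intersection is non-empty, or None."""
    for block in blocks:
        if selector_groups(block, provider_groups):
            return block
    return None


def resolve(blocks, provider_groups):
    """Return (matched block name, sorted selector groups) for one user."""
    block = first_matching_block(blocks, provider_groups)
    if block is None:
        return None, []
    return block.name, sorted(selector_groups(block, provider_groups))


# The two blocks from the thread's configuration, in ACL order.
THREAD_BLOCKS = [
    Block("Enterprise Kibana SSO", {"Apps-Kibana-Admins"}),
    Block("Kibana SSO Logs Access", {"Apps-Kibana-AggLog"}),
]

# Constructed: what the groups provider returns for the user in question.
USER_GROUPS = {"Apps-Kibana-Admins", "Apps-Kibana-AggLog", "Unrelated-Group"}

# Consequence of the same rule (illustration only): a single block that
# allows both groups yields both groups in the selector.
COMBINED_BLOCKS = [
    Block("Both groups", {"Apps-Kibana-Admins", "Apps-Kibana-AggLog"}),
]

if __name__ == "__main__":
    # First block matches and the selector holds exactly one group,
    # which is why no selector appears for the user described in the thread.
    print(resolve(THREAD_BLOCKS, USER_GROUPS))
    print(resolve(COMBINED_BLOCKS, USER_GROUPS))
    print(resolve(THREAD_BLOCKS, {"Unrelated-Group"}))
```

With the two-block config the user lands in "Enterprise Kibana SSO" with a single selectable group, so the second block is never consulted for that user; only a block whose allowed list contains both groups produces a two-entry selector under this rule.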
Thanks, I’d love to test, but the download from your link seems to be an invalid zip file. The plugin install failed and I also can’t open it with 7zip.
```text
Retrieving metadata from plugin archive
Plugin installation was unsuccessful due to error "No kibana plugins found in archive"
```