ES & Kibana versions: 6.3.0
We’ve had Enterprise ROR configured for a long time using LDAP, with multiple blocks of rules for different groups of users. When a user logs in, they can see the tenancy selector in the top left, showing all of the groups that they matched.
We recently successfully configured SAML for authentication and are using groups_provider_authorization for groups/authorization.
We are using it like so:
```yaml
- name: "Enterprise Kibana SSO"
  kibana_access: admin
  ror_kbn_auth:
    name: "kbn1" # this is the working SAML provider
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-Admins"]

- name: "Kibana SSO Logs Access"
  ror_kbn_auth:
    name: "kbn1" # this is the working SAML provider
  kibana_access: ro
  indices: [".kibana", "machine-logs-*"]
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-AggLog"]
```
We’d expect a user that belongs to both groups ( Apps-Kibana-AggLog) to see 2 tenancies in the dropdown when they log in via SAML.
However the tenancy selector is always missing and they always only have access to the first ACL they match.
Is this a bug, or expected behavior?