ROR Enterprise: Tenancy selector missing for SAML/SSO users

ES & Kibana versions: 6.3.0

We’ve had Enterprise ROR configured for a long time using LDAP, with multiple blocks of rules for different groups of users. When a user logs in, they can see the tenancy selector in the top left, showing all of the groups that they matched.

We recently successfully configured SAML for authentication and are using groups_provider_authorization for groups/authorization.
We are using it like so:

- name: "Enterprise Kibana SSO"
  kibana_access: admin
  ror_kbn_auth:
    name: "kbn1" #this is the working SAML provider
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-Admins"]

- name: "Kibana SSO Logs Access"
  ror_kbn_auth:
    name: "kbn1" #this is the working SAML provider
  kibana_access: ro
  indices: [".kibana", "machine-logs-*"]
  groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-AggLog"]

We’d expect a user that belongs to both groups (Apps-Kibana-Admins and Apps-Kibana-AggLog) to see 2 tenancies in the dropdown when they log in via SAML.
However, the tenancy selector is always missing and they always only have access to the first ACL they match.

Is this a bug, or expected behavior?

@bradvido It’s expected behaviour. The “groups” field inside “groups_provider_authorization” should be interpreted as allowed groups. The list of groups you see in the selector is an intersection between these allowed groups and the groups returned by the service.

Maybe your groups provider rule should look like this:


groups_provider_authorization:
    user_groups_provider: "GroupsService"
    groups: ["Apps-Kibana-Admins", "Apps-Kibana-AggLog"]

@coutoPL I am a member of both of these groups (I have verified so in the group provider data), but I still don’t see the tenancy selector.

I have also tried updating the config like so for both rules:

And I still don’t see the selector.

Is there some problem with the tenancy selector when you use a groups provider?

@coutoPL could this be linked to RORDEV-85?

@sscarduzio yes, it’s the same.
@bradvido we’ve figured out what the problem is with the current solution and will try to fix it soon.

We will update this topic when ready :slight_smile: