Configuring role mappings
When a user authenticates using SAML, they are identified to the Elastic Stack, but this does not automatically grant them access to perform any actions or access any data.
Your SAML users cannot do anything until they are assigned roles, which is done through the add role mapping API.
Role mapping files cannot be used to grant roles to users who authenticate via SAML; only API-defined mappings apply to them.
This is an example of a simple role mapping that grants the kibana_user role to any user who authenticates against the saml1 realm:

```console
PUT /_xpack/security/role_mapping/saml-kibana
{
  "roles": [ "kibana_user" ],
  "enabled": true,
  "rules": {
    "field": { "realm.name": "saml1" }
  }
}
```
The attributes that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.
The user fields that are provided to the role mapping are derived from the SAML attributes as follows:

- username: The principal attribute
- dn: The dn attribute
- groups: The groups attribute
- metadata: See User metadata
For more information, see Mapping users and groups to roles and role mapping APIs.
If your IdP has the ability to provide groups or roles to Service Providers, then you should map this SAML attribute to the attributes.groups setting in the Elasticsearch realm, and then make use of it in a role mapping as per the example below.
This mapping grants the Elasticsearch finance_data role to any user who authenticates via the saml1 realm with the finance-team group:

```console
PUT /_xpack/security/role_mapping/saml-finance
{
  "roles": [ "finance_data" ],
  "enabled": true,
  "rules": {
    "all": [
      { "field": { "realm.name": "saml1" } },
      { "field": { "groups": "finance-team" } }
    ]
  }
}
```
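To make the rule semantics concrete, the following is an added example, not Elasticsearch's own code: a small Python evaluator for the role-mapping rule types (field, any, all, except) that runs the two mappings above against constructed users shaped the way the mapping engine sees them (username, dn, groups and metadata from the SAML attributes, realm.name from the authenticating realm). It is a simplified model: string patterns support only the `*` wildcard, and dn values are compared as plain strings rather than as normalized DNs. The third user, carol, carries the same finance-team group but comes from a different realm, which shows why the realm.name clause in the saml-finance mapping matters: group names are not unique across realms, and a mapping that keys on the group alone would grant finance_data to anyone in any realm whose IdP or directory happens to emit that group name.

```python
"""Simplified evaluator for Elasticsearch role-mapping rules (field / any / all / except).

Added illustration, not Elasticsearch's own implementation. Assumptions: only the
'*' wildcard is supported in string patterns, and dn values are compared as plain
strings instead of normalized DNs.
"""
import re
from typing import Any

# The two mappings from the page, keyed by mapping name, plus one constructed
# mapping with "enabled": false to show that disabled mappings grant nothing.
MAPPINGS = {
    "saml-kibana": {
        "roles": ["kibana_user"],
        "enabled": True,
        "rules": {"field": {"realm.name": "saml1"}},
    },
    "saml-finance": {
        "roles": ["finance_data"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": "saml1"}},
            {"field": {"groups": "finance-team"}},
        ]},
    },
    "saml-legacy-disabled": {  # constructed: must be ignored because it is disabled
        "roles": ["superuser"],
        "enabled": False,
        "rules": {"field": {"realm.name": "saml1"}},
    },
}

# Constructed users in the shape the role-mapping engine sees them.
SAMPLE_USERS = [
    {"username": "alice", "dn": None, "groups": ["finance-team", "staff"],
     "metadata": {"saml_department": "finance"},
     "realm": {"name": "saml1", "type": "saml"}},
    {"username": "bob", "dn": None, "groups": ["staff"],
     "metadata": {}, "realm": {"name": "saml1", "type": "saml"}},
    # Same group name, different realm: the realm.name clause must block this user.
    {"username": "carol", "dn": None, "groups": ["finance-team"],
     "metadata": {}, "realm": {"name": "ldap1", "type": "ldap"}},
]


def _lookup(user: dict, path: str) -> Any:
    """Resolve a dotted field name such as 'realm.name' or 'metadata.saml_department'."""
    current: Any = user
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def _value_matches(pattern: Any, value: Any) -> bool:
    """Match one expected value against a user field; list-valued fields match if any element does."""
    if isinstance(value, list):
        return any(_value_matches(pattern, v) for v in value)
    if pattern is None:
        return value is None  # "field": {"dn": null} matches a user with no dn
    if isinstance(pattern, str) and isinstance(value, str) and "*" in pattern:
        regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
        return re.fullmatch(regex, value) is not None
    return pattern == value


def evaluate_rule(rule: dict, user: dict) -> bool:
    """Recursively evaluate a rule object of type field, any, all or except."""
    if len(rule) != 1:
        raise ValueError(f"rule must have exactly one key, got {list(rule)}")
    (kind, body), = rule.items()
    if kind == "field":
        (path, expected), = body.items()
        actual = _lookup(user, path)
        candidates = expected if isinstance(expected, list) else [expected]
        return any(_value_matches(e, actual) for e in candidates)
    if kind == "any":
        return any(evaluate_rule(r, user) for r in body)
    if kind == "all":
        return all(evaluate_rule(r, user) for r in body)
    if kind == "except":
        return not evaluate_rule(body, user)
    raise ValueError(f"unknown rule type {kind!r}")


def roles_for(user: dict, mappings: dict = MAPPINGS) -> set:
    """Union of the roles from every enabled mapping whose rules match the user."""
    granted: set = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            granted.update(mapping["roles"])
    return granted


def demo() -> dict:
    """Map each sample username to the sorted roles it would be granted."""
    return {u["username"]: sorted(roles_for(u)) for u in SAMPLE_USERS}


if __name__ == "__main__":
    for name, roles in demo().items():
        print(f"{name}: {roles}")
```

Running it grants alice both kibana_user and finance_data, bob only kibana_user, and carol nothing, because the saml-finance mapping requires realm.name to be saml1 as well as the group. When writing your own mappings, keep the realm.name clause inside an `all` together with the group test rather than relying on the group alone.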