Configuring Role Mappings

edit

When a user authenticates using SAML, they are identified to the Elastic Stack, but this does not automatically grant them access to perform any actions or access any data.

Your SAML users cannot do anything until they are mapped to X-Pack Security roles. This mapping is performed through the role-mapping API

This is an example of a simple role mapping that grants the kibana_user role to any user who authenticates against the saml1 realm:

PUT /_xpack/security/role_mapping/saml-kibana
{
  "roles": [ "kibana_user" ],
  "enabled": true,
  "rules": {
    "field": { "realm.name": "saml1" }
  }
}

The attributes that are mapped via the realm configuration are used to process role mapping rules, and these rules determine which roles a user is granted.

The user fields that are provided to the role mapping are derived from the SAML attributes as follows:

  • username: The principal attribute
  • dn: The dn attribute
  • groups: The groups attribute
  • metadata: See User Metadata

For more information, see Mapping Users and Groups to Roles and Role Mapping APIs.

If your IdP has the ability to provide groups or roles to Service Providers, then you should map this SAML attribute to the attributes.groups setting in the Elasticsearch realm, and then make use of it in a role mapping as per the example below.

This mapping grants the Elasticsearch finance_data role, to any users who authenticate via the saml1 realm with the finance-team group.

PUT /_xpack/security/role_mapping/saml-finance
{
  "roles": [ "finance_data" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "saml1" } },
        { "field": { "groups": "finance-team" } }
  ] }
}