This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Saml, AzureAD and roles #35

Closed
Adelbertt opened this issue Nov 20, 2019 · 7 comments

Comments

@Adelbertt

Hi,

We've deployed OD and confirmed we can authenticate and manage roles inside Kibana's GUI. We tried to assign users according to the roles/groups they are part of inside our AzureAD, but we were unsuccessful. To us it seems we need to configure the authz sections, but since we are using Azure we do not know how we can configure OD to retrieve the roles/groups. Everything we do ends up with the user getting a Missing Tenant error.

SAML response w/ claim (trimmed, starting after the signature):

```xml
</Signature>
      <Subject>
         <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@something.com</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="ONELOGIN_242fa5b0-6835-4083-8f54-83a4f8182032" NotOnOrAfter="2019-11-19T16:37:33.620Z" Recipient="https://ki.something.com/_opendistro/_security/saml/acs"/>
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2019-11-19T15:32:33.620Z" NotOnOrAfter="2019-11-19T16:37:33.620Z">
         <AudienceRestriction>
            <Audience>elasticid</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
            <AttributeValue>TENANTID</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
            <AttributeValue>1b07ebbd-80f0-4abb-9e50-27bbe7b42db0</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
            <AttributeValue>3bcfa085-15b3-4d8e-a39b-cddb7983d496</AttributeValue>
            <AttributeValue>9228f068-5369-40e6-b621-674352cd46fd</AttributeValue>
            <AttributeValue>d135bf4c-4858-4a7f-ba3c-545f1afbf516</AttributeValue>
            <AttributeValue>ddb302f5-d240-4b29-bf5d-3c2fcb49fadb</AttributeValue>
            <AttributeValue>106debfc-3017-41d8-b689-0983264bcc1e</AttributeValue>
            <AttributeValue>cd691cbe-76bf-46b0-998d-181707b91be6</AttributeValue>
            <AttributeValue>5ac8d8a4-76d2-4200-93f8-b5ce1efc52ec</AttributeValue>
            <AttributeValue>0685b95e-e7b3-4615-9b5b-7a78765ae116</AttributeValue>
            <AttributeValue>99972c68-bf81-42fe-a30f-59a49424d237</AttributeValue>
            <AttributeValue>0494f86a-fab8-4ea9-9a63-32587a4ba96e</AttributeValue>
            <AttributeValue>1608f37a-4444-41b1-ae7a-2708ff4e3afe</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
            <AttributeValue>https://sts.windows.net/737c6905-f186-4bcf-afb3-43e349ee23a3/</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
            <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/roles">
            <AttributeValue>admin</AttributeValue>
         </Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2019-11-18T13:25:56.625Z" SessionIndex="_3f05d72c-bd52-43a2-8cf4-ad8802d79d00">
         <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>
```
Our security config:

```yaml
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    do_not_fail_on_forbidden: true
    kibana:
    # Kibana multitenancy
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: saml
          challenge: true
          config:
            role_keys: ["roles","roles","groups","group","Group ID"]
            idp:
              metadata_url: "https://login.microsoftonline.com/TENANTID/federationmetadata/2007-06/federationmetadata.xml?appid=812da130-9f99-44e4-b403-7db135979c96"
              entity_id: "https://sts.windows.net/TENANTID/"
            sp:
              entity_id: "elasticid"
            kibana_url: "https://ki.something.com"
            exchange_key: ANEXCHANGEKEY
        authentication_backend:
          type: noop
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
```
@francisco-hoo

Hi @Adelbertt, when you said "...we confirmed we can Authenticate..." are you talking about Basic Auth or SAML Auth?
To retrieve roles from a SAML response you need to map the XML tag <Attribute>, for example as in the Open Distro SAML Configuration. Looking at your SAML response you have 6 roles, and you can map them like this:

```yaml
roles_key: [
    "http://schemas.microsoft.com/identity/claims/tenantid",
    "http://schemas.microsoft.com/identity/claims/objectidentifier",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "http://schemas.microsoft.com/identity/claims/identityprovider",
    "http://schemas.microsoft.com/claims/authnmethodsreferences",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/roles"
]
```

@Adelbertt

> Hi @Adelbertt, when you said "...we confirmed we can Authenticate..." are you talking about Basic Auth or SAML Auth?

SAML.

For the roles I'm still testing; it seems we can't define a roles_key containing `:`, so I'm trying something like `schemas.microsoft.com/identity/claims/tenantid`.

The user is still getting "missing tenant". The role names should be backend roles in the roles mapping, right?

@Adelbertt

We see the roles we attributed to the user in the SAML response, but I think our problem is that we aren't sure how we can map the role inside the plugin to allow a tenant and such.

Thanks

@Adelbertt

So apparently this would be one of the problems...

```
Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.
```

@francisco-hoo

francisco-hoo commented Nov 26, 2019

@Adelbertt this happens because your SAML response doesn't have this roles attribute.

> For the roles I'm still testing; it seems we can't define a roles_key containing `:`, so I'm trying something like `schemas.microsoft.com/identity/claims/tenantid`

You need to add `http://` to your roles_key, like this: `http://schemas.microsoft.com/identity/claims/tenantid`

> The role names should be backend roles in the roles mapping, right?

Yeah, the roles you retrieve from roles_key will be mapped to the backend_role of the user. So you need to previously configure a role mapping that maps your backend_role to a specific role.
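The lookup francisco-hoo describes, as an added example that is not code from the issue or from the Open Distro plugin: a roles_key only yields roles when it equals the SAML Attribute's full Name, and the values found become the user's backend roles, which a roles_mapping turns into plugin roles. The assertion and the roles_mapping below are constructed (trimmed from the response posted above); the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion using the attribute names from the thread.
ASSERTION = f"""<Assertion xmlns="{SAML_NS}">
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <AttributeValue>3bcfa085-15b3-4d8e-a39b-cddb7983d496</AttributeValue>
      <AttributeValue>9228f068-5369-40e6-b621-674352cd46fd</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/roles">
      <AttributeValue>admin</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def attributes_by_name(assertion_xml):
    """Return {Attribute Name: [AttributeValue texts]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        result[attr.get("Name")] = values
    return result


def backend_roles(assertion_xml, roles_key):
    """Values of the attribute whose Name equals roles_key exactly; a short
    key such as 'roles' does not match the full claim URI, so nothing is found."""
    return attributes_by_name(assertion_xml).get(roles_key, [])


def mapped_roles(backend, roles_mapping):
    """Simplified roles_mapping lookup: role -> list of backend_roles that grant it."""
    return sorted(r for r, allowed in roles_mapping.items() if set(allowed) & set(backend))


# Constructed roles_mapping: backend role "admin" grants "all_access".
ROLES_MAPPING = {"all_access": ["admin"], "readall": ["kibana_read_only"]}

if __name__ == "__main__":
    print(backend_roles(ASSERTION, "roles"))  # [] -> the "Failed to get roles" error
    key = "http://schemas.microsoft.com/ws/2008/06/identity/claims/roles"
    print(backend_roles(ASSERTION, key))  # ['admin']
    print(mapped_roles(backend_roles(ASSERTION, key), ROLES_MAPPING))  # ['all_access']
```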

@Adelbertt

So inspecting the JWT ... we get this ...

```
"roles": null
```

@Adelbertt

So I changed the syntax of the roles_keys and now we are retrieving the roles in the JWT.

```yaml
config:
  role_keys: "roles"
```

After that we were able to assign the backend_role in a roles_mapping and everything works!
