Tags: amazon-web-services, saml-2.0, okta, aws-elasticsearch, idp

How to map a SAML Attribute from your IdP to an AWS Elastic Search Role?


The recently added SAML support for AWS Elastic Search solution: https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-elasticsearch-service-adds-native-saml-authentication-kibana/

Lists in its documentation that backend roles are supported: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html

In Okta, for example, you might have a user, jdoe, who belongs to the group admins. If you add jdoe to the SAML master username field, only that user receives full permissions. If you add admins to the SAML master backend role field, any user who belongs to the admins group receives full permissions.

If you want to use backend roles (recommended), specify an attribute from the assertion in the Role key field, such as role or group. This is another situation in which tools like SAML-tracer can help.

But some users have problems finalizing the configuration once they are done with the AWS Console.


Solution

  • The answer lies beyond the AWS Console and must be completed within the Elastic Search cluster with the Master User that you created either within the cluster as an Internal User, via an IAM role or by using the Master User field in the SAML configuration section of the Modify Authentication Wizard in the AWS console for Elastic Search. You must:

    1. Create a Backend role that matches your SAML attribute value
    2. Create a Mapping between the new backend role and an actual Elastic Search Role

    After you're done configuring your IdP by creating a custom Attribute/Claim like roles or groups, and after you've configured SAML authentication integration in the Elastic Search cluster:

    1. Log into Kibana using your master user.
    2. Go to OpenDistro -> Security -> Roles -> the Role you want to grant access to, i.e. readall.
    3. Go to the Mapped Users tab under the role screen.
    4. On the Backend Roles field, type the VALUE of the Azure Claim you created by following these steps: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management For reference the claim value is: user.assignedroles. The claim key is whatever you configure your Azure Enterprise application as. You'll have a key value pair of "Your chosen Claim Name": user.assignedroles
    5. Save the Mapping in Kibana.

    Using the Azure IdP, log into Kibana with users that have different Azure Claims assigned to them. The Open Distro Security plugin will parse the SAML token attribute, find the field for user.assignedroles and map that as a Kibana Backend Role to the actual Elastic Search roles.
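To make the two halves of that mapping concrete (the attribute *name* goes in the Role key field, the attribute *values* go in the Backend Roles field), here is an added, stand-alone illustration that is not part of the answer above or of Open Distro itself. The assertion, the attribute name "Roles", the role values and the rolesmapping table are all constructed for the example; the same mapping can also be written with a PUT of `{"backend_roles": [...]}` to `_opendistro/_security/api/rolesmapping/<role>` as the master user.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response). The IdP was set up to
# emit an attribute named "Roles" whose values come from user.assignedroles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Roles">
      <saml:AttributeValue>es-readall</saml:AttributeValue>
      <saml:AttributeValue>es-kibana-user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical rolesmapping table, shaped like the security plugin's config:
# Open Distro role -> backend roles (attribute values) and users (NameIDs).
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["es-admins"], "users": ["master@example.com"]},
    "readall": {"backend_roles": ["es-readall"], "users": []},
    "kibana_user": {"backend_roles": ["es-kibana-user"], "users": []},
}


def subject_and_backend_roles(assertion_xml, roles_key):
    """Return (NameID, attribute values) for the attribute whose Name is roles_key.
    roles_key is the attribute NAME configured as the Role key; the returned
    values are what must be typed into the Backend Roles field of a mapping."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == roles_key:
            for v in attr.findall("saml:AttributeValue", SAML_NS):
                if v.text:
                    values.append(v.text.strip())
    return name_id, values


def resolve_roles(name_id, backend_roles, roles_mapping):
    """Grant a role when the NameID is listed under users or when any backend
    role from the assertion appears in the mapping's backend_roles."""
    granted = set()
    for role, mapping in roles_mapping.items():
        direct = name_id in mapping.get("users", [])
        via_group = set(backend_roles) & set(mapping.get("backend_roles", []))
        if direct or via_group:
            granted.add(role)
    return sorted(granted)


if __name__ == "__main__":
    user, roles = subject_and_backend_roles(SAMPLE_ASSERTION, "Roles")
    print(user, roles, resolve_roles(user, roles, ROLES_MAPPING))
```

Using the claim *value* string (user.assignedroles) as the Role key instead of the attribute name returns no backend roles, which is the usual reason a user lands in Kibana with no permissions.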