FusionAuth

    Posts made by vexana

    • Mapping FusionAuth roles to elasticsearch

@dan Sorry, I forgot to update here. Yes, the integration is fixed using OpenID; it works.

      I have another question. By creating a role mapping on the Elastic side, all the user logins will have the same role.

      How do I map the FusionAuth role/group to the Elastic role? I want my FusionAuth users to log in based on their roles.

      I am playing with claims.principal and claims.groups, but don't really get it.

If your OP has the ability to provide groups or roles to RPs via the use of an OpenID Claim, then you should map this claim to the claims.groups setting in the Elasticsearch realm (see Mapping claims to user properties), and then make use of it in a role mapping as per the example below.

      Reference: https://www.elastic.co/guide/en/elasticsearch/reference/7.9/oidc-role-mapping.html

      posted in General Discussion
      vexana
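An added example of the role-mapping half of what the quoted Elastic docs describe; it is not from this thread or from the Elastic or FusionAuth documentation. It assumes the Elasticsearch OIDC realm is named `oidc1` and is configured with `claims.groups: "roles"`, and that the FusionAuth token exposes the user's application roles in a claim named `roles` (the same claim name the SAML config in this thread maps via `attributes.groups`). The body below is what you would send with `PUT /_security/role_mapping/fusionauth_admins`; `kibana_admin` is a built-in Elasticsearch role, while the group value `elastic-admin` is a constructed placeholder for a FusionAuth role name.

```json
{
  "roles": ["kibana_admin"],
  "enabled": true,
  "rules": {
    "all": [
      { "field": { "realm.name": "oidc1" } },
      { "field": { "groups": "elastic-admin" } }
    ]
  },
  "metadata": {
    "note": "Constructed example: grants kibana_admin only to users who authenticated through the oidc1 realm and whose FusionAuth token carries elastic-admin in the claim mapped to claims.groups"
  }
}
```

Pinning the rule to `realm.name` matters: without it, any realm that populates the `groups` user property with the same string (a second OIDC or SAML realm, or LDAP) would satisfy the mapping and inherit `kibana_admin`. Users without the `elastic-admin` role simply match no mapping and authenticate with no roles, which is the behaviour to expect when the claim is missing from the token; the first thing to check in that case is whether the OP actually includes the `roles` claim in the ID token or userinfo response the realm reads.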
    • RE: Integrate FusionAuth with Elastic Cloud

@dan Yep, I am the same person asking about that. I am asking on the Elastic forum about the OIDC.

      Currently, I'm still having a problem integrating it. (I'll update here as well if I find the solution.)

      posted in General Discussion
      vexana
    • RE: Integrate FusionAuth with Elastic Cloud

      Got it.

So, currently it only supports urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the FusionAuth side, right?

      posted in General Discussion
      vexana
    • RE: Integrate FusionAuth with Elastic Cloud

      @robotdan said in Integrate FusionAuth with Elastic Cloud:

      NameIdPolicy

Referring to this documentation, https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#saml-attribute-mapping,

      it only mentions nameid, nameid:persistent and friendlyName.

      posted in General Discussion
      vexana
    • Integrate FusionAuth with Elastic Cloud

      Hi Everyone,

I am trying to integrate FusionAuth (v1.23.2) as an Identity Provider for my Elastic Cloud (v7.10.2).

      I configured the Application (SAML) on the FusionAuth side and added some config changes to my Elastic Cloud (creating a realm with the name saml1):

      elasticsearch.yaml

      xpack: 
        security: 
          authc: 
            realms: 
              saml: 
                saml1: 
                  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                  attributes.groups: "roles"
                  idp.entity_id: "xxx"
                  idp.metadata.path: "xxx"
                  order: 2
                  sp.acs: "xxx/api/security/v1/saml"
                  sp.entity_id: "xxx/"
                  sp.logout: "xxx/logout"
      

      kibana.yaml

      xpack.security.authc.providers:
        saml.saml1:
          order: 0
          realm: saml1
          description: "Log in with SAML" 
        basic.basic1:
          order: 1
      

The login via SAML failed and gave me this error on the Kibana side:

      {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" & 1=\"Bearer realm=\\\"security\\\"\" & 2=\"ApiKey\" } } }"}
      

And I'm finding this error on the FusionAuth side related to the NameID:

      The SAML AuthnRequest was invalid and/or did not pass validation. The error code is [InvalidNameIDPolicy] and the error message is [The AuthnRequest contained an invalid NameId policy. FusionAuth only supports the [urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress] or [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified] policy]
      

Is anyone else facing the same problem?

      posted in General Discussion
      vexana