SAML, Azure AD and roles

Hi,

We’ve deployed OD, and we confirmed we can authenticate and manage roles inside Kibana’s GUI. We tried to assign users according to the roles/groups they are part of inside our Azure AD, but we were unsuccessful. To us it seems we need to configure the authz section, but since we are using Azure we do not know how to configure OD to retrieve the roles/groups. Everything we do ends up with the user getting a Missing Tenant error.

SAML response with claims:

</Signature>
  <!-- NameID is the subject the service provider sees as the user name (email-address format here). -->
  <Subject>
     <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@something.com</NameID>
     <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="ONELOGIN_242fa5b0-6835-4083-8f54-83a4f8182032" NotOnOrAfter="2019-11-19T16:37:33.620Z" Recipient="https://ki.something.com/_opendistro/_security/saml/acs"/>
     </SubjectConfirmation>
  </Subject>
  <!-- Audience must equal the sp.entity_id configured on the service provider ("elasticid" in the config posted below);
       NotBefore/NotOnOrAfter bound the window in which this assertion is accepted. -->
  <Conditions NotBefore="2019-11-19T15:32:33.620Z" NotOnOrAfter="2019-11-19T16:37:33.620Z">
     <AudienceRestriction>
        <Audience>elasticid</Audience>
     </AudienceRestriction>
  </Conditions>
  <!-- Attribute names are full URIs; a roles lookup must match the Name value exactly, not just its last path segment. -->
  <AttributeStatement>
     <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>TENANTID</AttributeValue>
     </Attribute>
     <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>1b07ebbd-80f0-4abb-9e50-27bbe7b42db0</AttributeValue>
     </Attribute>
     <!-- ".../claims/role" carries GUID values only (presumably directory object ids); these are not readable role names. -->
     <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <AttributeValue>3bcfa085-15b3-4d8e-a39b-cddb7983d496</AttributeValue>
        <AttributeValue>9228f068-5369-40e6-b621-674352cd46fd</AttributeValue>
        <AttributeValue>d135bf4c-4858-4a7f-ba3c-545f1afbf516</AttributeValue>
        <AttributeValue>ddb302f5-d240-4b29-bf5d-3c2fcb49fadb</AttributeValue>
        <AttributeValue>106debfc-3017-41d8-b689-0983264bcc1e</AttributeValue>
        <AttributeValue>cd691cbe-76bf-46b0-998d-181707b91be6</AttributeValue>
        <AttributeValue>5ac8d8a4-76d2-4200-93f8-b5ce1efc52ec</AttributeValue>
        <AttributeValue>0685b95e-e7b3-4615-9b5b-7a78765ae116</AttributeValue>
        <AttributeValue>99972c68-bf81-42fe-a30f-59a49424d237</AttributeValue>
        <AttributeValue>0494f86a-fab8-4ea9-9a63-32587a4ba96e</AttributeValue>
        <AttributeValue>1608f37a-4444-41b1-ae7a-2708ff4e3afe</AttributeValue>
     </Attribute>
     <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/737c6905-f186-4bcf-afb3-43e349ee23a3/</AttributeValue>
     </Attribute>
     <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
        <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
     </Attribute>
     <!-- ".../claims/roles" (plural) is the attribute that carries the readable role name "admin" in this assertion;
          this is the attribute name the security config's roles_key has to reference. -->
     <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/roles">
        <AttributeValue>admin</AttributeValue>
     </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2019-11-18T13:25:56.625Z" SessionIndex="_3f05d72c-bd52-43a2-8cf4-ad8802d79d00">
     <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
     </AuthnContext>
  </AuthnStatement>
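_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    do_not_fail_on_forbidden: true
    # Kibana multitenancy
    kibana:
      multitenancy_enabled: true
      server_username: kibanaserver
      index: '.kibana'
    http:
      anonymous_auth_enabled: false
      xff:
        # Leave disabled unless a trusted reverse proxy in front of the cluster sets the header;
        # when enabled, only sources matching internalProxies may supply the client IP.
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader: 'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: saml
          challenge: true
          config:
            # The SAML authenticator reads backend roles from the assertion attribute whose Name
            # equals roles_key exactly. In the assertion posted above the readable role name
            # ("admin") is delivered under the full claim URI below, so a short name such as
            # "roles" never matches, the user logs in with no backend roles, and Kibana reports
            # a missing tenant. (The previous `role_keys: [...]` list was not a recognised option.)
            roles_key: "http://schemas.microsoft.com/ws/2008/06/identity/claims/roles"
            idp:
              metadata_url: "https://login.microsoftonline.com/TENANTID/federationmetadata/2007-06/federationmetadata.xml?appid=812da130-9f99-44e4-b403-7db135979c96"
              entity_id: "https://sts.windows.net/TENANTID/"
            sp:
              # Must equal the <Audience> value the IdP puts in the assertion
              entity_id: "elasticid"
            kibana_url: "https://ki.something.com"
            # Placeholder value: use a long random secret and keep it out of version control
            exchange_key: ANEXCHANGEKEY
        authentication_backend:
          type: noop
    authz:
      # Both flags are false, so this LDAP domain is not consulted for SAML logins;
      # with Azure AD the roles come from the SAML attribute selected by roles_key above.
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'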

@rbonnette Did you get this resolved? If not which odfe version are you using?

oh my ! i totally forgot about that! yes we were able to fix our problem, it was a configuration issue on our side. I can’t remember which one tho …