Add SAML role to SearchGuard role

Hello,

I need to know whether I can map a SAML role (included in the IdP response in the ‘ACL’ field) to the “SGS_ALL_ACCESS” built-in role so that my SAML user can act as an admin.

I think sg_config.yml is configured correctly with the parameter ‘roles_key’ with the value ACL.

saml_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: saml
            challenge: true
            config:
              idp.metadata_file: my-idp-metadata.xml
              idp.entity_id: https://my-idp-url
              sp.entity_id: kibanasaml
              roles_key: ACL
              sp.signature_algorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1;'
              kibana_url: http://my-kibana-url
              #sp.forceAuthn: true
              exchange_key: 'qCgXzvG.......'
          authentication_backend:
            type: noop

The SAML response for the ACL field is something like this:

"cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi"

So I map this value in the file sg_roles_mapping.yml:

SGS_ALL_ACCESS:
  reserved: true
  backend_roles:
  - "admin"
  - "cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi"
  description: "Maps admin to SGS_ALL_ACCESS"

I load this configuration with sgadmin, but when I try to log in with SAML I can't:


Can you check the log files of Elasticsearch and Kibana for error messages which appear roughly at the time when you try to log in to Kibana?

The Elasticsearch logs have no errors; maybe I have to configure debug logging. Kibana shows these messages:

{"type":"log","@timestamp":"2021-02-23T16:59:15Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2021-02-23T16:59:15Z","tags":["error","plugins","searchguard","searchguard-multitenancy"],"pid":7,"message":"Multitenancy: Could not get authinfo AuthenticationError: Response Error"}
{"type":"response","@timestamp":"2021-02-23T16:59:15Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"my-kibana-url","x-request-id":"7caae32007248ac2af47362113bbce3b","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/","x-scheme":"http","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate","accept-language":"es,es-ES;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74"},"res":{"statusCode":302,"responseTime":37,"contentLength":9},"message":"GET / 302 37ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T16:59:15Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"response","@timestamp":"2021-02-23T16:59:15Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?nextUrl=%2F","method":"get","headers":{"host":"my-kibana-url","x-request-id":"41c7ad6acf5f90d94d511e8a9515c427","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/auth/saml/login?nextUrl=%2F","x-scheme":"http","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate","accept-language":"es,es-ES;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74"},"res":{"statusCode":302,"responseTime":15,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F 302 15ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T17:00:50Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2021-02-23T17:00:50Z","tags":["error","plugins","searchguard","searchguard-multitenancy"],"pid":7,"message":"Multitenancy: Could not get authinfo AuthenticationError: Response Error"}
{"type":"response","@timestamp":"2021-02-23T17:00:50Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/app/kibana","method":"get","headers":{"host":"my-kibana-url","x-request-id":"5706c672d5e6c4f623f0320a503121af","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/app/kibana","x-scheme":"http","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":302,"responseTime":17,"contentLength":9},"message":"GET /app/kibana 302 17ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T17:00:50Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"response","@timestamp":"2021-02-23T17:00:50Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?nextUrl=%2Fapp%2Fkibana","method":"get","headers":{"host":"my-kibana-url","x-request-id":"fff80ae5695b7051d15bb335b1e8c849","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/auth/saml/login?nextUrl=%2Fapp%2Fkibana","x-scheme":"http","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":302,"responseTime":55,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2Fapp%2Fkibana 302 55ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T17:00:54Z","tags":["error","plugins","searchguard","searchguard-auth"],"pid":7,"message":"SAML auth, failed to authorize: Error: The session cookie is absent.\n    at router.post (/usr/share/kibana/plugins/searchguard/server/applications/searchguard/auth/types/saml/routes.js:131:17)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"}
{"type":"response","@timestamp":"2021-02-23T17:00:54Z","tags":[],"pid":7,"method":"post","statusCode":302,"req":{"url":"/searchguard/saml/acs","method":"post","headers":{"host":"my-kibana-url","x-request-id":"cc4c4f7769af90d63630bff7961ddbf5","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/searchguard/saml/acs","x-scheme":"http","content-length":"9795","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","content-type":"application/x-www-form-urlencoded","origin":"null","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":302,"responseTime":43,"contentLength":9},"message":"POST /searchguard/saml/acs 302 43ms - 9.0B"}
{"type":"response","@timestamp":"2021-02-23T17:00:54Z","tags":[],"pid":7,"method":"get","statusCode":200,"req":{"url":"/customerror?type=samlAuthError","method":"get","headers":{"host":"my-kibana-url","x-request-id":"e49216fe8a4f52bffc9c6757eeab38ec","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/customerror?type=samlAuthError","x-scheme":"http","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":200,"responseTime":161,"contentLength":9},"message":"GET /customerror?type=samlAuthError 200 161ms - 9.0B"}

Errors should show up without modifying the logging level. Can you please also check the Elasticsearch logs for errors which appear during startup or while re-applying the configuration using sgadmin?

I've re-applied the configuration and no errors appear in the sgadmin output or the Elasticsearch logs. Perhaps this note from Search Guard clarifies the problem:

Based on that note, I can’t modify the SGS_ALL_ACCESS role because it is static.

How can I manually configure an admin role with the same permissions as SGS_ALL_ACCESS?

@adminunix you can create a new role that has SGS_ALL_ACCESS permissions. Then create a mapping for it.

The SGS_ALL_ACCESS permissions are:

{
  "description": "Allow full access to all indices and all cluster APIs",
  "cluster_permissions": [
    "*"
  ],
  "index_permissions": [
    {
      "allowed_actions": [
        "*"
      ],
      "index_patterns": [
        "*"
      ],
      "fls": [],
      "masked_fields": []
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "*"
      ],
      "tenant_patterns": [
        "*"
      ]
    }
  ],
  "exclude_cluster_permissions": [],
  "exclude_index_permissions": []
}

You can create the role in sg_roles.yml, via the REST API, or in the UI by cloning SGS_ALL_ACCESS.
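As an added worked example (not from the thread or the Search Guard project), here is what the sg_roles.yml answer looks like when carried through to both files, using the same permission set as the SGS_ALL_ACCESS JSON above and the ACL value from the original post. The role name `saml_admin` is a placeholder; the `_sg_meta` headers assume the config_version 2 format used by Search Guard 7.

```yaml
# sg_roles.yml (constructed example; "saml_admin" is a placeholder name)
_sg_meta:
  type: "roles"
  config_version: 2

saml_admin:
  description: "Copy of SGS_ALL_ACCESS that is not static, so it can be mapped"
  cluster_permissions:
    - "*"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "*"
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - "*"

---
# sg_roles_mapping.yml (constructed example)
_sg_meta:
  type: "rolesmapping"
  config_version: 2

saml_admin:
  reserved: false
  description: "Map the SAML 'ACL' attribute value to saml_admin"
  backend_roles:
    # Must match the attribute value the IdP sends under roles_key (ACL)
    # exactly: whole string, case-sensitive, including the commas.
    - "cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi"
```

Load both files with sgadmin as before; because the mapping targets a custom role rather than the static SGS_ALL_ACCESS, the SAML backend role is honoured. A role this broad should be mapped to as few IdP group values as possible.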