Cannot retrieve roles for User [name=me@example.com]

I think I slightly lost the overview here, sorry!

So, it is about these roles SG_ADMIN and SG_USER you mentioned earlier, right?

Also, if I understand it correctly, the user is authenticated via SAML.

This means that the roles probably come from the assertions in the SAML response. These roles are called backend roles, referring to the IdP as the authcz backend.

To give these roles an actual meaning, they need to be specified in the roles mapping configuration. In the roles mapping you provided earlier, however, I can’t spot these backend roles.

There are, however, a couple of env variables which might contain the names of the backend roles:

So, you would need to check:

  • Is the IdP providing SAML supposed to send the roles SG_USER and SG_ADMIN?
  • If no, what roles should the IdP provide instead?
  • If yes, make sure that the backend roles SG_USER and SG_ADMIN are mapped to Search Guard roles in the roles mapping configuration.
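The check described in this reply, as an added example that is not from the original post or from Search Guard: pull the backend roles out of a SAML assertion and look them up in a roles mapping to see which ones match nothing. The SAML fragment, the attribute name "Role" (the attribute your roles_key setting points at), the mapping contents and the Search Guard role names SGS_ALL_ACCESS and SGS_READALL are all constructed assumptions for the example.

```python
"""Find SAML backend roles that no entry of the roles mapping picks up."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: minimal assertion carrying the two backend roles.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>me@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>SG_ADMIN</saml:AttributeValue>
      <saml:AttributeValue>SG_USER</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed roles mappings in the shape of a parsed sg_roles_mapping.yml
# (Search Guard role names are assumptions). The first one reproduces the
# thread's situation: SG_ADMIN / SG_USER appear nowhere under backend_roles.
ROLES_MAPPING_BROKEN = {
    "SGS_ALL_ACCESS": {"backend_roles": ["admin"]},
}
ROLES_MAPPING_FIXED = {
    "SGS_ALL_ACCESS": {"backend_roles": ["admin", "SG_ADMIN"]},
    "SGS_READALL": {"backend_roles": ["SG_USER"]},
}


def backend_roles_from_assertion(xml_text, roles_attribute):
    """Return the values of the attribute that carries the roles."""
    root = ET.fromstring(xml_text)
    roles = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == roles_attribute:
            values = attr.findall("saml:AttributeValue", SAML_NS)
            roles.extend(v.text.strip() for v in values if v.text)
    return roles


def resolve_roles(backend_roles, roles_mapping):
    """Return (granted Search Guard roles, backend roles that matched nothing)."""
    granted, unmapped = set(), []
    for role in backend_roles:
        hits = [sg for sg, entry in roles_mapping.items()
                if role in entry.get("backend_roles", [])]
        granted.update(hits)
        if not hits:
            unmapped.append(role)  # this role has no effect on permissions
    return sorted(granted), unmapped
```

A non-empty unmapped list is the state the reply describes: the IdP sends the roles, but they grant nothing until the mapping references them.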