It is actually the other way around. The mapping is always:
backend role -> Search Guard role
Where backend role means any role that is returned by the configured authentication domain. This could be LDAP groups, claims in JSON web tokens or, in your case, an IdP response.
So if you are using the demo configuration and our demo roles, and you want to assign users to the sg_all_access and sg_readall Search Guard role, the roles returned from the IdP would be readall and admin.
But mind you, this is just a demo configuration. You can map any existing backend role in your IdP to any Search Guard role. This is where the roles_mapping.yml comes into play:
On Thursday, July 19, 2018 at 3:11:07 PM UTC+2, erik clark wrote:
I have two roles that I want to apply to my users. One is:
sg_all_access, and the other is sg_readall. However, these map to backend roles of admin and readall. Just what exactly is supposed to be returned by our IdP for a role to use these two? Admin and readall? Or sg_all_access and sg_readall? Thanks!
When asking questions, please provide the following information:
- Search Guard and Elasticsearch version
- Installed and used enterprise modules, if any
- JVM version and operating system version
- Search Guard configuration files
- Elasticsearch log messages on debug level
- Other installed Elasticsearch or Kibana plugins, if any