elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Kibana oidc (azure) role assignment not working (too many groups) #105058

Open rafi0101 opened 8 months ago

rafi0101 commented 8 months ago

Elasticsearch Version

8.8.1

Installed Plugins

No response

Java Version

/usr/share/elasticsearch/jdk/bin/java --version = 20.0.1

OS Version

Debian 11 5.10.205-2

Problem Description

I am using Kibana/Elasticsearch with OIDC (Microsoft Azure) for authentication. Currently I have the problem that not all defined role mappings are working correctly. We are using Azure groups in role mappings to assign users to specific Kibana roles.

9 out of 10 users can log in and work without any problems. However, user 10 is problematic. Some users in our organization are in many AD groups (>250).

And then the JWT token in the groups section is empty and points to another endpoint to retrieve all groups this user is assigned to.

Microsoft Entra ID limits the number of groups that it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted. A link to the Microsoft Graph endpoint to obtain group information is included instead. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#options-for-applications-to-consume-group-information

And I think Kibana does nothing with this information and thinks this user is not a member of any group.

I have also addressed this as a support case, but almost a year later nothing has happened: #01312479 (5008X00002J8locQAB) and here: https://discuss.elastic.co/t/kibana-oidc-azure-role-assignment-not-working-too-many-groups/350568

Steps to Reproduce

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "{{ client_id }}"
  rp.response_type: "code"
  rp.requested_scopes: ["openid", "email"]
  rp.redirect_uri: "https://{{ kibana_url }}/api/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/{{ tenant }}/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/{{ tenant }}/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/{{ tenant }}/oauth2/v2.0/token"
  op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
  op.endsession_endpoint: "https://login.microsoftonline.com/{{ tenant }}/oauth2/v2.0/logout"
  rp.post_logout_redirect_uri: "https://{{ kibana_url }}/security/logged_out"
  op.jwkset_path: "https://login.microsoftonline.com/{{ tenant }}/discovery/v2.0/keys"
  claims.principal: email
  claims.groups: groups

Logs (if relevant)

No response
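As an added illustration of the failure mode described in the issue above (example code, not from Elasticsearch, Kibana or the reporter): a small Python helper that decodes an ID token payload and reports whether the `groups` claim is present, absent, or replaced by Entra ID's `_claim_names`/`_claim_sources` overage indicator, which is what a realm that only reads the inline claim ends up treating as "no groups". The unsigned token builder, the `example.test` names and the Graph endpoint value are constructed placeholders; the overage claim names follow the Microsoft documentation linked in the issue.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_token(payload: dict) -> str:
    """Constructed, unsigned compact JWT (alg=none) for offline inspection only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature: this is a
    diagnostic view of what the realm received, not a validation step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def classify_groups(payload: dict, claim: str = "groups") -> tuple[str, list]:
    """Report how group membership arrived in the token.
    ("present", [...]): inline list; role mappings on `claims.groups` can match
    ("overage", [url]): list replaced by a Graph pointer; a realm that reads
                        only the inline claim sees the user in zero groups
    ("absent", []):     neither the claim nor the overage indicator
    """
    if isinstance(payload.get(claim), list):
        return "present", payload[claim]
    # Entra ID's documented overage indicator: "groups" is dropped and
    # _claim_names maps the claim to an entry in _claim_sources.
    source_key = payload.get("_claim_names", {}).get(claim)
    if source_key is not None:
        src = payload.get("_claim_sources", {}).get(source_key, {})
        return "overage", [src.get("endpoint", "<endpoint omitted>")]
    return "absent", []


# Constructed sample payloads (not real tokens); the endpoint is a placeholder.
SMALL_USER = {"email": "user9@example.test", "groups": ["kibana-admins", "ops"]}
LARGE_USER = {
    "email": "user10@example.test",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.test/PLACEHOLDER"}},
}
```

Running `classify_groups` over the two constructed payloads shows the asymmetry the reporter hit: the small user's groups match a role mapping, while the large user's token carries only the pointer and matches nothing.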

elasticsearchmachine commented 8 months ago

Pinging @elastic/es-security (Team:Security)

benganellison commented 5 months ago

We are hit hard by this. We have now limited the AD groups to security groups in Azure AD, but there are still a lot of users that cannot access Kibana. I'm one of them, and it is forcing us to look for alternatives.

sgaybhup commented 5 months ago

We are facing this issue as well. It would be nice to get a solution to this.