elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Serverless mock IDP should rely on the file-based SAML role mappings #184524

Open azasypkin opened 1 month ago

azasypkin commented 1 month ago

Summary

Today, we use a mock SAML IDP in Serverless for local development and running tests on CI with SAML-authenticated users to be as close to the production setup as possible. To assign a specific role to a SAML-authenticated user on the fly, we need a role mapping. Currently, we create the mapping using the ES role mapping API. The problem is that this API is disabled in Serverless, and we have to manually re-enable it just to support the mock IDP, which isn't ideal. Instead, we should rely on a file definition of the mapping in the settings.json file:

{
  "metadata": {
    "version": "%s",
    "compatibility": "8.4.0"
  },
  "state": {
    "role_mappings": {
      "mock-idp-mapping": {
        "enabled": true,
        "role_templates": [
          {
            "format": "json",
            "template": "{\"source\":\"{{#tojson}}groups{{/tojson}}\"}"
          }
        ],
        "rules": {
          "all": [
            {
              "field": {
                "realm.name": "cloud-saml-kibana"
              }
            }
          ]
        }
      }
    }
  }
}

This file should be mounted into the ES container at the config/operator/settings.json path.
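To make the effect of the file-based mapping above concrete, here is an added example (not code from the Kibana repository or from the issue author): a small offline evaluator that loads a copy of the operator settings shown in the issue, applies the `rules` object to a user record, and renders the `{{#tojson}}groups{{/tojson}}` role template the way a `json`-format template resolves to role names. The user records and the `"version": "1"` value are constructed for this example; the evaluator only implements the rule forms (`all`, `any`, `except`, `field`) and the single tojson template form needed here, and omits wildcards and DN matching that the real Elasticsearch implementation also supports.

```python
"""Offline evaluator for an Elasticsearch file-based role mapping.

Added example, not Kibana or Elasticsearch code. It mirrors, in simplified
form, how an operator settings.json role mapping turns a SAML user's groups
into roles: rules are checked first, then each role template is rendered.
"""
import json
from typing import Any

# Constructed copy of the operator settings from the issue; the "version"
# value is a placeholder chosen for this example.
OPERATOR_SETTINGS = {
    "metadata": {"version": "1", "compatibility": "8.4.0"},
    "state": {
        "role_mappings": {
            "mock-idp-mapping": {
                "enabled": True,
                "role_templates": [
                    {
                        "format": "json",
                        "template": "{\"source\":\"{{#tojson}}groups{{/tojson}}\"}",
                    }
                ],
                "rules": {"all": [{"field": {"realm.name": "cloud-saml-kibana"}}]},
            }
        }
    },
}


def lookup(user: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'realm.name' against a user dict."""
    node: Any = user
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(rule: dict, user: dict) -> bool:
    """Evaluate a role-mapping rule object (all / any / except / field)."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        # Every listed field must match; a field matches when any actual
        # value equals any expected value (both sides may be lists).
        for name, expected in rule["field"].items():
            actual = lookup(user, name)
            actual_values = actual if isinstance(actual, list) else [actual]
            expected_values = expected if isinstance(expected, list) else [expected]
            if not any(a in expected_values for a in actual_values):
                return False
        return True
    raise ValueError(f"unsupported rule: {rule}")


def render_template(role_template: dict, user: dict) -> list[str]:
    """Render a role template; only {{#tojson}}<field>{{/tojson}} is supported."""
    script = json.loads(role_template["template"])  # stored-script object
    source = script["source"]
    prefix, suffix = "{{#tojson}}", "{{/tojson}}"
    if not (source.startswith(prefix) and source.endswith(suffix)):
        raise ValueError(f"unsupported mustache source: {source}")
    field = source[len(prefix):-len(suffix)]
    rendered = json.dumps(lookup(user, field) or [])
    if role_template.get("format") == "json":
        # A json-format template yields a JSON string or array of role names.
        roles = json.loads(rendered)
        return [str(r) for r in (roles if isinstance(roles, list) else [roles])]
    return [rendered]


def resolve_roles(settings: dict, user: dict) -> set[str]:
    """Collect roles from every enabled mapping whose rules match the user."""
    roles: set[str] = set()
    for mapping in settings["state"]["role_mappings"].values():
        if not mapping.get("enabled", False):
            continue
        if rule_matches(mapping["rules"], user):
            for tmpl in mapping.get("role_templates", []):
                roles.update(render_template(tmpl, user))
    return roles


# Constructed users: one authenticated through the mock SAML realm, one native.
SAML_USER = {
    "username": "elastic_serverless",
    "groups": ["viewer", "editor"],
    "realm": {"name": "cloud-saml-kibana"},
}
NATIVE_USER = {
    "username": "elastic",
    "groups": ["superuser"],
    "realm": {"name": "default_native"},
}

if __name__ == "__main__":
    print(sorted(resolve_roles(OPERATOR_SETTINGS, SAML_USER)))   # ['editor', 'viewer']
    print(sorted(resolve_roles(OPERATOR_SETTINGS, NATIVE_USER)))  # []
```

The two checks worth keeping from this are that a user from any realm other than `cloud-saml-kibana` gets no roles from the mapping, and that the roles a SAML user receives are exactly the group names the IDP asserts, so whatever groups the mock IDP is configured to emit is what ends up granted.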

elasticmachine commented 1 month ago

Pinging @elastic/kibana-operations (Team:Operations)

elasticmachine commented 1 month ago

Pinging @elastic/kibana-security (Team:Security)