OpenDistro Security Plugin and Azure OpenID Connect

arunkumarsingh · May 21, 2021, 2:02pm

Hi All,

I have recently integrated OpenDistro Security with Azure AD using OpenID Connect following the documentation. When I map my user email with the specific role in role binding, everything works fine.

My problem is, I need to provide number of users to access Kibana and Elasticsearch using OIDC. Mapping individual users with specific role via role mapping does not seem very healthy approach. User information in case of Azure AD is mapped with graph URL. Is it any way possible we can map access using Azure AD groups. I am not able to find any documentation specific to this scenerio. Please anyone can help.

Thanks

Anthony · May 24, 2021, 9:00am

@arunkumarsingh
In AzureAD you should be able to assign groups to the users using “App roles”, this can then be extracted from JWT using below config.yml settings:

openid:
  ...
  config:
    openid_connect_url: ...
    subject_key: "preferred_username"
    roles_key: "roles"

These extracted roles will act as backend roles and need to be mapped to the correct roles in odfe using roles_mapping.yml file

Hope this helps

arunkumarsingh · May 28, 2021, 3:59pm

Thanks @Anthony. It really helps.

Topic		Replies	Views
Is it possible map the Roles for Azure-AD-groups Security configure , feature-request	5	709	November 11, 2022
Alternative Admin Role not mapping as expected Security	1	429	March 16, 2021
Create user with opendistro_security_roles - not creating any rolemapping Security	2	393	April 13, 2021
AD user admin role Security	3	1877	August 2, 2019
Index security (permissions) Security	2	2492	February 26, 2021

OpenDistro Security Plugin and Azure OpenID Connect

Related Topics