OIDC clarifications and tip for Azure added #3498
couple small edits for ya
deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md
deploy-manage/users-roles/cluster-or-deployment-auth/oidc-examples.md
Co-authored-by: shainaraskas <[email protected]>
Thanks @shainaraskas, we would need someone from security devs to review if these changes make sense. And validate the troubleshooting suggestion that I'd prefer to add in a separate PR.
Asking in es-security for a quick review, per Ioannis' suggestion ;)
Possibly out of scope for this change, but we have a very similar page explaining how to configure the SAML Realm for Entra ID that would benefit from a similar note about group overage.
https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/saml-entra
Also FYI, we have a plugin that uses Microsoft Graph to work around this exact issue. We'd prefer customers configured the list of groups as you've described here, but we had a customer who insisted that wasn't a reasonable option for them, so we built this plugin.
https://www.elastic.co/docs/reference/elasticsearch/plugins/ms-graph-authz
* `YOUR_DOMAIN` and `TLD` in the `claim_patterns.principal` regular expression are your organization email domain and top level domain.

::::{tip} for organizations with many group memberships
If you use [`claims.groups`](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md#oidc-user-properties) to map the list of Azure AD groups included in the ID token, users with a large number of group memberships might exceed the token size limit.
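Review bot: the last line of this hunk states the cause but not the effect: "might exceed the token size limit" should say what the operator will actually see, namely that the `groups` claim is omitted from the ID token, so a realm configured with `claims.groups` maps no groups for that user. The opening clause also overstates what the setting does: `claims.groups` only names the ID token claim that Elasticsearch reads the group list from (here `groups`); suggest "If you set `claims.groups` to the claim that carries the Azure AD group list, users with a large number of group memberships may receive an ID token with that claim omitted".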
I wonder if there's a different way to phrase the first part of this - all `claims.groups` does is tell Elasticsearch which JWT field contains the list of groups (in this case, it's just `groups`)
We may want to clarify that "exceed the token size limit" means "the groups claim will be omitted"
To avoid this, enable the **Groups assigned to the application** option in Azure Entra (**App registrations > Token configuration > Edit groups claim**). This limits the groups included in the ID token to those assigned to the application.

For more details, refer to [Configure group claims and app roles in tokens](https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles) in the Microsoft Security documentation.
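Review bot: the product name is inconsistent between this hunk and the previous one: the tip first says "Azure AD groups" and then "Azure Entra"; pick one name (the current one is Microsoft Entra ID) and use it in both sentences. The link on the last line points at the top of the Microsoft page, but the part that explains why the groups claim disappears is its group-overage subsection; link to that subsection directly so the reader lands on the relevant text.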
We could link directly to the relevant subsection https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles#group-overages
@richard-dennehy , million thanks for your feedback and comments! I'll work something out, trying to:
Again, thanks for taking time on this!
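As an added example, not part of this PR or of the Elastic docs, here is a small Python diagnostic for the two points discussed in the tip: what a realm configured with `claims.groups` actually sees in the ID token, and how a `claim_patterns.principal` regex with `YOUR_DOMAIN` and `TLD` filled in extracts the principal. It decodes a token payload without verifying the signature (diagnostic only, on a token you already trust), checks whether the `groups` claim is present, and otherwise looks for the `_claim_names` and `_claim_sources` overage indicators that Microsoft Entra ID emits in place of the groups list when a user is in too many groups (documented Microsoft behaviour, not stated on this page). The claim names `preferred_username` and `groups`, the domain `example.com`, and all three sample tokens are assumptions constructed for this example; the tokens are unsigned and are not real Entra output.

```python
import base64
import json
import re

# Microsoft Entra ID emits these two claims instead of "groups" when a user
# belongs to more groups than the token can carry (Microsoft's "group overage").
OVERAGE_CLAIMS = ("_claim_names", "_claim_sources")


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT checking the signature.

    Diagnostic use only, on a token you already trust (for example one captured
    from a session you own); never use this as an authentication step.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def inspect_groups(payload: dict, groups_claim: str = "groups") -> dict:
    """Report what a realm with claims.groups=<groups_claim> would map."""
    groups = payload.get(groups_claim)
    overage = [c for c in OVERAGE_CLAIMS if c in payload]
    if isinstance(groups, list):
        return {"status": "present", "groups": groups, "count": len(groups)}
    if overage:
        # Entra dropped the claim; only the overage indicators remain, so the
        # realm maps zero groups for this user.
        return {"status": "overage", "groups": [], "count": 0, "indicators": overage}
    return {"status": "missing", "groups": [], "count": 0}


def extract_principal(payload: dict, claim: str, pattern: str):
    """Mimic claim_patterns.principal: the first capture group becomes the principal.

    Elasticsearch compiles the pattern as a Java regex; Python's re is used here
    for illustration and behaves the same for the simple anchored pattern below.
    """
    value = payload.get(claim)
    if not isinstance(value, str):
        return None
    match = re.match(pattern, value)
    return match.group(1) if match else None


# Assumed realm settings (example values, not taken from the docs page):
PRINCIPAL_CLAIM = "preferred_username"
PRINCIPAL_PATTERN = r"^([^@]+)@example\.com$"   # YOUR_DOMAIN=example, TLD=com


def report(token: str) -> dict:
    """Principal plus group status for one ID token, as the realm would see them."""
    payload = decode_jwt_payload(token)
    result = {"principal": extract_principal(payload, PRINCIPAL_CLAIM, PRINCIPAL_PATTERN)}
    result.update(inspect_groups(payload))
    return result


def _constructed_token(payload: dict) -> str:
    """Build an UNSIGNED sample token. Constructed for this example; not an Entra token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed sample payloads: a user with a short group list, a user whose
# groups were replaced by the overage indicators (Graph URL is a placeholder),
# and a user from a domain the principal pattern must reject.
TOKEN_SMALL = _constructed_token({
    "preferred_username": "alice@example.com",
    "groups": ["11111111-aaaa-4bbb-8ccc-000000000001", "11111111-aaaa-4bbb-8ccc-000000000002"],
})
TOKEN_OVERAGE = _constructed_token({
    "preferred_username": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/bob-object-id/getMemberObjects"}},
})
TOKEN_OTHER_DOMAIN = _constructed_token({
    "preferred_username": "mallory@attacker.example",
    "groups": ["11111111-aaaa-4bbb-8ccc-000000000003"],
})

if __name__ == "__main__":
    for name, token in (("small", TOKEN_SMALL), ("overage", TOKEN_OVERAGE), ("other-domain", TOKEN_OTHER_DOMAIN)):
        print(name, report(token))
```

A token that comes back as `overage` is exactly the case the tip addresses: either restrict the emitted groups with the **Groups assigned to the application** option so the claim fits again, or, where that is not acceptable, use the Microsoft Graph based authorization plugin mentioned in the review above. A `missing` result with no overage indicators means the groups claim was never configured on the app registration at all.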
A user shared some interesting suggestions in https://github.com/elastic/platform-docs-team/issues/553 (internal issue)
I've addressed two of them in this PR: `claims.name` and `claims.mail`. The following hasn't been included as I'm not sure where we could put this information, although it looks interesting also:
I haven't found a dedicated troubleshooting doc for security realms.
@jkakavas , would you review if the addings here are technically accurate and make sense to be added to the docs? or let us know if we should ping someone else to review this small change.
Closes https://github.com/elastic/platform-docs-team/issues/553 (internal issue)