5 changes: 5 additions & 0 deletions x-pack/docs/en/security/authentication/saml-guide.asciidoc
@@ -308,6 +308,10 @@ principal:: _(Required)_
against this realm.
The `principal` appears in places such as the {es} audit logs.

NOTE: You can select to map the SAML `NamedID` value or any other SAML attribute value to the `principal` user
property. Keep in mind, however, that if a SAML attribute is mapped, the <<saml-logout, Single Logout>> functionality is
not available.

Contributor
Is this true? It shouldn't be.
We need to receive a NameID from the IdP, but I don't think we need to map it to principal.

Contributor Author
You're right, I jumped the gun on this without looking at the code closely

groups:: _(Recommended)_
If you wish to use your IdP's concept of groups or roles as the basis for a
user's {es} privileges, you should map them with this attribute.
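Review bot: the second sentence of the added NOTE ("if a SAML attribute is mapped, the Single Logout functionality is not available") is disputed in the thread above and does not match the second hunk of this change, which only requires that the IdP releases a NameID in the subject of the assertion, not that the NameID be mapped to `principal`; suggest dropping that sentence or rewording it along the lines of "Single Logout requires that the IdP releases a NameID in the subject of the assertion, regardless of which attribute is mapped to `principal`" (wording is a suggestion, to be confirmed against the realm code as the author intended). Two smaller points on the same lines: `NamedID` should read `NameID`, the term used elsewhere in this guide, and "You can select to map" reads better as "You can choose to map".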
@@ -402,6 +406,7 @@ services it offers.
By default the Elastic Stack will support SAML SLO if the following are true:

- Your IdP metadata specifies that the IdP offers a SLO service
- Your IdP releases a NameID in the subject of the SAML assertion that it issues for your users
- You configure `sp.logout`
- The setting `idp.use_single_logout` is not `false`
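Review bot: the new bullet ("Your IdP releases a NameID in the subject of the SAML assertion that it issues for your users") states the requirement but not its consequence; since the list is introduced with "will support SAML SLO if the following are true", consider adding that SLO is not offered for a session whose assertion carries no NameID, so the reader knows why this item is here and is not left to the NOTE earlier in the file, which currently ties SLO to the `principal` mapping instead. While here, "a SLO service" in the surrounding context line reads better as "an SLO service".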
