From eee6a260a5408a566a7badfa27caa5255484ad2f Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 10 Sep 2025 14:40:21 -0400 Subject: [PATCH 1/4] role mapping verification --- .../configure-saml-authentication.md | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md index 6a541e5d59..9b884fe5c7 100644 --- a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md +++ b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md 
@@ -51,9 +51,14 @@ Before you configure SAML SSO, familiarize yourself with the following risks and * Actions taken on the IdP are not automatically reflected in {{ecloud}}. For example, if you remove a user from your IdP, they are not removed from the {{ecloud}} organization and their active sessions are not invalidated. - To immediately revoke a user’s active sessions, an organization owner must [remove the user from the {{ecloud}} organization](https://cloud.elastic.co/account/members) or remove their assigned roles. + To immediately revoke a user’s active sessions, an [Organization owner](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_organization_level_roles) must [remove the user from the {{ecloud}} organization](https://cloud.elastic.co/account/members) or remove their assigned roles. * If you enforce SSO authentication, you can be locked out of {{ecloud}} if your IdP is unavailable or misconfigured. You might need to work with Elastic Support to regain access to your account. To avoid being locked out, you should maintain and store an [{{ecloud}} API key](../../api-keys/elastic-cloud-api-keys.md#ec-api-keys) with organization owner level privileges so that an administrator can disable enforcement in an emergency. + + :::{note} + To further ensure continuous access to and control over your organization settings, {{ecloud}} [verifies](#role-mapping-verification) that organization owner access is maintained when a role mapping is created, edited, or deleted. + ::: + * If you do not enforce SSO authentication, users can still log in without authenticating with your IdP. You need to manage these users in {{ecloud}}. * {{ecloud}} passwords are invalidated each time a user logs in using SSO. If a user needs sign in with their email and password again, they need to [change their password](../../../cloud-account/change-your-password.md). * Role mappings only take effect when your organization’s members authenticate using SSO. 
If SSO authentication is not enforced, users might have roles that are inconsistent with the role mapping when they log in using other methods. @@ -157,6 +162,8 @@ After you register the IdP in {{ecloud}} and configure your IdP, you can test au Users who are not a member of the {{ecloud}} organization can authenticate with your IdP to automatically create an {{ecloud}} account provided that their email matches the claimed domain. +To guarantee ongoing access to the organization, you can also run a [role mapping verification](#role-mapping-verification) when you add, edit, or delete role mappings that impact the organization owner role. + ## Enforce SSO [enforce-sso] 
@@ -203,13 +210,14 @@ curl -XPUT \ To automate [role](user-roles.md) assignments to your {{ecloud}} organization’s members, you can use role mappings. Role mappings map groups returned by your IdP in the `groups` SAML attribute to one or more {{ecloud}} roles. The mapping will be evaluated and the applicable roles will be assigned each time your organization’s members log into {{ecloud}} using SSO. +To ensure continuous access and control over your organization settings, the first role mapping of your SAML SSO configuration must include the **Organization owner** role. + ::::{note} * If [SSO enforcement](#enforce-sso) is not enabled, user roles might not be consistent with your role mapping and additional manual role assignment might be needed. Roles manually assigned using the {{ecloud}} Console are overwritten by the role mapping when the user logs in using SSO. * If the `groups` attribute is not included in the SAML response, the user will keep whatever groups they were last assigned by the IdP. If you want to remove all groups for a user as part of an offboarding process, instead unassign the user from the {{ecloud}} application. :::: - -To configure role mappings: +### Create a role mapping 1. Open your organization’s [**Security**](https://cloud.elastic.co/account/idp) tab. 2. In the **Role mappings** section, click **Create role mapping**. 
@@ -221,8 +229,18 @@ To configure role mappings: 2. Add group name or names that the member must have in their SAML assertion to be assigned the role. Use the wildcard character `*` to specify group name patterns. Wildcards will match 0 or more characters. +6. If your role mapping contains the Organization owner role, then click **Run test** to run role mapping verification. +7. Click **Save** to save the role mapping. + +### Role mapping verification + +To ensure continuous access to and control over your organization settings, a user must always be granted the Organization owner role through a valid role mapping. + +To validate that access is maintained, each time a role mapping that impacts the Organization owner role is created, edited, or deleted, {{ecloud}} verifies that the current user's IdP groups map them to the Organization owner role. +If you're logged in to {{ecloud}} through a method other than SAML SSO, then you're prompted to log in through their IdP as part of the verification process. +This verification does not validate the role mapping. It only validates that you, as the currently logged in user, will continue to belong to the Organization owner role after the change is made. ## Disable SSO [ec_disable_sso] From fd22ecf2c54b3810ade5fb17ded23538048cde1f Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 10 Sep 2025 14:40:48 -0400 Subject: [PATCH 2/4] role mapping verification --- .../cloud-organization/configure-saml-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md index 9b884fe5c7..22bd65be90 100644 --- a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md +++ b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md 
@@ -162,7 +162,7 @@ After you register the IdP in {{ecloud}} and configure your IdP, you can test au Users who are not a member of the {{ecloud}} organization can authenticate with your IdP to automatically create an {{ecloud}} account provided that their email matches the claimed domain. -To guarantee ongoing access to the organization, you can also run a [role mapping verification](#role-mapping-verification) when you add, edit, or delete role mappings that impact the organization owner role. +To guarantee ongoing access to the organization, you can also run a [role mapping verification](#role-mapping-verification) when you add, edit, or delete [role mappings](#role-mappings) that impact the organization owner role. ## Enforce SSO [enforce-sso] From c6f26cbae8b327b801e898bbc0cd58bd24d5fe66 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Wed, 10 Sep 2025 15:16:51 -0400 Subject: [PATCH 3/4] self edit --- .../configure-saml-authentication.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md index 22bd65be90..e90403d257 100644 --- a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md +++ b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md 
@@ -232,15 +232,27 @@ To ensure continuous access and control over your organization settings, the fir 6. If your role mapping contains the Organization owner role, then click **Run test** to run role mapping verification. 7. Click **Save** to save the role mapping. -### Role mapping verification +### Verify Organization owner access [role-mapping-verification] -To ensure continuous access to and control over your organization settings, a user must always be granted the Organization owner role through a valid role mapping. +To maintain uninterrupted control over your organization settings, at least one user must always be granted the Organization owner role through a valid role mapping. -To validate that access is maintained, each time a role mapping that impacts the Organization owner role is created, edited, or deleted, {{ecloud}} verifies that the current user's IdP groups map them to the Organization owner role. +Whenever a role mapping that affects the Organization owner role is created, updated, or deleted, {{ecloud}} verifies whether your current IdP groups will still grant you the Organization owner role after the change. -If you're logged in to {{ecloud}} through a method other than SAML SSO, then you're prompted to log in through their IdP as part of the verification process. +This verification does not confirm that the role mapping is correct. It only confirms that you, as the currently logged in user, will continue to belong to the Organization owner role after the change. -This verification does not validate the role mapping. It only validates that you, as the currently logged in user, will continue to belong to the Organization owner role after the change is made. +* **When creating or editing a role mapping:** + + Click **Run test** to verify your access. A success or failure message appears, showing the SAML response and your currently mapped roles. If verification succeeds, you can save the role mapping. 
+ +* **When deleting a role mapping:** + + Your currently mapped roles are verified after you click **Delete**. If verification succeeds, the role mapping is deleted. If verification fails, a failure message is shown that includes the SAML response and your currently mapped roles, and the mapping is not deleted. + +If you're logged in to {{ecloud}} through a method other than SAML SSO, then you're prompted to sign in through your IdP as part of the verification process. + +:::{{note}} +{{ecloud}} runs this check against your IdP groups because you are already an Organization owner and making the change. However, to maintain access, the requirement is that at least one Organization owner is assigned the role through a valid role mapping at all times. +::: ## Disable SSO [ec_disable_sso] From 5ae860c4a1d71fe4544662ecfce5cde82126f927 Mon Sep 17 00:00:00 2001 From: shainaraskas Date: Thu, 11 Sep 2025 10:44:57 -0400 Subject: [PATCH 4/4] dev feedback --- .../cloud-organization/configure-saml-authentication.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md index e90403d257..56f30b7918 100644 --- a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md +++ b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md 
@@ -212,6 +212,8 @@ To automate [role](user-roles.md) assignments to your {{ecloud}} organization’ To ensure continuous access and control over your organization settings, the first role mapping of your SAML SSO configuration must include the **Organization owner** role. +To allow for role mapping verification, SSO must be configured and enabled for you to create role mappings. + ::::{note} * If [SSO enforcement](#enforce-sso) is not enabled, user roles might not be consistent with your role mapping and additional manual role assignment might be needed. Roles manually assigned using the {{ecloud}} Console are overwritten by the role mapping when the user logs in using SSO. * If the `groups` attribute is not included in the SAML response, the user will keep whatever groups they were last assigned by the IdP. If you want to remove all groups for a user as part of an offboarding process, instead unassign the user from the {{ecloud}} application.
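Review bot: In patch 1, hunk @@ -51, the new `[Organization owner](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_organization_level_roles)` link uses an absolute path while every other link in this file is relative (`../../api-keys/elastic-cloud-api-keys.md#ec-api-keys`, `../../../cloud-account/change-your-password.md`, and `user-roles.md` in the role mappings intro). Use `user-roles.md#ec_organization_level_roles` for consistency. Drive-by in the unchanged context of the same hunk: "If a user needs sign in with their email" is missing "to".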
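Review bot: In patch 1, hunk @@ -203, replacing the two removed lines with `### Create a role mapping` leaves the heading directly under the closing `::::` of the note with no blank line between them, while the rest of the file keeps a blank line before headings (see the blank line added ahead of `## Enforce SSO [enforce-sso]` in hunk @@ -157). Keep one of the removed blank lines, and consider giving the new heading an explicit label like the neighbouring `[enforce-sso]` and `[ec_disable_sso]` headings so it can be linked.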
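Review bot: In patch 1, hunk @@ -221, step 6 triggers the test only "If your role mapping contains the Organization owner role", but the verification section in the same hunk says the check runs whenever a mapping that "impacts" that role is created, edited, or deleted. Editing an existing mapping to remove the Organization owner role affects owner access even though the mapping no longer contains the role, so the condition in step 6 should match ("affects" rather than "contains"). Steps 6 and 7 also read as though saving is independent of the test result; if saving is gated on a successful verification, say so in step 7, for example "Click **Save**. You can save only after the verification succeeds."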
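Review bot: In patch 2, hunk @@ -162, "you can also run a role mapping verification" presents the check as optional, whereas the verification section states that {{ecloud}} verifies access whenever an affecting mapping is created, updated, or deleted. Rephrase to "{{ecloud}} also runs a [role mapping verification](#role-mapping-verification) when you ..." so the two passages agree. The new `#role-mappings` anchor target is not visible in this diff; confirm the role mappings heading carries that explicit label (the file uses `[enforce-sso]`-style labels rather than relying on generated anchors).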
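Review bot: In patch 3, hunk @@ -232, the added `:::{{note}}` uses double braces; the directive syntax used everywhere else in this file is `:::{note}` / `::::{note}`, and double braces are the substitution syntax (`{{ecloud}}`), so this block will not render as a note. Change it to `:::{note}`. In the same hunk, the "When creating or editing a role mapping" bullet says only "If verification succeeds, you can save the role mapping" and, unlike the delete bullet, does not state what happens on failure; add a sentence saying whether **Save** is blocked until the test passes.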
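Review bot: In patch 4, hunk @@ -212, "SSO must be configured and enabled for you to create role mappings" is ambiguous in a page that treats [SSO enforcement](#enforce-sso) as a separate setting: state whether "enabled" means the SAML configuration is active or that enforcement is turned on, and link to the relevant section. The sentence also stacks two purpose clauses ("To allow for ... for you to create"); something like "Role mapping verification requires a working SAML SSO configuration, so you must configure SSO before you can create role mappings" reads more directly.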