Wazuh SSO Admin and Readonly Group


Amin

5:13 AM
to Wazuh | Mailing List
I have configured SAML and everything is working. Now I want to create an admin and read-only group that has this permission on Wazuh. Unfortunately, I am having problems with this.

The admin group is working so far, but I am having a lot of problems with the read-only group. I followed the instructions and did the following (I have a Kubernetes environment).

I registered the Azure app and created the following roles: "wazuh_admin" and "wazuh_readonly". I configured SAML (which works) and, as the roles claim, Roles -> user.assignedroles.

Created a dashboard config map with the following content:

#######################################################
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
#######################################################


config.yml adjusted (indexer security config via securityadmin.sh) with the following content:
#######################################################
authc:
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_url: "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>"
          entity_id: "https://sts.windows.net/<tenant-id>/"
        sp:
          entity_id: "wazuh-saml"
        kibana_url: "https://wazuhfqdn.tld"
        roles_key: "Roles"
        exchange_key: "<random-key>"
    authentication_backend:
      type: noop
#######################################################

and roles_mapping.yml created (indexer via securityadmin.sh or API) with the following content:

#######################################################
all_access:
  backend_roles:
    - "admin"
    - "wazuh_admin"   # Azure App Role VALUE

kibana_user:
  backend_roles:
    - "wazuh_admin"
    - "wazuh_readonly"

readall:
  backend_roles:
    - "wazuh_readonly"
#######################################################

And in Server Management -> Security -> Roles mapping -> Mapping for readonly: backend_roles wazuh_readonly -> Role readonly.

The problem is that users in the read-only group have full access. Does someone have a good idea?

Thanks a lot!
Amin 


musbau....@wazuh.com

6:13 AM
to Wazuh | Mailing List
Hi Amin,

I’ve reviewed the configuration, and the issue is not with SAML authentication itself as you've shown it works fine, but with role mapping and permission inheritance in OpenSearch used by Wazuh.

The read-only users are unintentionally inheriting full access due to overlapping role mappings.

You currently have this setup:


all_access:
  backend_roles:
    - admin
    - wazuh_admin

kibana_user:
  backend_roles:
    - wazuh_admin
    - wazuh_readonly


The problem is the kibana_user role.

kibana_user is a highly permissive base role, not a read-only role. In Wazuh Dashboards, this role allows significantly more than read-only access. When combined with Wazuh’s internal dashboard permissions, kibana_user + readall effectively results in admin-like UI access. Even though wazuh_readonly is mapped to a read-only role, the same users are also mapped to kibana_user, which grants broader permissions.

In OpenSearch, roles are additive and there is no deny or override mechanism, meaning a user’s effective permissions are the union of all roles assigned to them. As a result, the most permissive role always takes precedence, and if a user has even a single role that allows write access, they will be able to perform write actions. This is why users assigned to the read-only group can still end up with full access.

I would advise that you remove kibana_user from read-only users. Do not map kibana_user to wazuh_readonly.

Update roles_mapping.yml to:

all_access:
  backend_roles:
    - wazuh_admin

readall:
  backend_roles:
    - wazuh_readonly

You should also review and confirm Wazuh's built-in read-only dashboard role. In Wazuh Server Management → Security → Roles, confirm that a readonly role exists with read-only index permissions and no write or management permissions.

Then map:

readonly:
  backend_roles:
    - wazuh_readonly

Please also confirm the following on the Azure side: users are assigned only one App Role, either
- wazuh_admin or
- wazuh_readonly
with no group nesting that assigns both roles. The App Role value (not the display name) matches exactly:
- wazuh_admin
- wazuh_readonly

Once kibana_user is removed from the read-only mappings, the excessive permissions should be resolved.

Kind regards,
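To check a roles_mapping.yml for exactly this kind of additive overlap before pushing it with securityadmin.sh, here is an added Python example (not from the thread or the Wazuh project). It inverts the mapping to get, per backend role, the union of OpenSearch roles it receives, and flags read-only backend roles that also inherit kibana_user or all_access; the parser handles only the flat shape shown in the thread, and the two inputs are constructed from the question's mapping and the reply's corrected one.

```python
from collections import defaultdict
# Roles the reply says grant more than read-only access (assumption: extend for your deployment).
NOT_READONLY = {"all_access", "kibana_user"}

def parse_roles_mapping(text):
    """{opensearch_role: [backend_roles]} from the flat roles_mapping.yml shape in the thread."""
    mapping, role, in_backend = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if indent == 0 and item.endswith(":"):   # new role block
            role, in_backend = item[:-1], False
            mapping[role] = []
        elif item == "backend_roles:":
            in_backend = True
        elif in_backend and item.startswith("- "):
            mapping[role].append(item[2:].strip().strip("\"'"))
        else:                                    # users:, hosts:, reserved:, ...
            in_backend = False
    return mapping

def effective_roles(mapping):
    """Invert: backend role -> set of OpenSearch roles (permissions are additive, never subtractive)."""
    eff = defaultdict(set)
    for os_role, backends in mapping.items():
        for backend in backends:
            eff[backend].add(os_role)
    return eff

def overprivileged(text, readonly_backend_roles):
    """Read-only backend roles that still inherit a role outside read-only."""
    eff = effective_roles(parse_roles_mapping(text))
    return {b: sorted(eff[b] & NOT_READONLY) for b in readonly_backend_roles if eff[b] & NOT_READONLY}

# Constructed inputs: the mapping from the question and the reply's corrected one.
ORIGINAL = """all_access:
  backend_roles:
    - "wazuh_admin"   # Azure App Role VALUE
kibana_user:
  backend_roles:
    - "wazuh_admin"
    - "wazuh_readonly"
readall:
  backend_roles:
    - "wazuh_readonly"
"""
FIXED = "all_access:\n  backend_roles:\n    - wazuh_admin\nreadall:\n  backend_roles:\n    - wazuh_readonly\nreadonly:\n  backend_roles:\n    - wazuh_readonly\n"
```

Running overprivileged(ORIGINAL, ["wazuh_readonly"]) reports kibana_user as the leaked role, while the corrected mapping reports nothing.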