
Support LimitedRole in idp role resolution#140536

Merged
tvernum merged 8 commits intoelastic:mainfrom
tvernum:idp/api-key-base-priv
Jan 16, 2026

Conversation

@tvernum (Contributor) commented Jan 13, 2026

The identity provider relies on GetUserPrivilegesAction to inform the decision about which roles should be assigned to a user in an outgoing SAML authentication Response message.

However GetUserPrivilegesAction could not handle the LimitedRole class which is used to represent the privileges of an API Key that has directly assigned roles in addition to its implied user roles.

In order to support such API Keys in the IdP plugin, GetUserPrivilegesRequest has been modified to optionally unwrap a LimitedRole into either its directly assigned role or implied limiting role.

The IdP plugin uses the limiting role which represents the original privileges of the owning user. The information extracted from this role is then fed into the HasPrivilegesAction to accurately determine which application privileges the API Key actually holds, and which SSO roles should be assigned in the outgoing SAML message.

Relates: #104026

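
As an added illustration (not code from this PR or from Elasticsearch), the following Python model shows why a LimitedRole has to be unwrapped before GetUserPrivilegesAction can report anything for it, and why the IdP takes its candidate list from the limiting (owner) role but confirms each privilege against the key's effective role before emitting an SSO role. The class and function names (Role, LimitedRole, get_user_privileges, has_privileges, resolve_sso_roles) are hypothetical stand-ins for the Java classes and actions named in the description, and the owner/key data is constructed.

```python
"""
Model of API-key privilege resolution with a limited role, as used by an
identity provider deciding which SSO roles to put in a SAML Response.

Added illustration for this page, not Elasticsearch code.  Role, LimitedRole,
get_user_privileges, has_privileges and resolve_sso_roles are hypothetical
stand-ins for the Java classes and actions named in the PR description; the
sample roles below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# One application-privilege grant: (application, privilege, resource).
Grant = tuple[str, str, str]


@dataclass(frozen=True)
class Role:
    """A plain role: the application privileges it grants."""
    name: str
    grants: frozenset

    def has_privilege(self, app: str, priv: str, resource: str) -> bool:
        return (app, priv, resource) in self.grants


@dataclass(frozen=True)
class LimitedRole:
    """
    Privileges of an API key created with its own role descriptors.

    `role` is what was assigned to the key; `limited_by` is the role of the
    owning user.  The key holds a privilege only if BOTH roles grant it, so
    the assigned role can never exceed the owner's.
    """
    role: Role
    limited_by: Role

    def has_privilege(self, app: str, priv: str, resource: str) -> bool:
        return (self.role.has_privilege(app, priv, resource)
                and self.limited_by.has_privilege(app, priv, resource))


def get_user_privileges(subject, unwrap: Optional[str] = None) -> frozenset:
    """
    Model of GetUserPrivilegesAction.

    A LimitedRole has no single privilege set to report, so without `unwrap`
    it is rejected (the pre-change failure).  With unwrap="role" or
    unwrap="limited_by" the chosen inner role is reported.  A plain Role
    ignores `unwrap`.
    """
    if isinstance(subject, Role):
        return subject.grants
    if not isinstance(subject, LimitedRole):
        raise TypeError(f"unsupported subject {type(subject).__name__}")
    if unwrap == "role":
        return subject.role.grants
    if unwrap == "limited_by":
        return subject.limited_by.grants
    raise ValueError("cannot report a LimitedRole without unwrapping it")


def has_privileges(subject, wanted) -> dict:
    """Model of HasPrivilegesAction: a yes/no per grant against the effective role."""
    return {g: subject.has_privilege(*g) for g in wanted}


def resolve_sso_roles(subject, sp_app: str, role_map: dict) -> list:
    """
    IdP role resolution for one service-provider application `sp_app`.

    `role_map` maps an application privilege to the SSO role it yields.
    Candidates come from the limiting (owner) role, the most the subject
    could hold; each is then confirmed against the key's effective role, so
    nothing the key itself lacks is emitted in the SAML Response.
    """
    candidates = get_user_privileges(subject, unwrap="limited_by")
    wanted = [g for g in candidates if g[0] == sp_app and g[1] in role_map]
    held = has_privileges(subject, wanted)
    return sorted({role_map[g[1]] for g, ok in held.items() if ok})


def rejects_without_unwrap(subject) -> bool:
    """True if reporting `subject` without unwrapping raises (pre-change behaviour)."""
    try:
        get_user_privileges(subject)
    except ValueError:
        return True
    return False


# Constructed sample data: the owner is admin or viewer on sp1 and viewer on sp2.
OWNER = Role("alice", frozenset({
    ("sp1", "sso:admin", "*"), ("sp1", "sso:viewer", "*"), ("sp2", "sso:viewer", "*"),
}))
# The key was created with a narrower role on sp1 and an over-broad one on sp2.
KEY_ROLE = Role("alice-ci-key", frozenset({
    ("sp1", "sso:viewer", "*"), ("sp2", "sso:admin", "*"),
}))
API_KEY = LimitedRole(role=KEY_ROLE, limited_by=OWNER)
SP_ROLE_MAP = {"sso:admin": "admin", "sso:viewer": "viewer"}

if __name__ == "__main__":
    print("owner on sp1:", resolve_sso_roles(OWNER, "sp1", SP_ROLE_MAP))    # ['admin', 'viewer']
    print("key on sp1:  ", resolve_sso_roles(API_KEY, "sp1", SP_ROLE_MAP))  # ['viewer']
    print("key on sp2:  ", resolve_sso_roles(API_KEY, "sp2", SP_ROLE_MAP))  # []
    print("rejected without unwrap:", rejects_without_unwrap(API_KEY))       # True
```

The sp2 case is the one worth noting: the key's own descriptor claims sso:admin there, but the owner never held it, so neither reading the assigned role alone nor reading the limiting role alone gives the right answer; only the effective (intersected) check does, which is why the candidate list from the limiting role is passed back through a has-privileges check rather than used directly.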
@tvernum tvernum requested review from a team, ebarlas and s-nel January 13, 2026 06:34
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jan 13, 2026
@elasticsearchmachine (Collaborator)

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine (Collaborator)

Hi @tvernum, I've created a changelog YAML for you.

@tvernum tvernum added the auto-backport Automatically create backport pull requests when merged label Jan 13, 2026
@ebarlas (Contributor) left a comment

LGTM with minor suggestion

@tvernum tvernum enabled auto-merge (squash) January 16, 2026 08:39
@tvernum tvernum merged commit aee453d into elastic:main Jan 16, 2026
41 checks passed
tvernum added a commit to tvernum/elasticsearch that referenced this pull request Jan 16, 2026
@elasticsearchmachine (Collaborator)

elasticsearchmachine commented Jan 16, 2026

tvernum added a commit to tvernum/elasticsearch that referenced this pull request Jan 19, 2026
Backport of: elastic#140536, elastic#140816
@tvernum tvernum added v9.3.1 and removed v9.3.0 labels Jan 19, 2026
elasticsearchmachine pushed a commit that referenced this pull request Jan 19, 2026
tvernum added a commit to tvernum/elasticsearch that referenced this pull request Jan 19, 2026
Backport of: elastic#140536, elastic#140816, elastic#140871
elasticsearchmachine pushed a commit that referenced this pull request Jan 21, 2026
Backport of: #140536, #140816, #140871
elasticsearchmachine pushed a commit that referenced this pull request Jan 21, 2026
Backport of: #140536, #140816
spinscale pushed a commit to spinscale/elasticsearch that referenced this pull request Jan 21, 2026

Labels

auto-backport (Automatically create backport pull requests when merged)
>enhancement
:Security/IdentityProvider (Identity Provider (SSO) project in X-Pack)
Team:Security (Meta label for security team)
v8.19.11
v9.2.5
v9.3.1
v9.4.0

3 participants