Description
Our SAML realm has a setting attribute.groups that tells the realm which SAML attribute contains the list of "groups" that the user belongs to.
(Note: "groups" here is a generic term, carried over from the LDAP realm. The SAML IdP might refer to this attribute as "roles" or "teams" or something else entirely).
Because SAML supports multi-valued attributes (example below) we assume that each group will be listed as a distinct value.
```xml
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
  <saml:AttributeValue>engineering</saml:AttributeValue>
  <saml:AttributeValue>elasticsearch-admins</saml:AttributeValue>
  <saml:AttributeValue>employees</saml:AttributeValue>
</saml:Attribute>
```

However, it appears some IdPs are incapable of sending the groups list as a list of values and will only ever send it as a comma separated string.
```xml
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
  <saml:AttributeValue>engineering,elasticsearch-admins,employees</saml:AttributeValue>
</saml:Attribute>
```

We currently require that the cluster security admin create a regex based role mapping rule to match on something like `^(.*,)?elasticsearch-admins(,.*)?$`, which is non-obvious, cumbersome and error-prone.
An alternative would be to add a setting like `attribute.groups_split: ","` to automatically split a comma separated string into a real list.
This would be a reflection that real world IdPs don't always do a good job of conforming with the intent of the SAML spec, and our need to work within their limitations.
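The following is an added illustration of the two attribute shapes and the two mapping approaches discussed above; it is not code from the issue or from Elasticsearch. It models a role-mapping check as a simple predicate over the extracted group list (not the real role-mapping rule syntax), and the `delimiter` parameter stands in for the proposed `attribute.groups_split` behaviour, which is assumed here. The sample attributes are constructed, with an `xmlns:saml` declaration added so they parse stand-alone.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed samples modelled on the issue: one spec-conformant multi-valued
# attribute, one comma-joined single value, and a variant with spaces after
# the commas, which some IdPs also emit.
MULTI_VALUED = """
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
  <saml:AttributeValue>engineering</saml:AttributeValue>
  <saml:AttributeValue>elasticsearch-admins</saml:AttributeValue>
  <saml:AttributeValue>employees</saml:AttributeValue>
</saml:Attribute>
"""

COMMA_JOINED = """
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
  <saml:AttributeValue>engineering,elasticsearch-admins,employees</saml:AttributeValue>
</saml:Attribute>
"""

COMMA_SPACE_JOINED = """
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
    Name="http://idp.example.org/attributes/groups" FriendlyName="groups">
  <saml:AttributeValue>engineering, elasticsearch-admins, employees</saml:AttributeValue>
</saml:Attribute>
"""


def attribute_values(xml_text: str, delimiter: Optional[str] = None) -> List[str]:
    """Return the group list carried by one <saml:Attribute>.

    delimiter=None: every <AttributeValue> is one group, as the SAML spec intends.
    delimiter=",":  each value is additionally split on the delimiter and
                    whitespace-trimmed (the assumed attribute.groups_split semantics).
    """
    root = ET.fromstring(xml_text.strip())
    raw = [v.text or "" for v in root.findall("saml:AttributeValue", SAML_NS)]
    if delimiter is None:
        return raw
    return [p.strip() for v in raw for p in v.split(delimiter) if p.strip()]


# A role-mapping rule, reduced to a predicate over the extracted group list.
Rule = Callable[[List[str]], bool]


def exact_group(group: str) -> Rule:
    """Mapped iff `group` is one of the values (the natural rule)."""
    return lambda groups: group in groups


def regex_group(pattern: str) -> Rule:
    """Mapped iff any value matches `pattern` (the workaround the issue describes)."""
    rx = re.compile(pattern)
    return lambda groups: any(rx.match(g) for g in groups)


ADMIN_EXACT = exact_group("elasticsearch-admins")
ADMIN_REGEX = regex_group(r"^(.*,)?elasticsearch-admins(,.*)?$")


def mapping_outcomes() -> Dict[str, bool]:
    """Whether an admin would be mapped under each attribute shape and rule."""
    return {
        "multi_valued_exact": ADMIN_EXACT(attribute_values(MULTI_VALUED)),
        "comma_exact": ADMIN_EXACT(attribute_values(COMMA_JOINED)),
        "comma_regex": ADMIN_REGEX(attribute_values(COMMA_JOINED)),
        "comma_split_exact": ADMIN_EXACT(attribute_values(COMMA_JOINED, ",")),
        "comma_space_regex": ADMIN_REGEX(attribute_values(COMMA_SPACE_JOINED)),
        "comma_space_split_exact": ADMIN_EXACT(attribute_values(COMMA_SPACE_JOINED, ",")),
    }


if __name__ == "__main__":
    for name, mapped in mapping_outcomes().items():
        print(f"{name:26s} mapped={mapped}")
```

Two things fall out of running this. The exact rule silently fails on the comma-joined value (the whole string `engineering,elasticsearch-admins,employees` is compared as one group), which is why the regex workaround exists. The regex itself also fails as soon as the IdP puts a space after each comma, while splitting on the delimiter and trimming recovers a clean list in both cases, so a split setting removes a whole class of mapping rules that look right but never match.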