Conversation

@eedugon
Contributor

@eedugon eedugon commented Oct 16, 2025

A user shared some interesting suggestions in https://github.com/elastic/platform-docs-team/issues/553 (internal issue)

I've addressed two of them in this PR:

  • Added extra details of the usefulness of claims.name and claims.mail.
  • Added a tip for companies with large group memberships in Azure.

The following hasn't been included as I'm not sure where we could put this information, although it looks interesting also:

Debugging Best Practices:
Use Azure CLI to get an ID Token: az account get-access-token --query "accessToken" --output tsv
Decode the token and investigate the payload. The payload contains all the data that is relevant when logging in, e.g. the email as the principal id.

I haven't found a dedicated troubleshooting doc for security realms.

@jkakavas , would you review if the additions here are technically accurate and make sense to be added to the docs? Or let us know if we should ping someone else to review this small change.

Closes https://github.com/elastic/platform-docs-team/issues/553 (internal issue)
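The token inspection sketched in the description above (decode the token and read its payload), written out as an added example; it is not part of this PR, the Elastic docs, or any Elastic project code. It assumes you already hold a compact JWT obtained with the `az account get-access-token` command quoted above; the claim names it reads (`oid`, `sub`, `name`, `email`, `preferred_username`, `groups`) and the group-overage markers (`_claim_names`/`_claim_sources`, `hasgroups`) are assumptions taken from Microsoft's documented Entra ID token format rather than from this page, and both sample tokens are constructed inside the block so it runs offline. The decoder deliberately does not verify the signature: it is for looking at a token you fetched yourself while checking which claims the realm can map, and must never stand in for the verification Elasticsearch performs.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the JWT encoding stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims in a JWT payload WITHOUT checking its signature.

    Only for inspecting a token you obtained yourself while debugging a realm
    configuration; the result must not feed any authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize_claims(claims: dict) -> dict:
    """Pull out the claims an OIDC realm commonly maps and flag a group overage.

    The overage markers (_claim_names / _claim_sources, or hasgroups) are the
    ones Microsoft documents for Entra ID; they are assumptions here, not
    something this PR states.
    """
    groups = claims.get("groups", [])
    overage = not groups and (
        "_claim_names" in claims or claims.get("hasgroups") is True
    )
    return {
        "principal": claims.get("oid") or claims.get("sub"),
        "name": claims.get("name"),
        "mail": claims.get("email") or claims.get("preferred_username"),
        "groups": list(groups),
        "group_overage": overage,
    }


def _build_unsigned_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED demo token so the example runs offline.

    Real Entra ID tokens are signed; the empty third segment exists only so
    decode_jwt_payload() sees the expected three-part shape.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


# Constructed sample payloads (placeholder identifiers, not real tenant data).
NORMAL_TOKEN = _build_unsigned_token({
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "oid": "00000000-0000-0000-0000-000000000001",
    "name": "Alice Example",
    "email": "alice@example.com",
    "groups": ["00000000-0000-0000-0000-0000000000aa"],
})

# A user in more groups than the token can carry: no "groups" claim, only the
# overage markers telling the client to look the memberships up separately.
OVERAGE_TOKEN = _build_unsigned_token({
    "sub": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "oid": "00000000-0000-0000-0000-000000000002",
    "name": "Bob Example",
    "email": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/getMemberObjects"}},
})

if __name__ == "__main__":
    for label, tok in (("normal", NORMAL_TOKEN), ("overage", OVERAGE_TOKEN)):
        print(label, json.dumps(summarize_claims(decode_jwt_payload(tok)), indent=2))
```

Running it prints the mapped principal, name, mail and group list for the first token, and an empty group list with `group_overage: true` for the second, which is the situation the tip about large Azure group memberships addresses: when the `groups` claim is absent and the overage markers are present, a realm that maps roles from `claims.groups` will see no groups at all.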

@eedugon eedugon requested a review from a team as a code owner October 16, 2025 09:16
@eedugon eedugon requested a review from jkakavas October 16, 2025 09:20
Collaborator

@shainaraskas shainaraskas left a comment


couple small edits for ya

@eedugon
Contributor Author

eedugon commented Oct 17, 2025

Thanks @shainaraskas, we would need someone from security devs to review if these changes make sense.

And validate the troubleshooting suggestion that I'd prefer to add in a separate PR.

@eedugon eedugon requested review from a team and removed request for jkakavas October 17, 2025 11:35
@eedugon
Contributor Author

eedugon commented Oct 17, 2025

Asking in es-security for a quick review, per Ioannis' suggestion ;)

Contributor

@richard-dennehy richard-dennehy left a comment


Possibly out of scope for this change, but we have a very similar page explaining how to configure the SAML Realm for Entra ID that would benefit from a similar note about group overage.

https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/saml-entra

Also FYI, we have a plugin that uses Microsoft Graph to work around this exact issue. We'd prefer customers configured the list of groups as you've described here, but we had a customer who insisted that wasn't a reasonable option for them, so we built this plugin.

https://www.elastic.co/docs/reference/elasticsearch/plugins/ms-graph-authz

@eedugon
Contributor Author

eedugon commented Oct 18, 2025

@richard-dennehy , million thanks for your feedback and comments! I'll work something out, trying to:

Again, thanks for taking time on this!

@eedugon
Contributor Author

eedugon commented Oct 23, 2025

@richard-dennehy , I've applied all your suggestions, let us know if the text looks better now and if it's ok if we include the same admonition box in the SAML-Entra document.

Thanks a lot for your collaboration here, I think it now looks much better than the original version :)

@eedugon eedugon enabled auto-merge (squash) October 23, 2025 15:24
@eedugon eedugon changed the title OIDC clarifications and tip for Azure added OIDC and SAML clarifications for Azure Oct 23, 2025
@eedugon eedugon merged commit d9f3878 into main Oct 23, 2025
6 of 7 checks passed
@eedugon eedugon deleted the oidc_enhancement branch October 23, 2025 15:32