We have a SecOps instance that is part of Security Command Center Enterprise.
Google Workspace is the only identity provider used.
We are trying to create a view-only custom role that would allow certain (external) personnel to access the SecOps instance in a limited way.
We have followed this documentation:
https://docs.cloud.google.com/chronicle/docs/onboard/configure-feature-access#custom-role
The external group we want to authorize has the following roles granted at the org-level:
- Chronicle API Viewer
- Chronicle Service Viewer
- Chronicle SOAR Viewer (our new custom role)
- Security Auditor
- Security Center Admin Viewer
Additionally, under IAM Role Mapping in the SecOps SOAR settings, the new custom role was added with:
- IAM Role: Chronicle SOAR Viewer
- Permission Groups: View-Only
- SOC Roles: Administrator
- Group Members: The external e-mail group we want to grant access to (also belonging to a Google Workspace organization)
Yet when accessing the SecOps instance (<...>.backstory.chronicle.security), personnel that are part of this group are getting this error message:
An error occurred during authentication. Please try again.
Could not find any matching group mappings for the user in SOAR. Please set up Group mapping for the IDP / User Email Groups. Instructions: Learn more
{
"aud": "<REDACTED_AUD>.siemplify-soar.com",
"email": "<REDACTED_EMAIL_ADDRESS>",
"family_name": "<REDACTED>",
"given_name": "<REDACTED>",
"idp_groups": "<REDACTED_EMAIL_ADDRESS>",
"iss": "<REDACTED_SA_MAIL_ADDRESS>",
"sub": "<REDACTED_EMAIL_ADDRESS>"
}
Obviously idp_groups looks incorrect, as the JWT, I would assume, should include the groups that the person is part of - I don't see who would be able to influence this, or how, though.
Any ideas?
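As an added diagnostic example (not part of the original post, and not Google's or SOAR's own matching code): the script below decodes the payload of a token like the one shown above, normalizes the idp_groups claim, and compares it against the IAM Role Mapping entries configured in SOAR. The matching rule (a mapping applies when one of its Group Members appears in idp_groups) is an assumption made for illustration; the sample token, e-mail addresses and group names are constructed placeholders. The point it surfaces is the one in the post: when idp_groups carries only the user's own address rather than a group address, no mapping can match.

```python
import base64
import json

# Constructed sample payload mirroring the shape of the token in the post.
# Note that idp_groups is a bare string holding the user's own address, not a group.
SAMPLE_PAYLOAD = {
    "aud": "example-tenant.siemplify-soar.com",
    "email": "analyst@external.example",
    "family_name": "Doe",
    "given_name": "Jane",
    "idp_groups": "analyst@external.example",
    "iss": "sa@example.iam.gserviceaccount.com",
    "sub": "analyst@external.example",
}

# Constructed IAM Role Mapping entries, as they would be configured in SOAR settings.
SAMPLE_MAPPINGS = [
    {
        "iam_role": "Chronicle SOAR Viewer",
        "permission_group": "View-Only",
        "soc_role": "Administrator",
        "group_members": ["secops-viewers@external.example"],
    },
]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build header.payload.signature with an empty signature, for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Signature is NOT verified; this is for reading, not trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(body))


def normalize_groups(claim) -> set:
    """idp_groups may be missing, a list, or a (comma-separated) string; return a lower-cased set."""
    if claim is None:
        return set()
    if isinstance(claim, str):
        return {g.strip().lower() for g in claim.split(",") if g.strip()}
    return {str(g).strip().lower() for g in claim}


def match_group_mappings(claims: dict, mappings: list) -> dict:
    """Assumed rule: a mapping matches when any of its group_members appears in idp_groups."""
    groups = normalize_groups(claims.get("idp_groups"))
    email = str(claims.get("email", "")).lower()
    matched = [
        m["iam_role"]
        for m in mappings
        if any(g.lower() in groups for g in m["group_members"])
    ]
    return {
        "groups_seen": sorted(groups),
        "matched_roles": matched,
        # The failure mode from the post: the claim names the user, not a group.
        "groups_is_only_user_email": groups == {email} and bool(email),
    }


def diagnose(token: str, mappings: list) -> dict:
    return match_group_mappings(decode_claims(token), mappings)


if __name__ == "__main__":
    print(json.dumps(diagnose(make_unsigned_jwt(SAMPLE_PAYLOAD), SAMPLE_MAPPINGS), indent=2))
```

Run it against the actual token (with the real mapping list) to see which group addresses SOAR is receiving; if groups_is_only_user_email is true, the problem sits upstream in what the identity provider puts into idp_groups, not in the SOAR role mapping itself.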
