Azure idp SAML session expiration and how to decipher: security_authentication_saml1, security_authentication

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.12.0

Describe the issue:
Is this Azure idp SAML expiration resolved in new OS? I’m using version 2.12.0 and Azure idp SAML, with SSO the session gets expired after some time and needs log in. This is my dashboard.yml:

opensearch_security.cookie.ttl: 604800000
opensearch_security.session.ttl: 604800000
opensearch_security.session.keepalive: true

and in security config.yml file for saml_auth_domain, sp section I set:
sp:
  forceAuthn: false

what should I do to extend session expiration to avoid relogin?

besides that can anyone help me how to decipher the security_authentication_saml1, security_authentication token (btw I do not want to use the log for seeing inside the token, I already did it), as far as I know OS changes the SAML response to a light weight jwt and encrypts it with the exchange_key, but I could not decipher it with the following python script:

```python
import base64
import hashlib
import hmac
import json


def base64_url_decode(input):
    # Restore the padding that base64url strips; (-len) % 4 adds 0 to 3 '=' characters
    input += '=' * (-len(input) % 4)
    return base64.urlsafe_b64decode(input)


def decode_jwt(token, key):
    # Expects a compact JWS (header.payload.signature) signed with HMAC-SHA256
    try:
        header_b64, payload_b64, signature_b64 = token.split('.')
        header = json.loads(base64_url_decode(header_b64).decode('utf-8'))
        payload = json.loads(base64_url_decode(payload_b64).decode('utf-8'))

        message = f"{header_b64}.{payload_b64}".encode('utf-8')
        expected_signature = base64_url_decode(signature_b64)
        computed_signature = hmac.new(key.encode('utf-8'), message, hashlib.sha256).digest()

        if not hmac.compare_digest(expected_signature, computed_signature):
            raise ValueError("Invalid token signature")

        return payload

    except Exception as e:
        print("Error decoding the token:", str(e))
        return None


exchange_key = "...=="
token = "Fe26.2**c8ab634f300f834bc5db597554f904ca2117fdbff85afa1bff2bac1290ab779e*pL-KTe0QtxtJGjN5FSLbMw*X2s..."

decrypted_message = decode_jwt(token, exchange_key)
if decrypted_message:
    print("Decrypted message:", json.dumps(decrypted_message, indent=2))
else:
    print("Failed to decode the token.")
```
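The `Fe26.2**` prefix on the pasted value is the envelope format of hapi's iron, which the Dashboards server uses to seal the session cookie with `opensearch_security.cookie.password`; it is not a compact JWT, and the exchange_key (used by the security plugin to sign the JWT that replaces the SAML response) is not the cookie password. The example below is added here and is not code from the plugin or from the original post: it parses the iron envelope without unsealing it (reporting the expiration field, which is empty when only cookie.ttl governs lifetime) and, for comparison, reads the unverified claims of a compact JWT. The field layout follows iron's documented seal format and the two sample values are constructed, not real cookies.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def inspect_session_cookie(value: str) -> dict:
    """Classify a session cookie value and report what it reveals about expiry.

    iron envelope: Fe26.2*<password id>*<enc salt>*<iv>*<ciphertext>*<expiration ms>*<mac salt>*<mac>
    The payload can only be read with the cookie password; this only parses the envelope.
    """
    if value.startswith("Fe26.2*"):
        parts = value.split("*")
        if len(parts) != 8:
            raise ValueError("malformed iron envelope: expected 8 '*'-separated fields")
        _, password_id, _enc_salt, _iv, ciphertext, expiration, _mac_salt, _mac = parts
        return {
            "format": "iron",
            "password_id": password_id or None,
            # An empty field means iron's own ttl was not set; cookie.ttl then governs lifetime.
            "expires_at_ms": int(expiration) if expiration else None,
            "ciphertext_bytes": len(_b64url_decode(ciphertext)),
        }
    parts = value.split(".")
    if len(parts) == 3:
        # Compact JWS: header.payload.signature. Claims are read unverified; exp is epoch seconds.
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        return {"format": "jwt", "alg": header.get("alg"), "exp": payload.get("exp"), "claims": payload}
    raise ValueError("unrecognised token format")

# Constructed samples (not real cookies): a JWT with an exp claim and an iron envelope
# that mirrors the field layout of the Fe26.2** token quoted in the question.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(b'{"sub":"alice","exp":1900000000}'),
    _b64url(b"\x00" * 32),  # dummy signature; not checked by inspect_session_cookie
])
SAMPLE_IRON = "*".join([
    "Fe26.2", "", "ab" * 32, _b64url(b"\x01" * 16), _b64url(b"\x02" * 48),
    "1900000000000", "cd" * 32, _b64url(b"\x03" * 32),
])

if __name__ == "__main__":
    for sample in (SAMPLE_JWT, SAMPLE_IRON):
        print(json.dumps(inspect_session_cookie(sample), indent=2))
```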

Hey @javad

Normally your IDP has a session token that is sent. I would look there to extend your session.

Hi @javad,

Have you checked this: Sessions expiration time · Issue #71 · opensearch-project/security-dashboards-plugin · GitHub

It would look something like:


opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true

Best,
mj

Hi, yes I used that even with more expiration time.

Hi @javad,

I have done some more digging and found this: Session timeout in Kibana SAML · Issue #159 · opensearch-project/security-dashboards-plugin · GitHub

(NOTE: this didn’t make it into the 2.12.0 release, and instead will be available in 2.13.)

this is related to the fix: Fix cookie expiry issues from IDP/JWT auth methods, disables keepalive for JWT/IDP by derek-ho · Pull Request #1773 · opensearch-project/security-dashboards-plugin · GitHub

Please have a look and let me know if you have any further questions.

Best,
mj