Azure SSO connection error with Opensearch Dashboards

Hi @sammy, I am also facing 500 errors with the OpenSearch SAML integration.
Could you share the working configs please, as I am facing the same issue, though I followed the changes suggested in this post?

This is the error I am facing at https://opensearch.int.app.xxxx.com/auth/saml/login?nextUrl=%2F&redirectHash=false
{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

opensearch-values.yaml:

imagePullSecrets:
  - name: logging-reg-jfrog

image:
  repository: zzzz
  tag: 2.13.0
  pullPolicy: Always

persistence:
  enabled: true
  storageClass: ""
  size: 30Gi
  image: xxx
  imageTag: latest

sysctlInit:
  enabled: true
  image: xxx
  imageTag: latest
  command: ["sysctl", "-w", "vm.max_map_count=262144"]

securityContext:
  privileged: true

extraEnvs:
  - name: DISABLE_INSTALL_DEMO_CONFIG
    value: "true"
  - name: DISABLE_SECURITY_PLUGIN
    value: "false"
  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: opensearch-auth-secret
        key: password
  - name: CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-id
  - name: CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-secret

opensearchJavaOpts: "-Xms1g -Xmx1g"

securityConfig:
  enabled: true
  path: /usr/share/opensearch/config/opensearch-security
  actionGroupsSecret: os-action-groups-secret
  configSecret: os-config-secret
  internalUsersSecret: os-internal-users-secret
  rolesSecret: os-roles-secret
  rolesMappingSecret: os-roles-mapping-secret
  tenantsSecret: os-tenants-secret

extraVolumes:
  - name: opensearch-tls
    secret:
      secretName: opensearch-tls
  - name: saml-metadata
    secret:
      secretName: saml-metadata

extraVolumeMounts:
  - name: opensearch-tls
    mountPath: /usr/share/opensearch/config/certs
    readOnly: true
  - name: saml-metadata
    mountPath: /usr/share/opensearch/config/metadata_file.xml
    subPath: metadata_file.xml
    readOnly: true

config:
  opensearch.yml: |
    plugins.security.ssl.transport.enabled: true
    plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
    plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
    plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ca.crt
    plugins.security.ssl.transport.enforce_hostname_verification: false
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/tls.crt
    plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/tls.key
    plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ca.crt
    plugins.security.nodes_dn:
      - "CN=opensearch-cluster-master.logging.svc.cluster.local"
      - "CN=opensearch-cluster-master"
      - "CN=opensearch-cluster-master.logging"
      - "CN=opensearch-cluster-master.logging.svc"

resources:
  requests:
    cpu: "500m"
    memory: "2Gi"
  limits:
    cpu: "1"
    memory: "4Gi"

opensearch-dashboards-values.yaml:

imagePullSecrets:
  - name: logging-reg-jfrog

image:
  repository:
  tag: 2.13.0
  pullPolicy: Always

replicaCount: 1

opensearchHosts: ""

resources:
  requests:
    cpu: "100m"
    memory: "512Mi"
  limits:
    cpu: "100m"
    memory: "512Mi"

service:
  type: ClusterIP
  port: 5601

ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
  hosts:
    - host: xxxx
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: opensearch-dashboards
              port:
                number: 5601
  tls:
    - secretName: opensearch-dashboards-cert
      hosts:
        - xxxx

extraEnvs:
  - name: OPENSEARCH_USERNAME
    valueFrom:
      secretKeyRef:
        name: opensearch-auth-secret
        key: username
  - name: OPENSEARCH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: opensearch-auth-secret
        key: password
  - name: CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-id
  - name: CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: os-client-id-secret
        key: client-secret

config:
  opensearch_dashboards.yml: |
    opensearch.ssl.verificationMode: none
    opensearch.username: "${OPENSEARCH_USERNAME}"
    opensearch.password: "${OPENSEARCH_PASSWORD}"
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.auth.type: ["saml", "basicauth"]
    opensearch.requestHeadersWhitelist: ["authorization", "securitytenant"]
    server.xsrf.allowlist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
    server.rewriteBasePath: false

  # opensearch_dashboards.yml: |
  #   server.host: "0.0.0.0"
  #   opensearch.hosts: [ "" ]
  #   opensearch.ssl.verificationMode: full
  #   opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/certs/ca.crt" ]
  #   opensearch.username: "${OPENSEARCH_USERNAME}"
  #   opensearch.password: "${OPENSEARCH_PASSWORD}"
  #   opensearch_security.auth.multiple_auth_enabled: true
  #   opensearch_security.auth.type: ["openid", "basicauth"]
  #   opensearch.requestHeadersWhitelist: [authorization, securitytenant]
  #   opensearch_security.openid.base_redirect_url: "xxxx"
  #   opensearch_security.openid.connect_url: "xxx"
  #   opensearch_security.openid.client_id: ${CLIENT_ID}
  #   opensearch_security.openid.client_secret: ${CLIENT_SECRET}
  #   opensearch_security.multitenancy.enabled: true
  #   opensearch_security.multitenancy.tenants.enable_global: true
  #   opensearch_security.multitenancy.tenants.enable_private: true
  #   opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]

extraVolumes:
  - name: opensearch-ca-cert
    secret:
      secretName: opensearch-tls

extraVolumeMounts:
  - name: opensearch-ca-cert
    mountPath: /usr/share/opensearch-dashboards/config/certs
    readOnly: true

@Everyone, below is my os-config-secret; not sure what's wrong, I always get 500 Error: failed parsing SAML config
at SecurityClient.getSamlHeader (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/backend/opensearch_security_client.ts:212:15)

apiVersion: v1
kind: Secret
metadata:
  name: os-config-secret
  namespace: logging
type: Opaque
stringData:
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2

    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal

          saml_auth_domain:
            http_enabled: true
            transport_enabled: false
            order: 1
            http_authenticator:
              type: saml
              challenge: true
              config:
                idp:
                  metadata_file: /usr/share/opensearch/config/metadata_file.xml
                  entity_id: "https://sts.windows.net/xxxx"
                sp:
                  entity_id: "opster-ad-sso"
                  acs: "https://opensearch.int.app.xxxx.com/_opendistro/_security/saml/acs"
                kibana_url: "https://opensearch.int.app.xxxx.com"
                # Use forum-recommended mapping:
                roles_key: "http://schemas.xmlsoap.org/ws/2008/06/identity/claims/groups"
                subject_key: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                exchange_key: "f1348xxxx"
            authentication_backend:
              type: noop

Please suggest
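Editor's added example (not code from the poster or from the OpenSearch project). The "failed parsing SAML config" error in getSamlHeader is raised on the Dashboards side: Dashboards does not read config.yml itself, it sends an unauthenticated request to the cluster and builds the IdP redirect from the `location` and `requestId` attributes of the `WWW-Authenticate: X-Security-IdP ...` challenge the security plugin returns. If the challenge is missing (nothing challenged), comes from a different authenticator (e.g. a Basic challenge), or lacks those two attributes (the cluster could not build a SAML request from the IdP metadata), the redirect cannot be built and the login page returns 500. The script below reproduces that classification offline against constructed header values, and `probe_cluster` runs the same request against a live node; the `/_plugins/_security/authinfo` path and the exact attribute names are assumptions of this example, taken from the plugin's behaviour as I understand it, and the sample headers are constructed, not captured.

```python
"""Classify the cluster's WWW-Authenticate challenge the way OpenSearch
Dashboards does before redirecting to the SAML IdP.

Added example for this thread; not OpenSearch project code. Endpoint path
and header attribute names are assumptions, sample headers are constructed.
"""
import re
import ssl
import urllib.error
import urllib.request

# Dashboards needs both of these attributes from the X-Security-IdP
# challenge to build the SAML redirect (assumed format, see lead-in).
LOCATION_RE = re.compile(r'location="(.*?)"')
REQUEST_ID_RE = re.compile(r'requestId="(.*?)"')


def parse_saml_challenge(header_value):
    """Return {'location', 'request_id'} for a usable SAML challenge, or a
    dict with a 'problem' key describing why Dashboards would fail on it.
    header_value is None when the response carried no WWW-Authenticate."""
    if not header_value:
        return {"problem": "no WWW-Authenticate header: nothing challenged the "
                           "request, so no authenticator with challenge=true answered"}
    if "X-Security-IdP" not in header_value:
        return {"problem": "challenge came from a non-SAML authenticator: %r "
                           "(check order/challenge of the other authc domains)"
                           % header_value}
    loc = LOCATION_RE.search(header_value)
    rid = REQUEST_ID_RE.search(header_value)
    if not loc or not rid:
        return {"problem": "X-Security-IdP challenge lacks location/requestId: the "
                           "cluster could not build a SAML request (check idp "
                           "metadata_file, entity_id values and exchange_key)"}
    return {"location": loc.group(1), "request_id": rid.group(1)}


def probe_cluster(base_url, ca_file=None):
    """Send the same unauthenticated request Dashboards sends and classify
    the reply. base_url is the cluster HTTP endpoint, e.g.
    https://opensearch-cluster-master.logging.svc.cluster.local:9200
    (hypothetical value); ca_file is the PEM CA used to verify it."""
    ctx = ssl.create_default_context(cafile=ca_file)
    url = base_url.rstrip("/") + "/_plugins/_security/authinfo"  # assumed path
    try:
        urllib.request.urlopen(urllib.request.Request(url), context=ctx, timeout=10)
    except urllib.error.HTTPError as exc:
        if exc.code != 401:
            return {"problem": "expected a 401 challenge, got HTTP %d" % exc.code}
        return parse_saml_challenge(exc.headers.get("WWW-Authenticate"))
    return {"problem": "request succeeded without credentials: anonymous auth is on "
                       "or no challenging authenticator is enabled"}


# Constructed sample challenges (placeholders, not captured from a cluster).
GOOD = ('X-Security-IdP realm="Open Distro Security" '
        'location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2?SAMLRequest=AAAA" '
        'requestId="_abc123"')
BASIC = 'Basic realm="Open Distro Security"'
BROKEN = 'X-Security-IdP realm="Open Distro Security"'

if __name__ == "__main__":
    for name, hdr in (("good", GOOD), ("basic", BASIC), ("broken", BROKEN), ("none", None)):
        print(name, "->", parse_saml_challenge(hdr))
```

Run `probe_cluster("https://<node>:9200", ca_file="/path/to/ca.crt")` from inside the cluster network; only the "good" outcome lets Dashboards redirect to the IdP, and each "problem" string points at the part of config.yml (authenticator order/challenge, or the idp/sp block) to look at next.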

Hey @seshadri ,

I can help you, but please follow the forum layout and create a new topic and report your issue there, I will respond and help you from there.

Leeroy.

Hi @Leeroy Sure, Thanks Much!


Hi @Leeroy created the topic Azure SAML SSO Integration 500 Error - failed parsing SAML config - OpenSearch - OpenSearch. Please assist.
Much appreciated, thanks!