Azure SSO with openid not working OpenSearch version 3.6.0

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.6.0 (dashboard & OpenSearch)

Describe the issue: We integrated our OpenSearch 3.6.0 version with Azure SSO using OpenID; however, we are getting this when we try to log in.

It is successfully redirecting, but finally getting this error. We are not able to see many logs about this.

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}


Configuration:

This is the dashboard yaml.

opensearch_dashboards.yml: |
    server.host: "0.0.0.0"
    #logging.root.level: debug
    #logging.verbose: true
    opensearch.hosts: ["https://opensearch-coordinator:9200"]
    opensearch.ssl.verificationMode: none
    opensearch.username: "admin"
    opensearch.password: "admin"
    opensearch_security.auth.type: ["openid", "basicauth"]
    opensearch_security.auth.multiple_auth_enabled: true
    opensearch_security.openid.client_id: "<removed>"
    opensearch_security.openid.client_secret: "<removed>"
    opensearch_security.openid.connect_url: "https://login.microsoftonline.com/v2.0/.well-known/openid-configuration"
    opensearch_security.openid.base_redirect_url: ""
    opensearch_security.openid.scope: "openid profile email"
    opensearch_security.cookie.secure: true
    opensearch_security.cookie.password: "abfd74ybfi347rf8347tivcneircbn9348"
    server.xsrf.allowlist:
      - "/auth/openid/login"
    explore.enabled: true
    opensearch_security.openid.logout_url: "https://login.microsoftonline.com/oauth2/v2.0/logout"

We have another cluster with version 3.5, where it is working fine and we are using a similar config. We have also tried creating a different application in Azure; it still gives the same error.

Relevant Logs or Screenshots:

@Jijo.john This error could mean that OpenSearch didn’t receive any roles from Azure.
How did you assign it in Azure?

Also, please share the config.yml from OpenSearch.

Hi @pablo

Roles are assigned as a group in Azure and the group UID is added in the role mapping.

Below is the config file:

  config.yml: |
    ---
    _meta:
      type: "config"
      config_version: 2

    config:
      dynamic:
        # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
        # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
        # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
        #filtered_alias_mode: warn
        #do_not_fail_on_forbidden: false
        #kibana:
        # Kibana multitenancy
        #multitenancy_enabled: true
        #private_tenant_enabled: true
        #default_tenant: ""
        #server_username: kibanaserver
        #index: '.kibana'
        http:
          anonymous_auth_enabled: true
          xff:
            enabled: false
            internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
            #internalProxies: '.*' # trust all internal proxies, regex pattern
            #remoteIpHeader:  'x-forwarded-for'
            ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
            ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
            ###### and here https://tools.ietf.org/html/rfc7239
            ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: intern
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: groups
                openid_connect_url: "https://login.microsoftonline.com/<removed>/v2.0/.well-known/openid-configuration"
            authentication_backend:
              type: noop

Role mapping:

roles_mapping.yml:
_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here

## Demo roles mapping

all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "9f66bc9d-8ceb-4654-bcdg-454637g7b0d"
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
  - "logstash"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  - "8e9fddcg-4dgh-67fg-d4fg-g4da65bdkpeb"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
  - "readall"
  - "8e9fddcg-4dgh-67fg-d4fg-g4da65bdkpeb"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"
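As an added diagnostic that is not part of this thread or of the OpenSearch project, the Python check below decodes the claims of an ID token and compares them with the subject_key/roles_key from the config.yml above and the backend_roles from roles_mapping.yml, so a 401 can be traced to a missing claim or an unmapped group. The token is constructed and unsigned, the mapping dict mirrors the posted file, and the Azure group-overage claim names are taken from Azure's documented token format.

```python
import base64
import json

# Claim names from the openid_auth_domain in the thread's config.yml
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "groups"

# Constructed mirror of the backend_roles in the thread's roles_mapping.yml
ROLES_MAPPING = {
    "all_access": ["admin", "9f66bc9d-8ceb-4654-bcdg-454637g7b0d"],
    "kibana_user": ["kibanauser", "8e9fddcg-4dgh-67fg-d4fg-g4da65bdkpeb"],
    "readall": ["readall", "8e9fddcg-4dgh-67fg-d4fg-g4da65bdkpeb"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the check can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def decode_claims(token: str) -> dict:
    """Return the payload claims only; this does not verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token: str, roles_mapping: dict = ROLES_MAPPING) -> dict:
    # Explain why the plugin would (or would not) map this token to a role
    claims = decode_claims(token)
    findings = []
    subject = claims.get(SUBJECT_KEY)
    if subject is None:
        findings.append(f"missing subject claim '{SUBJECT_KEY}'")
    groups = claims.get(ROLES_KEY)
    if groups is None:
        # Azure replaces 'groups' with _claim_names/_claim_sources on group overage
        if "_claim_names" in claims:
            findings.append("group overage: token has _claim_names instead of groups")
        else:
            findings.append(f"missing roles claim '{ROLES_KEY}'")
        groups = []
    elif isinstance(groups, str):
        groups = [groups]
    mapped = sorted(r for r, b in roles_mapping.items() if set(b) & set(groups))
    if not mapped:
        findings.append("no backend role in the token matches roles_mapping.yml")
    return {"subject": subject, "backend_roles": groups, "mapped_roles": mapped, "findings": findings}
```

Paste the real ID token from the browser's redirect (or the plugin's debug log) into check_token to see which claim is missing; user-based mappings such as own_index are not evaluated here.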