Hello,
I am having some troubles too, maybe you can help… I am also using Azure SSO SAML.
dashboard config

```yaml
opensearch_security.auth.multiple_auth_enabled: "true"
opensearch_security.auth.type: |
  ["basicauth","saml"]
server.xsrf.allowlist: |
  ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
```
config.yaml

```yaml
config:
  dynamic:
    #kibana:
    #  multitenancy_enabled: true
    #  server_username: kibanaserver
    #  index: '.kibana'
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: true
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              #enable_ssl: true
              #verify_hostnames: true
              metadata_url: https://login.microsoftonline.com/XXXXX/federationmetadata/2007-06/federationmetadata.xml?appid=XXXX
              entity_id: https://sts.windows.net/XXXXX/
            sp:
              entity_id: opensearch-dashboards-saml
              forceAuthn: true
            kibana_url: http://opensearch-cluster-dashboards:5601
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
            exchange_key: '12345678901234567890123456789012'
        authentication_backend:
          type: noop
```
Note that I have no idea where to get the exchange key from, so I copied the value in the 1st post.
config on the Azure side
When I click on "test SAML" from Azure, I get `{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}`
When I click on "login with single sign-on" in the dashboard page I get `{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}`
and the OpenSearch Dashboards logs look like this
Azure-initiated test
{"type":"response","@timestamp":"2022-11-30T13:16:57Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/_plugins/_security/saml/acs/idpinitiated","method":"get","headers":{"host":"XXXXXXXXX.com","x-request-id":"2b9cadca3e85127f7ab9ecf375e0b041","x-real-ip":"172.19.136.8","x-forwarded-for":"172.19.136.8","x-forwarded-host":"XXXXXXXXX.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://account.activedirectory.windowsazure.com/","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://account.activedirectory.windowsazure.com/"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /_plugins/_security/saml/acs/idpinitiated 401 2ms - 9.0B"}
User initiated from the dashboard login page instead
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment?nextUrl=%2F","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"9561700ae965e597a27d20210519b52a","x-real-ip":"10.244.4.1","x-forwarded-for":"10.244.4.1","x-forwarded-host":"xxxxxxxx.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment?nextUrl=%2F 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"3c0a5f87540ae044847fd640b33e000a","x-real-ip":"10.244.4.1","x-forwarded-for":"10.244.4.1","x-forwarded-host":"xxxxxxxx.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 2ms - 9.0B"}
{"type":"log","@timestamp":"2022-11-30T13:19:27Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Invalid SAML configuration."}
{"type":"error","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:97:19)\n at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:92:17)\n at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:164:34)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"http://xxxxxxxx.com/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"c48783cc7d1aaf1aaa8d2287eff0074a","x-real-ip":"10.244.4.1","x-forwarded-for":"10.244.4.1","x-forwarded-host":"xxxxxxxx.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":500,"responseTime":8,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 500 8ms - 9.0B"}
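The JSON log lines above are easier to triage with a small script than by eye. The following is an added example, not code from the poster or from the OpenSearch project: it parses OpenSearch Dashboards JSON log lines, lists SAML endpoint requests that returned 4xx/5xx together with their `x-request-id`, pulls out the security plugin's own error messages (such as "Invalid SAML configuration"), and flags requests whose externally visible scheme/host (from `x-forwarded-proto` / `x-forwarded-host` / `host`) differ from the configured `kibana_url`. The sample lines are constructed, trimmed copies of the ones in the post (hosts masked as in the post); the mismatch check is a heuristic, an assumption that such a difference is worth looking at, not a claim about the root cause here.

```python
import json
from urllib.parse import urlparse

# Constructed sample: trimmed versions of the dashboards log lines quoted in the post
# (only the headers the checks below look at are kept).
SAMPLE_LOG = """
{"type":"response","@timestamp":"2022-11-30T13:16:57Z","statusCode":401,"req":{"url":"/_plugins/_security/saml/acs/idpinitiated","method":"get","headers":{"host":"XXXXXXXXX.com","x-request-id":"2b9cadca3e85127f7ab9ecf375e0b041","x-forwarded-host":"XXXXXXXXX.com","x-forwarded-proto":"https","referer":"https://account.activedirectory.windowsazure.com/"}},"res":{"statusCode":401}}
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment?nextUrl=%2F","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"9561700ae965e597a27d20210519b52a","x-forwarded-host":"xxxxxxxx.com","x-forwarded-proto":"https"}},"res":{"statusCode":200}}
{"type":"log","@timestamp":"2022-11-30T13:19:27Z","tags":["error","plugins","securityDashboards"],"message":"Failed to get saml header: Error: Invalid SAML configuration."}
{"type":"error","@timestamp":"2022-11-30T13:19:27Z","level":"error","error":{"message":"Internal Server Error","name":"Error"},"url":"http://xxxxxxxx.com/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","statusCode":500,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"c48783cc7d1aaf1aaa8d2287eff0074a","x-forwarded-host":"xxxxxxxx.com","x-forwarded-proto":"https"}},"res":{"statusCode":500}}
"""

# kibana_url exactly as it appears in the poster's config.yaml
KIBANA_URL = "http://opensearch-cluster-dashboards:5601"

# Paths served by the security plugin's SAML flow (from the allowlist and the log lines above)
SAML_PREFIXES = ("/_plugins/_security/saml/", "/auth/saml/")


def parse_lines(text):
    """Parse one JSON object per line; lines that are not JSON are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_saml_path(url):
    return url.startswith(SAML_PREFIXES)


def failed_saml_requests(records):
    """(timestamp, x-request-id, url, status) for SAML requests that ended in 4xx/5xx."""
    out = []
    for r in records:
        if r.get("type") != "response":
            continue
        req = r.get("req", {})
        url = req.get("url", "")
        status = r.get("statusCode", 0)
        if is_saml_path(url) and status >= 400:
            rid = req.get("headers", {}).get("x-request-id")
            out.append((r.get("@timestamp"), rid, url, status))
    return out


def plugin_errors(records):
    """Messages the security dashboards plugin logged with an 'error' tag."""
    return [
        r["message"]
        for r in records
        if r.get("type") == "log"
        and "error" in r.get("tags", [])
        and "securityDashboards" in r.get("tags", [])
    ]


def kibana_url_mismatches(records, kibana_url):
    """Heuristic: external scheme://host of SAML requests that differs from kibana_url."""
    cfg = urlparse(kibana_url)
    findings = set()
    for r in records:
        if r.get("type") != "response":
            continue
        req = r.get("req", {})
        if not is_saml_path(req.get("url", "")):
            continue
        h = req.get("headers", {})
        host = h.get("x-forwarded-host") or h.get("host")
        proto = h.get("x-forwarded-proto") or "http"
        if host and (host != cfg.netloc or proto != cfg.scheme):
            findings.add((f"{proto}://{host}", kibana_url))
    return sorted(findings)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    for ts, rid, url, status in failed_saml_requests(recs):
        print(f"{ts} req={rid} {status} {url}")
    for msg in plugin_errors(recs):
        print("plugin error:", msg)
    for seen, configured in kibana_url_mismatches(recs, KIBANA_URL):
        print(f"request arrived as {seen} but kibana_url is {configured}")
```

Feed it the real log file with `parse_lines(open(path).read())`; the `x-request-id` in each finding lets you match the 401/500 response back to the ingress or proxy access log for the same request.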