Azure SSO with SAML issue

Hello Team,
I am trying to configure Azure AD SSO with OpenSearch using SAML.

I have done the following config in opensearch_dashboards.yml:
opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_opendistro/_security/saml/acs", "/_plugins/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/logout"]

In config.yml for ES I have done the following config:

authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          #metadata_file: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/metadata.xml
          metadata_url: https://login.microsoftonline.com/<tenandidplaceholder>/federationmetadata/2007-06/federationmetadata.xml?appid=<appidplaceholder>
          entity_id: https://sts.windows.net/<tenandidplaceholder>/
        sp:
          entity_id: opensearch-dashboards-saml
          forceAuthn: true
        kibana_url: https://<url>
        roles_key: Roles
        #roles_key: ["roles","roles","groups","group","Group ID"]
        exchange_key: '12345678901234567890123456789012'
    authentication_backend:
      type: noop

While trying to hit my Kibana server I am getting the following error in the browser:

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

And while checking the logs I am getting the following error in the opensearch-dashboards log:

{"type":"log","@timestamp":"2022-07-13T12:25:35Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Authentication Exception :: {\"path\":\"/_plugins/_security/authinfo\",\"query\":{},\"statusCode\":401,\"response\":\"Authentication finally failed\"}"}

Can you please help to resolve this and make it work?
Thanks for reading this, any help is appreciated.


Hello,

I believe your issue is in roles_key.
Since you are using an Azure app registration as IdP, try adding http://schemas.microsoft.com/ws/2008/06/identity/claims/role as the value of roles_key and redeploy to see if that works. Don't forget to run securityadmin.sh.

The issue basically could be that no roles are fetched from the SAML assertion; if you debug the SAML request you can see what is sent from Azure.

Please redeploy OpenSearch and OpenSearch Dashboards.

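The debugging step the answer above suggests, inspecting what the IdP actually sends so that roles_key matches it, can be scripted. The following is an added example and is not code from the thread or from the OpenSearch project: it decodes a base64 SAMLResponse (as posted by the browser to the ACS endpoint and visible in browser developer tools), lists every attribute name in the assertion, and reports which values would be picked up for a given roles_key. The SAML response embedded below is constructed for this example and carries no signature, so this is only for checking attribute names, never for validating a login. The claim name checked is the Azure AD role claim URI from the answer; the `Roles` key is the one from the original config.

```python
"""Check which SAML attribute values a given roles_key would pick up.

Added example, not part of the thread. Decodes a base64 SAMLResponse,
lists the Attribute names in its assertion(s), and shows the values that
would be read for a configured roles_key. The sample response below is
constructed for this example and is unsigned: use it to inspect attribute
names only, never as a basis for accepting an authentication.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# SAML 2.0 namespaces used in the assertion.
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Azure AD role claim name mentioned in the answer above.
AZURE_ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample response: one assertion with an Azure-style role claim
# and a groups claim. Values are made up for the example.
SAMPLE_RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml2:AttributeValue>all_access</saml2:AttributeValue>
        <saml2:AttributeValue>readall</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml2:AttributeValue>00000000-0000-0000-0000-000000000001</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# The browser posts the SAMLResponse form field base64-encoded; mirror that.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Decode the base64 SAMLResponse form field into an XML element tree root."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def list_attributes(root: ET.Element) -> Dict[str, List[str]]:
    """Map every Attribute Name found in the assertion(s) to its list of values."""
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name") or ""
        values = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def roles_for_key(root: ET.Element, roles_key: str) -> List[str]:
    """Values the security plugin would read as backend roles for this roles_key."""
    return list_attributes(root).get(roles_key, [])


def check_roles_key(saml_response_b64: str, roles_key: str) -> Dict[str, object]:
    """Report the roles found for roles_key plus all attribute names available."""
    root = decode_saml_response(saml_response_b64)
    return {
        "roles_key": roles_key,
        "roles": roles_for_key(root, roles_key),
        "available_attributes": sorted(list_attributes(root)),
    }


if __name__ == "__main__":
    # With roles_key "Roles" (as in the original config) nothing matches,
    # while the Azure role claim URI yields the two role values.
    for key in ("Roles", AZURE_ROLE_CLAIM):
        print(check_roles_key(SAMPLE_SAML_RESPONSE_B64, key))
```

To use it against a real response, paste the SAMLResponse value captured from the ACS POST in the browser developer tools in place of SAMPLE_SAML_RESPONSE_B64; an empty roles list together with a different claim name under available_attributes is the symptom the answer above describes.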

Thank you very much @Malone, your solution worked. I am able to log in now.