Azure SSO with SAML issue

Hello Team,
I am trying to configure Azure AD SSO with OpenSearch using SAML.

I have done the following config in opensearch_dashboards.yml:
opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
["/_plugins/_security/saml/acs","/_opendistro/_security/saml/acs","/_plugins/_security/saml/acs/idpinitiated","/_opendistro/_security/saml/acs/idpinitiated","/_plugins/_security/saml/logout","/_opendistro/_security/saml/logout"]

In config.yml for ES I have done the following config.

authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          #metadata_file: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/metadata.xml
          metadata_url: https://login.microsoftonline.com/<tenandidplaceholder>/federationmetadata/2007-06/federationmetadata.xml?appid=<appidplaceholder>
          entity_id: https://sts.windows.net/<<tenandidplaceholder>>/
        sp:
          entity_id: opensearch-dashboards-saml
          forceAuthn: true
        kibana_url: https://<url>
        roles_key: Roles
        #roles_key: ["roles","roles","groups","group","Group ID"]
        exchange_key: '12345678901234567890123456789012'
    authentication_backend:
      type: noop

While trying to hit my Kibana server I am getting the following error in the browser:

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

And while checking the logs I am getting the following error in the opensearch-dashboards log:

{"type":"log","@timestamp":"2022-07-13T12:25:35Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Authentication Exception :: {\"path\":\"/_plugins/_security/authinfo\",\"query\":{},\"statusCode\":401,\"response\":\"Authentication finally failed\"}"}

Can you please help to resolve this and make it work?
Thanks for reading this, any help is appreciated.


Hello,

I believe your issue is in roles_key.
Since you are using Azure app registration as IdP, try adding http://schemas.microsoft.com/ws/2008/06/identity/claims/role as the value of roles_key and re-deploy to see if that works. Don't forget to run securityadmin.sh.

The issue basically could be that no roles are fetched from the SAML assertion; if you debug the SAML request you can see what is sent from Azure.

Please redeploy opensearch and opensearch-dashboards.

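The advice above boils down to one check: look at the attributes Azure actually puts in the SAML assertion and make sure roles_key names one of them. The script below is an added example (not code from this thread or from the OpenSearch project) that decodes a SAMLResponse the way it arrives at the ACS endpoint with the HTTP-POST binding (form field, base64, XML), lists the attribute names in the assertion, and reports whether a given roles_key would pick anything up. The assertion it parses is a constructed, unsigned sample with placeholder tenant and group ids; in practice you would paste the SAMLResponse field from a captured POST. It uses only the standard library; for XML from an untrusted source, defusedxml would be the safer parser.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The claim type Azure AD uses for app roles (the value suggested in the thread).
AZURE_ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample (assumption, not a real capture): a minimal unsigned SAML
# Response with one role attribute and one groups attribute, as Azure AD would
# POST it to the ACS endpoint. Ids and hostnames are placeholders.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="2022-07-13T12:25:35Z"
                Destination="https://dashboards.example.invalid/_plugins/_security/saml/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-07-13T12:25:35Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>opensearch_admin</saml:AttributeValue>
        <saml:AttributeValue>readall</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def encode_as_post_body(response_xml: str) -> str:
    """Wrap the XML the way the HTTP-POST binding does: base64, then form-encode."""
    b64 = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLResponse": b64})


def decode_post_body(body: str) -> str:
    """Reverse of encode_as_post_body: pull SAMLResponse out of a form body."""
    fields = urllib.parse.parse_qs(body)
    return base64.b64decode(fields["SAMLResponse"][0]).decode("utf-8")


def extract_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(response_xml)
    attrs: Dict[str, List[str]] = {}
    path = ".//saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_roles_key(post_body: str, roles_key: str) -> dict:
    """Report which attribute names are present and what roles_key would resolve to."""
    attrs = extract_attributes(decode_post_body(post_body))
    roles = attrs.get(roles_key, [])
    return {
        "attribute_names": sorted(attrs),
        "roles": roles,
        "roles_key_matches": bool(roles),
    }


if __name__ == "__main__":
    body = encode_as_post_body(SAMPLE_RESPONSE_XML)
    # The first post's setting ("Roles") matches nothing; the Azure claim does.
    for key in ("Roles", AZURE_ROLE_CLAIM):
        print(key, "->", check_roles_key(body, key))
```

Run against the sample, roles_key "Roles" (the first post's setting) resolves to no roles, which is the situation the reply describes; the Azure role claim resolves to the two role values, which is what the security plugin needs before any role mapping can apply.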

Thank you very much @Malone, your solution worked, I am able to log in now.

Hello,

I am having some troubles too, maybe you can help... I am also using Azure SSO with SAML.

dashboard config

      opensearch_security.auth.multiple_auth_enabled: "true"
      opensearch_security.auth.type: |
        ["basicauth","saml"]
      server.xsrf.allowlist: |
        ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]

config.yaml

        config:
          dynamic:
            #kibana:
            #  multitenancy_enabled: true
            #  server_username: kibanaserver
            #  index: '.kibana'
            do_not_fail_on_forbidden: true
            http:
              anonymous_auth_enabled: true
            authc:
              basic_internal_auth_domain:
                http_enabled: true
                transport_enabled: true
                order: 0
                http_authenticator:
                  type: basic
                  challenge: false
                authentication_backend:
                  type: internal
              saml_auth_domain:
                http_enabled: true
                transport_enabled: false
                order: 1
                http_authenticator:
                  type: saml
                  challenge: true
                  config:
                    idp:
                      #enable_ssl: true
                      #verify_hostnames: true
                      metadata_url: https://login.microsoftonline.com/XXXXX/federationmetadata/2007-06/federationmetadata.xml?appid=XXXX
                      entity_id: https://sts.windows.net/XXXXX/
                    sp:
                      entity_id: opensearch-dashboards-saml
                      forceAuthn: true
                    kibana_url: http://opensearch-cluster-dashboards:5601
                    roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
                    exchange_key: '12345678901234567890123456789012'
                authentication_backend:
                  type: noop

Note that I have no idea where to get the exchange key from, so I copied the value in the 1st post.

Config on the Azure side

When I click on test SAML from Azure, I get {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

When I click on "login with single sign-on" in the dashboard page I get

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

And the OpenSearch Dashboards logs look like this:

Azure initiated test

{"type":"response","@timestamp":"2022-11-30T13:16:57Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/_plugins/_security/saml/acs/idpinitiated","method":"get","headers":{"host":"XXXXXXXXX.com","x-request-id":"2b9cadca3e85127f7ab9ecf375e0b041","x-real-ip":"172.19.136.8","x-forwarded-for":"172.19.136.8","x-forwarded-host":"XXXXXXXXX.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://account.activedirectory.windowsazure.com/","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://account.activedirectory.windowsazure.com/"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /_plugins/_security/saml/acs/idpinitiated 401 2ms - 9.0B"}

User initiated from the dashboard login page instead

{"type":"response","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment?nextUrl=%2F","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"9561700ae965e597a27d20210519b52a","x-real-ip":"10.244.4.1","x-forwarded-for":"10.244.4.1","x-forwarded-host":"xxxxxxxx.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment?nextUrl=%2F 200 2ms - 9.0B"}
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"3c0a5f87540ae044847fd640b33e000a","x-real-ip":"10.244.4.1","x-forwarded-for":"10.244.4.1","x-forwarded-host":"xxxxxxxx.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 2ms - 9.0B"}
{"type":"log","@timestamp":"2022-11-30T13:19:27Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Invalid SAML configuration."}
{"type":"error","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:143:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:97:19)\n    at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:92:17)\n    at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:164:34)\n    at runMicrotasks (<anonymous>)\n    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n    at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:124:50)\n    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"http://xxxxxxxx.com/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
{"type":"response","@timestamp":"2022-11-30T13:19:27Z","tags":[],"pid":1,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"xxxxxxxx.com","x-request-id":"c48783cc7d1aaf1aaa8d2287eff0074a","x-real-ip":"10.244.4.1","x-forwarded-for":"10.244.4.1","x-forwarded-host":"xxxxxxxx.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-scheme":"https","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,it;q=0.8,cs;q=0.7"},"remoteAddress":"10.244.4.11","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://xxxxxxxx.com/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":500,"responseTime":8,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 500 8ms - 9.0B"}