Versions (relevant – OpenSearch/Dashboard/Server OS/Browser)
- OpenSearch: 3.2.0 (single node)
- OpenSearch Dashboards: 3.2.0
- Security plugin: bundled with 3.2.0
- Server OS: Ubuntu 22.04
- Browsers tested: Firefox and Microsoft Edge (normal + private/incognito)
- TLS: internal PKI. Certificates were auto-generated by the official OpenSearch Ansible playbook (same playbook recommended in the OpenSearch docs).
Describe the issue
I’m enabling OpenID Connect (Azure AD) for OpenSearch Dashboards.
Flow:
- Click “Log in with single sign-on” in Dashboards.
- I’m redirected to login.microsoftonline.com and see the Azure AD sign-in page.
- After entering credentials, the browser comes back to Dashboards but ends in a redirect loop → “Too many redirects / This page isn’t redirecting properly.”
Additional observations:
- In a private/incognito window I do reach the AAD password prompt, but after submitting I still hit the same redirect error.
- Dashboards logs show repeated “OpenId authentication failed: 401 Unauthorized” lines and occasional ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN messages.
- OpenSearch logs show “Authentication finally failed” when the login page is loaded.
- TLS is enabled both on OpenSearch and on Dashboards. Dashboards trusts the OpenSearch CA (CA file configured).
Questions for the community:
- In 3.2.0, is there anything specific to OIDC/Azure AD that can cause redirect loops after the AAD login?
- Do we also need to set base_redirect_url in the Security config for OIDC (besides server.publicBaseUrl in Dashboards)?
- What is the recommended DEBUG logging to pinpoint whether this is a TLS trust issue between Dashboards → OpenSearch vs. an OIDC callback/URL mismatch?
Configuration:
opensearch_dashboards.yml
server.port: 5601
server.host: "10.110.0.24"
opensearch.hosts: ["https://10.110.0.24:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "******"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
#opensearch_security.auth.type: ["basicauth"]
opensearch_security.multitenancy.tenants.preferred: ["custom_tenant","Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running dashboards without https
opensearch_security.cookie.secure: false
logging.dest: "/usr/share/opensearch-dashboards/logs/opensearch_dashboards.log"
#SSL config
server.ssl.enabled: true
server.ssl.certificate: "/usr/share/opensearch-dashboards/config/opensearchwd.partech.local.pem"
server.ssl.key: "/usr/share/opensearch-dashboards/config/opensearchwd.partech.local.key"
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/root-ca.pem"]
# OpenID settings
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.base_redirect_url: "https://opensearchwd.partech.local:5601"
opensearch_security.openid.client_id: "<REDACTED>"
opensearch_security.openid.scope: "openid profile email"
opensearch_security.openid.client_secret: "<REDACTED>"
opensearch_security.openid.connect_url: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration"
opensearch_security.openid.verify_hostnames: true
OpenSearch Security – config.yml (authc / OIDC domain)
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    # OpenID settings
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: ".*"
        remoteIpHeader: "x-forwarded-for"
    authc:
      # In order for Dashboards to access OpenSearch, you must first use
      # authentication_backend.type: internal
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: false
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        description: "Authenticate via OpenID"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: false
            verify_hostnames: false
            subject_key: email
            roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
            kibana_url: https://opensearchwd.partech.local:5601
        authentication_backend:
          type: noop
    authz: {}
Azure AD app (OIDC)
- Well-known endpoint reachable from the OpenSearch node
- Client ID/Secret configured as above
Certificates for OpenSearch and Dashboards were produced automatically by the OpenSearch Ansible playbook.
Relevant Logs or Screenshots:
OpenSearch Dashboards (right when the SSO login page opens):
{"type":"error","tags":["connection","client","error"],"level":"error",
"error":{"message":"... SSL routines: sslv3 alert certificate unknown ... SSL alert number 46",
"code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"}}
{"type":"log","tags":["error","opensearch","data"],"message":"[ResponseError]: Response Error"}
{"type":"log","tags":["error","plugins","assistantDashboards"],
"message":"ResponseError ... statusCode: 401 ... body: 'Authentication finally failed' ..."}
OpenSearch Dashboards (after clicking SSO):
{"type":"log","tags":["error","plugins","securityDashboards"],
"message":"OpenId authentication failed: Error: Response Error: 401 Unauthorized"}
(repeated several times)
OpenSearch (when the login page is first loaded):
[WARN ][o.o.s.a.BackendRegistry] Authentication finally failed for null from 10.110.0.24:54880
Browser behavior
- After returning from login.microsoftonline.com, the browser shows “Too many redirects / This page isn’t redirecting properly.”
- In private/incognito I reach the password prompt, but after submitting I still hit the same error.
Any pointers on where to look next (TLS trust between Dashboards and OpenSearch vs. OIDC callback/base URL mismatch, or any known 3.2.0 quirks) would be greatly appreciated. Thanks!
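As an added consistency check (not from the post and not part of OpenSearch), the script below cross-checks the OpenID values that the two quoted files have to agree on and derives the redirect URI that the Azure AD app registration must carry; the sample dicts are constructed from the configs above, and the /auth/openid/login callback path is an assumption taken from the Dashboards security plugin documentation rather than from the post.

```python
"""Cross-check OpenID settings between opensearch_dashboards.yml and
the Security plugin's config.yml (constructed sample values from the post)."""
from urllib.parse import urlsplit

# opensearch_dashboards.yml as flat key/value pairs (constructed sample).
DASHBOARDS = {
    "server.ssl.enabled": True,
    "opensearch_security.cookie.secure": False,
    "opensearch_security.openid.base_redirect_url": "https://opensearchwd.partech.local:5601",
    "opensearch_security.openid.connect_url":
        "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
    "opensearch_security.openid.verify_hostnames": True,
}
# config.yml -> config.dynamic.authc.openid_auth_domain.http_authenticator.config
SECURITY_OIDC = {
    "enable_ssl": False,
    "verify_hostnames": False,
    "openid_connect_url":
        "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
    "kibana_url": "https://opensearchwd.partech.local:5601",
}
# OIDC callback path of the Dashboards security plugin (assumption, from plugin docs).
CALLBACK_PATH = "/auth/openid/login"


def _norm(url: str) -> str:
    """Lower-case scheme and host, drop trailing slash, so equal URLs compare equal."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def expected_redirect_uri(dash: dict) -> str:
    """Redirect URI that must be registered on the Azure AD app for this Dashboards URL."""
    return _norm(dash["opensearch_security.openid.base_redirect_url"]) + CALLBACK_PATH


def check_openid_consistency(dash: dict, sec: dict) -> list:
    """Return findings as strings; an empty list means the two files agree."""
    findings = []
    base = dash["opensearch_security.openid.base_redirect_url"]
    if _norm(base) != _norm(sec["kibana_url"]):
        findings.append(f"base_redirect_url {base!r} != kibana_url {sec['kibana_url']!r}")
    if _norm(dash["opensearch_security.openid.connect_url"]) != _norm(sec["openid_connect_url"]):
        findings.append("connect_url differs between Dashboards and Security config")
    if dash["opensearch_security.openid.verify_hostnames"] != sec["verify_hostnames"]:
        findings.append("verify_hostnames differs between Dashboards and Security config")
    if dash["server.ssl.enabled"] and not dash["opensearch_security.cookie.secure"]:
        findings.append("cookie.secure is false although Dashboards serves HTTPS")
    return findings
```

Run against the values quoted in the post it reports the verify_hostnames mismatch and the insecure cookie flag, while the base URL and well-known URL already agree.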