Discover URL lost when logged out with SSO

OpenSearch: v2.6.0
OpenSearch Dashboards: v2.6.0
Chrome: 115.0.5790.171

I have an issue with logging in via SSO when a URL containing an index and query is pasted into the OpenSearch Dashboards application. The issue is very similar to that noted in OSD dashboard url redirection fails for the first time in Safari browser and load the dashboard lists page instead of specific dashboard - #3 by yogiks

The problem is that when you log out, having logged in via SSO, and paste a link to a Discover search containing an index and a term, you end up on the Discover home page rather than at the original URL.

To demonstrate, log in via SAML/ADFS SSO. View some logs under the ‘Discover’ tab. Take a copy of the URL:

https://REDACTED/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-2d,to:now))&_a=(columns:!(_source),filters:!(),index:':sample-index-',interval:auto,query:(language:kuery,query:'lag_ms%20%3E%3D%2037000'),sort:!())

Log out and paste the link above in:

https://REDACTED/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-2d,to:now))&_a=(columns:!(_source),filters:!(),index:':sample-index-',interval:auto,query:(language:kuery,query:'lag_ms%20%3E%3D%2037000'),sort:!())

Click on the SSO login link and end up on:

https://REDACTED/app/home#/

So, I do not end up on the app/page I was expecting. This behaviour does not happen when I logout and paste the link and login via AD credentials. When using that method I end up in the Discover app with the index and search query set correctly.

Has anyone encountered this before? I find it quite confusing to follow all the redirects involved in the SAML handshake but feel that a redirect is somehow getting lost or reset in the flow.

I’ve been looking at the requests during the SAML/SSO call once logged out and can see:

/auth/saml/login?nextUrl=%2F&redirectHash=false

I can then see the call to the ACS responding with the web root location, i.e. /, and then a redirect to /app/home, but I’m not really sure what this is telling me.

I have tried to use the short URL as a workaround (suggested in the post above), but that does not seem to work in this case.

Anyone able to help or able to reproduce this issue themselves?
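To make the observation about nextUrl concrete, here is an added example (not code from this thread, from OpenSearch Dashboards or from the security plugin) that splits a pasted Discover URL into the part an HTTP server receives and the state that lives only in the '#' fragment, which browsers never send in a request. The sample URL, the host dashboards.example and the index name are constructed for the example; parseRison handles only the rison subset Discover uses in _g and _a.

```javascript
// Added example: a pasted Discover URL keeps its index, query and time range in the
// '#' fragment. The browser never sends the fragment to the server, so a server-side
// login flow only ever sees the path and query string (here: just /app/discover).
function parseRison(text) {
  let i = 0;
  const fail = (msg) => { throw new Error(`${msg} at offset ${i} in ${text}`); };
  // Parse ','-separated items up to the closing ')' using the given per-item callback.
  function items(each) {
    while (text[i] !== ')') { if (i >= text.length) fail('unterminated list'); each(); if (text[i] === ',') i++; }
    i++;
  }
  function bare() {  // unquoted token: a key, an identifier such as now-2d, or a number
    const m = /^[^,:()'!]+/.exec(text.slice(i));
    if (!m) fail(`unexpected ${JSON.stringify(text[i])}`);
    i += m[0].length;
    return /^-?\d+(\.\d+)?$/.test(m[0]) ? Number(m[0]) : m[0];
  }
  function quoted() {  // '...' where !' and !! are escapes
    let s = '';
    while (text[i] !== "'") { if (i >= text.length) fail('unterminated string'); if (text[i] === '!') i++; s += text[i++]; }
    i++;
    return s;
  }
  function value() {
    const c = text[i];
    if (c === "'") { i++; return quoted(); }
    if (c === '(') { i++; const o = {}; items(() => { const k = bare(); if (text[i++] !== ':') fail("expected ':'"); o[k] = value(); }); return o; }
    if (c !== '!') return bare();
    const n = text[i + 1]; i += 2;
    if (n === '(') { const a = []; items(() => a.push(value())); return a; }
    const lit = { t: true, f: false, n: null };
    if (n in lit) return lit[n];
    return fail(`bad escape !${n}`);
  }
  const v = value();
  if (i !== text.length) fail('trailing characters');
  return v;
}

// Split a pasted Discover URL into what a server receives and the fragment-only state.
function splitDiscoverUrl(pasted) {
  const u = new URL(pasted);
  const state = {};
  // The fragment looks like "#/?_g=...&_a=..."; URLSearchParams also %-decodes the values.
  for (const [k, v] of new URLSearchParams(u.hash.replace(/^#\/\?/, ''))) state[k] = parseRison(v);
  return { serverVisible: u.pathname + u.search, fragmentState: state };
}

// Constructed sample URL in the same shape as the one pasted in the post above.
const SAMPLE_URL = 'https://dashboards.example/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-2d,to:now))'
  + "&_a=(columns:!(_source),filters:!(),index:'sample-index-*',interval:auto,query:(language:kuery,query:'lag_ms%20%3E%3D%2037000'),sort:!())";

const split = splitDiscoverUrl(SAMPLE_URL);
console.log('server sees:', split.serverVisible);  // /app/discover
console.log('fragment only:', split.fragmentState._a.index, split.fragmentState._a.query.query);  // sample-index-* lag_ms >= 37000
```

Everything under fragmentState can only be preserved across the login if the client stashes it before the redirect and restores it afterwards; a nextUrl built on the server side never contains it.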

Hey @Mr_Hedgehog

What are you using for IDP?

I'm using Keycloak right now, and here are the settings I use for redirect.

Root URL = https://opensearch.domain.com:5601/
Valid redirect URIs = https://opensearch.domain.com:5601/_opendistro/_security/saml/acs
Assertion Consumer Service POST Binding URL = https://opensearch.domain.com:5601/_opendistro/_security/saml/logout
Logout Service Redirect Binding URL = https://opensearch.domain.com:5601/

As for the OpenSearch SAML configuration:

/etc/opensearch/opensearch-security/config.yml

authc:
  saml_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_file: /etc/opensearch/keycloak.xml
          entity_id: https://keycloak.domain.com:8443/realms/opensearch
        sp:
          entity_id: opensearch
        kibana_url: https://opensearch.domain.com:5601
        roles_key: Role
        exchange_key: 8675309
    authentication_backend:
      type: noop

I followed this documentation

Hi there - thanks for the reply. I am using Microsoft ADFS, which supports SAML. I should say the actual SAML login and flow is working fine, with configuration very similar to what you posted above.

I’m discussing a bit of an edge case, in that during the usual SAML redirect flow I am losing a user-pasted URL containing the index and search, which would ideally be preserved during the SAML handshake.

Hey @Mr_Hedgehog

Unfortunately I'm not familiar with that.

Understood, not sure how to go about that, my apologies.

Thanks - and no, me neither. It is a bit of a mystery at the moment! I also have no knowledge of Microsoft ADFS/SAML/SSO products/tools.

Hey @Mr_Hedgehog

I just started working with MS Entra ID (AKA Azure AD SSO) :laughing: that's why I'm not on here that much. I started the 30-day trial. If you're referring to that, I may know something, and to be honest I barely got my SAML SSO to work with Zabbix.

@Mr_Hedgehog Have you tried using the below options in the opensearch_dashboards.yml?

opensearch_security.cookie.isSameSite: "None"
opensearch_security.cookie.secure: true

I have not, but will try that. Thanks for the suggestion. Will report back.

@Mr_Hedgehog Did you solve this issue?
Any update on it?