Error configuring OSD with okta saml

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.5.0

Describe the issue:

Hello,

I am trying to configure SAML authentication with OSD 2.5.0.

I am running OSD on port 8080. The information I have from Okta is the Okta cert okta.crt, the okta.xml file, and the Okta URL.

I tried several combinations and still get this error.

Appreciate help.

Thanks

Configuration:
config.yaml file

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth:
        order: 1
        description: "SAML provider"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              enable_ssl: true
              metadata_file: "/usr/share/opensearch/config/opensearch-security/okta.xml"
              entity_id: "http://www.okta.com/xxxxxxxxxxxxx"
            sp:
              entity_id: "https://fqdn-of-server"
            kibana_url: "https://fqdn-of-server:8080"
            subject_key: UserID
            roles_key: Role
        authentication_backend:
          type: noop

OSD config file

opensearch_security.auth.type: "saml"
#server.xsrf.whitelist: [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]
#server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
#server.xsrf.whitelist:
[
  /_plugins/_security/saml/acs,
  /_plugins/_security/saml/acs/idpinitiated,
  /_plugins/_security/saml/logout,
]

Relevant Logs or Screenshots:

{"type":"log","@timestamp":"2023-02-13T13:03:56Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}
{"type":"error","@timestamp":"2023-02-13T13:03:56Z","tags":,"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:97:19)\n at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:92:17)\n at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:164:34)\n at runMicrotasks ()\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://fqdn-of-server:8080/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}

I really appreciate any pointers to help get the setup working. Thanks

I found this guide on troubleshooting:

and this topic on okta:

those may help.

@scrawfor - would you have time to assist? thanks

Hi @tru64jurus,

Thank you for taking the time to file this issue on the website. As @kris mentioned, the two links provided may be helpful in resolving your issue. Looking at your configuration file, there are two things I noticed.

First, it may be a copy+paste issue, but you will need to make sure your configuration file is properly formatted in a yaml structure with the different levels of indentation for children elements. This means that metadata_file should be indented further than idp, for example.

Second, I don't see a specified exchange_key in your configuration file. Perhaps you have mapped the UserID to this in some way, but I would expect to see an exchange_key for SAML since the idea is to not send credentials with each request.

If you check out the links Kris shared you should be able to find a working configuration which can help you get started by swapping in your Okta information for the default values.

I hope this helps.

Best,

Stephen


Hi @tru64jurus !

You have commented out all of the server.xsrf.whitelist options in your opensearch_dashboards.yaml file. For SAML authentication you must provide server.xsrf.whitelist (OS v1.x) or server.xsrf.allowlist (OS v2.x). Please follow the documentation.
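As an added example (not code from the thread or from the OpenSearch project), here is a small check for the two points the replies raise: an exchange_key under the SAML http_authenticator config in config.yml, and an active (not commented-out) server.xsrf.allowlist on 2.x or server.xsrf.whitelist on 1.x in opensearch_dashboards.yml. It uses a tiny indentation-based parser for the mapping-only YAML subset these files use; the sample configs are constructed and modelled on the post, not the poster's real files.

```python
# Added example, not from the thread or the OpenSearch project: a linter for
# the two things the replies point at (exchange_key under the SAML
# authenticator in config.yml; an active server.xsrf.allowlist, or whitelist
# on 1.x, in opensearch_dashboards.yml). Sample configs are constructed.
def parse_simple_yaml(text):
    # Nested mappings of scalars only; '#' lines are skipped, as a real parser does.
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:  # climb back to this line's parent mapping
            stack.pop()
        if value:
            stack[-1][1][key] = value
        else:  # a bare 'key:' opens a nested mapping
            child = stack[-1][1].setdefault(key, {})
            stack.append((indent, child))
    return root

def lint_saml_setup(security_yml, dashboards_yml, os_major=2):
    # Returns a list of findings; an empty list means both checks pass.
    findings = []
    authc = parse_simple_yaml(security_yml).get("config", {}).get("dynamic", {}).get("authc", {})
    saml = [d for d in authc.values()
            if isinstance(d, dict) and d.get("http_authenticator", {}).get("type") == "saml"]
    for domain in saml:
        if "exchange_key" not in domain["http_authenticator"].get("config", {}):
            findings.append("config.yml: saml http_authenticator.config lacks exchange_key")
    xsrf = "server.xsrf.allowlist" if os_major >= 2 else "server.xsrf.whitelist"
    if xsrf not in parse_simple_yaml(dashboards_yml):
        findings.append(f"opensearch_dashboards.yml: {xsrf} is missing or commented out")
    return findings

BROKEN_SECURITY = """\
config:
  dynamic:
    authc:
      saml_auth:
        http_authenticator:
          type: saml
          config:
            kibana_url: "https://fqdn-of-server:8080"
"""
FIXED_SECURITY = BROKEN_SECURITY + "            exchange_key: REPLACE_WITH_A_LONG_RANDOM_SECRET\n"
BROKEN_DASHBOARDS = 'opensearch_security.auth.type: "saml"\n#server.xsrf.allowlist: ["/_plugins/_security/saml/acs"]\n'
FIXED_DASHBOARDS = BROKEN_DASHBOARDS.replace("\n#server", "\nserver")
```

Running `lint_saml_setup(BROKEN_SECURITY, BROKEN_DASHBOARDS)` reports both problems, while the fixed pair returns an empty list.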