Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.19
OpenSearch Dashboards 2.19
Ubuntu 22.04 LTS
Describe the issue:
I have integrated OpenSearch with an identity provider that uses OpenID Connect: WSO2 Identity Server 7.0.0.
The `basic_internal_auth_domain` is configured with `order: 0`, and the OIDC authentication domain is configured with `order: 1`.
When I attempt to log in via SSO, the user is successfully authenticated by WSO2 IS, but access to OpenSearch fails with a `401 Unauthorized` error — the user is not authorized.
Configuration:
opensearch.yml
# opensearch.yml — single-node OpenSearch 2.19 with the security plugin enabled.
network.host: 0.0.0.0
discovery.type: single-node
# Permits the bundled demo certificates to be loaded. The PEM files below look
# like a self-issued set (ORG/BARI DNs), so this flag may be unnecessary —
# TODO confirm and set it to false once the node starts without it.
plugins.security.allow_unsafe_democertificates: true
plugins.security.disabled: false
plugins.security.ssl.http.enabled: true
# NOTE(review): the transport layer presents admin.pem, the same file whose
# subject is listed under plugins.security.authcz.admin_dn further down. If
# admin.pem carries that CN=admin subject, it cannot also match
# plugins.security.nodes_dn (CN=opensearch01), and a peer presenting it is
# treated as an admin certificate rather than a node certificate. A dedicated
# node certificate is expected here — TODO confirm the subject inside admin.pem.
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/admin.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/admin-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
# The HTTP (REST) listener serves the same admin.pem to clients. Dashboards
# connects to this listener with ssl.verificationMode: none, so a hostname or
# chain mismatch on this certificate would currently go unnoticed.
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/admin.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/admin-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/root-ca.pem
# Lets the node seed .opendistro_security from the securityconfig directory
# (config.yml, roles_mapping.yml, ...) at first start instead of requiring
# securityadmin.sh.
plugins.security.allow_default_init_securityindex: true
# Client certificates with this exact subject bypass the authc/authz domains
# and act as the security admin (this is what securityadmin.sh authenticates with).
plugins.security.authcz.admin_dn:
- "CN=admin,OU=UNIT,O=ORG,L=BARI,ST=ITALIA,C=IT"
# Subjects accepted as cluster nodes on the transport layer.
plugins.security.nodes_dn:
- "CN=opensearch01,OU=UNIT,O=ORG,L=BARI,ST=ITALIA,C=IT"
# Audit events are written to an index in this same cluster.
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
# Roles allowed to call the security REST API (/_plugins/_security/api).
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
# Indices below are protected from normal users; the default plugin list.
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
.plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model, .plugins-ml-task,
.plugins-ml-conversation-meta, .plugins-ml-conversation-interactions, .plugins-ml-memory-meta,
.plugins-ml-memory-message, .plugins-ml-stop-words, .opendistro-alerting-config,
.opendistro-alerting-alert*, .opendistro-anomaly-results*, .opendistro-anomaly-detector*,
.opendistro-anomaly-checkpoints, .opendistro-anomaly-detection-state, .opendistro-reports-*,
.opensearch-notifications-*, .opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store, .opensearch-knn-models,
.geospatial-ip2geo-data*, .plugins-flow-framework-config, .plugins-flow-framework-templates,
.plugins-flow-framework-state]
# Key used by the SQL/PPL datasource plugin to encrypt stored datasource
# credentials; the value shown here is a placeholder from the report.
plugins.query.datasources.encryption.masterkey: "zzzzzzAAAAA"
config.yml
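# config.yml (security plugin) — authc section as reported. Indentation has
# been restored: pasted flat, every key lands at top level and the repeated
# keys (description, order, http_authenticator, ...) collapse last-wins, which
# is not the structure the plugin reads. In the full file this block sits
# under config.dynamic.
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    # Evaluated before the OIDC domain (order 1).
    order: 0
    http_authenticator:
      type: basic
      # NOTE(review): with challenge: true this domain answers unauthenticated
      # requests with a WWW-Authenticate: Basic challenge. The documented
      # example for pairing basic auth with an OIDC domain used from Dashboards
      # sets challenge: false here — confirm which behaviour is intended.
      challenge: true
    authentication_backend:
      type: intern
  # oidc auth
  openid_auth_domain:
    description: "OIDC with WSO2 IS 7.0.0"
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: true
      config:
        # "IT'SNOTLINK" is a paste artifact on every URL in this report; the
        # real value is the bare https discovery URL of the IdP.
        openid_connect_url: "IT'SNOTLINKhttps://wso2isdemo.plusinnovation.it/oauth2/oidcdiscovery/.well-known/openid-configuration"
        # Claim that becomes the OpenSearch user name.
        subject_key: preferred_username
        # Claim whose values become backend roles for roles_mapping.yml
        # (e.g. "oidc_user" under kibana_user). NOTE(review): Dashboards
        # requests the "groups" scope; if WSO2 IS returns membership under a
        # claim other than "roles", no backend role is extracted — verify
        # against a decoded ID token.
        roles_key: roles
        # Redacted in the report.
        client_id: "xxxxxxxxxxxx"
        client_secret: "yyyyyyyyyy"
        # Differs from the scope requested by Dashboards
        # ("openid profile email address phone groups") — confirm which is meant.
        scope: "openid profile email groups"
    authentication_backend:
      # No backend lookup: identity and roles come entirely from the token.
      type: noop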
roles_mapping.yml
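# roles_mapping.yml — maps backend roles / users to security roles. Indentation
# has been restored: pasted flat, the file is a single mapping in which
# reserved, backend_roles, users and description are repeated and silently
# overwritten, so none of the roles below would receive their mapping.
_meta:
  type: "rolesmapping"
  config_version: 2

# Backend role "admin" gets the built-in super-user role.
all_access:
  reserved: false
  backend_roles:
    - "admin"
  description: "Maps admin to all_access"

# Every authenticated user, including OIDC users, gets own_index.
own_index:
  reserved: false
  users:
    - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
    - "logstash"

kibana_user:
  reserved: false
  backend_roles:
    - "kibanauser"
    # NOTE(review): an OIDC user only receives kibana_user if the claim named
    # by roles_key ("roles") in config.yml contains exactly "oidc_user" —
    # verify against a decoded ID token from WSO2 IS.
    - "oidc_user"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
    - "readall"

manage_snapshots:
  reserved: false
  backend_roles:
    - "snapshotrestore"

# The service account Dashboards uses (opensearch.username in
# opensearch_dashboards.yml).
kibana_server:
  reserved: true
  users:
    - "kibanaserver"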
opensearch_dashboards.yml
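# opensearch_dashboards.yml — Dashboards 2.19 with basic + OIDC login.
# "IT'SNOTLINK" on every URL is a paste artifact of the report, not part of
# the real values.
opensearch.hosts: ["IT'SNOTLINKhttps://localhost:9200"]
# NOTE(review): the backend certificate is neither chain- nor hostname-checked.
# opensearch.yml trusts /etc/opensearch/root-ca.pem; pointing
# opensearch.ssl.certificateAuthorities at that file and using at least
# verificationMode: certificate would close this — confirm admin.pem chains to
# that CA before switching.
opensearch.ssl.verificationMode: none
# Service account mapped to kibana_server in roles_mapping.yml; the password
# shown is the shipped default.
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Dashboards is reached over HTTPS through a reverse proxy (the logged request
# carries x-forwarded-proto: https), so the session cookie can carry the
# Secure flag; it was false in the report.
opensearch_security.cookie.secure: true
# Both login methods are offered on the login page.
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.connect_url: "IT'SNOTLINKhttps://wso2isdemo.plusinnovation.it/oauth2/oidcdiscovery/.well-known/openid-configuration"
# Redacted in the report; must match the client registered in WSO2 IS and the
# values in config.yml.
opensearch_security.openid.client_id: "xxxxxxxxxxxx"
opensearch_security.openid.client_secret: "yyyyyyyyyy"
# Differs from the scope in config.yml ("openid profile email groups") —
# confirm which one is meant.
opensearch_security.openid.scope: "openid profile email address phone groups"
# Must match a redirect URI registered for the client in WSO2 IS; the OIDC
# callback is <base_redirect_url>/auth/openid/login.
opensearch_security.openid.base_redirect_url: "IT'SNOTLINKhttps://opensearchdemo.plusinnovation.it/_dashboards"
# Presumably the IdP's end_session_endpoint — verify against the discovery
# document, since the path here sits under the discovery URL rather than the
# usual /oidc/logout location.
opensearch_security.openid.logout_url: "IT'SNOTLINKhttps://wso2isdemo.plusinnovation.it/oauth2/oidcdiscovery/oidc/logout"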
Relevant Logs or Screenshots:
{"type":"response","@timestamp":"2025-05-12T19:48:24Z","tags":[],"pid":434804,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"opensearchdemo.plusinnovation.it","x-forwarded-for":"x.x.x.x","x-forwarded-proto":"https","x-forwarded-host":"opensearchdemo.plusinnovation.it","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","accept":"image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5","accept-language":"it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate, br, zstd","referer":"IT'SNOTLINKhttps://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login?code=1fbd71c5-3d21-3a15-9228-f6f8afdee522&session_state=37d1c9f319c8c0012cf3cad2d05efd569505f527a8fade9a98ad536e844e36c6.n3sBCzfCWWTfrSsbDjFj4Q&state=gK2qPT0vxJqum4y8vA5Ilc","sec-fetch-dest":"image","sec-fetch-mode":"no-cors","sec-fetch-site":"cross-site","priority":"u=6"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","referer":"IT'SNOTLINKhttps://opensearchdemo.plusinnovation.it/_dashboards/auth/openid/login?code=1fbd71c5-3d21-3a15-9228-f6f8afdee522&session_state=37d1c9f319c8c0012cf3cad2d05efd569505f527a8fade9a98ad536e844e36c6.n3sBCzfCWWTfrSsbDjFj4Q&state=gK2qPT0vxJqum4y8vA5Ilc"},"res":{"statusCode":401,"responseTime":1,"contentLength":9},"message":"GET /favicon.ico 401 1ms - 9.0B"}