Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 2.11.0
Dashboards: 2.11.0
Server OS: Linux Debian 12.2
Describe the issue:
I can't manage to get SAML authentication working with Google Workspace.
/auth/saml/login?nextUrl=%2F&redirectHash=false
replies with a 500, and
/_opendistro/_security/saml/acs/idpinitiated
via the Google Workspace connection test replies with a 500 too.
Configuration:
config.yaml:
config.dynamic.authc.saml_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_file: GoogleIDPMetadata.xml
        entity_id: https://accounts.google.com/o/saml2?idpid=*********
      sp:
        entity_id: https://REDACTED.local # same as in the Google Workspace config
      kibana_url: https://REDACTED.local
      subject_key: NameID
      roles_key: Role
      exchange_key: ***********************************
  authentication_backend:
    type: noop
opensearch-dashboards.yml:
[...]
opensearch_security.auth.type: ["basicauth", "saml"]
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.allowlist:
- /_plugins/_security/saml/acs
- /_opendistro/_security/saml/acs
- /_plugins/_security/saml/acs/idpinitiated
- /_opendistro/_security/saml/acs/idpinitiated
- /_plugins/_security/saml/logout
- /_opendistro/_security/saml/logout
[...]
Relevant Logs or Screenshots:
OpenSearch log shows at startup:
[2024-09-27T15:50:51,873][INFO ][o.o.c.c.InitializationService] [logconsult03] Initializing OpenSAML using the Java Services API
[2024-09-27T15:50:52,675][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [logconsult03] Metadata Resolver SamlFilesystemMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_1: New metadata successfully loaded for '/etc/opensearch/rt/GoogleIDPMetadata.xml'
[2024-09-27T15:50:52,676][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [logconsult03] Metadata Resolver SamlFilesystemMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_1: Next refresh cycle for metadata provider '/etc/opensearch/rt/GoogleIDPMetadata.xml' will occur on '2024-09-27T16:50:52.654Z' ('2024-09-27T18:50:52.654+02:00' local time)
[2024-09-27T15:50:52,679][WARN ][c.a.d.a.h.s.Saml2SettingsProvider] [hostname01] The IdP does not provide a Single Logout Service. In order to ensure that users have to re-enter their password after logging out, OpenSearch Security will issue all SAML authentication requests with a mandatory password input (ForceAuthn=true)
OpenSearch Dashboards shows on request https://.../auth/saml/login?nextUrl=%2F&redirectHash=false:
{"type":"log","@timestamp":"2024-09-27T13:23:04Z","tags":["error","plugins","securityDashboards"],"pid":1767240,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}
{"type":"error","@timestamp":"2024-09-27T13:23:04Z","tags":[],"pid":1767240,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/src/core/server/http/router/response_adapter.js:97:19)\n at HapiResponseAdapter.handle (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/src/core/server/http/router/response_adapter.js:92:17)\n at Router.handle (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/src/core/server/http/router/router.js:164:34)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at handler (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/opt/opensearch-dashboards/opensearch-dashboards-2.11.0/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://REDACTED.local/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
When adding the following to log4j2.properties on the OpenSearch node:
logger.token.name = com.amazon.dlic.auth.http.saml.Token
logger.token.level = debug
nothing shows.
Using ngrep on the node with plugins.security.ssl.http.enabled: false, I can see a request:
T ::1:54766 -> ::1:9203 [AP] #21
GET /_plugins/_security/authinfo HTTP/1.1..x-opensearch-product-origin: opensearch-dashboards..x-opaque-id: 46018254-d34e-42e3-980d-41e01eb8bdd9..Host: localhost:9203..Content-Length: 0..Connection: keep-alive....
The node replies:
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="OpenSearch Security"
< content-type: text/plain; charset=UTF-8
< content-length: 0
<
* Connection #0 to host localhost left intact