'Failed to get subject from JWT claims' when using SAML

I’ve created an issue https://github.com/opensearch-project/security/issues/1593 but have been asked to create a new case here.

I have set up SAML authentication like this

```yaml
saml_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_url: https://myadfsserver.com/FederationMetadata/2007-06/FederationMetadata.xml
        entity_id: http://myadfsserver.com/adfs/services/trust
      sp:
        entity_id: https://mydashboard.com/
      kibana_url: https://mydashboard.com/
      subject_key: NameID
      #roles_key: groups
      exchange_key: mykey
```

and activated SAML in my dashboard

```yaml
opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_plugins/_opendistro/saml/acs", "/_plugins/_opendistro/saml/logout"]
```

But when I open mydashboard.com I get `{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}` and in the OpenSearch error log I see this

```
[2022-02-01T14:28:06,287][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2022-02-01T14:28:06,294][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-cluster-master-1] Failed to get subject from JWT claims, check if subject_key 'sub' is correct.
[2022-02-01T14:28:06,294][ERROR][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-cluster-master-1] No subject found in JWT token
```

In my config.yml I have only basic_internal_auth_domain, clientcert_auth_domain and saml_auth_domain, no other JWT based method.
I also checked the SAML xml response. It looks fine to me and contains the correct NameID element.

I use a Kubernetes Helm installation.

@domruf What is your SAML IDP?
What version of OpenSearch are you currently running?

I use Microsoft ADFS as IDP and I’m using the latest docker image 1.2.4

@domruf I’ve done some testing and found that removing subject_key from config.yml gets past the JWT subject_key error.
According to documentation, that field is optional.

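To make the log line above concrete, here is an added stand-alone checker (not code from the thread or from the security plugin) that mirrors what the warning describes: it verifies a JWT and looks up the configured subject_key among its claims, returning None when that claim is absent. It assumes, for illustration only, an HS256 token signed with exchange_key as the shared secret and uses constructed claims; the plugin's real token format is not described on this page.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: str) -> str:
    """Build a constructed HS256 JWT (assumed format) so the check runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def subject_from_jwt(token: str, key: str, subject_key: str = "sub"):
    """Return the claim named by subject_key, or None when the token is malformed,
    the signature does not match, or the claim is missing (the WARN case above)."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # not three dot-separated segments
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # signature does not verify under exchange_key
    claims = json.loads(b64url_decode(payload))
    return claims.get(subject_key)


if __name__ == "__main__":
    # Constructed claims standing in for the token issued after the SAML exchange.
    token = make_hs256_token({"sub": "alice@example.com", "roles": ["admins"]}, "mykey")
    print(subject_from_jwt(token, "mykey"))            # alice@example.com
    print(subject_from_jwt(token, "mykey", "NameID"))  # None
```

With subject_key set to a name the token does not carry (NameID here), the lookup yields None, which is the condition behind "No subject found in JWT token"; with the default key it resolves the subject.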