I’ve created an issue https://github.com/opensearch-project/security/issues/1593 but have been asked to create a new case here.
I have set up SAML authentication like this:

saml_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_url: https://myadfsserver.com/FederationMetadata/2007-06/FederationMetadata.xml
        entity_id: http://myadfsserver.com/adfs/services/trust
      sp:
        entity_id: https://mydashboard.com/
      kibana_url: https://mydashboard.com/
      subject_key: NameID
      #roles_key: groups
      exchange_key: mykey
and activated SAML in my dashboards configuration:

opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_plugins/_opendistro/saml/acs", "/_plugins/_opendistro/saml/logout"]
But when I open mydashboard.com I get '{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}' and in the OpenSearch error log I see this:
[2022-02-01T14:28:06,287][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-cluster-master-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2022-02-01T14:28:06,294][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-cluster-master-1] Failed to get subject from JWT claims, check if subject_key 'sub' is correct.
[2022-02-01T14:28:06,294][ERROR][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-cluster-master-1] No subject found in JWT token
In my config.yml I have only basic_internal_auth_domain, clientcert_auth_domain and saml_auth_domain, no other JWT-based method.
I also checked the SAML xml response. It looks fine to me and contains the correct NameID element.
I use a Kubernetes Helm installation.
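A small sanity check for the kind of setup described in the post, added here as an example and not the poster's files or any OpenSearch project code. It parses a security config.yml fragment together with the two opensearch_dashboards.yml settings and reports whether the SAML domain's keys (idp/sp entity ids, kibana_url, subject_key, exchange_key) sit under http_authenticator.config where the SAML authenticator reads them, and whether the XSRF whitelist carries the acs and logout paths. The hostnames and the exchange key are constructed placeholders; the YAML parser is a deliberately minimal one (block mappings, comment lines, quoted scalars, inline lists) so the script runs without PyYAML. The second run feeds it the same config with all indentation stripped, which is how a pasted config often arrives, to show what that failure mode looks like.

```python
# Added example: check where the SAML settings landed in a parsed config.yml
# and opensearch_dashboards.yml.  Values below are constructed placeholders.

SECURITY_CONFIG = """\
saml_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_url: https://idp.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml
        entity_id: http://idp.example.invalid/adfs/services/trust
      sp:
        entity_id: https://dashboards.example.invalid/
      kibana_url: https://dashboards.example.invalid/
      subject_key: NameID
      #roles_key: groups
      exchange_key: CONSTRUCTED_PLACEHOLDER_KEY
"""

DASHBOARDS_CONFIG = """\
opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_plugins/_opendistro/saml/acs", "/_plugins/_opendistro/saml/logout"]
"""

# Same security config with every line flush-left: the shape a paste has once
# its indentation is lost.
FLATTENED_SECURITY_CONFIG = "\n".join(l.strip() for l in SECURITY_CONFIG.splitlines())


def _scalar(raw):
    """Turn a YAML scalar into a str, or an inline [a, b] list into a list of str."""
    v = raw.strip()
    if v.startswith("[") and v.endswith("]"):
        return [_scalar(item) for item in v[1:-1].split(",") if item.strip()]
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    return v


def parse_simple_yaml(text):
    """Minimal YAML subset parser: nested block mappings, '#' comment lines, scalars."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open mapping
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings that ended
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = _scalar(value)
        else:  # "key:" with nothing after it opens a nested mapping
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


REQUIRED_SAML_KEYS = (("idp", "metadata_url"), ("idp", "entity_id"), ("sp", "entity_id"),
                      ("kibana_url",), ("exchange_key",))
REQUIRED_XSRF_PATHS = ("/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout")


def _lookup(mapping, path):
    node = mapping
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_saml_setup(security_cfg, dashboards_cfg):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    domain = security_cfg.get("saml_auth_domain")
    if not domain:
        findings.append("saml_auth_domain has no nested settings: YAML indentation is probably lost")
        return findings
    if _lookup(domain, ("http_authenticator", "type")) != "saml":
        findings.append("http_authenticator.type must be 'saml'")
    for path in REQUIRED_SAML_KEYS:
        if _lookup(domain, ("http_authenticator", "config") + path) is None:
            findings.append("missing http_authenticator.config." + ".".join(path))
    if _lookup(domain, ("http_authenticator", "config", "subject_key")) is None:
        findings.append("subject_key not set under http_authenticator.config")
    auth = domain.get("http_authenticator")
    for k in ("subject_key", "roles_key", "exchange_key", "kibana_url"):
        if k in domain or (isinstance(auth, dict) and k in auth):
            findings.append(k + " sits above http_authenticator.config, where the SAML authenticator does not read it")
    if dashboards_cfg.get("opensearch_security.auth.type") != "saml":
        findings.append("opensearch_security.auth.type is not 'saml' in opensearch_dashboards.yml")
    whitelist = dashboards_cfg.get("server.xsrf.whitelist") or []
    for p in REQUIRED_XSRF_PATHS:
        if p not in whitelist:
            findings.append("server.xsrf.whitelist is missing " + p)
    return findings


if __name__ == "__main__":
    dash = parse_simple_yaml(DASHBOARDS_CONFIG)
    print("indented config :", check_saml_setup(parse_simple_yaml(SECURITY_CONFIG), dash) or "no findings")
    print("flattened config:", check_saml_setup(parse_simple_yaml(FLATTENED_SECURITY_CONFIG), dash))
```

To use it on a real cluster, replace the two constructed strings with the contents of the plugin's config.yml and opensearch_dashboards.yml; the check only inspects key placement, so it cannot tell whether the IdP metadata or the NameID in the assertion is right, but it does catch settings that never reach the authenticator because they ended up one level too high.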