Hi @pablo, yes and no.
Yes, because I had to manually modify OpenSearch's `routes.js` to simulate "SP initiated" SSO while doing IdP initiated instead. First I configured the Google Workspace ACS URL to `/_opendistro/_security/saml/acs/idpinitiated`, and then hardcoded in `routes.js` the URL to redirect to for the IdP-initiated path on `/auth/saml/login`, e.g.:
```js
  // tail of the /auth/saml/login route registration in routes.js
  }, async (context, request, response) => {
    if (request.auth.isAuthenticated) {
      return response.redirected({
        headers: {
          location: `${this.coreSetup.http.basePath.serverBasePath}/app/wazuh`
        }
      });
    }
    // NOTE(Gilad): Fix this... I added this line because Google Workspace SAML apps can't configure multiple SSO urls
    // So the idea is to simulate SP SSO Initiated (when the url is given in the browser), whilst we actually force here IdP.
    return response.redirected({
      headers: {
        location: `https://accounts.google.com/o/saml2/initsso?idpid=****&spid=****&forceauthn=false`
      }
    });
  }
);
```
Not an ideal solution, but it works for now at least. Also note that there are other issues around this kind of setup, where the session that expires doesn't renew the JWT auth cookie. There is still a pile of ongoing GitHub issues around this:
- SAML logout/session renewal bugs · Issue #4595 · wazuh/wazuh-kibana-app · GitHub
- [BUG] Kibana throws errors 500/401 one hour after login when using SAML · Issue #828 · opensearch-project/security-dashboards-plugin · GitHub
- [RFC] Improved session management · Issue #1311 · opensearch-project/security-dashboards-plugin · GitHub
and following mvanderlee's suggestion there helped make things better by setting the session keepalive to false in `opensearch_dashboards.yml`:

```yaml
opensearch_security.session.keepalive: false
```
No, because these workarounds I had to figure out myself shouldn't exist in the first place, unfortunately.
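As an added illustration (not code from the post above or from the OpenSearch security-dashboards-plugin), the decision the patched `/auth/saml/login` handler makes can be factored into a pure function so the Google `idpid`/`spid` come from configuration instead of being hardcoded into `routes.js`, and so the `initsso` URL is built with `URLSearchParams` rather than string concatenation. The configuration values, the `idpInitiatedLoginUrl`/`samlLoginLocation`/`makeSamlLoginHandler` names and the sample requests are all constructed placeholders, not values from the thread.

```javascript
// Added illustration, not the post's or the plugin's code.
// Models the redirect decision of the patched /auth/saml/login route.

const GOOGLE_INITSSO = 'https://accounts.google.com/o/saml2/initsso';

// Where an unauthenticated browser hitting /auth/saml/login is sent:
// Google Workspace's IdP-initiated SSO endpoint for this (idpid, spid) pair.
function idpInitiatedLoginUrl({ idpId, spId, forceAuthn = false }) {
  if (!idpId || !spId) {
    throw new Error('idpId and spId are required to build the IdP-initiated URL');
  }
  const url = new URL(GOOGLE_INITSSO);
  // URLSearchParams percent-encodes the values, so a configuration typo
  // such as a stray '&' cannot smuggle extra query parameters into the redirect.
  url.searchParams.set('idpid', idpId);
  url.searchParams.set('spid', spId);
  url.searchParams.set('forceauthn', forceAuthn ? 'true' : 'false');
  return url.toString();
}

// Location header for GET /auth/saml/login: an already authenticated session
// goes straight to the app under the server base path, everything else is
// forced to the IdP (IdP-initiated flow, as in the post).
function samlLoginLocation(request, cfg) {
  if (request.auth && request.auth.isAuthenticated) {
    return `${cfg.serverBasePath}${cfg.appPath}`;
  }
  return idpInitiatedLoginUrl(cfg);
}

// Handler in the shape the Dashboards router expects:
// (context, request, response) => response.redirected({ headers: { location } })
function makeSamlLoginHandler(cfg) {
  return async (context, request, response) =>
    response.redirected({ headers: { location: samlLoginLocation(request, cfg) } });
}

// Constructed configuration and requests (placeholders, not real identifiers).
const sampleConfig = {
  serverBasePath: '',      // empty when Dashboards is served at /
  appPath: '/app/wazuh',
  idpId: 'C01example',     // placeholder, not a real Google idpid
  spId: '123456789',       // placeholder, not a real spid
  forceAuthn: false,
};

const anonymousRequest = { auth: { isAuthenticated: false } };
const authenticatedRequest = { auth: { isAuthenticated: true } };

// Stand-alone demo: returns the two Location values the handler would emit.
function demo() {
  return [
    samlLoginLocation(anonymousRequest, sampleConfig),
    samlLoginLocation(authenticatedRequest, sampleConfig),
  ];
}
```

Wiring `makeSamlLoginHandler(cfg)` in as the second argument of the route registration replaces the hardcoded template string, and moving `idpId`/`spId` into configuration keeps the IdP identifiers out of the patched source file.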