I have configured elasticsearch with openid by setting the config.yml:
description: "Authenticate via Azure"
Then in kibana.yml/opensearch-dashboards.yml I have set:
I have apache infront of kibana as a reverse proxy.
I’m not able to configure the session timeout value. Can someone suggest how to achieve that?
@sushovan What is your ODFE version and what OpenID provider do you use?
I have ODFE
1.13.1 and opensearch
1.3.1 (two separate deployments)
OpenID provider is Micorsoft AzureAD
@sushovan The Kibana/OpenSearch Dashboards cookie settings will be ignored as external IdP is controlling that and overwrites local settings.
I had the same issue recently and I couldn’t find any session cookie setting inside the Azure tenant. Also, nothing useful is present in the Azure documentation.
I checked with IDP provider. They do not control the session timeouts. So this must be something with opensearch dashboard security module .
I have this same problem with Okta and openid_auth_domain.
I have even tried manually setting the jwt expiry in the security plugin’s config.yml, as detailed here: Session timeout in Kibana SAML · Issue #159 · opensearch-project/security-dashboards-plugin · GitHub
…but have not had any success with that method, either.
This is probably the most useful comment regarding this issue, highlighting the code that is defective:
I have not found any viable workaround. It’s a popular, old bug that is maddening. Especially for those who have multi-tenancy enabled.
I wanted to let you all know that I made sure to tap a few engineers here at Amazon on the shoulder and made a request that this fix get prioritized. I can’t make promises, but at least they know this is an actual issue that is happening in the wild. I’ll let you know if I hear anything.
In the meantime, you can probably help push a bit by visiting Session timeout in Kibana SAML · Issue #159 · opensearch-project/security-dashboards-plugin · GitHub and make sure to voice your need for this to be addressed.
Here’s another related issue - I think the previous link might have been closed as a duplicate.
Get in there and make sure they know you’re there, and you need it!