How to configure session timeout in kibana with using openid for SSO

sushovan · May 4, 2022, 9:08pm

I have configured elasticsearch with openid by setting the config.yml:

     openid_auth_domain:
        description: "Authenticate via Azure"
        http_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: userprincipalname
            roles_key: roles
            openid_connect_url: "url"
        authentication_backend:
          type: noop

Then in kibana.yml/opensearch-dashboards.yml I have set:

opensearch_security.cookie.ttl: 86400000
opensearch_security.session.ttl: 86400000
opensearch_security.session.keepalive: true

I have apache infront of kibana as a reverse proxy.

I’m not able to configure the session timeout value. Can someone suggest how to achieve that?

pablo · May 5, 2022, 12:58am

@sushovan What is your ODFE version and what OpenID provider do you use?

sushovan · May 5, 2022, 1:19pm

I have ODFE 1.13.1 and opensearch 1.3.1 (two separate deployments)
OpenID provider is Micorsoft AzureAD

pablo · May 6, 2022, 12:40pm

@sushovan The Kibana/OpenSearch Dashboards cookie settings will be ignored as external IdP is controlling that and overwrites local settings.

I had the same issue recently and I couldn’t find any session cookie setting inside the Azure tenant. Also, nothing useful is present in the Azure documentation.

sushovan · May 6, 2022, 5:53pm

I checked with IDP provider. They do not control the session timeouts. So this must be something with opensearch dashboard security module .

mhoydis · May 10, 2022, 7:30pm

I have this same problem with Okta and openid_auth_domain.

I have even tried manually setting the jwt expiry in the security plugin’s config.yml, as detailed here: Session timeout in Kibana SAML · Issue #159 · opensearch-project/security-dashboards-plugin · GitHub
…but have not had any success with that method, either.

This is probably the most useful comment regarding this issue, highlighting the code that is defective:
https://github.com/opensearch-project/security-dashboards-plugin/issues/159#issuecomment-1022438420

I have not found any viable workaround. It’s a popular, old bug that is maddening. Especially for those who have multi-tenancy enabled.

nateynate · May 11, 2022, 7:16pm

I wanted to let you all know that I made sure to tap a few engineers here at Amazon on the shoulder and made a request that this fix get prioritized. I can’t make promises, but at least they know this is an actual issue that is happening in the wild. I’ll let you know if I hear anything.

In the meantime, you can probably help push a bit by visiting Session timeout in Kibana SAML · Issue #159 · opensearch-project/security-dashboards-plugin · GitHub and make sure to voice your need for this to be addressed.

nateynate · May 11, 2022, 8:06pm

https://github.com/opensearch-project/security-dashboards-plugin/issues/828

Here’s another related issue - I think the previous link might have been closed as a duplicate.

Get in there and make sure they know you’re there, and you need it!

mhoydis · June 23, 2022, 1:43pm

Hey @nateynate, any update from the inside regarding progress on this? Any idea where it might be on the roadmap?