"Internal Server Error" for unauthorized users

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.14.0

Describe the issue:
I have an OpenSearch cluster with SAML authentication (ADFS). Everything works fine, but for a user not included in any group in AD, opensearch-dashboards issues the following error: "{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}". Instead, I think, it should show some "unauthorized" message.

Configuration:

      kibana:
        server_username: opensearch_dashboards
        index: '.kibana'
      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: intern
        saml_auth_domain:
          http_enabled: true
          transport_enabled: false
          order: 2
          http_authenticator:
            type: saml
            challenge: true
            config:
              idp:
                metadata_url: "https://adfs.domain/FederationMetadata/2007-06/FederationMetadata.xml"
                entity_id: "http://adfs.domain/adfs/services/trust"
              sp:
                entity_id: "https://dashboard.domain"
              kibana_url: "https://dashboard.domain"
              roles_key: roles
              exchange_key: "...."
              jwt:
                expiry: AUTO+1440
          authentication_backend:
            type: noop

Relevant Logs or Screenshots:

[2024-07-17T13:38:36,918][DEBUG][c.a.d.a.h.s.Token        ] [node.hostname] SAMLResponse for ONELOGIN_66747c71-beee-4043-aa71-36e8f129c441
<samlp:Response ID="_5f1a9c06-b8b1-4a22-9550-1988fa821c26" Version="2.0" IssueInstant="2024-07-17T10:38:36.696Z" Destination="https://dashboard.domain/_opendistro/_security/saml/acs" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="ONELOGIN_66747c71-beee-4043-aa71-36e8f129c441" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain/adfs/services/trust</Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><ds:Reference URI="#_5f1a9c06-b8b1-4a22-9550-1988fa821c26"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><ds:DigestValue>XvN9Dy8u1UblaF4SGx+sefyN+moxgkXPoRt433YQdN4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>...</ds:X509Certificate></ds:X509Data></KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied" /></samlp:StatusCode></samlp:Status></samlp:Response>
[2024-07-17T13:38:36,926][ERROR][c.o.s.a.SamlResponse     ] [node.hostname] The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder
[2024-07-17T13:38:36,927][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [node.hostname] Error while validating SAML response in /_opendistro/_security/api/authtoken

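The log above shows why the 500 appears: ADFS answered the AuthnRequest with a top-level status of Responder and a nested RequestDenied, and the plugin treats any non-Success status as an internal error rather than as a denial. The following Python snippet is an added example, not code from the OpenSearch security plugin or from the original post; it parses the <samlp:Status> element of a SAML 2.0 Response, walks the nested StatusCode chain, and maps the innermost known code to an HTTP status so a RequestDenied becomes a 401 with a readable reason while a truly unexpected status still yields a 500. The two sample responses are constructed for this example with signatures omitted, and the code-to-HTTP table is an assumption of mine, not part of the SAML specification; in a real ACS handler the response signature must be verified before its status is trusted, and a non-Success status must never create a session.

```python
"""Map the <samlp:Status> of a SAML 2.0 Response to an HTTP status.

Added example (not the OpenSearch security plugin's code). The HTTP mapping
table below is this example's own choice; the SAML spec only defines the
status URIs. Always verify the Response signature before trusting its status.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML_STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
SUCCESS = SAML_STATUS + "Success"

# Assumed mapping: the innermost recognised code decides what the client sees.
# A bare Responder (IdP could not process the request) is an upstream failure;
# RequestDenied / AuthnFailed / UnknownPrincipal are denials for this user.
HTTP_FOR = {
    SUCCESS: 200,
    SAML_STATUS + "RequestDenied": 401,
    SAML_STATUS + "AuthnFailed": 401,
    SAML_STATUS + "UnknownPrincipal": 401,
    SAML_STATUS + "Requester": 400,
    SAML_STATUS + "VersionMismatch": 400,
    SAML_STATUS + "Responder": 502,
}

# Constructed sample responses (no <ds:Signature>, no assertions). The denied
# one mirrors the status structure ADFS returned in the thread's debug log.
DENIED_RESPONSE = """<samlp:Response ID="_r1" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.domain/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

SUCCESS_RESPONSE = """<samlp:Response ID="_r2" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""


def status_codes(xml_text):
    """Return the StatusCode Values from outermost to innermost.

    SAML allows StatusCode elements to nest; the outer one is one of the four
    top-level codes and the inner ones refine it. Returns [] when the
    Response has no <samlp:Status>.
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status", NS)
    if status is None:
        return []
    codes = []
    code = status.find("samlp:StatusCode", NS)
    while code is not None:
        codes.append(code.get("Value", ""))
        code = code.find("samlp:StatusCode", NS)
    return codes


def classify(xml_text):
    """Return (http_status, reason) for the client.

    A non-Success status never authenticates the user; this function only
    decides how the failure is reported instead of a blanket 500.
    """
    try:
        codes = status_codes(xml_text)
    except ET.ParseError:
        return 400, "malformed SAML response: not well-formed XML"
    if not codes:
        return 500, "malformed SAML response: no <samlp:Status>"
    if codes[0] == SUCCESS:
        return 200, "ok"
    short = " / ".join(c.rsplit(":", 1)[-1] for c in codes)
    # Innermost recognised code wins, so Responder + RequestDenied -> 401.
    for code in reversed(codes):
        if code in HTTP_FOR:
            return HTTP_FOR[code], "IdP returned " + short
    return 500, "unrecognised SAML status " + short


if __name__ == "__main__":
    for name, body in (("denied", DENIED_RESPONSE), ("success", SUCCESS_RESPONSE)):
        print(name, classify(body))
```

Run stand-alone, the denied sample classifies as (401, "IdP returned Responder / RequestDenied") and the success sample as (200, "ok"). The reason string is built only from the fixed status URIs, so it is safe to surface to the browser; if you also want to expose the optional <samlp:StatusMessage> that ADFS sometimes includes, escape it, since it is IdP-controlled text.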

Hi @ComBin,

Have you tried running ldapsearch and checking the output for clues?

Something like:

env LDAPTLS_REQCERT=never ldapsearch -b "CN=<USERNAME>,..,.." -H ldaps://<ldap_server>:636 -D "CN=<user>,..,.." -w "password"

ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W

Would you mind sharing the output?

Could you also try:

curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

best,
mj

What kind of clues are we searching for in LDAP?

curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

I can't do that; I don't have any LDAP user in the internal OpenSearch users. Or do you mean my domain user? As far as I know, SAML doesn't work like that...

You are right, sorry for the confusion, I've misread your configuration. I'll have a closer look at it and come back to you if I find something.

best,
mj

Hi @ComBin,

Ran a test in my lab and it works as expected. Have you tried using a metadata file instead of the path just to make sure you get through to it:

          config:
            idp:
              metadata_file: <file.xml>

Are there any error logs in your OpenSearch logs or Trace logs on SAML?

best,
mj

I see in the log:

[2024-07-29T22:18:35,869][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [hode.host] Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_894: New metadata successfully loaded for 'https://adfs.host/FederationMetadata/2007-06/FederationMetadata.xml'

Do you think replacing the URL with a file can change something?

About the log, I mentioned all the relevant errors I could find in my logs. I can check the SAML trace a little bit later.

What behavior do you receive for unauthorized SAML users on your test stand?

@ComBin, this is what I see:


Thanks,
mj
