My username/email is not showing up on my dashboard - using MS Entra id as OIDC

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

I recently enabled OIDC for user authentication using MS Entra ID. It was successful; however, I notice I am not seeing my email or preferred name show up on the dashboard when I log in. Instead I get a long string as the username.

Configuration:

I have a two-node cluster:
a manager node and a warm node, both running on an on-site k3s server.

This is my dashboard yaml

opensearch_dashboards.yml: |
  server.name: opensearch-dashboards
  server.host: 0.0.0.0
  server.port: 5601
  opensearch.hosts: ["https://opensearch-manager:9200", "https://opensearch-warm:9200"]
  opensearch.ssl.verificationMode: none
  opensearch.ssl.certificateAuthorities: "/usr/share/opensearch-dashboards/certs/root-ca.pem"
  server.ssl.enabled: false
  opensearch_security.cookie.secure: false
  opensearch.requestHeadersWhitelist: ["Authorization", "securitytenant"]
  opensearch_security.readonly_mode.roles: ["kibana_read_only"]
  opensearch_security.multitenancy.enabled: true
  opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
  opensearch_security.auth.multiple_auth_enabled: false
  opensearch_security.auth.type: ["openid"]
  opensearch_security.openid.connect_url: "entra id url"
  opensearch_security.openid.client_id: ""
  opensearch_security.openid.client_secret: ""
  opensearch_security.openid.scope: "openid email profile User.Read"
  opensearch_security.openid.base_redirect_url: "opensearch.xxxxxxx"
  opensearch_security.openid.verify_hostnames: false
  opensearch_security.openid.refresh_tokens: false
  logging.verbose: true

Running securityadmin shows the cluster is green with no issues:

kubectl exec -it ti-opensearch-cluster-manager-node-0 -- sh plugins/opensearch-security/tools/securityadmin.sh \
           -cd /usr/share/opensearch/config/opensearch-security/ \
           -icl -nhnv \
           -cert /usr/share/opensearch/config/certs/admin.pem \
           -cacert /usr/share/opensearch/config/certs/root-ca.pem \
           -key /usr/share/opensearch/config/certs/admin-key.pem \
           -t config

output

Security Admin v7
Will connect to localhost:9200 ... done
Connected as "EMAILADDRESS=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
OpenSearch Version: 3.0.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: main-opensearch-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/opensearch/config/opensearch-security/
Will update '/config' with /usr/share/opensearch/config/opensearch-security/config.yml
SUCC: Configuration for 'config' created or updated
Will update '/roles' with /usr/share/opensearch/config/opensearch-security/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /usr/share/opensearch/config/opensearch-security/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /usr/share/opensearch/config/opensearch-security/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /usr/share/opensearch/config/opensearch-security/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /usr/share/opensearch/config/opensearch-security/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /usr/share/opensearch/config/opensearch-security/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '/audit' with /usr/share/opensearch/config/opensearch-security/audit.yml
SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /usr/share/opensearch/config/opensearch-security/allowlist.yml
SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 9 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"],"updated_config_size":9,"message":null} is 9 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"]) due to: null
SUCC: Expected 9 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"],"updated_config_size":9,"message":null} is 9 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","actiongroups","config","internalusers"]) due to: null
Done with success

This is my config.yml on the nodes:

config.yml: |
  _meta:
    type: "config"
    config_version: 2
  config:
    dynamic:
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: false
          internalProxies: '192.168.0.10|192.168.0.11'
          remoteIpHeader: 'x-forwarded-for'
      do_not_fail_on_forbidden: true
      do_not_fail_on_forbidden_empty: true
      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: internal
        openid_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: openid
            challenge: false
            config:
              openid_connect_idp:
                enable_ssl: true
                pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
                verify_hostnames: false
                subject_key: preferred_username
                roles_key: roles
              openid_connect_url: entra url
          authentication_backend:
            type: noop

On the subject key, I have used email and preferred name; none worked.

On the Azure side I have enabled app roles on the registered application:

admin and read_only

I also have the following enabled for token configuration:

  • email
  • preferred_username

What am I missing? I have been on this for weeks; I could not get my username or email to pop up on the dashboard. Kindly assist.

@nelson have you examined your token? Do the email and preferred_username appear in it?
An example can be seen here

I have not tried with MS Entra ID, but this should work for any OIDC. Please confirm.

Hello @Anthony That was my initial thought, but I have tried to see how to get the token and I have not been able to. Do you know how I can access the token? Nothing in the browser; I am not sure if this is an Azure issue or something else. Let me know if there are other ways I can access it.

@nelson There should be a way similar to the below, assuming you have the .well-known/openid-configuration URL. You should be able to find the token endpoint there (e.g. https://<idp>/realms/master/protocol/openid-connect/token). Below is a sample command:

curl -k --noproxy '*' \
  -d 'client_id=<client_id>' \
  -d 'client_secret=<client_secret>' \
  -d 'username=admin' \
  -d 'password=admin' \
  -d 'grant_type=password' \
  -d 'scope=openid' \
  '<token_url>'

Hello Anthony

I was able to get the ID token:

{
  "aud": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "iss": "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/v2.0",
  "iat": 1750999283,
  "nbf": 1750999283,
  "exp": 1751003183,
  "aio": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "email": "nelson.nwa@xxxx.com",
  "name": "Nelson Nwajie",
  "oid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "preferred_username": "nelson.nwa@xxxx.com",
  "rh": "1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.",
  "roles": [
    "admin"
  ],
  "sid": "005fb419-7f6f-665b-xxxxxxxxxxxxxxxxhjukkkkkkkkkk5",
  "sub": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "tid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "uti": "daD1zrT5YEqxGS0Pty-3AA",
  "ver": "2.0"
}

I am still not sure what I am missing now.

@nelson this is very strange, the values are there. If you retrieve the configuration using securityadmin.sh, do you see the same config.yml file?

In your screenshot, do you see where it gets the "9Ad..." value from? Is this part of the token?

Could you also try to put " around "preferred_username"? This shouldn't make a difference, but just in case.

{
  "aud": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "iss": "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxx/v2.0",
  "iat": 1750999283,
  "nbf": 1750999283,
  "exp": 1751003183,
  "aio": "AbQAS/8ZAAAAkE0L58dWKHr9WmFmd5emM9T4SxFiQ5gPRaGIV0MDipA66CzI+DaSO5OQv3/JXLyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx28F9+dpFLlq21ql+V0uqEUddC3KrmnjubPj8AppF6/EVfl3d4CP63Qf3V5O1nZtXEbZfsBc/oRFFu7Y2q4bdtYRGh2Y727jcRM8wIdL4E/yk4+AtdURTLSQLXjJ0k1LuvY=",
  "email": "nelson.nwajie@xxxx.com",
  "name": "Nelson Nwajie",
  "oid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "preferred_username": "nelson.nwajie@xxxxxxxx",
  "rh": "1.xxxxxxxxxxxxxxxxxxxxxxxxxaOaVH9IMY5Iri3YO5yV80osAJosAA.",
  "roles": [
    "admin"
  ],
  "sid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "sub": "9AdtkApVUrgnzSZffStoxW_xxxxxxxxxxxxxxxxxxx",  <------------------ here 
  "tid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "uti": "daD1zrT5YEqxGS0Pty-3AA",
  "ver": "2.0"
}

It gets the 9A... from the key called sub.

I am not sure why it's picking sub when it's supposed to pick preferred_username.

Secondly, I added "preferred_username" in my config.yml, still the same.

I wish I had someone who has done OIDC through Microsoft Entra ID; that would help. I think the issue might be how OpenSearch interacts with the Microsoft Entra ID token.

I assume the config.yml file retrieved using securityadmin.sh is the same as above then?

Well, I am not sure if this is the expected output. I ran this to apply changes and retrieve the config file:

sh ./securityadmin.sh \
   -cd /usr/share/opensearch/config/opensearch-security/ \
   -icl -nhnv -r \
   -cert /usr/share/opensearch/config/certs/admin.pem \
   -cacert /usr/share/opensearch/config/certs/root-ca.pem \
   -key /usr/share/opensearch/config/certs/admin-key.pem

I was able to retrieve the config file here:

Will retrieve '/config' into /usr/share/opensearch/config/opensearch-security/config_2025-Jun-27_13-11-28.yml
SUCC: Configuration for 'config' stored in /usr/share/opensearch/config/opensearch-security/config_2025-Jun-27_13-11-28.yml

So when I cat config_2025-Jun-27_13-11-28.yml, it showed me all the details that are supposed to be in the config file,
and it is also the same file; the changes I made are reflected.

Let me know if this is not what you mean and what I am supposed to do.

@nelson would you be able to paste the content of the retrieved config_2025-Jun-27_13-11-28.yml, please surround it with code block to see the correct indentation.

Oops, so sorry, I have not been doing this:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
        remoteIpHeader: "x-forwarded-for"
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "internal"
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              pemtrustedcas_filepath: "/usr/share/opensearch/config/certs/oidc-ca.pem"
              verify_hostnames: false
              subject_key: "preferred_username"
              roles_key: "roles"
            openid_connect_url: "https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration"
        authentication_backend:
          type: "noop"

Hello Anthony and all

It seems to me that this subject_key part of the config doesn't work much, at least for Microsoft Entra ID OIDC:

subject_key: "preferred_username"

I changed the attribute to aud, email, etc.

It still defaults to the sub attribute:

  "sid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "sub": "9AdtkApVUrgnzSZffStoxW_xxxxxxxxxxxxxxxxxxx",  <------------------ here 
  "tid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "uti": "daD1zrT5YEqxGS0Pty-3AA",
  "ver": "2.0"

It seems this is the default attribute for OpenSearch. Please, how else can we change this? I have been stuck with this issue for two weeks now.

Any help?

@nelson the issue seems to be with the config.yml; there seem to be a lot of unnecessary repeated lines, like http_authenticator for example, please review this. Maybe it was just a copy and paste issue.

But more importantly, subject_key should go under config, not config.openid_connect_idp.

So it should look like this:

config:
  subject_key: "name"
  roles_key: "roles"

Oh I see, let me make that change now; I will let you know.
Thanks Anthony for the support.

Hey Anthony, that was actually the problem.

Issue fixed. Thanks a lot for your help.

Hope this will help someone else in the future: if subject_key isn't set right, OpenSearch defaults to using "sub" as the attribute instead of preferred_username or whatever you have initially set.

old config


_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'
        remoteIpHeader: 'x-forwarded-for'
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_idp:
              enable_ssl: true
              pemtrustedcas_filepath: /usr/share/opensearch/config/certs/oidc-ca.pem
              verify_hostnames: false
            openid_connect_url: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

new config

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'
        remoteIpHeader: 'x-forwarded-for'
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
            openid_connect_idp:
              enable_ssl: true
              pemtrustedcas_filepath: /usr/share/opensearch/config/certs/oidc-ca.pem
              verify_hostnames: false
        authentication_backend:
          type: noop
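The whole thread comes down to two things: looking at which claims the ID token actually carries (Anthony's "examine your token" step) and checking that subject_key and roles_key sit directly under http_authenticator.config rather than under openid_connect_idp, since an unset subject_key makes the security plugin fall back to the "sub" claim. The script below is an added example written for this page; it is not code from the thread or from the OpenSearch project. It assumes config.yml has already been parsed into a dict (with yaml.safe_load, for instance); the openid domain dicts, the Entra-shaped claims and the unsigned token are constructed placeholders, and the weak-TLS warning (enable_ssl false or verify_hostnames false) is the practitioner's caveat the thread's own config would trigger.

```python
import base64
import copy
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample ID-token payload, shaped like the Entra ID v2.0 token
# pasted in the thread; every value is a placeholder.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "aud": "00000000-0000-0000-0000-000000000000",
    "iss": "https://login.microsoftonline.com/tenant-id/v2.0",
    "email": "nelson.nwajie@example.com",
    "name": "Nelson Nwajie",
    "preferred_username": "nelson.nwajie@example.com",
    "roles": ["admin"],            # Entra app roles land in the roles claim
    "sub": "9AdtkApVUrgnzSZffStoxW_placeholder",
    "ver": "2.0",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Build a JWT-shaped string for the demo. The signature segment is a
    dummy: this token is for claim inspection only, never for login."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.dummy-signature"


SAMPLE_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload of a JWT WITHOUT verifying its signature. Good for
    checking which claims the IdP emits; never trust the result for
    authentication, the security plugin does the real verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed openid auth domain with the mistake from the thread:
# subject_key and roles_key nested under openid_connect_idp, which only
# carries the TLS settings for talking to the IdP.
BROKEN_DOMAIN: Dict[str, Any] = {
    "http_enabled": True, "transport_enabled": True, "order": 1,
    "http_authenticator": {
        "type": "openid", "challenge": False,
        "config": {
            "openid_connect_idp": {
                "enable_ssl": True,
                "pemtrustedcas_filepath": "/usr/share/opensearch/config/certs/oidc-ca.pem",
                "verify_hostnames": False,
                "subject_key": "preferred_username",  # wrong level, ignored
                "roles_key": "roles",                 # wrong level, ignored
            },
            "openid_connect_url": "https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration",
        },
    },
    "authentication_backend": {"type": "noop"},
}

# Same domain with both keys moved up to http_authenticator.config.
FIXED_DOMAIN: Dict[str, Any] = copy.deepcopy(BROKEN_DOMAIN)
_cfg = FIXED_DOMAIN["http_authenticator"]["config"]
_cfg["subject_key"] = _cfg["openid_connect_idp"].pop("subject_key")
_cfg["roles_key"] = _cfg["openid_connect_idp"].pop("roles_key")


def audit_domain(domain: Dict[str, Any]) -> Tuple[str, Optional[str], List[str]]:
    """Return (effective subject_key, effective roles_key, findings) for one
    openid auth domain, applying the plugin's documented fallback to "sub"
    when subject_key is absent at http_authenticator.config."""
    cfg = domain["http_authenticator"].get("config", {})
    idp = cfg.get("openid_connect_idp", {})
    findings: List[str] = []
    for key in ("subject_key", "roles_key"):
        if key in idp:
            findings.append(f"{key} sits under openid_connect_idp and is ignored; "
                            "move it to http_authenticator.config")
    subject_key = cfg.get("subject_key")
    if subject_key is None:
        subject_key = "sub"
        findings.append('no subject_key at http_authenticator.config: '
                        'falling back to the "sub" claim')
    if "openid_connect_url" not in cfg:
        findings.append("openid_connect_url missing at http_authenticator.config")
    if not idp.get("enable_ssl", True) or idp.get("verify_hostnames") is False:
        findings.append("TLS to the IdP is weakened (enable_ssl false or "
                        "verify_hostnames false): any cert from the trusted CA "
                        "is accepted for any host")
    return subject_key, cfg.get("roles_key"), findings


def resolve_user(domain: Dict[str, Any], token: str) -> Dict[str, Any]:
    """Show which username and backend roles the plugin would derive from
    the token under this domain config."""
    subject_key, roles_key, findings = audit_domain(domain)
    claims = decode_claims(token)
    roles = claims.get(roles_key, []) if roles_key else []
    if isinstance(roles, str):  # treat a single string claim as one role
        roles = [roles]
    return {"subject_key": subject_key, "username": claims.get(subject_key),
            "roles": list(roles), "findings": findings}


if __name__ == "__main__":
    for label, domain in (("broken", BROKEN_DOMAIN), ("fixed", FIXED_DOMAIN)):
        print(label, json.dumps(resolve_user(domain, SAMPLE_TOKEN), indent=2))
```

Run it as-is to see the broken domain resolve the user to the opaque "sub" value with no backend roles, and the fixed domain resolve to preferred_username with the "admin" app role; to use it on a real retrieval, pass the openid domain from the yaml.safe_load of the securityadmin.sh -r output and the ID token from your IdP.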