No user admin found after configuring SAML

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): Opensearch/Dashboard 2.4.1

Describe the issue:
I have been trying to configure SAML and configured it successfully, but when I try logging in I get error 500 and, at the same time, an error which says “No User admin found in LDAP”; SAML is also not routing to the SAML login page.

Configuration:

saml_auth_domain:
  description: "SAML Auth"
  http_enabled: true
  transport_enabled: false
  order: 7
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        enable_ssl: true
        verify_hostnames: true
        metadata_file: /etc/opensearch/idp-elk-r2.xml
        entity_id: "Dell.UAT.SAML2.0"
      sp:
        entity_id: "https://elk-r2.dell.com"
        acs: "https://elk-r2.dell.com:443/kibana/api/security/v1/saml"
        logout: "https://elk-r2.dell.com/logout"
      kibana_url: "https://elk-r2.dell.com"
      subject_key: UserID
      roles_key: Role
      exchange_key: "<<<removed by admin - do not post keys/passwords>>>"
      #exchange_key: "<<<removed by admin - do not post keys/passwords>>>"
  authentication_backend:
    type: noop

ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 5
  http_authenticator:
    type: "basic"
    challenge: true
  authentication_backend:
    type: "ldap"
    config:
      enable_ssl: true
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true
      pemtrustedcas_filepath: /etc/opensearch/dellldap.crt
      hosts:
        - "ausdcamer.ins.dell.com:3269"
      bind_dn: CN=svc_prdelkstck70902,OU=Service Accounts,DC=amer,DC=dell,DC=com
      password: <<<removed by admin - do not post keys/passwords>>>
      userbase: "DC=dell,DC=com"
      usersearch: "(sAMAccountName={0})"
      username_attribute: "sAMAccountName"

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        pemtrustedcas_filepath: /etc/opensearch/dellldap.crt
        hosts:
        - "ausdcamer.ins.dell.com:3269"
        bind_dn: CN=svc_prdelkstck70902,OU=Service Accounts,DC=amer,DC=dell,DC=com
        password: <<<removed by admin - do not post keys/passwords>>>
        username_attribute: "uid"
        rolebase: "DC=dell,DC=com"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "none"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "DC=dell,DC=com"
        usersearch: "(uid={0})"

Relevant Logs or Screenshots:


Kindly help me in fixing this issue.

Regards,
Debashis

@dmallick19 Please share your opensearch_dashboards.yml file.
What IDP do you use for SAML authentication?

Hi @pablo ,

Please find the opensearch_dashboards.yml file below; we are using an XML-based IdP metadata file generated by our Dell SAML.

server.basePath: "/kibana"
opensearchDashboards.defaultAppId: "home"
logging.verbose: true
opensearch.requestTimeout: 180000
opensearch.shardTimeout: 180000
opensearch.hosts:
opensearch.ssl.verificationMode: none
opensearch.username:
opensearch.password:
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.auth.anonymous_auth_enabled: false
opensearch_security.session.keepalive: false
opensearch_security.auth.type: "saml"
#server.xsrf.allowlist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
server.xsrf.whitelist: [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]
#opensearch_security.auth.type: "basicauth"
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false

Below is the SAML response, taken using SAML Tracer -

</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<samlp:StatusMessage>Unknown AssertionConsumerServiceURL https://elk-r2.dell.com/_opendistro/_security/saml/acs</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>

Note - In order to get the IdP metadata file from the SAML team, we provided them the SP data generated using the elasticsearch-saml-metadata command with a configuration similar to the OpenSearch one. Had to use this command, as OpenSearch doesn’t have the same or an alternate command to generate the SP data.
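The Requester status above names the ACS URL the plugin put in its AuthnRequest (https://elk-r2.dell.com/_opendistro/_security/saml/acs), which is not the acs value in the SP data handed to the SAML team. As an added example that is not part of this thread or of the OpenSearch project, the Python below decodes a SAMLResponse, extracts its status, flags that mismatch, and writes minimal SP metadata using the ACS path the trace shows; the sample response is constructed and the function names are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ACS_PATH = "/_opendistro/_security/saml/acs"  # ACS path the plugin's AuthnRequest carries (as the IdP reported it above)

# Constructed sample shaped like the Requester response in the thread (signature omitted).
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
    <samlp:StatusMessage>Unknown AssertionConsumerServiceURL https://elk-r2.dell.com/_opendistro/_security/saml/acs</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>""")

def parse_status(saml_response_b64):
    """Decode a base64 SAMLResponse form value and return (StatusCode, StatusMessage)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    msg = root.find("samlp:Status/samlp:StatusMessage", NS)
    return code, ((msg.text or "").strip() if msg is not None else "")

def expected_acs(kibana_url):
    """ACS URL the plugin advertises, derived from kibana_url in the SAML auth domain."""
    return kibana_url.rstrip("/") + ACS_PATH

def diagnose(saml_response_b64, registered_acs):
    """Classify an IdP response; registered_acs is the ACS the SP metadata gave the IdP."""
    code, msg = parse_status(saml_response_b64)
    if code == STATUS_SUCCESS:
        return "ok"
    if code == STATUS_REQUESTER and "AssertionConsumerServiceURL" in msg:
        sent = msg.rsplit(" ", 1)[-1]  # the URL the IdP did not recognise
        if sent != registered_acs:
            return f"acs-mismatch: IdP registered {registered_acs}, SP sent {sent}"
    return f"idp-error: {code} {msg}".strip()

def sp_metadata(entity_id, kibana_url):
    """Minimal SP metadata whose ACS matches what the plugin will actually send."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="{entity_id}">'
            f'<md:SPSSODescriptor protocolSupportEnumeration="{NS["samlp"]}">'
            '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'Location="{expected_acs(kibana_url)}" index="0"/></md:SPSSODescriptor></md:EntityDescriptor>')
```

Run diagnose() on the SAMLResponse value captured by SAML Tracer with the acs URL from the SP metadata the IdP holds; sp_metadata() gives an SP descriptor to hand to the SAML team in place of the elasticsearch-saml-metadata output.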

@dmallick19 Are you getting redirected to Dell IDP for authentication?

Hi @pablo ,

Below is the response if I browse to the FQDN -

</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
<samlp:StatusMessage>Unknown AssertionConsumerServiceURL https://elk-r2.dell.com/_opendistro/_security/saml/acs</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>

and it is not rerouting to Dell SAML.

Thanks,
Debashis

You should cut sensitive information!
Such as opensearch.hosts and the SAML endpoint.

Thank you @vas1le , my bad forgot to remove those.

Thanks,
Debashis

Hi @pablo ,

Kindly help me on this.

This is a bit urgent and I am not sure whether OpenSearch supports Dell’s internal SAML auth.

Thanks,
Debashis

Why do you need this line?

Hi @pablo ,

In Kibana, the base.path configuration setting is used to specify the path where Kibana will be accessible from a web browser. This setting is important because it allows you to specify a custom URL path for accessing Kibana, rather than using the default path of / . This can be useful in situations where you want to run multiple instances of Kibana on the same server, or if you want to use a different path for security or organizational reasons.

Please let me know if you want me to remove this configuration.

Thanks,
Debashis

@dmallick19 I do understand the usage of this option and, according to the Kibana documentation, it is used when Kibana is behind a proxy.

As per documentation, you should also use server.rewriteBasePath.

Try to remove or comment out that option.

Hi @pablo ,

Yes, we are using nginx as proxy and Kibana is behind nginx.

Thanks,
Debashis

Hi @pablo ,

Below is the configuration for rewriting base.path in nginx -

server {
    listen 443;
    # nginx separates server names with spaces, not commas
    server_name elk-r2.dell.com elknlr2cr2kb01.us.dell.com;

    ssl_certificate           /etc/nginx/elk-r2.pem;
    ssl_certificate_key       /etc/nginx/elk-r2.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log  /var/log/nginx/access.log  main;

    location ~ ^/(.*)$ {
        # strip the /kibana prefix before handing the request to Dashboards
        rewrite /kibana/(.*) /$1 break;
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Thanks,
Debashis