No user admin found after configuring SAML

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): Opensearch/Dashboard 2.4.1

Describe the issue:
I have been trying configuring SAML and successfully configured but when I tried logging in, I am getting error 500 and the same time I am getting an error, which says “No User admin found in LDAP” and SAML also not routing to the SAML Login page.

Configuration:

saml_auth_domain:
description: “SAML Auth”
http_enabled: true
transport_enabled: false
order: 7
http_authenticator:
type: saml
challenge: true
config:
idp:
enable_ssl: true
verify_hostnames: true
metadata_file: /etc/opensearch/idp-elk-r2.xml
entity_id: “Dell.UAT.SAML2.0”
sp:
entity_id: “https://elk-r2.dell.com
acs: “https://elk-r2.dell.com:443/kibana/api/security/v1/saml
logout: “https://elk-r2.dell.com/logout
kibana_url: “https://elk-r2.dell.com
subject_key: UserID
roles_key: Role
exchange_key: “<<<removed by admin - do not post keys/passwords>>>”
#exchange_key: “<<<removed by admin - do not post keys/passwords>>>”
authentication_backend:
type: noop

ldap:
description: “Authenticate via LDAP or Active Directory”
http_enabled: true
transport_enabled: true
order: 5
http_authenticator:
type: “basic”
challenge: true
authentication_backend:
type: “ldap”
config:
enable_ssl: true
enable_start_tls: false
enable_ssl_client_auth: false
verify_hostnames: true
pemtrustedcas_filepath: /etc/opensearch/dellldap.crt
hosts:
- “ausdcamer.ins.dell.com:3269
bind_dn: CN=svc_prdelkstck70902,OU=Service Accounts,DC=amer,DC=dell,DC=com
password: <<<removed by admin - do not post keys/passwords>>>
userbase: “DC=dell,DC=com”
usersearch: “(sAMAccountName={0})”
username_attribute: “sAMAccountName”

authz:
  roles_from_myldap:
    description: "Authorize via LDAP or Active Directory"
    http_enabled: true
    transport_enabled: true
    authorization_backend:
      type: "ldap"
      config:
        enable_ssl: true
        enable_start_tls: false
        enable_ssl_client_auth: false
        verify_hostnames: true
        pemtrustedcas_filepath: /etc/opensearch/dellldap.crt
        hosts:
        - "ausdcamer.ins.dell.com:3269"
        bind_dn: CN=svc_prdelkstck70902,OU=Service Accounts,DC=amer,DC=dell,DC=com
        password: <<<removed by admin - do not post keys/passwords>>>
        username_attribute: "uid"
        rolebase: "DC=dell,DC=com"
        rolesearch: "(member={0})"
        userroleattribute: null
        userrolename: "none"
        rolename: "cn"
        resolve_nested_roles: true
        userbase: "DC=dell,DC=com"
        usersearch: "(uid={0})"

Relevant Logs or Screenshots:

image

Kindly help me in fixing this issue.

Regards,
Debashis

2

@dmallick19 Please share your opensearch_dashboards.yml file.
What IDP do you use for SAML authentication?

3

Hi @pablo ,

Please find opensearch_dashboards.yml file below and we are using xml based IPD metadata file generated by our Dell SAML.

server.basePath: “/kibana”

opensearchDashboards.defaultAppId: “home”

logging.verbose: true

opensearch.requestTimeout: 180000

opensearch.shardTimeout: 180000

opensearch.hosts:

opensearch.ssl.verificationMode: none

opensearch.username:

opensearch.password:

opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.auth.anonymous_auth_enabled: false

opensearch_security.session.keepalive: false

opensearch_security.auth.type: “saml”

#server.xsrf.allowlist: [“/_opendistro/_security/saml/acs/idpinitiated”, “/_opendistro/_security/saml/acs”, “/_opendistro/_security/saml/logout”]

server.xsrf.whitelist: [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]

#opensearch_security.auth.type: “basicauth”

opensearch_security.multitenancy.enabled: true

opensearch_security.multitenancy.tenants.preferred: [Private, Global]

opensearch_security.readonly_mode.roles: [kibana_read_only]

Use this setting if you are running opensearch-dashboards without https

opensearch_security.cookie.secure: false

Below are the SAML response, taken using SAML Tracer -

</ds:KeyInfo>
</ds:Signature>
samlp:Status
<samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Requester” />
samlp:StatusMessageUnknown AssertionConsumerServiceURL https://elk-r2.dell.com/_opendistro/_security/saml/acs</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>

Note - In order to get the IDP Metadata file from SAML Team, we are providing them the SP data generated using elasticsearch-saml-metadata command using similar configuration as Opensearch. Had to use this command, as Openearch doesn’t have the same or alternate command to generate the SP data.

4

@dmallick19 Are you getting redirected to Dell IDP for authentication?

5

Hi @pablo ,

Below is the response, if I am browsing to FQDN -

</ds:KeyInfo>
</ds:Signature>
samlp:Status
<samlp:StatusCode Value=“urn:oasis:names:tc:SAML:2.0:status:Requester” />
samlp:StatusMessageUnknown AssertionConsumerServiceURL https://elk-r2.dell.com/_opendistro/_security/saml/acs</samlp:StatusMessage>
</samlp:Status>
</samlp:Response>

and it is not rerouting to dell saml.

Thanks,
Debashis

6

You should cut sensible informations!
Such as opensearch.hosts and SAML endpoint.

7

Thank you @vas1le , my bad forgot to remove those.

Thanks,
Debashis

8

Hi @pablo ,

Kindly help me on this.

This is bit urgent and I am not sure whether Opensearch support Dell’s internal SAML auth.

Thanks,
Debashis

9

Why do you need this line?

10

Hi @pablo ,

In Kibana, the base.path configuration setting is used to specify the path where Kibana will be accessible from a web browser. This setting is important because it allows you to specify a custom URL path for accessing Kibana, rather than using the default path of / . This can be useful in situations where you want to run multiple instances of Kibana on the same server, or if you want to use a different path for security or organizational reasons.

Please let me know, if you want me remove this configuration.

Thanks,
Debashis

11

@dmallick19 I do understand the usage of this option and according to Kibana documentation, this is used when Kibana is behind the proxy.

image
image860×122 15.6 KB

As per documentation, you should also use server.rewriteBasePath.

Try to remove or comment out that option.

12

Hi @pablo ,

Yes, we are using nginx as proxy and Kibana is behind nginx.

Thanks,
Debashis

13

Hi @pablo ,

The below is configuration of rewrite base.path in nginx -

server {
listen 443;
server_name elk-r2.dell.com, elknlr2cr2kb01.us.dell.com;

ssl_certificate           /etc/nginx/elk-r2.pem;
ssl_certificate_key       /etc/nginx/elk-r2.key;


ssl on;
ssl_session_cache  builtin:1000  shared:SSL:10m;
ssl_protocols  TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
access_log  /var/log/nginx/access.log  main;

location ~ ^/(.*)$ {
    rewrite /kibana/(.*) /$1 break;
    proxy_pass http://localhost:5601;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}

}

Thanks,
Debashis