Okta SSO not working as expected

Hi there, I’ve been trying to integrate Okta SSO using saml I’ve faced errors trying to directly redirect from the Okta app or using the raw link to access directly from the browser.

Process followed to find the issue:

• Followed the Opensearch documentation to enable saml in the OpenSearch cluster and the Dashboard.

• After some errors I’ve found the [BUG] SAML endpoint still using _opendistro instead of _plugins and finally after setting this I was allowed to log in from the URL of the services where we set. But in the other hand when I try to log using the APP in Okta portal it redirects me into https://myservice.com/_opendistro/_security/saml/acs but showing and 500 Internal Server error. Opensearch-dashboard logs below:

imagen1519×814 249 KB

• Checking in the forum we have seen that if we use https://myservice.com/_opendistro/_security/saml/acs/idpintiated in the url as Anthony says it works from the Okta APP but not directly from the link, throwing similar logs as before.

When I was using Opendistro the two ways were available using https://myservice.com/_opendistro/_security/saml/acs you could login vie Okta APP or from the link.

Do you know if this is the normal behavior in OpenSearch or if there may exist a bug?

Thanks in advance.

Hi @jhaos, I have just tested with opensearch 1.3.0 and can confirm it works the same way.

The configuration I have in OKTA is as follows:

Screenshot 2022-05-16 at 10.44.51771×522 34.7 KB

Using this config I am able to login coming from APP in OKTA and opensearch url (in my case localhost:5601).

If you have the same setup but still not able to connect via either of the methods, can you please post your opensearch_dashboards.yml and config.yml (feel free to redact any sensitive details)

Hi @Anthony thanks for the response an sorry for the late reply. In Okta I have a similar config as yours but Requestable SSO URLs check the picture below

imagen770×482 20.8 KB

As a config.yml I added the following block to add saml

    authc:
      saml_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "saml"
          challenge: true
          config:
            idp:
              metadata_url: "https://urlokta.com/app/myapp/sso/saml/metadata"
              entity_id: "http://www.okta.com/myapp"
            sp:
              entity_id: "saml-saml"
            kibana_url: "https://url.com/"
            roles_key: "Roles"
            exchange_key: "My_token"
        authentication_backend:
          type: "noop"

And changed the Basic auth in the order and challege:

      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false

And added to my opensearch_dashboards.yml the following

    opensearch_security.auth.type: "saml"
    server.xsrf.whitelist: [ "/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

I’ve tried "/_plugins/_security/api/authtoken" and "/_opendistro/_security/api/authtoken" but didn’t work neither.

Thanks for helping.

@jhaos The config seems ok, similar to mine, I don’t have the exchange_key, but this shouldn’t have impact. Can you try adding the Requestable SSO URLs pointing to …/saml/acs

Hi @Anthony it seems is working adding that option in the Okta dashboard, correct me if I’m wrong but I understand now that option is like an alternative URL to give the access right?

Thanks for your help.

@jhaos
Similar question was posted on Okta support page, have a look here