Opensearch Dashboard SAML2 Failure

Versions

OpenSearch / Dashboard: v3.5.0, v3.4.0
Server OS: Intel Mac OS X 10_15_7
Browser: Chrome/145.0.0.0

Describe the issue:
Facing (different) errors in both the IdP-initiated flow and the SP-initiated flow; can anyone help suggest what the issues are and why?
(Also: why, in the IdP-initiated flow, does OpenSearch Dashboards try to call /_plugins/_security/api/authtoken with the query parameter auth_type?)

Configuration:
opensearch-security/config.yml

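---
# OpenSearch Security configuration (opensearch-security/config.yml).
#
# Auth domains under `authc` are tried in ascending `order`, and the first
# one that authenticates the request wins. Dashboards presents its own client
# certificate to OpenSearch (opensearch.ssl.alwaysPresentCertificate: true in
# opensearch_dashboards.yml), so a clientcert domain evaluated before the SAML
# domain can be satisfied by the Dashboards service certificate before the
# SAML authenticator ever runs. The poster reports that moving
# clientcert_auth_domain after saml_auth_domain made both the SP- and the
# IdP-initiated flow work; the `order` values below apply that change.
# That is also consistent with the IdP-initiated error (the authtoken call
# reaching the plain REST API, which rejects `auth_type`) — inferred, not
# confirmed from the page.
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      saml_auth_domain:
        description: "Authenticate via SAML 2.0 (Dashboards browser logins)"
        http_enabled: true
        transport_enabled: false
        # Evaluated first so Dashboards login requests reach the SAML authenticator.
        order: 0
        http_authenticator:
          type: saml
          # challenge: true lets unauthenticated browser requests be redirected to the IdP.
          challenge: true
          config:
            idp:
              enable_ssl: true
              verify_hostnames: true
              # IdP metadata document; the IdP signing certificate is read from it.
              metadata_url: https://host.docker.internal:7000/metadata
              # Must equal the entityID attribute in that metadata.
              entity_id: https://localhost:7000
              # CA used to validate the HTTPS connection to metadata_url.
              pemtrustedcas_filepath: tls/RootCA.crt
            sp:
              forceAuthn: true
              # Must equal the <saml:Audience> the IdP places in its assertions.
              entity_id: https://localhost:5601/#/
            # Shared secret protecting the token OpenSearch hands to Dashboards
            # after a SAML login. This value has been published in a public
            # post: generate a fresh random key and configure it on both sides
            # before reusing this file anywhere.
            exchange_key: 2e1a7d2224ca2ef9c362e68553a61b6155d46a0bc21092c819150ba17ce92075
            # SAML attribute whose values become the user's backend roles
            # (mapped to OpenSearch roles via roles_mapping.yml).
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
            kibana_url: https://localhost:5601/
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: true
        transport_enabled: true
        # Evaluated after SAML; see the header comment for why.
        order: 1
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: noop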

opensearch_dashboards.yml

---
# OpenSearch Dashboards configuration (opensearch_dashboards.yml).
# Dashboards accepts both dotted keys (a.b.c) and nested mappings; the file
# mixes the two, and that mix is kept as-is here. Keys are grouped by
# concern; mapping order carries no meaning.

# --- HTTP server (browser-facing) -----------------------------------------
server.name: "Opensearch Dashboards"
server.host: "0.0.0.0"
server.port: 5601
server.rewriteBasePath: false
server.maxPayloadBytes: 1048576
server.ssl.enabled: true
server.ssl.clientAuthentication: none
server:
  ssl:
    supportedProtocols:
      - TLSv1.3
    truststore:
      path: /usr/share/opensearch-dashboards/config/tls/truststore.p12
      # Well-known default PKCS#12 password; replace outside a local test setup.
      password: changeit
    keystore:
      # The same PKCS#12 is also presented to OpenSearch as client identity (see opensearch.ssl).
      path: /usr/share/opensearch-dashboards/config/tls/opensearch-dashboards.p12
      password: changeit
# SAML endpoints the IdP POSTs to directly, so they cannot carry the XSRF header.
server.xsrf.allowlist:
  - "/_opendistro/_security/saml/acs/idpinitiated"
  - "/_plugins/_security/saml/acs/idpinitiated"
  - "/_opendistro/_security/saml/acs"
  - "/_plugins/_security/saml/acs"
  - "/_opendistro/_security/saml/logout"
  - "/_plugins/_security/saml/logout"

# --- Connection to the OpenSearch cluster ---------------------------------
opensearch:
  hosts:
    - https://opensearch-node-0:9200
    - https://opensearch-node-1:9200
    - https://opensearch-node-2:9200
  ssl:
    truststore:
      path: /usr/share/opensearch-dashboards/config/tls/truststore.p12
      password: changeit
    keystore:
      path: /usr/share/opensearch-dashboards/config/tls/opensearch-dashboards.p12
      password: changeit
# Dashboards presents the keystore certificate on its OpenSearch connections.
# This interacts with clientcert_auth_domain in config.yml: a clientcert
# domain evaluated before the SAML domain can authenticate this service
# certificate instead of the logged-in user.
opensearch.ssl.alwaysPresentCertificate: true
opensearch.ssl.verificationMode: full
opensearch.pingTimeout: 1500
opensearch.requestTimeout: 30000
opensearch.shardTimeout: 30000
# Request headers Dashboards forwards to OpenSearch.
opensearch.requestHeadersAllowlist:
  - "securitytenant"
  - "authorization"
opensearch.logQueries: false

# --- Security plugin (SAML login) -----------------------------------------
opensearch_security.auth.type: "saml"
opensearch_security.auth.multiple_auth_enabled: false
opensearch_security.multitenancy.enabled: false
# Session cookie is marked Secure; requires server.ssl.enabled above.
opensearch_security.cookie.secure: true
opensearch_security.session.keepalive: true
opensearch_security.session.ttl: 3600000
opensearch_security:
  readonly_mode:
    roles:
      - Infodir-mpos-local-readonly
opensearchDashboards:
  dashboardAdmin:
    groups:
      - Infodir-mpos-local-privilege

# --- Saved objects / UI -----------------------------------------------------
opensearchDashboards.index: ".opensearch_dashboards"
opensearchDashboards.configIndex: ".opensearch_dashboards_config"
opensearchDashboards.defaultAppId: "home"
i18n.locale: "en"
map.showRegionDeniedWarning: true
home.disableWelcomeScreen: true
home.disableExperienceModal: true

# --- Plugin feature flags --------------------------------------------------
vis_builder.enabled: true
ml_commons_dashboards.enabled: true
assistant.chat.enabled: true
assistant.alertInsight.enabled: true
assistant.smartAnomalyDetector.enabled: true
assistant.text2viz.enabled: true
observability.query_assist.enabled: true
queryEnhancements.queryAssist.summary.enabled: true
data.search.usageTelemetry.enabled: false
usageCollection.uiMetric.enabled: false

# --- Logging ---------------------------------------------------------------
ops.interval: 5000
logging.ignoreEnospcError: false
logging.silent: false
logging.quiet: false
logging:
  dest: /usr/share/opensearch-dashboards/logs/dashboards_bootstrap.log
  # Verbose logging writes full request headers to the log file (see the
  # posted response entries); turn it off once troubleshooting is done.
  verbose: true

Metadata (https://host.docker.internal:7000/metadata)

<EntityDescriptor entityID="https://localhost:7000" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIID9zCCAt+gAwIBAgIJAP5opAk/ElTuMA0GCSqGSIb3DQEBDAUAMGYxCzAJBgNVBAYTAkNOMQswCQYDVQQIEwJHRDELMAkGA1UEBxMCR1oxGTAXBgNVBAoTEE1EUC1DZXJ0aWZpY2F0ZXMxDDAKBgNVBAsTA01EUDEUMBIGA1UEAxMLTURQLVJvb3QtQ0EwHhcNMjYwMjIzMDUwODI4WhcNMjYwNTI0MDUwODI4WjBkMQswCQYDVQQGEwJDTjELMAkGA1UECBMCR0QxCzAJBgNVBAcTAkdaMRkwFwYDVQQKExBNRFAtQ2VydGlmaWNhdGVzMQwwCgYDVQQLEwNNRFAxEjAQBgNVBAMTCXNhbWwyLWlkcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLVyvGpWOaPDO2hKeKKPTaug1JZpZKbr6pB9hAri+4O+aNmTkmTYkX1KhBwoVLJxLkR2Jmg09eZs5Gd5UZACtEYYuBDt5KStXSqGyzZkPGTIXEGj9M2Xl5cZCmUAUBtzEW0rShRNzwhnZozfOUzE6oMrWRrUEjfGIqd5l6jTX82Kvh7ea9pns3rB1LStyrxFONsFuuhNxVnl9eS6gFMT0jryjBuaY9mshULFUzF5smgCfH7RYsQ3OYpq2x6TeU1d79ZgQzdLXpqlJmlleAp15ELCjX3QqC7tfvUv1sOMdFsIElA0HaDeeuGYK6thq28ge+i+HcvHiLZKPiNA747DRUCAwEAAaOBqTCBpjAdBgNVHQ4EFgQUeSuVn9IGb7B1wb/KUtSBRR2YZdowDgYDVR0PAQH/BAQDAgWgMDUGA1UdEQQuMCyCCXNhbWwyLWlkcIIJbG9jYWxob3N0ghRob3N0LmRvY2tlci5pbnRlcm5hbDAfBgNVHSMEGDAWgBThzEi8hGFeHhbAkaZZscM+x4G9MDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEMBQADggEBAJGPwNU/mo6YNJU1fMAbDgpBp1xB3KsFVdFlk9jXvCi0ZKvuuRjxjbru3eeAUIRCQURYr7dBTPwwZk4YJQyzZYnj+M+/nZPYNpOOdTdaM2aQGldw+UoxAReI1tT0v55GNgBpzCuGVIz35D/bed1V/opDOisRTBbenfHU1SfFlWbtjU7izytd9swIwBpuTgmizMJ4R1z4zLO+R4BtCShmQWVjEbWKNZ2v8nEBiMhCuxprzE7t2Q74ofWgeIrhNtCY/dqQvLxW750OWxMQz1u/SPeg4+G9ur15ZAKMe7oRXi57ZrVS5GHc2+czeBXkGQJwXXyyMkeXYfzNSz9F/ZCIhX8=</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:7000/saml/slo"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:7000/saml/slo"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:7000/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:7000/saml/sso"/>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Display Name" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Email Address" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="AD Groups" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/>
  </IDPSSODescriptor>
</EntityDescriptor>

Relevant Logs or Screenshots:

SP-initiated flow failed with this error:

{"type":"log","@timestamp":"2026-02-24T15:29:48Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Invalid SAML configuration."}
{"type":"error","@timestamp":"2026-02-24T15:29:48Z","tags":[],"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:127:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:83:19)\n    at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:79:17)\n    at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:175:34)\n    at processTicksAndRejections (node:internal/process/task_queues:103:5)\n    at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:140:50)\n    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://localhost:5601/auth/saml/login?redirectHash=false&nextUrl=%2F","message":"Internal Server Error"}
{"type":"response","@timestamp":"2026-02-24T15:29:48Z","tags":[],"pid":1,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?redirectHash=false&nextUrl=%2F","routePath":"/auth/saml/login","method":"get","headers":{"host":"localhost:5601","connection":"keep-alive","sec-ch-ua":"\"Not:A-Brand\";v=\"99\", \"Google Chrome\";v=\"145\", \"Chromium\";v=\"145\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://localhost:5601/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"172.18.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","referer":"https://localhost:5601/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":500,"responseTime":48,"contentLength":9},"message":"GET /auth/saml/login?redirectHash=false&nextUrl=%2F 500 48ms - 9.0B"}
{"type":"log","@timestamp":"2026-02-24T15:29:48Z","tags":["debug","http","server","OpenSearchDashboards","cookie-session-storage"],"pid":1,"message":"Error: Unauthorized"}
{"type":"response","@timestamp":"2026-02-24T15:29:48Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","routePath":"/{p*}","method":"get","headers":{"host":"localhost:5601","connection":"keep-alive","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","sec-ch-ua":"\"Not:A-Brand\";v=\"99\", \"Google Chrome\";v=\"145\", \"Chromium\";v=\"145\"","sec-ch-ua-mobile":"?0","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://localhost:5601/auth/saml/login?redirectHash=false&nextUrl=%2F","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"172.18.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","referer":"https://localhost:5601/auth/saml/login?redirectHash=false&nextUrl=%2F"},"res":{"statusCode":401,"responseTime":4,"contentLength":9},"message":"GET /favicon.ico 401 4ms - 9.0B"}

IdP-initiated flow failed with this error:

StatusCodeError: [illegal_argument_exception] request [/_plugins/_security/api/authtoken] contains unrecognized parameter: [auth_type]
    at respond (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/usr/share/opensearch-dashboards/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:520:35)
    at endReadableNT (node:internal/streams/readable:1701:12)
    at processTicksAndRejections (node:internal/process/task_queues:89:21) {
  status: 400,
  displayName: 'BadRequest',
  path: '/_plugins/_security/api/authtoken',
  query: { auth_type: 'saml' },
  body: {
    error: {
      root_cause: [Array],
      type: 'illegal_argument_exception',
      reason: 'request [/_plugins/_security/api/authtoken] contains unrecognized parameter: [auth_type]'
    },
    status: 400
  },
  statusCode: 400,
  response: '{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"request [/_plugins/_security/api/authtoken] contains unrecognized parameter: [auth_type]"}],"type":"illegal_argument_exception","reason":"request [/_plugins/_security/api/authtoken] contains unrecognized parameter: [auth_type]"},"status":400}',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}
{"type":"log","@timestamp":"2026-02-24T15:31:35Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"SAML IDP initiated authentication workflow failed: Error: failed to get token"}
{"type":"error","@timestamp":"2026-02-24T15:31:35Z","tags":[],"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:127:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:83:19)\n    at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:79:17)\n    at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:175:34)\n    at processTicksAndRejections (node:internal/process/task_queues:103:5)\n    at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:140:50)\n    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated","message":"Internal Server Error"}
{"type":"response","@timestamp":"2026-02-24T15:31:35Z","tags":[],"pid":1,"method":"post","statusCode":500,"req":{"url":"/_opendistro/_security/saml/acs/idpinitiated","routePath":"/_opendistro/_security/saml/acs/idpinitiated","method":"post","headers":{"host":"localhost:5601","connection":"keep-alive","content-length":"9769","cache-control":"max-age=0","sec-ch-ua":"\"Not:A-Brand\";v=\"99\", \"Google Chrome\";v=\"145\", \"Chromium\";v=\"145\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","origin":"https://localhost:7000","content-type":"application/x-www-form-urlencoded","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://localhost:7000/","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"172.18.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","referer":"https://localhost:7000/"},"res":{"statusCode":500,"responseTime":209,"contentLength":9},"message":"POST /_opendistro/_security/saml/acs/idpinitiated 500 209ms - 9.0B"}
{"type":"log","@timestamp":"2026-02-24T15:31:35Z","tags":["debug","http","server","OpenSearchDashboards","cookie-session-storage"],"pid":1,"message":"Error: Unauthorized"}
{"type":"response","@timestamp":"2026-02-24T15:31:35Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","routePath":"/{p*}","method":"get","headers":{"host":"localhost:5601","connection":"keep-alive","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","sec-ch-ua":"\"Not:A-Brand\";v=\"99\", \"Google Chrome\";v=\"145\", \"Chromium\";v=\"145\"","sec-ch-ua-mobile":"?0","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-GB,en-US;q=0.9,en;q=0.8"},"remoteAddress":"172.18.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36","referer":"https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated"},"res":{"statusCode":401,"responseTime":4,"contentLength":9},"message":"GET /favicon.ico 401 4ms - 9.0B"}

SAML Response sent during the IdP-initiated flow:

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_33678bfafafb40d76480" Version="2.0" IssueInstant="2026-02-25T01:51:20.414Z" Destination="https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated">
    <saml:Issuer
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://localhost:7000
      
    </saml:Issuer>
    <Signature
        xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="#_33678bfafafb40d76480">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>
              vU8JjqP69eOtj5R1v42kT6YBYvtEWJ41MXoNTKUqFuk=
            </DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
          qUREM6EN7nR32oKZKvBL6TdmtQl6If+yK5bEG/PMgf8i0VY6A0eVJ7zQav+TyQEX1KO3o1Suu4R7ZZeLJXtHJpsizbjXL9mFOIGng5LvfydTEQ97mBq1JRUv8K0jczqSgneUExGUOUfuYWDqMXpqJHA1I009jLmJhhw1LLbRHX2aRJnZBFsl/YEcFr7aa2ppzdWl7gqN7ds/JSC7x9Rj/doswfQSi7sOKvN+KpvdHmYmxc1kSmKXB/h3v/xehrj7Zx8R7yiT+CW7L+0PDpAmB0bTbjPiD2WSQijVfnCd05RYfrms87KsUV9SX0VjxKcIS4j/6jctr7YPxndiK2mrwQ==
        </SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
              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
            </X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_l7TffpoHFBkPFfWgqRw2yvSW98HfoTqc" IssueInstant="2026-02-25T01:51:20.395Z">
        <saml:Issuer>
          https://localhost:7000
        </saml:Issuer>
        <Signature
            xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_l7TffpoHFBkPFfWgqRw2yvSW98HfoTqc">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>
                Xbas0P/dSNpzdzhmX+blQlKEGioiC4JsXpIMMpoLP6k=
              </DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>
            Aj68zyZfNxorBcweZl4PkfKapEyZsQKQD/L85/O2pEwauz74505fNN/OzkWyNyPAYY8t3qyTyN2ngZcX9D3UIIbjPpU0A/h9PHZU9mcLZHKsHTCEYo7aI2dB4GqLB7dEtQjeJiqSgHkzSUTBAVEwtkcmFlEGds1Ao+pMJPAX6ZgdnFFsTcpqRORLaNhOkq3Am6M0NXBd36V/ZRmOvd+YzXJ5BbAvOSS54VeDPQjoQ2mGWqfZlASXy+4+FU2i6uCzFG8h7UwLUTOH3x0M71ahJRUDA2cQEfbGgB7SZe9Az/iLFwVgqmDi4sxSswdfVTHIcM6fCcMiPYKlmy4RL+58CQ==
          </SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>
                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
              </X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
            test-user
          </saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2026-02-25T02:51:20.395Z" Recipient="https://localhost:5601/_opendistro/_security/saml/acs/idpinitiated"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2026-02-25T01:51:20.395Z" NotOnOrAfter="2026-02-25T02:51:20.395Z">
            <saml:AudienceRestriction>
                <saml:Audience>
              https://localhost:5601/#/
            </saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2026-02-25T01:51:20.395Z" SessionIndex="1941237757">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
              urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">
              TestUser
            </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">
              testuser@test.com
            </saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml:AttributeValue xsi:type="xs:string">
              Infodir-mpos-local-privilege
            </saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Note:
No logs are seen on the OpenSearch node side while the error happens in OpenSearch Dashboards.

@Lambertyan What is your IdP server?

Are you getting redirected to the IdP’s login screen?

Hi @pablo - I am running saml-idp locally along with opensearch and opensearch-dashboards. In my original attempt, I was not redirected to the IdP login screen.
But I have somehow managed to get SAML2 working now by re-ordering the authentication methods, making clientcert_auth_domain the last one. :grinning_face:
