Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: 2.19.1
OpenSearch Dashboards: 2.19.1
OS: rhel centos 9.5
Browser: Chrome
Describe the issue:
I am trying to set up SSO using OpenID Connect in OpenSearch Dashboards.
When trying to access OpenSearch Dashboards I get redirected to the SSO login page. After inputting the credentials I get redirected back to OpenSearch Dashboards,
but I am getting Unauthorized:
```json
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
```
Following is the URL in the browser:
Configuration:
Below is the security-related config in opensearch_dashboards.yml:
```yaml
opensearch_security.auth.type: ["openid","basicauth"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.connect_url: "https://accounts-icloud.company-it.com/auth/realms/coc/.well-known/openid-configuration"
opensearch_security.openid.client_id: "cns:coc:company"
opensearch_security.openid.client_secret: "71ce-4db6-a619-936d5"
opensearch_security.openid.base_redirect_url: "http://100.200.101.10/shared/api/security/oidc/callback"
opensearch_security.openid.scope: "openid email profile"
opensearch_security.openid.header: "Authorization"
opensearch_security.openid.logout_url: "https://accounts-icloud.company-it.com/auth/realms/coc/protocol/openid-connect/logout"
```
Below are the security-related details of the config.yml file under the opensearch-security folder:
```yaml
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: false
              pemtrustedcas_filepath: /home/ganesh/opensearch-2.19.1/config/final/root-ca.pem
            subject_key: preferred_username
            roles_key: groups
            openid_connect_url: https://accounts-icloud.company-it.com/auth/realms/coc/.well-known/openid-configuration
            client_id: "cns:coc:company"
            client_secret: "71ce-4db6-a619-936d5"
            jwks_uri: "https://accounts-icloud.company-it.com/auth/realms/coc/protocol/openid-connect/certs"
        authentication_backend:
          type: noop
```
Below are the details in roles_mapping.yml:
```yaml
all_access:
  reserved: false
  backend_roles:
    - "admin"
    - "cns:coc:company"
    - "cns:coc:company:::roles:service-provider-admin"
    - "cns:coc:company::company:roles:admin"
  description: "Maps company admin to all_access"
```
Relevant Logs or Screenshots:
Following are the logs from opensearch_dashboards:
```json
{"type":"response","@timestamp":"2025-03-16T16:54:46Z","tags":[],"pid":367686,"method":"get","statusCode":200,"req":{"url":"/auth/openid/captureUrlFragment.js","method":"get","headers":{"host":"100.200.101.10","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36","accept":"*/*","referer":"http://100.200.101.10/shared/auth/openid/captureUrlFragment","accept-encoding":"gzip, deflate","accept-language":"en-GB,en-US;q=0.9,en;q=0.8","x-forwarded-for":"10.80.88.109"},"remoteAddress":"100.210.20.10","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36","referer":"http://100.200.101.10/shared/auth/openid/captureUrlFragment"},"res":{"statusCode":200,"responseTime":1,"contentLength":9},"message":"GET /auth/openid/captureUrlFragment.js 200 1ms - 9.0B"}
{"type":"response","@timestamp":"2025-03-16T16:54:46Z","tags":[],"pid":367686,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?redirectHash=false","method":"get","headers":{"host":"100.200.101.10","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","referer":"http://100.200.101.10/shared/auth/openid/captureUrlFragment","accept-encoding":"gzip, deflate","accept-language":"en-GB,en-US;q=0.9,en;q=0.8","x-forwarded-for":"10.80.88.109"},"remoteAddress":"100.210.20.10","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36","referer":"http://100.200.101.10/shared/auth/openid/captureUrlFragment"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET /auth/openid/login?redirectHash=false 302 2ms - 9.0B"}
{"type":"response","@timestamp":"2025-03-16T16:54:47Z","tags":[],"pid":367686,"method":"get","statusCode":401,"req":{"url":"/api/security/oidc/callback/auth/openid/login?state=ttS8fFMGaQ8x9bdxxDNttO&session_state=1b09238c-0ba3-4c7d-ab05-b60502515f42&code=59bf48d7-cdae-47f1-b812-c5dcd9336436.1b09238c-0ba3-4c7d-ab05-b60502515f42.07f59572-89ba-4ce4-b6ca-bec150a1eb2e","method":"get","headers":{"host":"100.200.101.10","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","accept-encoding":"gzip, deflate","accept-language":"en-GB,en-US;q=0.9,en;q=0.8","x-forwarded-for":"10.80.88.109"},"remoteAddress":"100.210.20.10","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /api/security/oidc/callback/auth/openid/login?state=ttS8fFMGaQ8x9bdxxDNttO&session_state=1b09238c-0ba3-4c7d-ab05-b60502515f42&code=59bf48d7-cdae-47f1-b812-c5dcd9336436.1b09238c-0ba3-4c7d-ab05-b60502515f42.07f59572-89ba-4ce4-b6ca-bec150a1eb2e 401 2ms - 9.0B"}
```
Please correct me if I am doing anything wrong in the setup.
Thanks
Ganeshbabu R
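The diagnostic below is an added example, not code from the poster or from the OpenSearch project. It replays the three Dashboards response-log lines from the post (trimmed to the fields that matter and embedded as constructed sample input) and checks the one thing the third line makes visible: the path the identity provider sent the browser back to, versus the route the security plugin serves. It assumes, consistent with that third log line, that the plugin appends `/auth/openid/login` to `opensearch_security.openid.base_redirect_url` to form the `redirect_uri`, and that the reverse proxy strips the `/shared` base path (taken from the referer in the first two lines) before the request reaches Dashboards. The function names, the `REDACTED` code value and the "healthy" line are all constructed for illustration.

```python
"""Replay the OIDC callback from the post's Dashboards logs and explain the 401.

Added diagnostic, not part of OpenSearch or the original post. Assumption:
the security plugin registers  <base_redirect_url>/auth/openid/login  as the
redirect_uri and handles the callback on the server route /auth/openid/login
(after the proxy removes the external basePath, '/shared' in the post).
"""
import json
from urllib.parse import parse_qs, urlparse

# Trimmed copies of the three log lines in the post (constructed sample input;
# the authorization code is replaced with a placeholder).
LOG_LINES = [
    '{"type":"response","@timestamp":"2025-03-16T16:54:46Z","method":"get","statusCode":200,'
    '"req":{"url":"/auth/openid/captureUrlFragment.js","method":"get",'
    '"headers":{"host":"100.200.101.10","referer":"http://100.200.101.10/shared/auth/openid/captureUrlFragment"}}}',
    '{"type":"response","@timestamp":"2025-03-16T16:54:46Z","method":"get","statusCode":302,'
    '"req":{"url":"/auth/openid/login?redirectHash=false","method":"get",'
    '"headers":{"host":"100.200.101.10","referer":"http://100.200.101.10/shared/auth/openid/captureUrlFragment"}}}',
    '{"type":"response","@timestamp":"2025-03-16T16:54:47Z","method":"get","statusCode":401,'
    '"req":{"url":"/api/security/oidc/callback/auth/openid/login?state=ttS8fFMGaQ8x9bdxxDNttO&code=REDACTED",'
    '"method":"get","headers":{"host":"100.200.101.10"}}}',
]

# A constructed line showing what a callback that lands on the served route looks like.
HEALTHY_CALLBACK_LINE = (
    '{"type":"response","@timestamp":"2025-03-16T17:00:00Z","method":"get","statusCode":302,'
    '"req":{"url":"/auth/openid/login?state=abc123&code=REDACTED","method":"get",'
    '"headers":{"host":"100.200.101.10"}}}'
)

# Values from the post: the configured base_redirect_url and the external basePath.
BASE_REDIRECT_URL = "http://100.200.101.10/shared/api/security/oidc/callback"
SERVER_BASE_PATH = "/shared"

CALLBACK_ROUTE = "/auth/openid/login"  # route the plugin serves (assumption, see module docstring)


def expected_redirect_uri(base_redirect_url: str) -> str:
    """redirect_uri the plugin sends to the IdP, derived from base_redirect_url."""
    return base_redirect_url.rstrip("/") + CALLBACK_ROUTE


def flow_summary(lines):
    """Return [(path, statusCode), ...] so the login round-trip can be read at a glance."""
    out = []
    for line in lines:
        rec = json.loads(line)
        out.append((urlparse(rec["req"]["url"]).path, rec["statusCode"]))
    return out


def callback_requests(lines):
    """Yield (statusCode, path, query) for requests carrying an OIDC 'code' parameter."""
    for line in lines:
        rec = json.loads(line)
        url = urlparse(rec["req"]["url"])
        query = parse_qs(url.query)
        if "code" in query:
            yield rec["statusCode"], url.path, query


def diagnose(lines, base_redirect_url: str, server_base_path: str = "") -> list:
    """Return human-readable findings about why the OIDC callback returned 401."""
    findings = []
    external_route = server_base_path.rstrip("/") + CALLBACK_ROUTE
    configured = expected_redirect_uri(base_redirect_url)
    for status, path, query in callback_requests(lines):
        if path != CALLBACK_ROUTE:
            findings.append(
                f"callback hit '{path}' (HTTP {status}) but the plugin serves "
                f"'{CALLBACK_ROUTE}' (externally '{external_route}'); "
                f"base_redirect_url expands to redirect_uri '{configured}'"
            )
        if "state" not in query:
            findings.append(f"callback to '{path}' is missing the 'state' parameter")
    return findings


if __name__ == "__main__":
    for path, status in flow_summary(LOG_LINES):
        print(f"{status} {path}")
    for finding in diagnose(LOG_LINES, BASE_REDIRECT_URL, SERVER_BASE_PATH):
        print("finding:", finding)
```

Run against the post's lines, the script prints the 200/302/401 sequence and a single finding: the browser came back to `/api/security/oidc/callback/auth/openid/login`, because the configured `base_redirect_url` already contains `/api/security/oidc/callback` and the plugin appends its own callback route on top of it. The same function returns no findings for the constructed healthy line, which is the shape to look for in the log once the redirect URI registered with the IdP lands on the served route.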