I have configured logging via Keycloak, and when trying to log in with SSO to Dashboards, I am getting 502 Bad Gateway and "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'" in the OpenSearch logs.
What’s the reason for opensearch.ssl.certificateAuthorities and server.ssl.certificateAuthorities as opensearch.ssl.verificationMode is set to none and server.ssl.enabled is not configured?
I’ve noticed in the kibana.yml that opensearch_security.openid.connect_url is set to HTTPS address. Do you use self-signed certificates in Keycloak? Do you use a reverse proxy in front of the Keycloak?
Yes, this process is working correctly. I am getting redirected to Keycloak's login page, and after that I can see a successfully opened session in Keycloak.
I believe it is configured normally. Here is the JWT token output, where you can see the two roles: “all_access,” which is the default for OpenSearch, and “admin_role,” the custom role I created with all permissions.
@dav.m Have you assigned admin_role as backend role in roles_mapping.yml?
If you want to use built-in backend roles then try assigning either kibanauser or admin in Keycloak.
Let me share with you the contents of the internal_users.yml , roles.yml , and roles_mapping.yml files. Could you please review them and let me know if they are correct or not?
@dav.m The User Realm Role configuration is crucial. The Multivalued option must be set to true (On). If that is set to false, Keycloak will send it as a single array and the OpenSearch security plugin won’t understand it.
Could you share a screenshot of your User Realm Role configuration? You’ll find it in Client Scopes.
Regarding the roles mapped to the Keycloak user, please use admin instead of all_access as admin is a built-in backend role.
The logic of the OpenID and OpenSearch roles mapping is as follows.
A Keycloak role is assigned to the Keycloak user in Keycloak.
The OpenSearch role is created for a Keycloak user.
The Keycloak role is assigned (mapped) as a backend role to the OpenSearch role.
As for the “admin_role,” initially, I intended to use only that role. However, after some testing, I decided to also include the “all_access” role to see if that resolves the issue.
I want to clarify something about the error message I’m encountering in the web interface after logging in with SSO. It’s a WARNING message indicating the absence of a Basic auth header. However, I want to emphasize that I am indeed using Basic auth, and it’s functioning successfully.
@dav.m Have you tried using admin instead of all_access? The admin is a backend built-in role in OpenSearch.
When you authenticate with an external IdP (e.g. LDAP, SAML, OpenID), all the roles sent by the IdP are called backend roles. To use these roles, they must be mapped to OpenSearch's roles in the roles_mapping.yml file.
The exception is built-in roles (e.g. admin, kibanauser, logstash, etc.), which can be assigned directly to the IdP's user and don't have to be mapped in the roles_mapping.yml file.
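An added example, not posted by anyone in this thread and not the security plugin's own code, that applies the mapping logic described above to a constructed, unsigned token: it reads the roles claim, reports whether it arrived as a JSON array (the multivalued mapper case) or a bare string, and resolves each backend role against a stand-in for roles_mapping.yml. It assumes the claim is named `roles` and uses a hypothetical, minimal roles_mapping.yml content embedded as a dict.

```python
import base64
import json

# Built-in backend roles that need no roles_mapping.yml entry (per the thread).
BUILTIN_BACKEND_ROLES = {"admin", "kibanauser", "logstash"}

# Constructed stand-in for roles_mapping.yml (hypothetical content):
#   all_access:            backend_roles: ["admin"]
#   admin_role:            backend_roles: ["admin_role"]
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin"]},
    "admin_role": {"backend_roles": ["admin_role"]},
}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims. The signature is NOT verified here;
    this is an inspection helper for debugging, not an authenticator."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def roles_claim(claims: dict, key: str) -> tuple:
    """Return (roles, multivalued). A JSON array means the Keycloak mapper
    is multivalued; a bare string is one opaque value to the plugin."""
    value = claims.get(key)
    if value is None:
        return [], False
    if isinstance(value, list):
        return [str(r) for r in value], True
    return [str(value)], False


def resolve_roles(backend_roles: list, mapping: dict) -> dict:
    """Built-ins are accepted as-is; every other backend role must appear
    in some roles_mapping.yml entry's backend_roles, else it is unmapped."""
    opensearch_roles, builtin, unmapped = set(), [], []
    for br in backend_roles:
        hits = [name for name, spec in mapping.items()
                if br in spec.get("backend_roles", [])]
        opensearch_roles.update(hits)
        if br in BUILTIN_BACKEND_ROLES:
            builtin.append(br)
        elif not hits:
            unmapped.append(br)
    return {"opensearch_roles": sorted(opensearch_roles),
            "builtin": builtin, "unmapped": unmapped}


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned token (alg none) for offline testing."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def check_token(token: str, key: str = "roles", mapping: dict = ROLES_MAPPING) -> dict:
    roles, multivalued = roles_claim(decode_jwt_payload(token), key)
    return {"multivalued": multivalued, **resolve_roles(roles, mapping)}
```

Run `check_token(make_token({"roles": ["admin_role", "all_access"]}))` to see that a Keycloak role named all_access is neither built-in nor mapped, while admin_role resolves through the mapping.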