Opensearch-Dashboards + Okta (OpenID Connect)

I have this issue integrating Okta OpenID Connect with my Opensearch-dashboards:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Here are my configs:

  • config.yml
    openid_auth_domain:
      http_enabled: true
      transport_enabled: true
      order: 1
      http_authenticator:
        type: openid
        challenge: true
        config:
          openid_connect_idp:
            verify_hostnames: false
            enable_ssl: true
          openid_connect_url: https://IDP.com/.well-known/openid-configuration
      authentication_backend:
        type: noop
  • opensearch-dashboards.yml
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://IDP.com/.well-known/openid-configuration"
opensearch_security.openid.client_id: "ea9613IIIDDDIDIDI42489e0ff2"
opensearch_security.openid.client_secret: "dcc22711SECRETTTb4dd6b"
opensearch_security.cookie.isSameSite: None
opensearch_security.openid.verify_hostnames: false
opensearch_security.openid.base_redirect_url: "https://k1b4naUrL:5601/"

I am using Opensearch v1.2.3 and Opensearch-dashboards v1.2.0

Did I miss something here? Thanks in advance!


As with any other YAML file, please pay special attention to the proper indentation in your config.yml file. Please make sure all your values are indented as shown in the example configuration here:

Also, since you're using SSL/TLS when connecting to the IdP to obtain the ".well-known" config, you'd need to configure the CA certificate in pemtrustedcas_filepath: or pemtrustedcas_content: (this would be the CA that signed your IdP certificate).

Hello. Thanks for your response.

Is it not possible to make the connection unsecured so it will ignore the cert configuration?

You could use an insecure connection by disabling hostname verification (NOT recommended for a Production cluster) - or you can provide the CA cert (the one that signed the IdP certificate).

However, I’d first confirm your config.yml file is correctly formatted (proper indentation). You can upload your configuration as usual, by executing securityadmin.sh

./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/kirk.pem \
  -key ../../../config/kirk-key.pem

And then retrieve it (obtain a backup) also by executing securityadmin.sh

./securityadmin.sh -backup my-backup-directory \
  -icl \
  -nhnv \
  -cacert ../../../config/root-ca.pem \
  -cert ../../../config/kirk.pem \
  -key ../../../config/kirk-key.pem

So that you can compare what was actually stored in the security index (what you’ll obtain in your backup) against what you initially uploaded. If there are any differences, please share the config you get in your backup.
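The two replies above make the same two points: the auth domain must be indented consistently or the security plugin will not see the keys where it expects them, and an https IdP URL needs a trusted CA configured in openid_connect_idp. The following is an added example (not code from this thread or from the OpenSearch project) that checks both points offline. It ships its own minimal YAML-subset parser (indentation-nested `key: value` maps, no lists) so that it does not depend on PyYAML, and the three sample configs are constructed from the thread with placeholder host names and secrets.

```python
"""Lint the OpenID auth domain of an OpenSearch security config.yml and the
matching opensearch-dashboards.yml keys. Added example; the sample configs
below are constructed from the thread with placeholder values."""

# Constructed sample: the mis-indented config.yml from the original post.
BROKEN_CONFIG = """\
 openid_auth_domain:
 http_enabled: true
 http_authenticator:
    type: openid
   challenge: true
"""

# Constructed sample: the same auth domain with consistent indentation.
FIXED_CONFIG = """\
openid_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: true
    config:
      openid_connect_idp:
        verify_hostnames: false
        enable_ssl: true
      openid_connect_url: https://IDP.com/.well-known/openid-configuration
  authentication_backend:
    type: noop
"""

# Constructed sample: flat opensearch-dashboards.yml keys, placeholder secrets.
DASHBOARDS_CONFIG = """\
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://IDP.com/.well-known/openid-configuration"
opensearch_security.openid.client_id: "placeholder-client-id"
opensearch_security.openid.client_secret: "placeholder-secret"
opensearch_security.openid.verify_hostnames: false
opensearch_security.openid.base_redirect_url: "https://dashboards.example:5601/"
"""


def _scalar(text):
    """Convert a YAML scalar: booleans, integers, quoted or bare strings."""
    text = text.strip()
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return int(text) if text.isdigit() else text.strip("'\"")


def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` maps. Raises ValueError when a
    key's indentation disagrees with its siblings (the thread's first point)."""
    root = {}
    stack = [[-1, root, None]]  # [indent of owning key, mapping, child indent]
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        while indent <= stack[-1][0]:  # leave mappings that are now closed
            stack.pop()
        frame = stack[-1]
        if frame[2] is None:
            frame[2] = indent
        elif indent != frame[2]:
            raise ValueError(f"line {lineno}: {key!r} indented {indent} but its "
                             f"siblings use {frame[2]}")
        if value.strip() == "":  # a key with no value opens a nested mapping
            frame[1][key] = child = {}
            stack.append([indent, child, None])
        else:
            frame[1][key] = _scalar(value)
    return root


def check_indentation(text):
    """Return None if the text parses, otherwise the parser's error message."""
    try:
        parse_simple_yaml(text)
    except ValueError as err:
        return str(err)
    return None


def lint_security_config(cfg, domain="openid_auth_domain"):
    """Findings for the OpenID auth domain, following the thread's advice."""
    dom = cfg.get(domain)
    if not isinstance(dom, dict):
        return [f"{domain}: missing or not a mapping (check indentation)"]
    findings = []
    http_auth = dom.get("http_authenticator", {})
    if http_auth.get("type") != "openid":
        findings.append("http_authenticator.type: expected 'openid'")
    conf = http_auth.get("config", {})
    idp = conf.get("openid_connect_idp", {})
    url = conf.get("openid_connect_url", "")
    if not url:
        findings.append("http_authenticator.config.openid_connect_url: missing")
    if url.startswith("https://"):
        if not (idp.get("pemtrustedcas_filepath") or idp.get("pemtrustedcas_content")):
            findings.append("openid_connect_idp: https IdP URL but no pemtrustedcas_filepath/"
                            "pemtrustedcas_content (the CA that signed the IdP certificate)")
        if idp.get("verify_hostnames") is False:
            findings.append("openid_connect_idp.verify_hostnames: false disables hostname "
                            "checking; not recommended for production")
    return findings


def lint_dashboards_config(dash, cfg, domain="openid_auth_domain"):
    """Cross-check opensearch-dashboards.yml against the plugin's auth domain."""
    findings = []
    if dash.get("opensearch_security.auth.type") != "openid":
        findings.append("opensearch_security.auth.type: expected 'openid'")
    plugin_url = (cfg.get(domain, {}).get("http_authenticator", {})
                  .get("config", {}).get("openid_connect_url"))
    if dash.get("opensearch_security.openid.connect_url") != plugin_url:
        findings.append("opensearch_security.openid.connect_url: differs from config.yml")
    for key in ("client_id", "client_secret", "base_redirect_url"):
        if not dash.get(f"opensearch_security.openid.{key}"):
            findings.append(f"opensearch_security.openid.{key}: missing")
    return findings
```

Run against the constructed samples, `check_indentation(BROKEN_CONFIG)` reports the `challenge:` line, which sits at a different depth from its sibling `type:`; the fixed config parses, and `lint_security_config` then reports exactly the two things the replies mention, the missing trusted CA and `verify_hostnames: false`. Because the parser also silently hoists keys that happen to be indented consistently but at the wrong level (in the original post `http_enabled:` sits beside `openid_auth_domain:` rather than under it), comparing the securityadmin.sh backup against what you intended to upload remains the authoritative check.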

@nardixcx Could you take a look at this thread?

Okta/OpenID(OIDC) authentication

Please verify the OKTA application configuration including the roles claim config and the redirect URL value.

Are you getting redirected to the OKTA login page?