OpenSearch interconnection in SAML with KeyCloak does not work

Hello,

Versions :
OpenSearch 1.3.16 and KeyCloak 25.0.4 under Docker 24.0.7

Describe the issue:
When I try to reach the OpenSearch Dashboards, I get the following error:
{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

In the OpenSearch Dashboards log, I see:
"message":"Failed to get saml header: Error: Error: failed parsing SAML config"

In the following, I replaced http with hhttp to avoid errors when creating the topic.

Configuration:

Here is an extract of the opensearch nodes' config.yml:

    authc:
      saml_auth_domain:
        hhttp_enabled: true
        transport_enabled: false
        order: 1
        hhttp_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: metadata-idp.xml
              entity_id: hhttp://x.x.x.x:8080/realms/nuxeo-realm
            sp:
              entity_id: hhttp://x.x.x.x:5601
            kibana_url: hhttp://x.x.x.x:5601/
            roles_key: Role
            exchange_key: 39b49528-eec3-4364-ad0d-1e091cfa4fe2
        authentication_backend:
          type: noop
      kerberos_auth_domain:

Here is the content of opensearch_dashboards.yml:

opensearch.hosts: [hhttps://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without hhttps
opensearch_security.cookie.secure: false
server.host: '0.0.0.0'

opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]

logging.root.level: debug

Relevant Logs or Screenshots:

Here is the complete log of the issue in OpenSearch Dashboards:

{"type":"response","@timestamp":"2024-10-08T08:45:38Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"192.168.52.128:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","accept":"*/*","referer":"hhttp://192.168.52.128:5601/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate","accept-language":"fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"192.168.52.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","referer":"hhttp://192.168.52.128:5601/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 4ms - 9.0B"}
Error: failed parsing SAML config
    at SecurityClient.getSamlHeader (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/backend/opensearch_security_client.ts:177:15)
    at process._tickCallback (internal/process/next_tick.js:68:7)
{"type":"log","@timestamp":"2024-10-08T08:45:38Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}
{"type":"error","@timestamp":"2024-10-08T08:45:38Z","tags":[],"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/hhttp/router/response_adapter.js:145:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/hhttp/router/response_adapter.js:99:19)\n    at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/hhttp/router/response_adapter.js:94:17)\n    at Router.handle (/usr/share/opensearch-dashboards/src/core/server/hhttp/router/router.js:202:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?nextUrl=%2F&redirectHash=false","query":{"nextUrl":"/","redirectHash":"false"},"pathname":"/auth/saml/login","path":"/auth/saml/login?nextUrl=%2F&redirectHash=false","href":"/auth/saml/login?nextUrl=%2F&redirectHash=false"},"message":"Internal Server Error"}
{"type":"response","@timestamp":"2024-10-08T08:45:38Z","tags":[],"pid":1,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"192.168.52.128:5601","connection":"keep-alive","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","referer":"hhttp://192.168.52.128:5601/auth/saml/captureUrlFragment?nextUrl=%2F","accept-encoding":"gzip, deflate","accept-language":"fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"192.168.52.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","referer":"hhttp://192.168.52.128:5601/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":500,"responseTime":10,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 500 10ms - 9.0B"}
{"type":"response","@timestamp":"2024-10-08T08:45:38Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"192.168.52.128:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","referer":"hhttp://192.168.52.128:5601/auth/saml/login?nextUrl=%2F&redirectHash=false","accept-encoding":"gzip, deflate","accept-language":"fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"},"remoteAddress":"192.168.52.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36","referer":"hhttp://192.168.52.128:5601/auth/saml/login?nextUrl=%2F&redirectHash=false"},"res":{"statusCode":401,"responseTime":5,"contentLength":9},"message":"GET /favicon.ico 401 5ms - 9.0B"}

Hi @rbosc,

Could you share the output of ls -l ./config (to make sure the configuration is available and permissions are set for metadata_file: metadata-idp.xml)?

Also, could you confirm whether the values below are correct (the hhttp…)?

best,
mj

Hi Mantas,

Thank you for your answer.

Here is the output of ls -l ./config:

total 64
-rw------- 1 opensearch opensearch 1704 Sep 19 07:40 admin-key.pem
-rw-rw-r-- 1 opensearch opensearch 1237 Sep 19 07:40 admin.pem
-rw-rw---- 1 opensearch opensearch 2660 May 15 19:34 jvm.options
drwxr-x--- 2 opensearch opensearch 4096 Jan 1 1970 jvm.options.d
-rw-rw---- 1 opensearch opensearch 792 Oct 7 12:07 log4j2.properties
-rw-rw-r-- 1 opensearch opensearch 3350 Oct 8 08:39 metadata-idp.xml
-rw------- 1 opensearch opensearch 1704 Sep 19 07:41 node1-key.pem
-rw-rw-r-- 1 opensearch opensearch 1403 Sep 19 07:41 node1.pem
drwxr-x--- 2 opensearch opensearch 4096 Apr 22 2024 opensearch-observability
drwxr-x--- 2 opensearch opensearch 4096 Apr 22 2024 opensearch-performance-analyzer
drwxr-x--- 2 opensearch opensearch 4096 Apr 22 2024 opensearch-reports-scheduler
lrwxrwxrwx 1 opensearch opensearch 64 Oct 4 14:53 opensearch-security -> /usr/share/opensearch/plugins/opensearch-security/securityconfig
-rw-rw---- 1 opensearch opensearch 196 Sep 18 16:02 opensearch.keystore
-rw-rw---- 1 opensearch opensearch 1700 Oct 7 11:03 opensearch.yml
-rw------- 1 opensearch opensearch 1704 Sep 19 07:40 root-ca-key.pem
-rw-rw-r-- 1 opensearch opensearch 1363 Sep 19 07:40 root-ca.pem

Yes, the values are correct. I changed http to hhttp so that the forum's URL check would not bother me while posting.

Regards,

Raphaël

Fair enough, just make sure that in your config those are valid URLs.

To test whether metadata-idp.xml is corrupted, could you try idp.metadata_url instead?

something like:
idp.metadata_url: http://localhost:8080/realms/master/protocol/saml/descriptor

on the Keycloak:

Best,
mj
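The three things asked about in this thread so far (is the metadata file present and readable, are the URL-valued settings real URLs, is the metadata itself intact) can be checked on the node before the Dashboards plugin has to fail with "failed parsing SAML config". The script below is an added example, not code from OpenSearch, Keycloak or anyone in this thread. It assumes the saml_auth_domain block has already been loaded by a YAML parser into a dict; the hostnames, the exchange_key and the IdP metadata are constructed placeholders, and the only file it touches is one it writes into a temporary directory.

```python
# Added example: sanity-check a saml_auth_domain block from OpenSearch's
# security config.yml. Not OpenSearch code; config and metadata are constructed.
import copy
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample of the saml_auth_domain block (shape follows the thread).
SAMPLE_DOMAIN = {
    "http_enabled": True,
    "transport_enabled": False,
    "order": 1,
    "http_authenticator": {
        "type": "saml",
        "challenge": True,
        "config": {
            "idp": {
                "metadata_file": "metadata-idp.xml",
                "entity_id": "http://idp.example.test:8080/realms/nuxeo-realm",
            },
            "sp": {"entity_id": "http://dashboards.example.test:5601"},
            "kibana_url": "http://dashboards.example.test:5601/",
            "roles_key": "Role",
            "exchange_key": "PLACEHOLDER-EXCHANGE-KEY",
        },
    },
    "authentication_backend": {"type": "noop"},
}

# Constructed, trimmed IdP descriptor in the shape Keycloak publishes.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.test:8080/realms/nuxeo-realm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def is_http_url(value):
    """True only for a URL with an http/https scheme and a host ('hhttp://...' fails)."""
    parsed = urlparse(str(value))
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_saml_domain(domain, config_dir):
    """Return human-readable findings; an empty list means the block looks sane."""
    findings = []
    auth = domain.get("http_authenticator", {})
    if auth.get("type") != "saml":
        findings.append("http_authenticator.type is not 'saml'")
    cfg = auth.get("config", {})
    idp, sp = cfg.get("idp", {}), cfg.get("sp", {})

    # Every URL-valued setting must be a real http(s) URL.
    for label, value in (("idp.entity_id", idp.get("entity_id")),
                         ("sp.entity_id", sp.get("entity_id")),
                         ("kibana_url", cfg.get("kibana_url"))):
        if not value:
            findings.append(f"{label} is missing")
        elif not is_http_url(value):
            findings.append(f"{label} is not a valid http(s) URL: {value!r}")

    # Exactly one metadata source; a file must exist, be readable and be an IdP descriptor.
    has_file, has_url = "metadata_file" in idp, "metadata_url" in idp
    if has_file == has_url:
        findings.append("set exactly one of idp.metadata_file or idp.metadata_url")
    if has_url and not is_http_url(idp["metadata_url"]):
        findings.append(f"idp.metadata_url is not a valid URL: {idp['metadata_url']!r}")
    if has_file:
        path = os.path.join(config_dir, idp["metadata_file"])
        if not os.path.isfile(path):
            findings.append(f"metadata file not found: {path}")
        elif not os.access(path, os.R_OK):
            findings.append(f"metadata file not readable by this user: {path}")
        else:
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError as exc:
                findings.append(f"metadata file is not well-formed XML: {exc}")
            else:
                if root.tag != MD_NS + "EntityDescriptor":
                    findings.append(f"metadata root is {root.tag}, expected md:EntityDescriptor")
                elif root.get("entityID") != idp.get("entity_id"):
                    findings.append("idp.entity_id does not match the entityID in the metadata")
                elif root.find(MD_NS + "IDPSSODescriptor") is None:
                    findings.append("metadata has no IDPSSODescriptor (not an IdP descriptor?)")
    return findings


def demo():
    """Check the constructed block as-is, then with the thread's 'hhttp' typo in sp.entity_id."""
    with tempfile.TemporaryDirectory() as config_dir:
        with open(os.path.join(config_dir, "metadata-idp.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_METADATA)
        good = check_saml_domain(SAMPLE_DOMAIN, config_dir)
        broken = copy.deepcopy(SAMPLE_DOMAIN)
        broken["http_authenticator"]["config"]["sp"]["entity_id"] = "hhttp://dashboards.example.test:5601"
        bad = check_saml_domain(broken, config_dir)
    return good, bad
```

Run demo() to see the two outcomes: the constructed block yields no findings, and the same block with an "hhttp" entity_id yields exactly one. Against a real node you would point check_saml_domain at the directory the ls -l above lists and at the parsed saml_auth_domain block, and run it as the opensearch user so the readability check reflects the permissions the plugin actually gets.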

I already tested idp.metadata_url with no luck.

Could you share the output of:

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty