OpenSearch/OpenSearch Dashboards v2.6.0 with ADFS SAML
I have a working SAML SSO login page that authenticates against an on-prem ADFS server. I also have multi-auth set up, so I can choose to log in via SSO, or log in via ‘basic auth’ or via LDAP, which goes through to an on-prem LDAP/AD backend.
This all ‘works’, but I have noticed that when I log in via SAML (and only via SAML) I see the following in the log files (with multiple occurrences, almost for every action in Dashboards). The log line is:
[2023-04-11T14:57:59,298][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-d1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
I can’t figure out how to make this warning message go away. I have saml_auth_domain set up at the end of the order chain, with the challenge set to true:
The basic_auth and ldap are set to order 0 and 1 respectively and have challenge: false. Order 2 is clientcert_auth_domain.
There is a reverse proxy in front of two OpenSearch Dashboards instances (using traefik). I have a feeling this might be causing the issue as I have tried manipulating the configuration file options but cannot make the WARN messages go away.
It’s not an issue as such, until someone else comes along and looks at the log file or has to debug an issue.
Kind of confusing: you're using SAML but the error shows Basic Authorization.
I also have a multiple logons config, using Keycloak. I did Basic order[0], SAML order[1], and left LDAP order[5].
I think this warning is expected behaviour. When you have a mixture of SAML or OpenID and basic/LDAP authentication then the security plugin will try to authenticate the same user against all enabled authentication domains in the order specified in config.yml. That’s why, when the SAML ADFS user is authenticated, the plugin will also try to authenticate against basic auth and produce the observed warning.
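The domain ordering discussed in this thread, written out as a security plugin config.yml fragment. This is an added illustration, not part of any post and not the original poster's file: the basic and LDAP domain names, the SAML order value, and every host, URL, DN and key are assumptions or placeholders. Per the last reply, the two `type: basic` domains at order 0 and 1 are tried before saml_auth_domain for a SAML-authenticated user.

```yaml
# Constructed illustration; hosts, URLs, DNs and keys are placeholders.
config:
  dynamic:
    authc:
      basic_internal_auth_domain:      # assumed name for the poster's "basic_auth"
        http_enabled: true
        order: 0
        http_authenticator:
          type: basic                  # logger o.o.s.h.HTTPBasicAuthenticator
          challenge: false
        authentication_backend:
          type: internal
      ldap_auth_domain:                # assumed name
        http_enabled: true
        order: 1
        http_authenticator:
          type: basic                  # LDAP also takes credentials via HTTP basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            hosts: ["ldap.example.internal:636"]
            userbase: "ou=people,dc=example,dc=internal"
            usersearch: "(sAMAccountName={0})"
      clientcert_auth_domain:
        http_enabled: true
        order: 2
        http_authenticator:
          type: clientcert
          challenge: false
        authentication_backend:
          type: noop
      saml_auth_domain:
        http_enabled: true
        order: 3                       # assumed: "end of the order chain"
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: "https://adfs.example.internal/FederationMetadata/2007-06/FederationMetadata.xml"
              entity_id: "http://adfs.example.internal/adfs/services/trust"
            sp:
              entity_id: "opensearch-dashboards-saml"
            kibana_url: "https://dashboards.example.internal/"
            exchange_key: "<PLACEHOLDER_EXCHANGE_KEY>"
        authentication_backend:
          type: noop
```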