OpenSearch SAML/AD: working but with No 'Basic Authorization' header warning

OpenSearch/OpenSearch Dashboards v2.6.0 with ADFS SAML

I have a working SAML SSO login page that authenticates against an on-prem ADFS server. I also have multi-auth set up, so I can choose to log in via SSO, or log in via ‘basic auth’ or via LDAP, which goes through to an on-prem LDAP/AD backend.

This all ‘works’, but I have noticed that when I log in via SAML (and only via SAML) I see the following in the log files (with multiple occurrences, almost for every action in Dashboards). The log line is

[2023-04-11T14:57:59,298][WARN ][o.o.s.h.HTTPBasicAuthenticator] [opensearch-d1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

I can’t figure out how to make this warning message go away. I have saml_auth_domain setup at the end of the order chain, with the challenge set to true:

      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 3
        http_authenticator:
          type: saml
          challenge: true
          config:

The basic_auth and ldap are set to order 0 and 1 respectively and have challenge: false. Order 2 is clientcert_auth_domain.

There is a reverse proxy in front of two OpenSearch Dashboards instances (using traefik). I have a feeling this might be causing the issue as I have tried manipulating the configuration file options but cannot make the WARN messages go away.

It’s not an issue as such, until someone else comes along and looks at the log file or has to debug an issue.

Any suggestions on what I can try? Thanks.

Hey @Mr_Hedgehog

Kind of confusing, you're using SAML but the error shows Basic Authorization.
I also have multiple logons configured, using Keycloak. I did Basic order [0], SAML order [1], and left LDAP at order [5].

authc:
  saml_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_file: /etc/opensearch/keycloak.xml
          entity_id: https://keycloak.domain.com:8443/realms/opensearch
        sp:
          entity_id: https://opensearch.domain.com:5601
        kibana_url: https://opensearch.domain.com:5601
        roles_key: Role
        exchange_key: 7LsWZ9B4D_m3TVWHNAsIVF1odcmXOu8VaI4xdfhInMk
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  ldap:
    description: "Authenticate via LDAP or Active Directory"
    http_enabled: false
    transport_enabled: false
    order: 5


Don't forget to execute ./securityadmin.sh every time adjustments are made to the config.yml file.

I think this warning is expected behaviour. When you have a mixture of SAML or OpenID and basic/LDAP authentication then the security plugin will try to authenticate the same user against all enabled authentication domains in the order specified in config.yml. That’s why, when the SAML ADFS user is authenticated, the plugin will also try to authenticate against basic auth and produce the observed warning.

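As an added illustration of the ordered chain the reply above describes (this is not code from the thread or from the OpenSearch Security plugin), the following simplified Python model walks a request through the authc domains in ascending `order`: an HTTP authenticator that finds no usable credentials either stops the chain with a 401 challenge (`challenge: true`) or falls through to the next domain (`challenge: false`), and the basic authenticator records the thread's warning whenever the header is absent. It assumes the order the original poster gave (basic 0, ldap 1, clientcert 2, saml 3), that the LDAP domain uses the basic HTTP authenticator as in the default config, and that a Dashboards SAML session reaches OpenSearch as an `Authorization: Bearer` header; the users, tokens and every helper name (`run_authc_chain`, `op_chain`, and so on) are constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional

# Warning text as it appears in the thread's log line (o.o.s.h.HTTPBasicAuthenticator).
WARN_NO_BASIC = "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"


@dataclass
class AuthDomain:
    name: str
    http_authenticator: str  # "basic", "clientcert" or "saml" (the three types in the thread)
    order: int
    challenge: bool
    http_enabled: bool = True


@dataclass
class Result:
    status: int                              # 200 authenticated, 401 otherwise
    user: Optional[str] = None
    authenticated_by: Optional[str] = None   # domain that accepted the request
    challenged_by: Optional[str] = None      # domain whose challenge stopped the chain
    warnings: list = field(default_factory=list)


# Constructed stand-ins for the internal users database and the IdP-issued session tokens.
INTERNAL_USERS = {"admin": "constructed-admin-password"}
SAML_SESSION_TOKENS = {"constructed-saml-token": "alice@example.test"}


def extract_credentials(domain: AuthDomain, request: dict):
    """Mimic the HTTP authenticator step: pull credentials from the request, or None if absent."""
    auth = request.get("headers", {}).get("Authorization", "")
    if domain.http_authenticator == "basic":
        if not auth.startswith("Basic "):
            return None
        user, _, password = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
        return ("basic", user, password)
    if domain.http_authenticator == "clientcert":
        cn = request.get("client_cert_cn")
        return ("clientcert", cn, None) if cn else None
    if domain.http_authenticator == "saml":
        return ("saml", auth[len("Bearer "):], None) if auth.startswith("Bearer ") else None
    raise ValueError(f"unknown http_authenticator: {domain.http_authenticator}")


def verify(creds) -> Optional[str]:
    """Mimic the authentication backend: return the user name on success, None on failure."""
    kind, principal, secret = creds
    if kind == "basic":
        return principal if INTERNAL_USERS.get(principal) == secret else None
    if kind == "clientcert":
        return principal
    return SAML_SESSION_TOKENS.get(principal)


def run_authc_chain(domains, request: dict) -> Result:
    """Try every enabled domain in ascending order until one authenticates or one challenges."""
    result = Result(status=401)
    for domain in sorted(domains, key=lambda dom: dom.order):
        if not domain.http_enabled:
            continue
        creds = extract_credentials(domain, request)
        if creds is None:
            # The basic authenticator logs the warning whether or not it will challenge.
            if domain.http_authenticator == "basic":
                result.warnings.append(f"[{domain.name}] {WARN_NO_BASIC}")
            if domain.challenge:
                result.challenged_by = domain.name  # 401 + WWW-Authenticate; chain stops here
                break
            continue  # challenge: false -> fall through to the next domain
        user = verify(creds)
        if user is not None:
            result.status, result.user, result.authenticated_by = 200, user, domain.name
            break
    return result


def op_chain(basic_challenge: bool = False):
    """The order described in the thread: basic 0, ldap 1, clientcert 2, saml 3 (challenge true)."""
    return [
        AuthDomain("basic_internal_auth_domain", "basic", 0, basic_challenge),
        AuthDomain("ldap", "basic", 1, basic_challenge),  # LDAP domain also uses the basic HTTP authenticator
        AuthDomain("clientcert_auth_domain", "clientcert", 2, False),
        AuthDomain("saml_auth_domain", "saml", 3, True),
    ]


def basic_request(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"headers": {"Authorization": f"Basic {token}"}}


def saml_request(token: str = "constructed-saml-token") -> dict:
    return {"headers": {"Authorization": f"Bearer {token}"}}


if __name__ == "__main__":
    cases = [("SAML session", saml_request()),
             ("basic auth", basic_request("admin", "constructed-admin-password")),
             ("anonymous", {})]
    for label, req in cases:
        r = run_authc_chain(op_chain(), req)
        print(f"{label}: status={r.status} by={r.authenticated_by} challenged_by={r.challenged_by}")
        for w in r.warnings:
            print("   WARN", w)
```

Running it shows the mechanism behind the noise: a SAML-session request passes through the two basic-authenticator domains first, each of which records the warning and falls through because `challenge` is false, and the SAML domain then accepts it. With `op_chain(basic_challenge=True)` the same request is stopped by the basic domain's 401 before the SAML domain is ever reached, which is why `challenge: false` on the earlier domains is what keeps SSO working; the warning itself is a side effect of that ordering, not a failed login.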

Hi there - thanks for the reply. Just to follow up on this, are you using LDAP? It looks to be turned off in the config you quoted.

Thanks.

Hey @Mr_Hedgehog

That is correct, I use LDAP on my SSO instance (Keycloak), not on OpenSearch.