OpenSearch SAML Google Workspace

Versions: OpenSearch 3.3

Describe the issue: We are trying to set up SAML in AWS OpenSearch through Google Workspace. The ACS URL contains /idpinitiated and the app is part of the Google Dashboard; the entity ID is correct in the Google Workspace app.

We haven’t tackled attribute mapping as we can’t even get the authentication working successfully yet.

Using the /idpinitiated ACS URL we get the below error each time:

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

Any help appreciated.

@elliot100 Do you see any errors in OpenSearch and OpenSearch Dashboards logs?

Could you share your config.yml and opensearch_dashboards.yml files?

Since this is an AWS Managed OpenSearch Service, I don't have direct access to the underlying file system to pull config.yml. However, I can provide the Terraform configuration and the CloudWatch Application Logs. Currently, the logs don't show any errors related to SAML, or any ERRORs at all.

@pablo

Is "Enable publishing of application logs to CloudWatch" actually turned on in the domain settings?

@matijasever55 This is already enabled in Cloudwatch.

We do get this error in Logs:

[ERROR][c.o.s.a.SamlResponse ][27a26**************] _PATH_ is not a valid audience for this Response
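The log line above comes from the SAML audience check: the service provider compares every saml:Audience inside the assertion's saml:AudienceRestriction with the SP entity ID it was configured with, and rejects the response when none matches. The following script is an added example (it is not code from this thread, from OpenSearch or from AWS) that reproduces that check on a constructed, unsigned SAML Response so you can see which value the IdP actually puts in the Audience element. The entity IDs, ACS URL and issuer are all made-up placeholders; a real deployment would verify the XML signature before reading anything out of the assertion.

```python
"""Reproduce the SAML 2.0 audience check behind
"... is not a valid audience for this Response".

Added example, not code from OpenSearch or AWS. All URLs below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders: what the SP side was configured with, and the
# IdP-initiated ACS endpoint the thread mentions.
SP_ENTITY_ID = "https://search-demo.example.com"
ACS_URL = "https://search-demo.example.com/_dashboards/_opendistro/_security/saml/acs/idpinitiated"
IDP_ISSUER = "https://idp.example.com"  # constructed, stands in for the Google Workspace issuer


def sample_response(audience: Optional[str]) -> str:
    """Build a minimal, unsigned SAML Response (constructed test data).

    audience=None omits the AudienceRestriction element entirely so the
    "no restriction" failure mode can be exercised too.
    """
    restriction = (
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction>"
        if audience is not None
        else ""
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
      {restriction}
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def audiences(response_xml: str) -> List[str]:
    """Return every <saml:Audience> value found under the assertion's Conditions."""
    # xml.etree does not resolve external entities, but for untrusted input in
    # production prefer defusedxml and check the signature before trusting this.
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(a.text or "").strip() for a in root.findall(path, NS)]


def check_audience(response_xml: str, sp_entity_id: str) -> Tuple[bool, str]:
    """Accept the Response only if one of its Audience values equals the SP entity ID.

    Returns (accepted, reason). The rejection text mirrors the shape of the
    log line seen in the thread, with the offending audience in front.
    """
    found = audiences(response_xml)
    if not found:
        return False, "assertion carries no AudienceRestriction"
    if sp_entity_id in found:
        return True, "ok"
    return False, f"{found[0]} is not a valid audience for this Response"


if __name__ == "__main__":
    # Correct configuration: the IdP app's Entity ID field holds the SP entity ID.
    print(check_audience(sample_response(SP_ENTITY_ID), SP_ENTITY_ID))
    # Common mistake: the ACS URL was pasted into the Entity ID field instead.
    print(check_audience(sample_response(ACS_URL), SP_ENTITY_ID))
    # No AudienceRestriction at all.
    print(check_audience(sample_response(None), SP_ENTITY_ID))
```

To apply this to the real failure, capture the SAML Response your browser posts to the /idpinitiated endpoint (base64-decode the SAMLResponse form field) and run audiences() over it; whatever comes back is what has to appear, character for character, as the entity ID on the OpenSearch side.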

@elliot100 Did you resolve your issue?

AWS describes this error in the documentation.

I think you should review your configuration as per the documentation and ask AWS support for help as this is a managed service.