OpenSearch Security Plugin config ignoring openId setting

Hi,
I am trying to set up SSO via OIDC using the OpenSearch security plugin. My config.yml seems to be correct. I have tried setting the order for openId to be the preferred way of authentication (0), but it continues to bypass this order and go straight to basic auth. I have provided my configs below (minus important details, heh).

Config.yml

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: true
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "internal"
      openid_auth_domain:
        http_enabled: true
        order: 0
        http_authenticator:
          type: "openid"
          challenge: false
          config:
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_url: "<connect url placeholder>"
        authentication_backend:
          type: "noop"

opensearch_dashboards.yml

opensearch.ssl.verificationMode: none
opensearch.username: username
opensearch.password: password
opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant", "securitytenant"]
server.ssl.enabled: false

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: false
opensearch_security.multitenancy.tenants.enable_private: false
opensearch_security.multitenancy.tenants.preferred: ...<Tenant_Name>
opensearch_security.multitenancy.enable_filter: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]


plugins.security.auth.type: "openid" 
plugins.security.openid.header: Authorization 
plugins.security.openid.base_redirect_url: ...<redirect_url>

Not sure what else to check. With our 7.10.2 Open Distro cluster everything works just fine. Due to Log4j our org is forcing the move to OpenSearch. Any input would be greatly appreciated.

Thanks.

@williejay2009 What is your IDP solution?
Do you get to the login screen?
Have you noticed any errors in OpenSearch logs?

@pablo

  • Keycloak
  • Nope, it takes me straight to the OpenSearch login (basic auth) vs. redirecting to our designated IDP. Works fine with our 7.4.2 cluster and our 7.10.2 Open Distro cluster (the config settings).
  • No errors at all. Just seems like it completely disregards the openid settings inside the config.yml.

@williejay2009 According to your config files you’re using the plugins.security prefix in the OpenID configuration in OpenSearch Dashboards.

Please have a look at the OpenID configuration section of the OpenSearch documentation.

Also, I don’t see the connect_url option configured in opensearch_dashboards.yml.

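For reference, the Dashboards side of the configuration with the prefix the reply above points at. This is an added example, not the original poster's file and not a fragment from the OpenSearch project: OpenSearch Dashboards reads its security settings under the opensearch_security.* prefix, while plugins.security.* is the prefix for opensearch.yml on the cluster nodes. The redirect to the IdP is decided by Dashboards alone, from opensearch_security.auth.type, so a correct openid_auth_domain in config.yml does nothing on its own when Dashboards is still configured for basic auth. Client ID, secret, discovery URL and redirect URL are placeholders to fill in from the Keycloak client.

```yaml
# opensearch_dashboards.yml (added example; unchanged lines from the original post omitted)

# WRONG: backend (opensearch.yml) prefix, not read by Dashboards,
# so Dashboards keeps showing its basic-auth login page.
# plugins.security.auth.type: "openid"
# plugins.security.openid.header: Authorization
# plugins.security.openid.base_redirect_url: <redirect_url>

# CORRECT: Dashboards prefix.
opensearch_security.auth.type: "openid"

# OIDC discovery document of the Keycloak realm (placeholder host and realm).
# This should be the same URL used as openid_connect_url in the plugin's config.yml.
opensearch_security.openid.connect_url: "https://keycloak.example.com/realms/<realm>/.well-known/openid-configuration"

# The confidential client registered in Keycloak for Dashboards (placeholders).
opensearch_security.openid.client_id: "<client_id>"
opensearch_security.openid.client_secret: "<client_secret>"

# Scopes requested from Keycloak; "openid" is required, the rest determine
# which claims (e.g. preferred_username, used as subject_key in config.yml) are returned.
opensearch_security.openid.scope: "openid profile email"

# Header Dashboards uses to pass the bearer token to the cluster; it must also
# appear in opensearch.requestHeadersWhitelist (it does in the original post).
opensearch_security.openid.header: "Authorization"

# External URL users open Dashboards at; Keycloak must allow
# <redirect_url>/auth/openid/login as a valid redirect URI (placeholder).
opensearch_security.openid.base_redirect_url: "<redirect_url>"
```

After restarting Dashboards, opening its URL in a browser should redirect to the Keycloak login instead of the Dashboards login form; if it still shows the form, the auth.type line is the first thing to re-check, since nothing in config.yml can trigger that redirect.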