Hello,
I managed to get SAML working, but now I have no choice but to use SAML. I would like to be able to log in with a username and password or with SAML — is that possible?
I'm deploying OpenSearch and Dashboards with Helm; here are the relevant values for reference:
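# OpenSearch security plugin configuration, rendered by the chart into config.yml.
# Two authc domains are declared: HTTP Basic (order 0, no challenge) and SAML
# (order 1, with challenge). Requests carrying an Authorization header are
# accepted by the basic domain; browser requests without one fall through to
# the SAML domain, which redirects to the IdP.
data:
  config.yml: |-
    _meta:
      type: "config"
      config_version: "2"
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              # challenge: false keeps this domain from answering with a 401
              # challenge, so an unauthenticated browser request continues to
              # the SAML domain instead of getting a basic-auth prompt.
              challenge: false
            authentication_backend:
              type: internal
          saml_auth_domain:
            order: 1
            description: "SAML provider"
            http_enabled: true
            transport_enabled: false
            http_authenticator:
              type: saml
              challenge: true
              config:
                idp:
                  metadata_file: "/usr/share/opensearch/config/opensearch-security/gsuite.xml"
                  entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxxxxx"
                sp:
                  entity_id: "kibana-saml"
                # Must be the externally reachable Dashboards URL the IdP
                # redirects back to after login.
                kibana_url: "https://kibana.mydomain.com"
                # Shared secret used to sign the token exchanged between
                # Dashboards and the cluster: use a long random value and
                # supply it from a Secret rather than committed values
                # (placeholder kept as posted).
                exchange_key: "xxxxxxxxx"
                roles_key: Role
            authentication_backend:
              type: noop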
And for Dashboards:
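config:
  # Default OpenSearch Dashboards configuration from docker image of Dashboards
  opensearch_dashboards.yml: |
    timelion:
      ui:
        enabled: "true"
    server:
      # NOTE(review): server.host is the listen address/hostname, not a URL —
      # confirm a scheme-prefixed value is accepted by your Dashboards version.
      host: "https://kibana.mydomain.com/"
      ssl:
        # TLS is disabled on the Dashboards listener while the public URL is
        # https, so termination is presumably done upstream (ingress). Keep
        # the pod unreachable over plain HTTP so the SAML assertion and the
        # session cookie only ever travel over TLS.
        enabled: "false"
      xsrf:
        # SAML and token endpoints that must accept requests without the
        # XSRF header.
        allowlist:
          - "/_plugins/_security/api/authtoken"
          - "/_opendistro/_security/api/authtoken"
          - "/_opendistro/_security/saml/acs/idpinitiated"
          - "/_opendistro/_security/saml/acs"
          - "/_opendistro/_security/saml/logout"
          - "/_plugins/_security/saml/acs/idpinitiated"
          - "/_plugins/_security/saml/acs"
          - "/_plugins/_security/saml/logout"
    opensearch_security:
      auth:
        # "saml" makes the Dashboards login SAML-only even though the cluster
        # side also accepts basic auth. NOTE(review): newer Dashboards
        # releases accept a list here together with
        # opensearch_security.auth.multiple_auth_enabled: true to show a
        # username/password form next to the SAML button — verify against
        # your Dashboards version and chart.
        type: "saml"
      multitenancy:
        enabled: "true"
        tenants:
          preferred: ["Private", "Global"]
    opensearch:
      ssl:
        # "none" skips verification of the cluster's TLS certificate, so
        # Dashboards would also trust an impersonated cluster. Prefer "full"
        # with the signing CA in opensearch.ssl.certificateAuthorities.
        verificationMode: "none"
      # NOTE(review): no scheme on the host entry; this assumes the templated
      # value already carries https — confirm.
      hosts: ["${var.elasticsearch-host}:9200"]
      username: "kibanaserver"
      # Plaintext service password in Helm values; supply it from a Kubernetes
      # Secret instead of committing it (placeholder kept as posted).
      password: "mypassword"
      # "Authorization" must stay allowlisted for basic-auth passthrough.
      requestHeadersAllowlist: ["securitytenant", "security_tenant", "Authorization"]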