SAML authenticating and failing without exception

OpenSearch version 2.6.0, Same issue faced with 2.5.0,1.3.5

SAML authenticating and failing without any exception. Logs attached.

Configuration:

config.yml

---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "internal"
      saml_auth:
        order: 1
        description: "SAML provider"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: "saml"
          challenge: true
          config:
            idp:
              metadata_file: "metadata.xml"
              entity_id: "<removed>"
            sp:
              entity_id: "<removed>"
              forceAuthn: true
            kibana_url: "https://kibana-url:5601"
            subject_key: "FirstName"
            roles_key: "Groups"
            exchange_key: "<removed>"
        authentication_backend:
          type: "noop"

Dashboard.yml

timelion.ui.enabled: true
server.host: "0.0.0.0"
opensearch.hosts: https://<hostname>:9200
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.auth.type: ["basicauth","saml"]
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.whitelist:  [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]

Relevant Logs:
[2023-03-08T12:56:43,144][DEBUG][o.o.s.a.BackendRegistry ] Check authdomain for rest noop/1 or 2 in total
[2023-03-08T12:56:43,146][DEBUG][o.o.s.a.BackendRegistry ] Rest user ‘User [name=rj999@xyz.com, backend_roles=[…groups eg:345245…], requestedTenant=null]’ is authenticated
[2023-03-08T12:56:43,146][DEBUG][o.o.s.a.BackendRegistry ] securitytenant ‘null’
[2023-03-08T12:56:43,672][DEBUG][o.o.s.a.BackendRegistry ] Check authdomain for rest internal/0 or 2 in total
[2023-03-08T12:56:43,672][DEBUG][o.o.s.a.BackendRegistry ] Rest user ‘User [name=kibanaserver, backend_roles=, requestedTenant=null]’ is authenticated

Screenshot:
Login page redirect back to the login page after the saml auth. Attached screenshot.

@Rajkumar I’ve tested your configuration and so far can’t find anything wrong.
I have only a question about the kibana_url in config.yml. The URL is pointing to HTTPS but in opensearch_dashboards.yml you didn’t enable SSL and set OpenSearch Dashboards certificates.

Have you tried SAML Troubleshooting section in OpenSeach documentation?

What is your SAML IdP?
Did you get any other errors either in OpenSearch or OpenSearch Dashboards?

I assume that this case is a duplicate.

Could you close that case and continue troubleshooting here?

1 Like

@pablo Thanks for checking on this, we can close duplicate case.

Enabled SSL also in my configuration.

timelion.ui.enabled: true
server.host: 0.0.0.0
opensearch.hosts: ["https://<hostname>:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.multitenancy.enable_filter: false
server.ssl.enabled: true
server.ssl.certificate: /cert.pem
server.ssl.key: /key.pem
opensearch.ssl.certificateAuthorities: /ca-cert.pem
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: true
opensearch_security.auth.type: ["basicauth","saml"]
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.whitelist:  [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]

After the authentication, the UI redirects to login page.

Rest user 'User [name=rj999@xyz.com, backend_roles=[..groups eg:345245..], requestedTenant=null]' is authenticated

> --> Working till here.

securitytenant 'null'
Check authdomain for rest internal/0 or 2 in total
Rest user 'User [name=kibanaserver, backend_roles=[], requestedTenant=null]' is authenticated
securitytenant 'null'

→ SAML IdP? IDMS based SAMP Auth is used within the organisation.

→ Share dashboard logs, seeing 302/304/401 responses.

GET /auth/saml/captureUrlFragment?nextUrl=%2F 200 12ms - 9.0B
GET /auth/saml/captureUrlFragment.js 200 1ms - 9.0B
GET /auth/saml/login?nextUrl=%2F&redirectHash=false 302 33ms - 9.0B
POST /_opendistro/_security/saml/acs 302 792ms - 9.0B
GET / 302 4ms - 9.0B
GET /app/login 200 17ms - 9.0B
GET /bootstrap.js 304 15ms - 9.0B
GET /ui/favicons/manifest.json 200 3ms - 9.0B
GET /ui/favicons/favicon-32x32.png 200 4ms - 9.0B
GET /node_modules/@osd/ui-framework/dist/kui_light.css 200 4ms - 9.0B
GET /translations/en.json 200 1ms - 9.0B
GET /ui/legacy_light_theme.css 200 5ms - 9.0B
GET /ui/fonts/inter_ui/Inter-UI-Regular.woff2 200 2ms - 9.0B
GET /api/v1/restapiinfo 401 2ms - 9.0B
GET /api/v1/configuration/account 401 1ms - 9.0B
POST /api/core/capabilities 200 302ms - 9.0B
GET /api/v1/multitenancy/tenant 401 1ms - 9.0B
GET /api/v1/auth/type 401 1ms - 9.0B
GET /api/v1/configuration/account 401 1ms - 9.0B

Thanks
Rajkumar

@Rajkumar What is the exact redirect URL in the IDP?

@pablo

we have configured below 2 redirect URLs.

https://hostname:5601/_opendistro/_security/saml/acs/idpinitiated
https://hostname:5601/_opendistro/_security/saml/acs

@Rajkumar Can you just keep https://hostname:5601/_opendistro/_security/saml/acsfor testing?

Have you tried SAML Troubleshooting guide from OpenSearch documentation?
It will give you extra DEBUG level information in OpenSearch logs.

@pablo

Have tested both the endpoints separately /_opendistro/_security/saml/acs & /_opendistro/_security/saml/acs/idpinitiated getting below 500 error.

{“statusCode”:500,“error”:“Internal Server Error”,“message”:“Internal Error”}

Have enabled DEBUG level and able to find below SAML logs. However the UI is redirecting back to the login page.

Rest user ‘User [name=rj999@xyz.com, backend_roles=[…groups eg:345245…], requestedTenant=null]’ is authenticated

→ Working till here.

securitytenant ‘null’
Check authdomain for rest internal/0 or 2 in total
Rest user ‘User [name=kibanaserver, backend_roles=, requestedTenant=null]’ is authenticated
securitytenant ‘null’

Thanks
Rajkumar

@Rajkumar Could you share the role and role mapping config of the test user?

@pablo

Sharing the role & role mapping.

roles_mapping.yml

test-role:
  hosts: []
  users:
  - "admin"
  reserved: false
  hidden: false
  backend_roles:
  - "345245" --> Mapped with one of groupids. 
  and_backend_roles: []

roles.yml

test-role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_composite_ops"
  - "indices_monitor"
  index_permissions:
  - index_patterns:
    - "test*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "read"
  tenant_permissions:
  - tenant_patterns:
    - "test"
    allowed_actions:
    - "kibana_all_read"
  static: false

Please let me know, if I am missing anything.

Thanks
Rajkumar

Hi @pablo

Looks like we are hitting with this issue.

We have many Roles IDs for the for the user. Ppl with less roles are working fine.

Can you please let us know tentative release date for below request #1352?

Thanks
Rajkumar