SAML Authentication

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.1

Describe the issue:
Good day,

I’m trying to set up SAML authentication for Opensearch but I keep getting an error 500 →

Request URL:
http://192.168.211.170:5601/auth/saml/login?nextUrl=%2F&redirectHash=false
Request Method:
GET
Status Code:
500 Internal Server Error
Remote Address:
192.168.211.170:5601
Referrer Policy:
strict-origin-when-cross-origin
Cache-Control:
private, no-cache, no-store, must-revalidate
Connection:
keep-alive
Content-Length:
77
Content-Type:
application/json; charset=utf-8
Date:
Tue, 19 Dec 2023 09:49:27 GMT
Keep-Alive:
timeout=120
Osd-Name:
debian
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding:
gzip, deflate
Accept-Language:
en-US,en;q=0.9
Connection:
keep-alive
Host:
192.168.211.170:5601
Referer:
http://192.168.211.170:5601/auth/saml/captureUrlFragment?nextUrl=%2F
Upgrade-Insecure-Requests:
1
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Configuration:

authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: 'XXXXXXXXXXX'
              entity_id: 'XXXXXXXX'
            sp:
              entity_id: opensearch
            kibana_url: https://<OPENSEARCH_DASHBOARD_URL>
            roles_key: Roles
            exchange_key: 'XXXXXXXXXXXXXX.'
        authentication_backend:
          type: noop

@LeonvanEeden What IdP do you use for SAML authentication?
Do you have any proxy in the front of OpenSearch Dashboards?
Are you getting redirected to IdP for login or do you get a 500 error straight away?

Please share your opensearch_dashboards.yml file.

Hi Pablo,

Thank you for the prompt response.

We are using WebAdm/OpenOTP

No proxy

No redirection, it goes straight to error 500.

I am trying to share the yml but it wont let me

Regards,

Leon

Attached please find the configs

(Attachment opensearch_dashboards.yml is missing)

@LeonvanEeden I didn’t get your opensearch_dashboards.yml file.
Would you mind sharing the content instead of the file attachment?

Good morning,

Here you go :slight_smile:

Hi there,

Any news regarding this?

Regards,

Leon

@LeonvanEeden There is still no content of opensearch_dashboards.yml from you.

For some reason it won’t let me send it it through.

The only think changed to the is the last two lines was added.

“opensearch_security.auth.type: “saml”
“server.xsrf.allowlist: [”/_opendistro/_security/saml/acs”]"

Have you tried using the below instead?

metadata_file: metadata.xml

Do you see any errors in OpenSearch nodes during the startup or when accessing the OpenSearch Dashboards and IdP?