SAML config works in single-node, but not in cluster

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpensSearch 2.19.1, Ubuntu, Chrome/Firefox

Describe the issue:

I successfully configured OpenSearch to use SAML authentication with Azure on a single node system. When I tried to apply that same configuration to a cluster, I get a ‘failed to parse SAML header’ and a 500 internal server error.

This seems to be related to some sort of SSL error since I see “ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN” in the cluster dashboard logs, but not in the single node logs.

Configuration:
I have 3 nodes connected, running, and dashboards working. I can log in with basic auth and there are no obvious errors in the OpenSearch logs. I have self-signed certificates for each node and PEM certificates and keys configured.

Relevant Logs or Screenshots:
On the single node system, the dashboard logs report:

{"type":"response","@timestamp":"2026-01-29T16:22:17Z","tags":[],"pid":1529,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment","method":"get","headers":{"host":"10.101.3.21:5601","connection":"keep-alive","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment 200 4ms - 9.0B"}

{"type":"response","@timestamp":"2026-01-29T16:22:17Z","tags":[],"pid":1529,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"10.101.3.21:5601","connection":"keep-alive","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://10.101.3.21:5601/auth/saml/captureUrlFragment","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","referer":"https://10.101.3.21:5601/auth/saml/captureUrlFragment"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 2ms - 9.0B"}

{"type":"response","@timestamp":"2026-01-29T16:22:17Z","tags":[],"pid":1529,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?redirectHash=false","method":"get","headers":{"host":"10.101.3.21:5601","connection":"keep-alive","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","referer":"https://10.101.3.21:5601/auth/saml/captureUrlFragment","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","referer":"https://10.101.3.21:5601/auth/saml/captureUrlFragment"},"res":{"statusCode":302,"responseTime":63,"contentLength":9},"message":"GET /auth/saml/login?redirectHash=false 302 63ms - 9.0B"}

On the cluster node running dashboards I see:

{"type":"response","@timestamp":"2026-01-29T16:25:17Z","tags":[],"pid":126111,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment","method":"get","headers":{"host":"10.101.3.152:5601","connection":"keep-alive","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment 200 2ms - 9.0B"}

{"type":"response","@timestamp":"2026-01-29T16:25:17Z","tags":[],"pid":126111,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"10.101.3.152:5601","connection":"keep-alive","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"script","referer":"https://10.101.3.152:5601/auth/saml/captureUrlFragment","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","referer":"https://10.101.3.152:5601/auth/saml/captureUrlFragment"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 2ms - 9.0B"}

{"type":"error","@timestamp":"2026-01-29T16:25:17Z","tags":["connection","client","error"],"pid":126111,"level":"error","error":{"message":"0078CF68367F0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n","name":"Error","stack":"Error: 0078CF68367F0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"0078CF68367F0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n"}

{"type":"log","@timestamp":"2026-01-29T16:25:18Z","tags":["error","plugins","securityDashboards"],"pid":126111,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}

{"type":"error","@timestamp":"2026-01-29T16:25:18Z","tags":[],"pid":126111,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:127:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:83:19)\n    at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:79:17)\n    at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:175:34)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:140:50)\n    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://10.101.3.152:5601/auth/saml/login?redirectHash=false","message":"Internal Server Error"}

{"type":"response","@timestamp":"2026-01-29T16:25:18Z","tags":[],"pid":126111,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?redirectHash=false","method":"get","headers":{"host":"10.101.3.152:5601","connection":"keep-alive","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","referer":"https://10.101.3.152:5601/auth/saml/captureUrlFragment","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","referer":"https://10.101.3.152:5601/auth/saml/captureUrlFragment"},"res":{"statusCode":500,"responseTime":15,"contentLength":9},"message":"GET /auth/saml/login?redirectHash=false 500 15ms - 9.0B"}

{"type":"error","@timestamp":"2026-01-29T16:25:18Z","tags":["connection","client","error"],"pid":126111,"level":"error","error":{"message":"0078CF68367F0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n","name":"Error","stack":"Error: 0078CF68367F0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n","code":"ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN"},"message":"0078CF68367F0000:error:0A000416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1586:SSL alert number 46\n"}

{"type":"response","@timestamp":"2026-01-29T16:25:18Z","tags":[],"pid":126111,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"10.101.3.152:5601","connection":"keep-alive","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","sec-ch-ua":"\"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"144\", \"Google Chrome\";v=\"144\"","sec-ch-ua-mobile":"?0","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://10.101.3.152:5601/auth/saml/login?redirectHash=false","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.101.2.182","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36","referer":"https://10.101.3.152:5601/auth/saml/login?redirectHash=false"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}

Each node in the cluster has a nearly identical opensearch.yml configuration, just the node certificates are different:

cluster.name: MyOrg-flow
node.name: "support-aflow1"
node.roles: [master,data,data_content,data_hot,data_warm,data_cold,data_frozen,ingest,ml,remote_cluster_client,transform]
path.data: /mnt/data1/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
http.port: 9200
http.compression: true
cluster.initial_cluster_manager_nodes: ["support-aflow1","support-aflow2","support-aflow3"]
discovery.seed_hosts: ["10.101.3.150","10.101.3.151","10.101.3.152"]
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: true
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
plugins.security.ssl.transport.pemcert_filepath: support-aflow1.pem
plugins.security.ssl.transport.pemkey_filepath: support-aflow1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: support-aflow1.pem
plugins.security.ssl.http.pemkey_filepath: support-aflow1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.audit.type: internal_opensearch
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-config", ".plugins-ml-connector", ".plugins-ml-model-group", ".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}'
plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
plugins.security.authcz.admin_dn:
  - "CN=admin,OU=support,O=MyOrgFlow,L=Nocona,ST=Texas,C=US"

# Update nodes_dn to match the same style (No spaces around =)
plugins.security.nodes_dn:
  - "CN=support-aflow1.lab.local,OU=support,O=MyOrgFlow,L=Nocona,ST=Texas,C=US"
  - "CN=support-aflow2.lab.local,OU=support,O=MyOrgFlow,L=Nocona,ST=Texas,C=US"
  - "CN=support-aflow3.lab.local,OU=support,O=MyOrgFlow,L=Nocona,ST=Texas,C=US"

Each node has an identical config.yml and the securityadmin.sh was successfully run to push the changes:

---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      saml_auth_domain:
        description: "Authenticate via SAML"
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              entity_id: https://sts.windows.net/xxxxxxxxxxxxxxxxxx/
              metadata_file: /etc/opensearch/azure-metadata.xml
            sp:
              entity_id: apstra-flow-opensearch
            kibana_url: https://10.101.3.152:5601
            exchange_key: 34ee1dc97007b3e97a313e54bf3827c3100e1abe0732409174122a4fe68c7994
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
        authentication_backend:
          type: noop
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap

What other information do you need to help me troubleshoot/test?

This has been an ongoing issue for a while and I really need to get it resolve so any help appreciated.

Thanks!

2

@dxturner Could you share your opensearch_dashboads.yml file?
Are you getting redirected to Azure UI, or is it failing once you hit the OpenSearch Dashboards URL?

3 
---
server.port: 5601
server.host: "0.0.0.0"
server.maxPayloadBytes: 8388608
server.name: "apstra-flow"

# --- Backend Connection ---
# Listing all nodes ensures high availability
#opensearch.hosts: ["https://10.101.3.150:9200","https://10.101.3.151:9200","https://10.101.3.152:9200"]
opensearch.hosts: ["https://support-aflow3.lab.local:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "Apstra-Flow5"

# --- SSL Settings ---
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/support-aflow3.pem
server.ssl.key: /etc/opensearch-dashboards/support-aflow3-key.pem
server.ssl.certificateAuthorities: /etc/opensearch-dashboards/root-ca.pem

# --- SSL Settings for Backend Cluster ---
opensearch.ssl.certificateAuthorities: [ "/etc/opensearch-dashboards/root-ca.pem" ]
opensearch.ssl.certificate: /etc/opensearch-dashboards/support-aflow3.pem
opensearch.ssl.key: /etc/opensearch-dashboards/support-aflow3-key.pem
opensearch.ssl.verificationMode: certificate
opensearch.ssl.alwaysPresentCertificate: true

# --- Security Plugin Settings ---
opensearch_security.auth.type: ["basicauth", "saml"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.cookie.secure: true
opensearch_security.cookie.isSameSite: "None"


# --- SAML Specifics ---
# This must match the IP in your Azure Redirect URI
# and the kibana_url in your OpenSearch config.yml
#server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
server.xsrf.allowlist:
  - "/_plugins/_security/saml/acs"
  - "/_plugins/_security/saml/logout"
  - "/_plugins/_security/api/authtype"
  - "/api/v1/auth/type"

# --- Multi-tenancy ---
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Global, Private]
opensearch_security.readonly_mode.roles: [kibana_read_only]

# --- Headers & Timeouts ---
#opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch.requestHeadersAllowlist: ["authorization", "securitytenant", "osd-xsrf"]
opensearch.requestTimeout: 132000
opensearch.shardTimeout: 120000

# --- Logging ---
logging.quiet: false
logging.verbose: false
logging.dest: /var/log/opensearch-dashboards/opensearch-dashboards.log

When I load the dashboard login page, I see some 400 errors, though I think that might be normal? It’s when I click the ‘Log in with single sign-on’ button that I get the 500 error.

Screenshot 2026-02-04 at 06.34.53
Screenshot 2026-02-04 at 06.34.53878×680 24.1 KB

As soon as I click that I get the following in the dashboards log:

{“type”:“response”,“@timestamp”:“2026-02-03T17:47:23Z”,“tags”:
,“pid”:22743,“method”:“get”,“statusCode”:200,“req”:{“url”:“/auth/saml/captureUrlFragment.js”,“method”:“get”,“headers”:{“host”:“10.101.3.152:5601”,“connection”:“keep-alive”,“sec-ch-ua-platform”:“"macOS"”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“sec-ch-ua”:“"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"”,“sec-ch-ua-mobile”:“?0”,“accept”:“/”,“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“no-cors”,“sec-fetch-dest”:“script”,“referer”:“https://10.101.3.152:5601/auth/saml/captureUrlFragment",“accept-encoding”:"gzip, deflate, br, zstd”,“accept-language”:“en-US,en;q=0.9”},“remoteAddress”:“10.101.2.182”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“referer”:“https://10.101.3.152:5601/auth/saml/captureUrlFragment"},“res”:{“statusCode”:200,“responseTime”:3,“contentLength”:9},“message”:"GET /auth/saml/captureUrlFragment.js 200 3ms - 9.0B”}
{“type”:“error”,“@timestamp”:“2026-02-03T17:47:23Z”,“tags”:
,“pid”:22743,“level”:“error”,“error”:{“message”:“Internal Server Error”,“name”:“Error”,“stack”:“Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:127:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:83:19)\n    at HapiResponseAdapter.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:79:17)\n    at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:175:34)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:140:50)\n    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)”},“url”:“https://10.101.3.152:5601/auth/saml/login?redirectHash=false",“message”:"Internal Server Error”}
{“type”:“response”,“@timestamp”:“2026-02-03T17:47:23Z”,“tags”:
,“pid”:22743,“method”:“get”,“statusCode”:500,“req”:{“url”:“/auth/saml/login?redirectHash=false”,“method”:“get”,“headers”:{“host”:“10.101.3.152:5601”,“connection”:“keep-alive”,“sec-ch-ua”:“"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"”,“sec-ch-ua-mobile”:“?0”,“sec-ch-ua-platform”:“"macOS"”,“upgrade-insecure-requests”:“1”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“accept”:“text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7”,“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“navigate”,“sec-fetch-dest”:“document”,“referer”:“https://10.101.3.152:5601/auth/saml/captureUrlFragment",“accept-encoding”:"gzip, deflate, br, zstd”,“accept-language”:“en-US,en;q=0.9”},“remoteAddress”:“10.101.2.182”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“referer”:“https://10.101.3.152:5601/auth/saml/captureUrlFragment"},“res”:{“statusCode”:500,“responseTime”:38,“contentLength”:9},“message”:"GET /auth/saml/login?redirectHash=false 500 38ms - 9.0B”}
{“type”:“response”,“@timestamp”:“2026-02-03T17:47:23Z”,“tags”:
,“pid”:22743,“method”:“get”,“statusCode”:401,“req”:{“url”:“/favicon.ico”,“method”:“get”,“headers”:{“host”:“10.101.3.152:5601”,“connection”:“keep-alive”,“sec-ch-ua-platform”:“"macOS"”,“user-agent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“sec-ch-ua”:“"Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"”,“sec-ch-ua-mobile”:“?0”,“accept”:“image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8”,“sec-fetch-site”:“same-origin”,“sec-fetch-mode”:“no-cors”,“sec-fetch-dest”:“image”,“referer”:“https://10.101.3.152:5601/auth/saml/login?redirectHash=false",“accept-encoding”:"gzip, deflate, br, zstd”,“accept-language”:“en-US,en;q=0.9”},“remoteAddress”:“10.101.2.182”,“userAgent”:“Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36”,“referer”:“https://10.101.3.152:5601/auth/saml/login?redirectHash=false"},“res”:{“statusCode”:401,“responseTime”:2,“contentLength”:9},“message”:"GET /favicon.ico 401 2ms - 9.0B”}
{“type”:“ops”,“@timestamp”:“2026-02-03T17:47:26Z”,“tags”:
,“pid”:22743,“os”:{“load”:[0.02,0.02,0],“mem”:{“total”:16764915712,“free”:4440453120},“uptime”:91538.08},“proc”:{“uptime”:115.007880667,“mem”:{“rss”:208216064,“heapTotal”:144023552,“heapUsed”:124070168,“external”:2531224,“arrayBuffers”:1138027},“delay”:0.17056599259376526},“load”:{“requests”:{“5601”:{“total”:4,“disconnects”:0,“statusCodes”:{“200”:2,“401”:1,“500”:1}}},“responseTimes”:{“5601”:{“avg”:11.75,“max”:38}},“sockets”:{“http”:{“total”:0},“https”:{“total”:0}}},“message”:“memory: 118.3MB uptime: 0:01:55 load: [0.02 0.02 0.00] delay: 0.171”}
4

As per the OpenSearch Documentation, you must use _opendistro/_security

server.xsrf.allowlist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

Do you use that URL when accessing OpenSearch Dashboards or its FQDN?

Can your OpenSearch access this file? Did you consider using metadata_url instead?

Last question, when you get HTTP 500, do you get any errors in OpenSearch logs?

5

This turned out to be a misconfiguration in the /etc/opensearch/opensearch-security/config.yml.

The entity_id was incorrect (typo), there was an unnecessary entry for clientcert_auth_domain section. The corrected/simplified/santized contents for both opensearch_dashboards.yml and config.yml are included below for reference.

---
server.port: 5601
server.host: "0.0.0.0"
server.maxPayloadBytes: 8388608
server.name: "lab-server"
opensearch.hosts: ["https://192.168.XX.XX:9200","https://192.168.XX.XX:9200","https://192.168.XX.XX:9200"]
opensearch.username: kibanaserver
opensearch.password: kibanaserver
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/dashnode.pem
server.ssl.key: /etc/opensearch-dashboards/dashnode-key.pem
server.ssl.certificateAuthorities: /etc/opensearch-dashboards/root-ca.pem
opensearch.ssl.verificationMode: none
opensearch.requestTimeout: 132000
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch.shardTimeout: 120000
logging.quiet: false
logging.verbose: false
logging.dest: /var/log/opensearch-dashboards/opensearch-dashboards.log
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Global, Private]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.cookie.secure: true
opensearch_security.auth.type: ["basicauth", "saml"]
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs","/_opendistro/_security/saml/logout"]


---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              entity_id: https://sts.windows.net/XXXXXXXXXXXXXXXXXXXXXXXX/
              metadata_file: azure-metadata.xml
            sp:
              entity_id: my-entity-id-from-metadata
            kibana_url: https://192.168.XX.XX:5601
            exchange_key: 9f1a3d5ef2d1c4ac6b907c1d2e7bfae9206d7d03254c6d7e8e8db3f2172db91f
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
        authentication_backend:
          type: noop
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: false
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap