SAML integration with OpenSearch and OpenSearch Dashboards

Hi Community ,

After spending 4 to 5 days working on SAML integration of OpenSearch and Dashboards with Azure AD, I am facing the below error.
It would be really helpful if you could help, or if you have any step-by-step configuration for the same.

I am running opensearch and dashboard on the AKS cluster.
Error:

Error: failed parsing SAML config
at SecurityClient.getSamlHeader (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/backend/opensearch_security_client.ts:176:15)
at process._tickCallback (internal/process/next_tick.js:68:7)
{"type":"log","@timestamp":"2022-03-10T11:55:57Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}
{"type":"error","@timestamp":"2022-03-10T11:55:57Z","tags":,"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n

And my config.yml is:


_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        order: 1
        description: "Azure AAD SAML provider"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: /usr/share/opensearch/config/metadata.xml
              entity_id: 'id'
            sp:
              entity_id: id_id
              forceAuthn: true
            kibana_url: url
            exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b
        authentication_backend:
          type: noop

Do let me know if you need any other information.
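Added example, not code from this thread or from the OpenSearch project: the "failed parsing SAML config" error is raised by the Dashboards security plugin after it calls the OpenSearch authinfo endpoint without credentials and fails to find `location="..."` and `requestId="..."` in the 401 response's WWW-Authenticate header (that is how I read `SecurityClient.getSamlHeader` in the plugin source; verify against your version). The script below does that same check outside Dashboards, so you can see which side is misbehaving. The sample headers are constructed, and the URL passed to `probe()` is hypothetical.

```python
"""Reproduce the challenge-header check Dashboards runs before redirecting to the IdP.

Added example (not the plugin's code). If OpenSearch answers the unauthenticated
authinfo call with a SAML challenge, Dashboards can redirect; if it answers with a
Basic challenge or no WWW-Authenticate header at all, Dashboards reports
"failed parsing SAML config" although the cause is on the OpenSearch side.
"""
import re
import urllib.error
import urllib.request
from typing import Optional

LOCATION_RE = re.compile(r'location="(.*?)"')
REQUEST_ID_RE = re.compile(r'requestId="(.*?)"')

# Constructed sample headers (not captured from the thread's cluster).
SAML_CHALLENGE = ('X-Security-IdP realm="Open Distro Security" '
                  'location="https://login.example.invalid/saml2?SAMLRequest=AAA" '
                  'requestId="ONELOGIN_1234"')
BASIC_CHALLENGE = 'Basic realm="Open Distro Security"'


def parse_saml_challenge(www_authenticate: Optional[str]) -> Optional[dict]:
    """Return {'location', 'requestId'} for a SAML challenge header, else None
    (None is the case Dashboards turns into "failed parsing SAML config")."""
    if not www_authenticate:
        return None
    loc = LOCATION_RE.search(www_authenticate)
    rid = REQUEST_ID_RE.search(www_authenticate)
    if loc and rid:
        return {"location": loc.group(1), "requestId": rid.group(1)}
    return None


def diagnose(www_authenticate: Optional[str]) -> str:
    """Map the challenge header to a hint about where to look first."""
    if parse_saml_challenge(www_authenticate):
        return "ok: OpenSearch issues a SAML redirect; look at Dashboards and the IdP next"
    if www_authenticate and www_authenticate.lower().startswith("basic"):
        return ("basic challenge: a basic domain with challenge: true answered first, "
                "so the SAML domain never redirected (check challenge and order)")
    if not www_authenticate:
        return ("no WWW-Authenticate header: no authenticator challenged; the SAML "
                "domain may be disabled or failed to initialise (check the OpenSearch log)")
    return f"unrecognised challenge: {www_authenticate!r}"


def probe(opensearch_url: str, timeout: float = 5.0) -> str:
    """Live check: GET /_plugins/_security/authinfo with no credentials and
    diagnose the resulting challenge. The URL is supplied by the caller."""
    req = urllib.request.Request(opensearch_url.rstrip("/") + "/_plugins/_security/authinfo")
    try:
        urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return diagnose(err.headers.get("WWW-Authenticate"))
        return f"unexpected HTTP {err.code}"
    return "no 401: anonymous access or another authenticator let the request through"


if __name__ == "__main__":
    for header in (SAML_CHALLENGE, BASIC_CHALLENGE, None):
        print(repr(header), "->", diagnose(header))
```

Run `probe("https://<opensearch-host>:9200")` from a pod that can reach the cluster; the offline `diagnose()` calls show the three outcomes on constructed headers.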

@persi would you be able to provide the config in script tags, and can you provide the opensearch-dashboards.yml config?

Alternatively if you are using helm charts, can you provide copy of the values.yaml file with sensitive values redacted.

config.yml

---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        order: 1
        description: "Azure AAD SAML provider"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: /usr/share/opensearch/config/metadata_file.xml
              entity_id: 'entity_id'
            sp:
              entity_id: entityid
              forceAuthn: true
            kibana_url: https://ingress_url/opensearch
            exchange_key: 1a2a3a4a.......1b......
        authentication_backend:
          type: noop

and

opensearch_dashboards.yml

  opensearch_dashboards.yml:
    server:
      basePath: "/opensearch"
      rewriteBasePath: true
      xsrf.whitelist: ["/_plugins/_security/api/authtoken", "/_opendistro/_security/api/authtoken", "/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
    opensearch:
      username: "serverusername"
      password: "serverpassword"
      requestHeadersWhitelist: ["securitytenant","Authorization"]
      ssl:
        verificationMode: none
    opensearch_security:
      multitenancy.enabled: true
      multitenancy.tenants.enable_global: true
      multitenancy.tenants.enable_private: true
      multitenancy.tenants.preferred: ["Private", "Global"]
      multitenancy.enable_filter: false
      auth.type: "saml"
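Added example, not code from this thread or from the security plugin: a static sanity check that reads a config.yml like the one above and cross-checks the SAML domain against the Dashboards `server.basePath`. The embedded config is a constructed copy of the one posted (placeholders kept); the YAML parser is a deliberately tiny subset parser for nested mappings so the script runs without PyYAML, and it also shows why a config pasted with its indentation lost (as in the first post) contains no SAML domain at all. The rule that `kibana_url` must include the Dashboards base path and that the basic domain must use `challenge: false` follows the security plugin documentation; the rest of the checks are my assumptions about what is worth verifying.

```python
"""Static checks for a security plugin config.yml SAML domain (added example)."""
from typing import Any, List

# Constructed copy of the config.yml posted above (descriptions dropped).
SAMPLE_CONFIG_YML = """\
---
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        order: 1
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: /usr/share/opensearch/config/metadata_file.xml
              entity_id: 'entity_id'
            sp:
              entity_id: entityid
              forceAuthn: true
            kibana_url: https://ingress_url/opensearch
            exchange_key: 1a2a3a4a.......1b......
        authentication_backend:
          type: noop
"""
DASHBOARDS_BASE_PATH = "/opensearch"  # server.basePath from opensearch_dashboards.yml above


def parse_mappings(text: str) -> dict:
    """Minimal parser for the indentation-only YAML subset config.yml uses:
    nested mappings and scalar values (no lists, anchors or block scalars)."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) for the open nesting levels
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        while indent <= stack[-1][0]:  # close levels deeper than this line
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("\"'")  # scalars stay strings
    return root


def get(node: Any, path: str) -> Any:
    """Dotted-path lookup; None when any segment is missing."""
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_saml_domain(cfg: dict, dashboards_base_path: str = "") -> List[str]:
    """Return a list of problems found in the SAML domain; empty means none."""
    problems: List[str] = []
    authc = get(cfg, "config.dynamic.authc") or {}
    saml = [(n, d) for n, d in authc.items() if get(d, "http_authenticator.type") == "saml"]
    if len(saml) != 1:
        return [f"expected exactly one SAML domain, found {len(saml)}"]
    name, dom = saml[0]
    c = get(dom, "http_authenticator.config") or {}
    for key in ("idp.entity_id", "sp.entity_id", "kibana_url", "exchange_key"):
        if get(c, key) in (None, ""):
            problems.append(f"{name}: missing {key}")
    if not (get(c, "idp.metadata_file") or get(c, "idp.metadata_url")):
        problems.append(f"{name}: need idp.metadata_file or idp.metadata_url")
    if get(dom, "http_enabled") != "true":
        problems.append(f"{name}: http_enabled must be true")
    if get(dom, "authentication_backend.type") != "noop":
        problems.append(f"{name}: authentication_backend.type should be noop")
    url = get(c, "kibana_url") or ""
    if dashboards_base_path and not url.rstrip("/").endswith(dashboards_base_path):
        problems.append(f"{name}: kibana_url {url!r} does not end with basePath {dashboards_base_path!r}")
    # A basic domain that challenges answers before the SAML domain can redirect.
    for n, d in authc.items():
        if get(d, "http_authenticator.type") == "basic" and get(d, "http_authenticator.challenge") != "false":
            problems.append(f"{n}: basic domain must set challenge: false alongside SAML")
    return problems


if __name__ == "__main__":
    print(check_saml_domain(parse_mappings(SAMPLE_CONFIG_YML), DASHBOARDS_BASE_PATH))
```

With the posted config the check passes; strip the indentation (as happened in the first post) and the same text parses to no SAML domain, which is the kind of thing to rule out before digging into the IdP side.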