SAML logout doesn't work

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.14

Describe the issue:
We are using Microsoft ADFS for SAML authentication. Login works fine, but logout doesn’t. During logout the user sees an error in the browser: “An error occurred. Contact your administrator for more information”. On the SAML server side we see: “MSIS7084: SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding”, but signature is disabled in our configuration.

Configuration:

opensearch.requestTimeout: 240000
opensearch.pingTimeout: 6000
opensearch.hosts:
- https://hostname:9200
opensearch.username: opensearch_dashboards
opensearch.password: password
opensearch.ssl.certificateAuthorities:
- "/path/to/ca"
logging.dest: "/var/log/opensearch-dashboards/opensearch-dashboards.log"
opensearch.logQueries: false
logging.verbose: false
opensearch_security.ui.basicauth.login.title: Login message
opensearch_security.auth.type:
- basicauth
- saml
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.allowlist:
- "/_opendistro/_security/saml/acs/idpinitiated"
- "/_opendistro/_security/saml/acs"
- "/_opendistro/_security/saml/logout"

Relevant Logs or Screenshots:
I don’t see any errors in the logs:

{"type":"response","@timestamp":"2024-07-17T10:59:57Z","tags":[],"pid":173713,"method":"get","statusCode":302,"req":{"url":"/auth/saml/logout","method":"get","headers":{"host":"dashboard.domain","x-real-ip":"10.48.2.154","connection":"close","sec-ch-ua":"\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Brave\";v=\"126\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8","sec-gpc":"1","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","referer":"https://dashboard.domain/app/home","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9,ru;q=0.8","priority":"u=0, i"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","referer":"https://dashboard.domain/app/home"},"res":{"statusCode":302,"responseTime":24,"contentLength":9},"message":"GET /auth/saml/logout 302 24ms - 9.0B"}


hey @ComBin

I had that logout issue. This is how I fixed it.

@ComBin This is a very old issue. I get the same error and I couldn’t find a solution yet.
The solution suggested by @Gsmitt works for 404 but in this case it will never log you out.

Hello all. I know about your solution @Gsmitt and use it now, thank you very much for it! But it’s not OK to change code manually. At least it’s not comfortable to do it on every update. So there must be a solution via changing configuration or via changing code on the developers’ side.

I created an issue ([BUG] SAML logout don't work · Issue #1788 · opensearch-project/security-dashboards-plugin · GitHub), but it was closed by derek-ho with the remark “This sounds like a support request”, so I’m here.

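To check the MSIS7084 complaint from the original question against what the browser is actually sent, this added example (not code from the thread or from the OpenSearch project) decodes the `SAMLRequest` in a logout redirect URL and reports whether the HTTP-Redirect binding's `SigAlg` and `Signature` parameters are present. The function names, the `adfs.example` host and the sample LogoutRequest are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML = 64 * 1024  # cap on inflated size, guards against compression bombs


def inspect_logout_redirect(location):
    """Summarise the SAML message carried by an HTTP-Redirect logout URL."""
    query = parse_qs(urlsplit(location).query)
    if "SAMLRequest" not in query:
        return {"saml_request": False, "signed": False}
    # HTTP-Redirect binding: base64 over a raw DEFLATE stream (no zlib header).
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(query["SAMLRequest"][0]), MAX_XML)
    if inflater.unconsumed_tail or b"<!DOCTYPE" in xml:
        raise ValueError("oversized message or DTD present, refusing to parse")
    root = ET.fromstring(xml)
    return {
        "saml_request": True,
        "message": root.tag.split("}")[-1],
        "destination": root.get("Destination"),
        "sig_alg": query.get("SigAlg", [None])[0],
        # Presence only: this does not verify the signature value.
        "signed": "SigAlg" in query and "Signature" in query,
    }


def build_sample(signed):
    """Constructed LogoutRequest URL for the demo; every value is made up."""
    xml = ('<samlp:LogoutRequest xmlns:samlp="%s" ID="_constructed" '
           'Version="2.0" IssueInstant="2024-07-17T10:59:57Z" '
           'Destination="https://adfs.example/adfs/ls/"/>' % SAMLP)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(blob).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = "Y29uc3RydWN0ZWQ="  # placeholder, not a real signature
    return "https://adfs.example/adfs/ls/?" + urlencode(params)


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_logout_redirect(build_sample(flag)))
```

Pass it the `Location` header of the 302 that `/auth/saml/logout` returns; `"signed": False` there matches what ADFS rejects with MSIS7084.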