Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.14
Describe the issue:
We are using Microsoft ADFS for SAML authentication. Login works fine, but logout doesn’t. During logout, the user sees an error in the browser: “An error occurred. Contact your administrator for more information”. On the SAML server side we see: “MSIS7084: SAML logout request and logout response messages must be signed when using SAML HTTP Redirect or HTTP POST binding”, but the signature is disabled in our configuration.
Configuration:
opensearch.requestTimeout: 240000
opensearch.pingTimeout: 6000
opensearch.hosts:
- https://hostname:9200
opensearch.username: opensearch_dashboards
opensearch.password: password
opensearch.ssl.certificateAuthorities:
- "/path/to/ca"
logging.dest: "/var/log/opensearch-dashboards/opensearch-dashboards.log"
opensearch.logQueries: false
logging.verbose: false
opensearch_security.ui.basicauth.login.title: Login message
opensearch_security.auth.type:
- basicauth
- saml
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.allowlist:
- "/_opendistro/_security/saml/acs/idpinitiated"
- "/_opendistro/_security/saml/acs"
- "/_opendistro/_security/saml/logout"
Relevant Logs or Screenshots:
I don’t see any errors in the logs:
{"type":"response","@timestamp":"2024-07-17T10:59:57Z","tags":[],"pid":173713,"method":"get","statusCode":302,"req":{"url":"/auth/saml/logout","method":"get","headers":{"host":"dashboard.domain","x-real-ip":"10.48.2.154","connection":"close","sec-ch-ua":"\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Brave\";v=\"126\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8","sec-gpc":"1","sec-fetch-site":"same-origin","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","referer":"https://dashboard.domain/app/home","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9,ru;q=0.8","priority":"u=0, i"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","referer":"https://dashboard.domain/app/home"},"res":{"statusCode":302,"responseTime":24,"contentLength":9},"message":"GET /auth/saml/logout 302 24ms - 9.0B"}
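A check for the condition ADFS reports in MSIS7084, as an added example that is not part of the original post: it decodes the Location URL of a SAML HTTP-Redirect message (for instance the target of the 302 from /auth/saml/logout, copied from browser developer tools) and reports whether the SigAlg and Signature query parameters are present. It assumes the redirect carries the logout message as a SAMLRequest parameter; the adfs.example.test URL, the sample LogoutRequest and the function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

def inspect_redirect(location):
    """Describe the SAML HTTP-Redirect message carried in a Location URL."""
    query = parse_qs(urlsplit(location).query)
    field = next((f for f in ("SAMLRequest", "SAMLResponse") if f in query), None)
    if field is None:
        raise ValueError("no SAMLRequest/SAMLResponse parameter in URL")
    # HTTP-Redirect binding: base64 over raw DEFLATE (no zlib header), so wbits=-15
    xml = zlib.decompress(base64.b64decode(query[field][0]), -15)
    if b"<!DOCTYPE" in xml:
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml)
    return {
        "message": root.tag.split("}")[-1],       # e.g. LogoutRequest
        "destination": root.get("Destination"),
        "sig_alg": query.get("SigAlg", [None])[0],
        # Presence only: this does not verify the signature value itself.
        "signed": "SigAlg" in query and "Signature" in query,
    }

def encode_redirect(xml, base, extra=None):
    """Build a constructed redirect URL so the check can be run offline."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    params.update(extra or {})
    return base + "?" + urlencode(params)

# Constructed sample message and IdP endpoint (not taken from the post).
SAMPLE_XML = ('<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_constructed1" Version="2.0" IssueInstant="2024-07-17T10:59:57Z" '
              'Destination="https://adfs.example.test/adfs/ls/"/>')
IDP_URL = "https://adfs.example.test/adfs/ls/"

if __name__ == "__main__":
    unsigned = encode_redirect(SAMPLE_XML, IDP_URL)
    signed = encode_redirect(SAMPLE_XML, IDP_URL, {
        "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "Signature": "Y29uc3RydWN0ZWQ=",  # constructed placeholder value
    })
    for name, url in (("unsigned", unsigned), ("signed", signed)):
        print(name, inspect_redirect(url))
```

A result of `signed: False` for a `LogoutRequest` matches the situation ADFS rejects in the error quoted above.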