SAML parsing error in OpenSearch Dashboards application [ Dashboards version : 2.9.0 image ]

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Unable to log in to the OpenSearch dashboard… Once I hit the URL I get the below error logs…

Dashboard version : 2.9.0 Image

Error: failed parsing SAML config
at SecurityClient.getSamlHeader (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/backend/opensearch_security_client.ts:176:15)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at /usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/saml/routes.ts:65:30
at Router.handle (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:163:44)
at handler (/usr/share/opensearch-dashboards/src/core/server/http/router/router.js:124:50)
at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
at Object.internals.handler (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)
at exports.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)
at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)
at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)
{"type":"log","@timestamp":"2023-08-14T10:58:09Z","tags":["error","plugins","securityDashboards"],"pid":1,"message":"Failed to get saml header: Error: Error: failed parsing SAML config"}
{"type":"error","@timestamp":"2023-08-14T10:58:09Z","tags":,"pid":1,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/opensearch-dashboards/src/core/server/http/router/response_adapter.js:97:19)\n

Describe the issue:

Configuration:

Relevant Logs or Screenshots:

@bhanu1 Please share your config.yml and opensearch_dashboards.yml files.

How did you deploy the cluster?

What is the SAML IdP?

opensearch_dashboards.yml: |
  server:
    #basePath: "/opnesearch"
    rewriteBasePath: false
    xsrf.whitelist: ["/_plugins/_security/api/authtoken", "/_opendistro/_security/api/authtoken", "/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
  opensearch:
    username: "kibanaserver"
    password: "kibanaserver"
    requestHeadersWhitelist: ["securitytenant","Authorization"]
    ssl:
      verificationMode: certificate
      certificateAuthorities: /usr/share/opensearch-dashboards/certs/opensearch-complete-cert.pem
  opensearch_security:
    multitenancy.enabled: true
    multitenancy.tenants.enable_global: true
    multitenancy.tenants.enable_private: true
    multitenancy.tenants.preferred: ["Private", "Global"]
    multitenancy.enable_filter: false
    auth.type: "saml"

Thanks for responding, yes, using SAML only.

@bhanu1 Please also share config.yml.

Please find the below config YAML file.

config.yml: |-
    _meta:
      type: "config"
      config_version: 2
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          saml_auth_domain:
            order: 1
            description: "Azure AAD SAML provider"
            http_enabled: true
            transport_enabled: false
            http_authenticator:
              type: saml
              challenge: true
              config:
                idp:
                  metadata_file: /usr/share/opensearch/config/SAML_UAT.xml
                  entity_id: 'https://sts.windows.net*********'
                sp:
                  entity_id: eagle-opensearch-saml-uat
                  forceAuthn: true
                kibana_url: https://*****************************
                roles_key: "roles"
                exchange_key: V2VkLCBN
            authentication_backend:
              type: noop

@bhanu1 Have you tried to use the metadata_url instead of the metadata_file? It is more efficient as any change in the Azure SAML configuration requires copying a new XML config file from Azure to your OpenSearch environment.

Have you noticed any errors in the OpenSearch logs during the start-up?
What permission, user and group did you assign to SAML_UAT.xml file?

Also, as per documentation, the exchange_key should have at least 32 characters.
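The points raised above (a readable metadata file or a metadata_url, the required identifiers, and the 32-character minimum for exchange_key) can be checked before the cluster is started. The script below is an added example written for this thread; it is not code from the OpenSearch project or from either poster. SAMPLE_CONFIG is a constructed copy of the posted config.yml with the redacted values replaced by obvious placeholders, and load_config assumes PyYAML is installed (it is not part of the standard library). The check for authentication_backend.type being noop follows the security plugin documentation for SAML domains.

```python
"""Pre-flight checks for the SAML authc domain of an OpenSearch security config.yml.

Added example for the forum thread above; not part of OpenSearch. Run it on the
host where the security plugin will read config.yml, as the same user, so that the
readability check reflects the permissions the plugin will actually see.
"""
import os

# Minimum exchange_key length stated in the security plugin documentation.
MIN_EXCHANGE_KEY_LEN = 32

# Constructed sample mirroring the posted config.yml. Redacted values are placeholders.
SAMPLE_CONFIG = {
    "_meta": {"type": "config", "config_version": 2},
    "config": {"dynamic": {"http": {"anonymous_auth_enabled": False}, "authc": {
        "basic_internal_auth_domain": {
            "order": 0, "http_enabled": True, "transport_enabled": True,
            "http_authenticator": {"type": "basic", "challenge": False},
            "authentication_backend": {"type": "internal"},
        },
        "saml_auth_domain": {
            "order": 1, "http_enabled": True, "transport_enabled": False,
            "http_authenticator": {"type": "saml", "challenge": True, "config": {
                "idp": {
                    "metadata_file": "/usr/share/opensearch/config/SAML_UAT.xml",
                    "entity_id": "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/",
                },
                "sp": {"entity_id": "eagle-opensearch-saml-uat", "forceAuthn": True},
                "kibana_url": "https://<DASHBOARDS-HOST-PLACEHOLDER>",
                "roles_key": "roles",
                "exchange_key": "V2VkLCBN",  # 8 characters, as posted
            }},
            "authentication_backend": {"type": "noop"},
        },
    }}},
}


def load_config(path):
    """Load config.yml with PyYAML (assumed to be installed)."""
    import yaml  # assumption: PyYAML available on the host
    with open(path) as fh:
        return yaml.safe_load(fh)


def saml_domains(cfg):
    """Yield (domain name, http_authenticator, authentication_backend) for SAML domains."""
    authc = (((cfg.get("config") or {}).get("dynamic") or {}).get("authc") or {})
    for name, domain in authc.items():
        domain = domain or {}
        authenticator = domain.get("http_authenticator") or {}
        if authenticator.get("type") == "saml":
            yield name, authenticator, domain.get("authentication_backend") or {}


def check_saml_domain(name, authenticator, backend, readable):
    """Return human-readable findings for one SAML domain (empty list means no issue found)."""
    findings = []
    conf = authenticator.get("config") or {}
    idp = conf.get("idp") or {}
    sp = conf.get("sp") or {}

    # Exactly one metadata source; a local file must be readable by the plugin's user.
    has_file, has_url = "metadata_file" in idp, "metadata_url" in idp
    if has_file == has_url:
        findings.append(f"{name}: set exactly one of idp.metadata_file or idp.metadata_url")
    elif has_file and not readable(idp["metadata_file"]):
        findings.append(f"{name}: idp.metadata_file {idp['metadata_file']!r} "
                        "is not readable (check path, owner and mode)")

    # Identifiers the plugin needs to build and validate the SAML exchange.
    for key, value in (("idp.entity_id", idp.get("entity_id")),
                       ("sp.entity_id", sp.get("entity_id")),
                       ("kibana_url", conf.get("kibana_url"))):
        if not value:
            findings.append(f"{name}: {key} is missing or empty")

    # exchange_key protects the token handed to Dashboards; too short a key is rejected.
    key = conf.get("exchange_key") or ""
    if len(key) < MIN_EXCHANGE_KEY_LEN:
        findings.append(f"{name}: exchange_key is {len(key)} characters, "
                        f"the documented minimum is {MIN_EXCHANGE_KEY_LEN}")

    if backend.get("type") != "noop":
        findings.append(f"{name}: authentication_backend.type should be noop for SAML")
    return findings


def run_checks(cfg, readable=lambda p: os.access(p, os.R_OK)):
    """Check every SAML domain in a loaded config.yml; `readable` is injectable for tests."""
    findings = []
    found = False
    for name, authenticator, backend in saml_domains(cfg):
        found = True
        findings.extend(check_saml_domain(name, authenticator, backend, readable))
    if not found:
        findings.append("no authc domain with http_authenticator.type saml found")
    return findings


if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in run_checks(cfg) or ["no findings"]:
        print(line)
```

Run as `python3 saml_preflight.py /path/to/config.yml`; with no argument it checks the constructed sample, which reports the short exchange_key and (on a host without the file) the unreadable metadata_file.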

Thanks for your prompt response @pablo, as you suggested we tried it in the cluster.
But we are getting the below error.

@bhanu1 This error is expected as the OpenSearch service hasn't fully started yet.
Do you see "node initialized" in the logs?

Do you have any errors or info messages related to SAML?

@pablo Still getting the same SAML parsing error…

Hi @pablo, yeah, I am still getting the SAML parsing error.

When I upgrade from OpenSearch version 1.2.4 to 2.3.0 or 2.9.0 it's working.

But when I do a fresh deployment of version 2.3.0 or 2.9.0, I get the SAML parsing error in the OpenSearch Dashboards pod logs. I am using the same YAML configuration for version 1.2.4 and for 2.3.0/2.9.0, so I still don't understand why I am getting this error.

@bhanu1 Could you run the below command and share the output?

curl --insecure -u admin:admin -XGET https://<OpenSearch_node_IP_or_FQDN>:9200/_plugins/_security/api/securityconfig?pretty