Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS - 2.10
Describe the issue:
We have enabled Azure SSO for OpenSearch. When we try SSO login from the OpenSearch login page, it works fine,
but when we try to open the OpenSearch app from myapplications Microsoft, we get the below error.
https://opeansearch.org.com/_dashboards
```
{
  statusCode: 401,
  error: "Unauthorized",
  message: "Unauthorized"
}
```
Configuration:
Below is our IdP configuration:
Reply URL (Assertion Consumer Service URL)
https://opensearch.org.com/_opendistro/_security/saml/acs
Sign on URL
https://opensearch.org.com/_dashboards
We even tried the sign-on URL with /auth/saml instead of /_dashboards.
Now the redirection happens to /auth/saml, but still the same error.
Can someone guide me on this?
Hi @arun_udaiyar
Do you have access to the following files: config/opensearch-security/config.yml and opensearch_dashboards.yml? If yes, please share their configurations.
Hi @Eugene7,
Thanks for your prompt response.
You can find the config below.
config.yaml
```yaml
config.yml: |-
  _meta:
    type: "config"
    config_version: "2"
  config:
    dynamic:
      http:
        anonymous_auth_enabled: false
      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: basic
            challenge: false
          authentication_backend:
            type: intern
        saml_auth_domain:
          order: 1
          description: "SAML provider"
          http_enabled: true
          transport_enabled: false
          http_authenticator:
            type: saml
            challenge: true
            config:
              idp:
                metadata_url: https://login.microsoftonline.com/xxxx
                entity_id: https://sts.windows.net/xxxx
              sp:
                entity_id: os-gcp-prod
              kibana_url: https://os-dashboard.org.net
              exchange_key: "35b55689a8348e94909c59c26b971f874e6660484c291569a570b0ac073ec29f"
              roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
          authentication_backend:
            type: noop
```
opensearch_dashboards.yml
```yaml
config:
  opensearch_dashboards.yml: |
    server:
      host: "0"
      ssl:
        enabled: "false"
      xsrf:
        allowlist: ["/_plugins/_security/api/authtoken", "/_opendistro/_security/api/authtoken", "/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
    opensearch_security:
      multitenancy:
        enabled: "true"
        tenants:
          preferred: ["Private", "Global"]
      auth:
        type: ["basicauth","saml"]
        multiple_auth_enabled: "true"
    opensearch:
      ssl:
        verificationMode: "none"
      hosts: ["https://opensearch-cluster-master:9200"]
      requestHeadersAllowlist: ["securitytenant", "security_tenant", "Authorization"]
```
Hi @Eugene7 , @pablo
Any advice on this?
@arun_udaiyar Could you share your OpenSearch logs?
Getting a 401 error at the OpenSearch Dashboards side, no logs at the OpenSearch end.

```
referer : https://login.microsoftonline.com/
statusCode : 401
responseTime : 10
contentLength : 9
message : GET /_dashboard 401 10ms - 9.0B
"referer":"https://os-dashboard.org.net/_dashboard"},"res":{"statusCode":401,"responseTime":3,"contentLength":9},"message":"GET /favicon.ico 401 3ms - 9.0B"}
```
Could you please share screenshots from Microsoft MyApplication along with the steps you took?