SSO Integration with ADFS

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • OpenSearch 1.2 (Dashboard same version)
  • CentOS 7
  • Any browser (Private session also)

Describe the issue:
Hello Team,
I am receiving this error when the SAML is performed:

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

In the OpenSearch Dashboard I can see these errors:

Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: {"type":"error","@timestamp":"2022-12-06T03:03:54Z","tags":["connection","client","error"],"pid":9410,"level":"error","error":{"message":"140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: { Error: Authentication Exception
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at respond (/usr/share/wazuh-dashboard/node_modules/elasticsearch/src/lib/transport.js:349:15)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at checkRespForFailure (/usr/share/wazuh-dashboard/node_modules/elasticsearch/src/lib/transport.js:306:7)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at HttpConnector.<anonymous> (/usr/share/wazuh-dashboard/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at IncomingMessage.wrapper (/usr/share/wazuh-dashboard/node_modules/lodash/lodash.js:4991:19)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at IncomingMessage.emit (events.js:203:15)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at endReadableNT (_stream_readable.js:1145:12)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: at process._tickCallback (internal/process/next_tick.js:63:19)
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: status: 401,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: displayName: 'AuthenticationException',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: message: 'Authentication Exception',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: path: '/_plugins/_security/api/authtoken',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: query: {},
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: body: 'Unauthorized',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: statusCode: 401,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: response: 'Unauthorized',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: wwwAuthenticateDirective: 'Basic realm="OpenSearch Security"',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: toString: [Function],
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: toJSON: [Function],
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: isBoom: true,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: isServer: false,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: data: null,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: output:
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: { statusCode: 401,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: payload:
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: { statusCode: 401,
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: error: 'Unauthorized',
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: message: 'Authentication Exception' },
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: headers:
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: reformat: [Function],
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: [Symbol(OpenSearchError)]: 'OpenSearch/notAuthorized' }
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: {"type":"log","@timestamp":"2022-12-06T03:03:54Z","tags":["error","plugins","securityDashboards"],"pid":9410,"message":"SAML IDP initiated authentication workflow failed: Error: failed to get token"}
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: {"type":"error","@timestamp":"2022-12-06T03:03:54Z","tags":[],"pid":9410,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:145:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:99:19)\n    at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:94:17)\n    at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:164:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/_opendistro/_security/saml/acs/idpinitiated","path":"/_opendistro/_security/saml/acs/idpinitiated","href":"/_opendistro/_security/saml/acs/idpinitiated"},"message":"Internal Server Error"}
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: {"type":"response","@timestamp":"2022-12-06T03:03:54Z","tags":[],"pid":9410,"method":"post","statusCode":500,"req":{"url":"/_opendistro/_security/saml/acs/idpinitiated","method":"post","headers":{"host":"10.10.10.115","connection":"keep-alive","content-length":"6575","cache-control":"max-age=0","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","origin":"https://naboo.galaxy.com","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://naboo.galaxy.com/","accept-encoding":"gzip, deflate, br","accept-language":"en"},"remoteAddress":"192.168.0.171","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://naboo.galaxy.com/"},"res":{"statusCode":500,"responseTime":40,"contentLength":9},"message":"POST /_opendistro/_security/saml/acs/idpinitiated 500 40ms - 9.0B"}
Dec 06 03:03:54 wazuh-server opensearch-dashboards[9410]: {"type":"response","@timestamp":"2022-12-06T03:03:54Z","tags":[],"pid":9410,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"10.10.10.115","connection":"keep-alive","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated","accept-encoding":"gzip, deflate, br","accept-language":"en"},"remoteAddress":"192.168.0.171","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated"},"res":{"statusCode":401,"responseTime":4,"contentLength":9},"message":"GET /favicon.ico 401 4ms - 9.0B"}
Dec 06 12:15:12 wazuh-server opensearch-dashboards[9410]: {"type":"error","@timestamp":"2022-12-06T12:15:12Z","tags":["connection","client","error"],"pid":9410,"level":"error","error":{"message":"140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Dec 06 12:15:13 wazuh-server opensearch-dashboards[9410]: {"type":"log","@timestamp":"2022-12-06T12:15:13Z","tags":["error","plugins","securityDashboards"],"pid":9410,"message":"SAML IDP initiated authentication workflow failed: SyntaxError: Unexpected token d in JSON at position 51"}
Dec 06 12:15:13 wazuh-server opensearch-dashboards[9410]: {"type":"error","@timestamp":"2022-12-06T12:15:12Z","tags":[],"pid":9410,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:145:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:99:19)\n    at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:94:17)\n    at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:164:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/_opendistro/_security/saml/acs/idpinitiated","path":"/_opendistro/_security/saml/acs/idpinitiated","href":"/_opendistro/_security/saml/acs/idpinitiated"},"message":"Internal Server Error"}
Dec 06 12:15:13 wazuh-server opensearch-dashboards[9410]: {"type":"response","@timestamp":"2022-12-06T12:15:12Z","tags":[],"pid":9410,"method":"post","statusCode":500,"req":{"url":"/_opendistro/_security/saml/acs/idpinitiated","method":"post","headers":{"host":"10.10.10.115","connection":"keep-alive","content-length":"6575","cache-control":"max-age=0","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","origin":"https://naboo.galaxy.com","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://naboo.galaxy.com/","accept-encoding":"gzip, deflate, br","accept-language":"en"},"remoteAddress":"192.168.0.171","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://naboo.galaxy.com/"},"res":{"statusCode":500,"responseTime":479,"contentLength":9},"message":"POST /_opendistro/_security/saml/acs/idpinitiated 500 479ms - 9.0B"}
Dec 06 12:15:13 wazuh-server opensearch-dashboards[9410]: {"type":"response","@timestamp":"2022-12-06T12:15:13Z","tags":[],"pid":9410,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"10.10.10.115","connection":"keep-alive","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated","accept-encoding":"gzip, deflate, br","accept-language":"en"},"remoteAddress":"192.168.0.171","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}
Dec 06 13:45:29 wazuh-server opensearch-dashboards[9410]: {"type":"error","@timestamp":"2022-12-06T13:45:29Z","tags":["connection","client","error"],"pid":9410,"level":"error","error":{"message":"140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"140539448248192:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
Dec 06 13:45:29 wazuh-server opensearch-dashboards[9410]: {"type":"log","@timestamp":"2022-12-06T13:45:29Z","tags":["error","plugins","securityDashboards"],"pid":9410,"message":"SAML IDP initiated authentication workflow failed: SyntaxError: Unexpected token d in JSON at position 51"}
Dec 06 13:45:29 wazuh-server opensearch-dashboards[9410]: {"type":"error","@timestamp":"2022-12-06T13:45:29Z","tags":[],"pid":9410,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:145:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:99:19)\n    at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:94:17)\n    at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:164:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/_opendistro/_security/saml/acs/idpinitiated","path":"/_opendistro/_security/saml/acs/idpinitiated","href":"/_opendistro/_security/saml/acs/idpinitiated"},"message":"Internal Server Error"}
Dec 06 13:45:29 wazuh-server opensearch-dashboards[9410]: {"type":"response","@timestamp":"2022-12-06T13:45:29Z","tags":[],"pid":9410,"method":"post","statusCode":500,"req":{"url":"/_opendistro/_security/saml/acs/idpinitiated","method":"post","headers":{"host":"10.10.10.115","connection":"keep-alive","content-length":"6575","cache-control":"max-age=0","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","upgrade-insecure-requests":"1","origin":"https://naboo.galaxy.com","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"cross-site","sec-fetch-mode":"navigate","sec-fetch-dest":"document","referer":"https://naboo.galaxy.com/","accept-encoding":"gzip, deflate, br","accept-language":"en"},"remoteAddress":"192.168.0.171","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://naboo.galaxy.com/"},"res":{"statusCode":500,"responseTime":43,"contentLength":9},"message":"POST /_opendistro/_security/saml/acs/idpinitiated 500 43ms - 9.0B"}
Dec 06 13:45:29 wazuh-server opensearch-dashboards[9410]: {"type":"response","@timestamp":"2022-12-06T13:45:29Z","tags":[],"pid":9410,"method":"get","statusCode":401,"req":{"url":"/favicon.ico","method":"get","headers":{"host":"10.10.10.115","connection":"keep-alive","sec-ch-ua":"\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","sec-ch-ua-platform":"\"Windows\"","accept":"image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8","sec-fetch-site":"same-origin","sec-fetch-mode":"no-cors","sec-fetch-dest":"image","referer":"https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated","accept-encoding":"gzip, deflate, br","accept-language":"en"},"remoteAddress":"192.168.0.171","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36","referer":"https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /favicon.ico 401 2ms - 9.0B"}

In OpenSearch I see these errors:

[2022-12-06T12:15:13,359][WARN ][o.o.s.h.HTTPBasicAuthenticator] [node-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2022-12-06T13:45:29,453][WARN ][o.o.s.h.HTTPBasicAuthenticator] [node-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

The metadata file is being loaded correctly:

[2022-12-06T12:14:26,400][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [node-1] Metadata Resolver SamlFilesystemMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_3: Next refresh cycle for metadata provider '/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/FederationMetadata.xml' will occur on '2022-12-06T15:14:26.339Z' ('2022-12-06T15:14:26.339Z' local time)

I am following this guide and adapting it to OpenSearch configurations: Add Single Sign-On to Open Distro for Elasticsearch Kibana Using SAML and ADFS | AWS Open Source Blog

Configuration:
config.yml

---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "intern"
      saml_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: "/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/FederationMetadata.xml"
              entity_id: "http://naboo.galaxy.com/adfs/services/trust"
            sp:
              entity_id: wazuh-saml
            kibana_url: https://10.10.10.115
            roles_key: Roles
            exchange_key: 'MIIE3DCC...'
        authentication_backend:
          type: noop

ADFS Configuration
[screenshots]

Log on sequence



SAML Response

POST https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated HTTP/1.1
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://naboo.galaxy.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://naboo.galaxy.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en

HTTP/1.1 500 Internal Server Error
keep-alive: timeout=120
osd-name: wazuh-server
x-frame-options: sameorigin
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
content-length: 77
Date: Tue, 06 Dec 2022 13:45:29 GMT
Connection: keep-alive

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_52a3884b-5220-4d0e-903e-f9ec5071e20d"
                Version="2.0"
                IssueInstant="2022-12-06T13:45:36.702Z"
                Destination="https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://naboo.galaxy.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
               ID="_ac93c441-395e-43fa-b02b-b61a90bbf86d"
               IssueInstant="2022-12-06T13:45:36.702Z"
               Version="2.0"
               >
        <Issuer>http://naboo.galaxy.com/adfs/services/trust</Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#_ac93c441-395e-43fa-b02b-b61a90bbf86d">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>+f41zM7F3e7He4njf/alKxKfDWnRiMQslcBGatXXWOk=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>qgKay...</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>MIIE3DCC...</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </ds:Signature>
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">GALAXY\dariommr</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2022-12-06T13:50:36.702Z"
                                         Recipient="https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated"
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2022-12-06T13:45:36.593Z"
                    NotOnOrAfter="2022-12-06T14:45:36.593Z"
                    >
            <AudienceRestriction>
                <Audience>wazuh-saml</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="Roles">
                <AttributeValue>Domain Users</AttributeValue>
                <AttributeValue>Jedis</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2022-12-06T13:45:36.546Z"
                        SessionIndex="_ac93c441-395e-43fa-b02b-b61a90bbf86d"
                        >
            <AuthnContext>
                <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>

Please let me know if there is something I have to change, because it seems to be ok, but it is not working.
Thank you in advance!
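To check a response like the one above against the SP side of config.yml, here is an added Python example (not code from the post, from OpenSearch or from Wazuh). It uses only the standard library, embeds a constructed copy of the response with the signature material replaced by placeholders, and compares the fields the SAML authenticator keys on: the Response and Assertion Issuer against idp.entity_id, Audience against sp.entity_id, Recipient against kibana_url, the NotBefore/NotOnOrAfter windows, the NameID, and the attribute named by roles_key. Signature presence is reported but not cryptographically verified; SP_CONFIG and check_response are this example's own names.

```python
"""Sanity-check an ADFS SAML Response against OpenSearch Security SP settings.

Added example; parses with the standard library only. The ds:Signature is
checked for presence, not verified (that needs an XML-DSig library).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SP-side values copied from the config.yml in the post.
SP_CONFIG = {
    "idp_entity_id": "http://naboo.galaxy.com/adfs/services/trust",
    "sp_entity_id": "wazuh-saml",
    "kibana_url": "https://10.10.10.115",
    "roles_key": "Roles",
}

# Constructed sample modelled on the response in the post; signature values are placeholders.
SAMPLE_RESPONSE = r"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_52a3884b" Version="2.0"
    IssueInstant="2022-12-06T13:45:36.702Z" Destination="https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://naboo.galaxy.com/adfs/services/trust</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ac93c441" Version="2.0" IssueInstant="2022-12-06T13:45:36.702Z">
    <Issuer>http://naboo.galaxy.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">GALAXY\dariommr</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2022-12-06T13:50:36.702Z" Recipient="https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2022-12-06T13:45:36.593Z" NotOnOrAfter="2022-12-06T14:45:36.593Z">
      <AudienceRestriction><Audience>wazuh-saml</Audience></AudienceRestriction>
    </Conditions>
    <AttributeStatement>
      <Attribute Name="Roles"><AttributeValue>Domain Users</AttributeValue><AttributeValue>Jedis</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""

# Two evaluation instants: inside the assertion's window, and after it has lapsed.
AT_ISSUE_TIME = datetime(2022, 12, 6, 13, 46, tzinfo=timezone.utc)
ONE_HOUR_LATER = datetime(2022, 12, 6, 14, 46, tzinfo=timezone.utc)


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z and an optional fraction."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAML timestamp: {value!r}")


def check_response(xml_text, cfg, now):
    """Return the subject, its roles and a list of findings (empty means consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("response status is not Success")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["idp_entity_id"]:
        findings.append(f"issuer {issuer!r} != idp.entity_id")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion found (encrypted or missing)")
        return {"name_id": None, "roles": [], "findings": findings}
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions element")
    else:
        audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if audience != cfg["sp_entity_id"]:
            findings.append(f"audience {audience!r} != sp.entity_id {cfg['sp_entity_id']!r}")
        if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
            findings.append("assertion validity window does not contain the current time")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        recipient = scd.get("Recipient", "")
        if not recipient.startswith(cfg["kibana_url"].rstrip("/") + "/"):
            findings.append(f"recipient {recipient!r} is not under kibana_url")
        if now >= parse_ts(scd.get("NotOnOrAfter")):
            findings.append("bearer SubjectConfirmationData has expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id and "\\" in name_id:
        findings.append(f"NameID {name_id!r} is a DOMAIN\\user account name; a UPN is safer for the SP")
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{cfg['roles_key']}']/saml:AttributeValue"
    roles = [v.text for v in assertion.findall(path, NS)]
    if not roles:
        findings.append(f"no attribute named roles_key={cfg['roles_key']!r} in the assertion")
    return {"name_id": name_id, "roles": roles, "findings": findings}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, SP_CONFIG, AT_ISSUE_TIME)
    print(result["name_id"], result["roles"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the embedded sample at AT_ISSUE_TIME it reports a single finding, the DOMAIN\user NameID; change sp_entity_id or evaluate at ONE_HOUR_LATER and the audience or time-window findings appear, which is the quick way to tell a configuration mismatch from a clock or replay problem.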

@Lord_Zetas 10.10.10.115 is your OpenSearch Dashboards or reverse proxy?

Could you share OpenSearch logs?

Could you remove https://10.10.10.115/_opendistro/_security/saml/acs/idpinitiated?
You should have only https://10.10.10.115/_opendistro/_security/saml/acs.

Hello @pablo
I already tried without the /idpinitiated in the URL.
Yes, 10.10.10.115 is the OpenSearch Dashboards IP, and it is working on port 443.
This is the only line logged when the authentication is made:

[2022-12-06T15:24:33,694][WARN ][o.o.s.h.HTTPBasicAuthenticator] [node-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

Thank you for your help.

This is my opensearch_dashboards.yml file:

server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
opensearch_security.cookie.secure: true

opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated", "/_plugins/_security/api/authtoken"]

@Lord_Zetas I’ve reproduced your issue. Just noticed you’re using OpenSearch 1.2.
I’ve tested with 1.3, 2.3 and 2.4. The reported issue seems to be gone there.

Is there any reason why you’re running such an old version of OS?

Hello @pablo
That is the version compatible with the Wazuh App plugin. We need to run that version until the new Wazuh Version can support OpenSearch 2.x.

On the other hand, are my configurations correct? Do you see any misplaced configuration?

@Lord_Zetas I think I’ve found the solution/workaround for you. It was in the original case.

It looks like the OS 1.2 doesn’t like the subject from the JWT token.
In my example, it is “PABLO\ldapuser1”.

[screenshot]

This is caused by the incoming claim type in the transform rule.

I’ve changed that to UPN and then it worked.

[screenshot]

Just a small note about SAML in 2.x. In version 2.1, SAML authentication is broken, so either choose 2.0 or 2.2+. I always suggest the latest version for an upgrade.
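The Dashboards log in the first post reports "SyntaxError: Unexpected token d in JSON at position 51" while the NameID is GALAXY\dariommr. One explanation consistent with both facts, assumed here rather than confirmed by the thread, is that the backslash-d of the subject reached a JSON document unescaped: `\d` is not a valid JSON escape, and JSON.parse rejects it at the `d`. The added Python example below (not code from the post or from OpenSearch; naive_payload, safe_payload and classify_name_id are its own names, and the UPN value is constructed) contrasts an unsafe string-built payload with a proper serializer and shows why a UPN, which carries no backslash, sidesteps the problem even on the unsafe path.

```python
r"""Why a DOMAIN\user NameID can break a naive JSON consumer, and why a UPN does not.

Added example. The "naive" builder stands in for any component that pastes the
SAML subject into JSON text without escaping; this is an assumed mechanism for
the log line in the thread, not a confirmed reading of OpenSearch 1.2 code.
"""
import json

WINDOWS_ACCOUNT_NAME = "GALAXY\\dariommr"   # NameID exactly as seen in the post
UPN = "dariommr@galaxy.com"                  # constructed UPN-style equivalent
ROLES = ["Domain Users", "Jedis"]


def naive_payload(subject, roles):
    """Hypothetical buggy builder: interpolates the subject verbatim into JSON text."""
    return '{"sub": "%s", "roles": %s}' % (subject, json.dumps(roles))


def safe_payload(subject, roles):
    """Correct builder: json.dumps escapes the backslash, so the text round-trips."""
    return json.dumps({"sub": subject, "roles": roles})


def try_parse(text):
    """Parse like a consumer would: (object, None) on success, (None, error) on failure."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        # exc.pos is the offset the decoder objected at, analogous to Node's "position N".
        return None, f"{exc.msg} at position {exc.pos}"


def classify_name_id(name_id):
    """Pre-flight classification of the IdP subject format before it reaches the SP."""
    if "\\" in name_id:
        return "windows-account-name"
    if "@" in name_id:
        return "upn-or-email"
    return "other"


if __name__ == "__main__":
    for subject in (WINDOWS_ACCOUNT_NAME, UPN):
        print(subject, "->", classify_name_id(subject))
        print("  naive:", try_parse(naive_payload(subject, ROLES)))
        print("  safe: ", try_parse(safe_payload(subject, ROLES)))
```

The naive path fails only for the Windows account name, which matches the workaround in the thread (switch the claim to UPN); the safe path accepts both, which is the fix a consumer should actually carry.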

Hello @pablo
Just to confirm, I tested this with OpenSearch 2.3 and it worked like a charm.
I installed OpenSearch 1.2 again and, using the User Principal Name (UPN) instead of the Windows Account Name, it is working. I installed OpenSearch 1.2 again because I had tried the UPN before and got the same result. Not this time.
This time it is working, thank you Pablo!

Just one more thing: how can I configure this to make it work when the login is made through the IDP (IDP-initiated login)?

@Lord_Zetas I’m not an expert in ADFS. However, I’ve got it working by adding the second SAML Assertion Consumer Endpoint as you had in your config.

[screenshot]

Your config.
[screenshot]

The only difference I’ve found is that IDP-initiated sign-on doesn’t redirect to your custom /app/wazuh.