Unable to configure SAML using IDP_Metadata File

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch/Dashboards - 2.5.0

Describe the issue:
I have been trying to configure SAML auth using the IDP file provided by my organization. It has been going on for a long time and I have not yet succeeded with it. Need your help to fix the issue.

Configuration:
OpenSearch SAML Config -

saml_auth_domain:
  description: "SAML Auth"
  http_enabled: true
  transport_enabled: false
  order: 2
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        # IdP metadata file; its entityID must match entity_id below
        metadata_file: /usr/share/opensearch/config/idp-elk-r2.xml
        entity_id: "Dell.UAT.SAML2.0"
      sp:
        entity_id: "https://elk-r2.dell.com"
        acs: "https://elk-r2.dell.com/_plugins/_security/saml/acs"
        #logout: https://elk-r2.dell.com/_plugins/_security/saml/logout
      # public URL of Dashboards as seen by the browser (via the nginx proxy)
      kibana_url: "https://elk-r2.dell.com"
      subject_key: UserID
      roles_key: Role
      # key used to sign/encrypt the token exchange between Dashboards and OpenSearch
      exchange_key: "32alphanumeric"
  authentication_backend:
    type: noop

Note - I have tried the acs option with both _opendistro/ and _plugins/; neither seems to work.

OpenSearch Dashboards Config

server.name: xxxxx
opensearch.hosts: ["https://xxxxx:9200", "https://xxxxxx:9200", "https://xxxxx:9200"]
# TLS certificate checks towards the OpenSearch nodes are disabled
opensearch.ssl.verificationMode: none
opensearch.username: xxxxx
opensearch.password: xxxxx
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
opensearch_security.multitenancy.enable_filter: false

# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
opensearch_security.auth.type: "saml"
# SAML endpoints that must be exempt from the XSRF check (both path prefixes listed)
server.xsrf.allowlist: [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]

Relevant Logs or Screenshots:

The error from OpenSearch Dashboards -

Please help me fix this issue.

Thanks for helping me.

Regards,
Debashis

@dmallick19 Does your IDP use self-signed certs? If yes, try to add the cert to config.yml.
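As an added example (not part of the thread), a small stdlib-only check of what the security plugin reads from an IdP metadata file such as the idp-elk-r2.xml referenced in the first post: the entityID it must match against idp.entity_id, the SSO endpoints, and whether a signing certificate is present at all (the point behind the self-signed-cert question above). The metadata document below is constructed for the example; the entityID and URLs are made up.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata shaped like the idp-elk-r2.xml file in the
# thread; the entityID mirrors the configured idp.entity_id, URLs are made up.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="Dell.UAT.SAML2.0">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...base64-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text, expected_entity_id):
    """Return the values the plugin uses plus a list of findings (empty = consistent)."""
    root = ET.fromstring(xml_text)
    findings = []
    entity_id = root.get("entityID")
    # idp.entity_id in config.yml must equal the metadata entityID exactly (no stray spaces).
    if entity_id != expected_entity_id:
        findings.append(f"entity_id mismatch: config={expected_entity_id!r} metadata={entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no IDPSSODescriptor: this is SP metadata or not SAML metadata")
        return {"entity_id": entity_id, "sso": {}, "signing_certs": 0, "findings": findings}
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        sso[binding] = svc.get("Location")
        if not (svc.get("Location") or "").startswith("https://"):
            findings.append(f"{binding} SSO endpoint is not https: {svc.get('Location')}")
    if "HTTP-Redirect" not in sso:
        findings.append("no HTTP-Redirect SingleSignOnService: the plugin initiates SSO with that binding")
    # A KeyDescriptor without a use attribute serves both signing and encryption.
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing") and k.find(".//ds:X509Certificate", NS) is not None]
    if not certs:
        findings.append("no signing certificate: the plugin cannot verify the IdP response signature")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": len(certs), "findings": findings}
```

Run it against the real metadata_file with the entity_id from config.yml; a non-empty findings list points at the mismatch before touching the proxy or cookie settings.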

Hi @pablo,

I don't think we are using SSL certs for the IDP, but I have it handy, so I used it and got the same error.

Feb 13 05:44:56 elknlr2cr2kb01.us.dell.com opensearch-dashboards[109940]: {"type":"log","@timestamp":"2023-02-13T11:44:56Z","tags":["error","plugins","securityDashboards"],"pid":109940,"message":"Failed to get saml header: Authentication Exception :: {"path":"/_plugins/_security/authinfo","query":{},"statusCode":401,"response":"Authentication finally failed"}"}
Feb 13 05:44:56 elknlr2cr2kb01.us.dell.com opensearch-dashboards[109940]: {"type":"error","@timestamp":"2023-02-13T11:44:56Z","tags":,"pid":109940,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/apps/data/usr_share_opensearch-dashboards/src/core/server/http/router/response_adapter.js:143:19)\n at HapiResponseAdapter.toHapiResponse (/apps/data/usr_share_opensearch-dashboards/src/core/server/http/router/response_adapter.js:97:19)\n at HapiResponseAdapter.handle (/apps/data/usr_share_opensearch-dashboards/src/core/server/http/router/response_adapter.js:92:17)\n at Router.handle (/apps/data/usr_share_opensearch-dashboards/src/core/server/http/router/router.js:164:34)\n at runMicrotasks ()\n at processTicksAndRejections (internal/process/task_queues.js:95:5)\n at handler (/apps/data/usr_share_opensearch-dashboards/src/core/server/http/router/router.js:124:50)\n at exports.Manager.execute (/apps/data/usr_share_opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/apps/data/usr_share_opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/apps/data/usr_share_opensearch-dashboards/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/apps/data/usr_share_opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/apps/data/usr_share_opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"http://elk-r2.dell.com/auth/saml/login?nextUrl=%2Fkibana%2F&redirectHash=false","message":"Internal Server Error"}

Regards,
Debashis

@dmallick19 Where did you find this option?

acs: "https://elk-r2.dell.com/_plugins/_security/saml/acs"

Can’t find it in the documentation. Please take a look at the configuration example.

Also, OpenSearch uses _opendistro/_security/saml/acs instead of _plugins/_security/saml/acs

Hi @pablo ,

I am not using the acs option any more. I have tried using _opendistro/_security?saml/acs and also tried configuring SAML using both Okta and Dell SAML, and it seems like it is failing at request_id by cookies. Kindly help me fix this issue.

Thanks & Regards,
Debashis

Check the indentation in your config file; everything does not come left-aligned. Check the SAML documentation and arrange everything according to the spacing there.

Hi @rhtbansal,

The given config in this thread was just a copy-paste of the original config, where the indentations are properly aligned. And no error was found while running securityadmin.sh.

Thanks,
Debashis

@dmallick19 Did you check the logs in your reverse proxy? Do you pass a full response from the IDP to OpenSearch? What is your reverse proxy? Have you tried to bypass it just for testing?

Hi @pablo ,

We are using nginx as the reverse proxy on the OpenSearch Dashboards server, with SSL enabled on that same server.

Thanks,
Debashis

@dmallick19 Do you use HTTP or HTTPS between nginx and OpenSearch Dashboards?

Hi @pablo ,

There is actually SSL between nginx and OpenSearch Dashboards. Nginx is running on port 443 and OpenSearch Dashboards is running on http://localhost:5601.

Thanks,
Debashis

@dmallick19 Would there be any chance to see the nginx config file?

Hi @pablo ,

Please find the nginx configuration below -

server {
    listen 443;
    # server_name takes space-separated names; the comma in the pasted config
    # would have made "elk-r2.dell.com," a literal (non-matching) name
    server_name elk-r2.dell.com xxxx.us.dell.com;

    ssl_certificate           /etc/nginx/elk-r2.pem;
    ssl_certificate_key       /etc/nginx/elk-r2.key;

    # legacy form of "listen 443 ssl;" (ssl on is deprecated in newer nginx)
    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log  /var/log/nginx/access.log  main;

    location ~ ^/(.*)$ {
        # strip the /kibana prefix before handing the request to Dashboards
        rewrite /kibana/(.*) /$1 break;
        # TLS terminates here; Dashboards is reached over plain HTTP
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        # only the Host header is forwarded; no X-Forwarded-Proto/X-Forwarded-For is set
        proxy_set_header host $host;
        proxy_cache_bypass $http_upgrade;
    }
}