Hello pablo,
Why do you say that "server.xsrf.allowlist are incorrect"? Yes, looking at the SAML configuration instructions it says that it should start with "/_opendistro/", but the troubleshooting guide as well as the bug below:
GitHub issue (opened 07:24PM - 05 Oct 21 UTC, labels: bug, triaged):
**Describe the bug**
Opensearch-Desktop does not operate as expected using saml authentication. It is still referring to the _opendistro endpoint instead of the _plugins endpoint.
The documentation [link](https://opensearch.org/docs/security-plugin/configuration/saml/#opensearch-dashboards-configuration) explains to use the /_plugins/_security/saml/acs endpoint to whitelist / configure sp metadata in the idp. This does not work at the moment. Dashboards produces a saml request using opendistro endpoints instead: `https://dashboards.domain.com/_plugins/_security/saml/acs`
This causes a browser error:
```json
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Request must contain a osd-xsrf header."
}
```
The idp logs an error since the opendistro endpoint does not exist in its configuration:
`auth request:AssertionConsumerServiceURL="https://dashboards.domain.com/_opendistro/_security/saml/acs"`
However, configuring everything the opendistro way somewhat works. It causes 401 errors when trying to refresh the cookie at times but initial authentication works.
**To Reproduce**
Migrate from latest opendistro to opensearch 1.0.1 (In this case using the official docker containers).
Configure saml integration as per new plugin documentation.
Check saml assertion in browser using the "SAML message decoder" extension.
Notice that it refers to the _opendistro endpoint and not the _plugins endpoint.
**Expected behavior**
SAML to use the /_plugins/_security/saml/acs endpoint instead of the /_opendistro/_security/saml/acs one as described in the documentation.
**OpenSearch Version**
docker 1.0.1
**Dashboards Version**
docker 1.0.1
**Plugins**
as per docker 1.0.1
Please list all plugins currently enabled.
default docker setup
**Host/Environment (please complete the following information):**
- OS: docker image
- Browser and version: Chrome 94
**Additional context**
We have a discussion in the forum about this and saml related issues
[https://discuss.opendistrocommunity.dev/t/saml-cookie-refresh-sso-redirect-issue-worked-before-upgrade](https://discuss.opendistrocommunity.dev/t/saml-cookie-refresh-sso-redirect-issue-worked-before-upgrade)
The endpoint changed from /_opendistro/ to /_plugins/, therefore it seems to be a miss in the documentation… I can add them both of course, but I need to know which one is the correct one, as I need to configure that on the Azure side as well.
The exchange_key right now is a 64-character-long string.
I will try a different roles_key as you suggest; the one I use is based on the following two links
Hello,
I believe your issue is in roles_key.
Since you are using Azure app registration as IDP, try adding http://schemas.microsoft.com/ws/2008/06/identity/claims/role as the value of roles_key and re-deploy to see if that works. Don't forget to run securityadmin.sh.
The issue basically could be that no roles are fetched from the SAML assertion; if you debug the SAML request you can see what is sent from Azure.
Please redeploy opensearch and opensearch-dashboards.
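To make the two pieces of advice in this thread concrete (allowlisting both the old /_opendistro/ and the new /_plugins/ SAML paths on the Dashboards side, and pointing roles_key at the Azure role claim on the security-plugin side), here is an added configuration example; it is not from the thread or the OpenSearch docs, and the hostnames, tenant id, SP entity id and exchange_key value are placeholders you must replace.

```yaml
# opensearch_dashboards.yml (Dashboards side). Example only; hostnames are placeholders.
opensearch_security.auth.type: "saml"
# The plugin's SAML paths moved from /_opendistro/ to /_plugins/. Listing both keeps the
# XSRF check passing whichever prefix the ACS POST comes back on. The allowlist matches
# exact paths, so every SAML endpoint you rely on must appear here.
server.xsrf.allowlist:
  - "/_opendistro/_security/saml/acs"
  - "/_opendistro/_security/saml/acs/idpinitiated"
  - "/_opendistro/_security/saml/logout"
  - "/_plugins/_security/saml/acs"
  - "/_plugins/_security/saml/acs/idpinitiated"
  - "/_plugins/_security/saml/logout"
---
# config.yml (security plugin side), showing only the SAML authc domain.
config:
  dynamic:
    authc:
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              # Federation metadata of the Azure app registration (tenant id is a placeholder)
              metadata_url: "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/federationmetadata/2007-06/federationmetadata.xml"
              entity_id: "https://sts.windows.net/<TENANT-ID-PLACEHOLDER>/"
            sp:
              # Must match the Identifier (Entity ID) set on the Azure enterprise application
              entity_id: "<SP-ENTITY-ID-PLACEHOLDER>"
            # Base URL the IdP redirects back to; the ACS path is appended by the plugin
            kibana_url: "https://dashboards.example.com"
            # Azure sends app roles under this claim URI, not under a plain "roles" attribute,
            # so a roles_key of "roles" yields a user with no backend roles (hence 401s later)
            roles_key: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
            # Secret that signs the token handed to Dashboards; keep it out of version control
            exchange_key: "<64-CHAR-RANDOM-SECRET-PLACEHOLDER>"
        authentication_backend:
          type: noop
```

After editing config.yml, run securityadmin.sh so the change is loaded, then restart Dashboards and decode the next SAML request in the browser to confirm the AssertionConsumerServiceURL matches the ACS entry configured on the Azure side.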
Thanks for your feedback, I'll go try.
BTW, I'm running version 2.4.0, you?