Unable to Enable Dual Authentication (SAML + Basic) in AWS OpenSearch Managed Service

Hello OpenSearch Community,

I am currently working with an AWS-managed OpenSearch domain and have SAML authentication enabled for users. However, I am looking to enable dual authentication (SAML and basic auth) to facilitate admin testing using internal user accounts alongside SAML Single Sign-On (SSO).

Additionally, I need to be able to access OpenSearch Dashboards in a browser’s incognito mode or through another mechanism to bypass SAML and log in directly using admin credentials for troubleshooting and testing purposes—without disabling SAML in the security configuration.

I understand that enabling dual authentication typically involves updating the configuration with a payload like the one below:

{
  "authc": {
    "basic_internal_auth_domain": {
      "http_enabled": true,
      "order": 0,
      "transport_enabled": true,
      "authentication_backend": {
        "type": "intern"
      }
    },
    "saml_auth_domain": {
      "http_enabled": true,
      "order": 1,
      "transport_enabled": true,
      "authentication_backend": {
        "type": "noop"
      }
    }
  }
}

However, when I try to make the required changes via the _plugins/_security/api/securityconfig endpoint using the Dev Tools console, I receive the following error message:

Your request /_plugins/_security/api/securityconfig is not allowed.

I am logged in with an SSO account that has security_manager and all_access roles, which should grant high-level permissions. On inspecting the security_manager role, I noticed it has no explicit cluster_permissions defined.

This raises a few questions:

  1. Is the /securityconfig API restricted in AWS OpenSearch, even for users with admin roles?
  2. If restricted, is there any supported way to enable dual authentication in AWS OpenSearch managed service?
  3. Are there any recommended workarounds for temporarily bypassing SAML (e.g., using incognito mode) to log in as an admin for testing and troubleshooting purposes—without disabling SAML in the security configuration?

I would appreciate any guidance or best practices on addressing this issue, particularly for environments using AWS’s managed service.

Thank you in advance for your help!

I found a doc that looks relevant to what I need:
Configuring Dashboards sign-in for multiple authentication
Configuring sign-in options - OpenSearch Documentation

As we do not have access to the opensearch_dashboards.yml file, since we are using the AWS service instead, we are not sure how we can apply the below to my config file:
opensearch_security.auth.type: ["basicauth", "saml"]
opensearch_security.auth.multiple_auth_enabled: true