Closed cwperks closed 5 months ago
[Triage] Hi @cwperks thanks for filing this issue. This seems like a good edge case to correct. Thanks for pointing this out. We can close this issue when we have a fix to let the SAML and anonymous auth features be used side by side.
Anonymous logout flow seems to be not working as expected. Here's how you can reproduce:
Upon further debugging, I found that enabling anonymous auth in config.yml without adding the flag in opensearch_dashboards.yml is causing the SAML redirect to fail with a 500 status code.
If `config.dynamic.http.anonymous_auth_enabled: false`, then SAML works fine.
TLDR; This bug is not solvable at the moment.
Reason:
In the current implementation, anonymous auth + any IdP call expect credentials to be empty in order to follow the correct path, and the current implementation skips the check over auth domains if anonymous auth is enabled. Once the for loop completes it then enters this else block to assume the anonymous user identity.
To solve this problem, we need to identify whether the request is coming as anonymous user or not. Following options were considered:
Thus, at the moment, SAML auth is broken when anonymous auth is enabled, as there is no way to identify whether the login request is coming as an anonymous user or for SAML login, since both requests are expected to have null credentials, and there is no way to fix it without a breaking change (require an identifier header, i.e. credentials, OR rewrite the backend to expect a new AuthType called anonymous).
Update: A new approach has been proposed via https://github.com/opensearch-project/security/pull/4152/ and https://github.com/opensearch-project/security-dashboards-plugin/pull/1839 where instead of modifying Anonymous auth related request we instead modify SAML login requests.
This is done by passing a parameter `?auth_request_type=saml` when fetching authinfo for SAML login. On the backend, a check is added to ensure that a login request containing this parameter in the URI is not considered an anonymous request. This would allow a SAML IdP redirect location to be passed in the www-authenticate attribute of the initial error response, to then eventually be redirected to the SAML login page. More details can be found in the associated PRs.
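The decision flow described in the two comments above (credential-less requests collapsing into the anonymous identity, and the `auth_request_type=saml` marker that lets the authinfo probe fall through to the SAML challenge) can be modelled in a few lines. This is an added Python model written for this page, not code from the security plugin; the endpoint path, the anonymous user name, the IdP URL and the WWW-Authenticate value format are assumptions for the model.

```python
from urllib.parse import parse_qs, urlparse

# Names below are assumptions for this model, not the plugin's own identifiers.
ANONYMOUS_USER = "opendistro_security_anonymous"   # assumed anonymous user name
IDP_SSO_URL = "https://idp.example.invalid/sso"    # constructed IdP redirect target
AUTHINFO = "/_plugins/_security/authinfo"          # assumed authinfo endpoint path

def is_saml_login_request(uri):
    """True when the URI carries ?auth_request_type=saml (the marker from the PRs above)."""
    params = parse_qs(urlparse(uri).query)
    return "saml" in params.get("auth_request_type", [])

def check_credentials(credentials):
    """Stand-in for the auth-domain loop; accepts one constructed basic-auth user."""
    return credentials == ("kibanaserver", "kibanaserver")

def authenticate(uri, credentials, anonymous_enabled, honour_saml_marker=True):
    """Model of the backend decision. Returns (status, body-or-headers).

    honour_saml_marker=False reproduces the behaviour before the fix: every
    credential-less request became the anonymous user whenever anonymous auth
    was enabled, so the SAML challenge could never be issued."""
    if credentials is not None:
        if check_credentials(credentials):
            return 200, {"user_name": credentials[0]}
        return 401, {"error": "bad credentials"}
    # No credentials: take the anonymous path, unless the request is marked as a SAML login.
    if anonymous_enabled and not (honour_saml_marker and is_saml_login_request(uri)):
        return 200, {"user_name": ANONYMOUS_USER}
    # Otherwise the SAML domain (challenge: true) answers with an unauthenticated
    # response whose WWW-Authenticate value tells Dashboards where to redirect.
    # The header value format is constructed for this model.
    return 401, {"WWW-Authenticate": f'X-Security-IdP location="{IDP_SSO_URL}"'}

def saml_redirect_location(response):
    """What Dashboards needs from a failed authinfo call: the IdP URL, or None."""
    status, payload = response
    if status != 401 or "WWW-Authenticate" not in payload:
        return None
    return payload["WWW-Authenticate"].split('location="', 1)[1].rstrip('"')

if __name__ == "__main__":
    # Before the fix: anonymous auth swallows the SAML login probe (200, anonymous user).
    print(authenticate(AUTHINFO + "?auth_request_type=saml", None, True, honour_saml_marker=False))
    # After the fix: the marked probe still fails and carries the redirect location.
    print(authenticate(AUTHINFO + "?auth_request_type=saml", None, True))
```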
What is the bug?
It's possible to configure OpenSearch Dashboards to use multiple sign in options, including Sign in as Anonymous and Sign in with Single Sign on (SAML).
When both SAML and Anonymous are enabled as sign in options, the SAML authentication will not work and does not redirect to the SAML IdP.
How can one reproduce the bug?
Configure OpenSearch-Dashboards to use Anonymous and SAML:
Sample opensearch_dashboards.yml
```yml
opensearch_security.auth.type: ["basicauth", "saml"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.anonymous_auth_enabled: true
opensearch.hosts: [https://host.docker.internal:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
# opensearch_security.multitenancy.enabled: true
# opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false
server.host: '0.0.0.0'
```
Configure OpenSearch with SAML and anonymous enabled.
Sample config/opensearch-security/config.yml
```yml
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    kibana:
      # Kibana multitenancy
      #multitenancy_enabled: true
      #server_username: kibanaserver
      #index: '.kibana'
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              entity_id: http://localhost:8080/simplesaml/saml2/idp/metadata.php
              metadata_file: "/path/to/metadata"
              # metadata_url:
```
What is the expected behavior?
SAML and Login with Anonymous
Do you have any screenshots?
Do you have any additional context?
The fundamental problem is that Login with SAML relies on the authinfo request failing here. The unauthenticated response includes the information that tells Dashboards how to redirect to the SAML IdP.
For example:
When anonymous is enabled, this request does not fail and dashboards never redirects.
On inspection, another endpoint, `_plugins/security/api/authtoken`, may also need a special carve out when anonymous is enabled on the backend.