opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
70 stars, 151 forks

[BUG] Default Route not applying with SAML #2081

Open kclinden opened 1 month ago

kclinden commented 1 month ago

I have OpenSearch Dashboards configured to go to /app/wazuh, which works with Internal User logins, but when using SAML, users are directed to /app/home.

SAML Users not directed to default route

To Reproduce

Steps to reproduce the behavior:

  1. Configure Default Route
  2. Configure SAML
  3. Login to OS Dashboards

Expected behavior

All users are redirected to the default route.

OpenSearch Version

Version: 2.8.0, Build: rpm/db90a415ff2fd428b4f7b3f800a51dc229287cb4/2023-06-03T06:24:25.112415503Z, JVM: 17.0.7

Dashboards Version

OpenSearch Dashboards 2.8.0 - Revision 02

Plugins

n/a

Host/Environment (please complete the following information):

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
SUPPORT_END="2025-06-30"

Configuration

uiSettings.overrides.defaultRoute: "/app/wazuh"
opensearch_security.auth.type: ["basicauth","saml"]
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]

Google Chrome Dev Tools: Request Headers

:authority: <url>
:method: POST
:path: /_opendistro/_security/saml/acs/idpinitiated

Response Headers

location: /app/opensearch-dashboards

ruanyl commented 1 month ago

This might relate to the behaviour of security-dashboards-plugin https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/saml/saml_auth.ts#L64

kclinden commented 1 month ago

> This might relate to the behaviour of security-dashboards-plugin https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/saml/saml_auth.ts#L64

That looks to be exactly the issue.

kavilla commented 1 month ago

@opensearch-project/admin can we redirect this to security dashboards plugin repo?

stephen-crawford commented 1 month ago

[Triage] Hi @kclinden, thank you for filing this issue. It looks like this issue is similar to some previous work done supporting OIDC: https://github.com/opensearch-project/security-dashboards-plugin/pull/1899. I will go ahead and mark this as triaged and encourage you to replicate the change I linked for SAML to see the fastest support of this use case.

kclinden commented 1 month ago

There are a lot of changes there, and since Wazuh manages the configuration, I am going to create a ticket in their project for now.