opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] SAML endpoint still using _opendistro instead of _plugins #836

Open spicycanary91 opened 2 years ago

spicycanary91 commented 2 years ago

Describe the bug

Opensearch-Desktop does not operate as expected using saml authentication. It is still referring to the _opendistro endpoint instead of the _plugins endpoint. The documentation link explains to use the /_plugins/_security/saml/acs endpoint to whitelist / configure sp metadata in the idp. This does not work at the moment. Dashboards produces a saml request using opendistro endpoints instead: https://dashboards.domain.com/_plugins/_security/saml/acs This causes a browser error: { statusCode: 400, error: "Bad Request", message: "Request must contain a osd-xsrf header." } The idp logs an error since the opendistro endpoint does not exist in its configuration: auth request:AssertionConsumerServiceURL="https://dashboards.domain.com/_opendistro/_security/saml/acs"

However, configuring everything the opendistro way somewhat works. It causes 401 errors when trying to refresh the cookie at times but initial authentication works.

To Reproduce

Migrate from latest opendistro to opensearch 1.0.1 (In this case using the official docker containers). Configure saml integration as per new plugin documentation. Check saml assertion in browser using the "SAML message decoder" extension. Notice that it refers to the _opendistro endpoint and not the _plugins endpoint.

Expected behavior

SAML to use the /_plugins/_security/saml/acs endpoint instead of the /_opendistro/_security/saml/acs one as described in the documentation.

OpenSearch Version: docker 1.0.1
Dashboards Version: docker 1.0.1
Plugins (please list all plugins currently enabled): as per docker 1.0.1, default docker setup

Host/Environment (please complete the following information):

Additional context

We have a discussion in the forum about this and saml related issues https://discuss.opendistrocommunity.dev/t/saml-cookie-refresh-sso-redirect-issue-worked-before-upgrade
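A way to see which ACS endpoint Dashboards is advertising without the browser extension mentioned above, added here as an example that is not part of the issue or of the plugin's code: take the SAMLRequest query value from the redirect to the IdP, undo the HTTP-Redirect binding encoding (base64, then raw DEFLATE) and read the AssertionConsumerServiceURL attribute of the AuthnRequest. The sample request below is constructed for the example and uses the placeholder hostname from the issue.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# The two ACS paths discussed in the issue: the documented one and the legacy one.
DOCUMENTED_ACS_PATH = "/_plugins/_security/saml/acs"
LEGACY_ACS_PATH = "/_opendistro/_security/saml/acs"


def decode_redirect_saml_request(saml_request_param: str) -> str:
    """Undo the HTTP-Redirect binding encoding: base64, then raw DEFLATE (no zlib header)."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def encode_redirect_saml_request(xml_text: str) -> str:
    """Inverse of the above; used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def acs_url_of(authn_request_xml: str) -> str:
    """Return the AssertionConsumerServiceURL attribute of a samlp:AuthnRequest."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    return root.attrib["AssertionConsumerServiceURL"]


def classify_acs(acs_url: str) -> str:
    """'documented', 'legacy' or 'unknown'. Matched by path suffix so that a base
    path in front of it (e.g. the /_dashboards prefix on Amazon OpenSearch) is tolerated."""
    path = urlparse(acs_url).path
    if path.endswith(DOCUMENTED_ACS_PATH):
        return "documented"
    if path.endswith(LEGACY_ACS_PATH):
        return "legacy"
    return "unknown"


def check_saml_request_param(saml_request_param: str) -> str:
    """One shot: SAMLRequest query value -> which ACS endpoint the SP advertised."""
    return classify_acs(acs_url_of(decode_redirect_saml_request(saml_request_param)))


# Constructed sample mirroring the request quoted in the issue (placeholder hostname).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed" Version="2.0" '
    'IssueInstant="2021-08-01T00:00:00Z" AssertionConsumerServiceURL='
    '"https://dashboards.domain.com/_opendistro/_security/saml/acs"/>' % SAMLP_NS
)
SAMPLE_SAML_REQUEST_PARAM = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)
```

Running check_saml_request_param on the constructed sample returns "legacy", which is the mismatch the issue describes; "documented" means the IdP can be configured with the documented path.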

spicycanary91 commented 2 years ago

Hello!

Just to update, this appears to be the same in 1.1.0

Thank you

thoro commented 2 years ago

Still in 1.2.0

yagosalva commented 2 years ago

Found a way to avoid this issue:

server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

You should add both endpoints to the whitelist and it will work. Though it is still a way around.

kefaaaz commented 2 years ago

@yagosalva I have both endpoints added but still seeing the issue:

server.xsrf.whitelist: ["/_plugins/_security/api/authtoken", "/_opendistro/_security/api/authtoken", "/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]

pc-jedi commented 2 years ago

Issue comes from those 3 places: https://github.com/opensearch-project/security-dashboards-plugin/blob/fe12aaaeb416352fe31bf3fdd7982c3f8de5da83/server/auth/types/saml/routes.ts#L87

https://github.com/opensearch-project/security-dashboards-plugin/blob/fe12aaaeb416352fe31bf3fdd7982c3f8de5da83/server/auth/types/saml/routes.ts#L163

https://github.com/opensearch-project/security-dashboards-plugin/blob/fe12aaaeb416352fe31bf3fdd7982c3f8de5da83/server/auth/types/saml/routes.ts#L172

I think either it should be changed in the routes.ts or the documentation needs to be adapted.

@kefaaaz You also have to then change the POST URL in your IdP to <dashboards-url>/_opendistro/_security/saml/acs.

JustinasKO commented 2 years ago

Seems like after version 2.1.0 both endpoints, /_opendistro/_security/saml/acs and /_plugins/_security/saml/acs, are not working. If using the first one as IDP acs URL I am getting: {"statusCode":404,"error":"Not Found","message":"Not Found"} - probably expected after #895. But if switching to the 2nd one, /_plugins/_security/saml/acs, I am getting {"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

Rolling back Kibana to version 2.0.1 but leaving Opensearch version: 2.1.0 helps the issue a bit as /_opendistro/_security/saml/acs starts to work again

hpkuppuraj commented 2 years ago

@JustinasKO , I am having the same issue. v2.1.0 sets the acsendpoints with /_opendistro/_security/saml/acs. Even though the team says they have updated routes.ts in the 2.1.0 to point /_plugin/_security/saml/acs. Somewhere in the code, the acsendpoints is set with _opendistro.

I have created a bug ticket here https://github.com/opensearch-project/security-dashboards-plugin/issues/1031

axl8652 commented 2 years ago

@JustinasKO, I have observed the same issue, cannot upgrade to opensearch-dashboards v2.1.0 with saml auth. Had to revert back to v2.0.1

llermaly commented 1 year ago

News on this? @axl8652 could you upgrade?

axl8652 commented 1 year ago

Yes I was able to upgrade and use saml in 2.2.0 and now it's working in 2.3.0 as well.

llermaly commented 1 year ago

Confirming version 2.3.0 works with the /_opendistro/_security/saml/acs endpoint, was expecting the _plugin one but this is fair enough

mrsiejas commented 1 year ago

Getting 401s when running 2.3 on Amazon OpenSearch for /_dashboards/_opendistro/_security/saml/acs

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

and for /_plugins/_security/saml/acs

{"Message":"Your request: '/_plugins/_security/saml/acs' is not allowed."}

shcohen2002 commented 1 year ago

Just tried _opendistro/_security/saml/acs, _opendistro/_security/saml/acs/idpinitiated using helm versions:

CHART                         APP VERSION
opensearch-2.8.0              2.4.0
opensearch-dashboards-2.6.0   2.4.0

And got the following error: {"statusCode":400,"error":"Bad Request","message":"Request must contain a osd-xsrf header."}

Trying /_plugins/_security/saml/acs, _plugins/_security/saml/acs/idpinitiated and got the following error: {"statusCode":404,"error":"Not Found","message":"Not Found"}

anubisg1 commented 1 year ago

I'm running version 2.4.0 and I am having similar problems

https://forum.opensearch.org/t/unable-to-configure-saml-with-azure-ad/11659

What's the current endpoint? The configuration guide shows /_opendistro/, troubleshooting is using /_plugins/

cwperks commented 1 year ago

@anubisg1 The route to use is /_opendistro/. Thank you for pointing out the discrepancy on the documentation website.

anubisg1 commented 1 year ago


Thanks, I changed that ... I still can't figure out why it's not working though .. I must have something wrong since I get message":"Failed to get saml header: Error: Invalid SAML configuration."} but I don't seem to be able to find what it is that is invalid

cwperks commented 1 year ago

@anubisg1 In my experience setting up SAML in docker with SimpleSAML I received that error when the kibana_url was incorrect. The other items I would check is to make sure the entity_id for the idp matches what is in the metadata.

anubisg1 commented 1 year ago


Thanks. The entity_id indeed matches (btw, why don't we just read it from the metadata instead of asking to configure it? :)

The only thing then could be the kibana_url.. this is a pod running in kubernetes behind nginx ingress... I tried both the ingress url and the internal kubernetes service url ... in both cases I had the same issue and no joy ...

Anyway, this might not be the best place for this kind of troubleshooting...