wazuh / wazuh-dashboard

Wazuh dashboard, the Wazuh UI platform
https://wazuh.com
Apache License 2.0

[BUG] After upgrade from 4.8.2 to 4.9.0-2 on Debian 12 Google SAML integration stops working with "internal server error" and "Failed to get saml header" #302

Closed awmol closed 1 week ago

awmol commented 1 week ago

After upgrade from 4.8.2 to 4.9.0-2 on Debian 12 Google SAML integration stops working with "internal server error" and "Failed to get saml header"

Steps to reproduce the behavior:

Upgrade wazuh-dashboard 4.9.0-2 (from 4.8.2) on Debian 12
Choose "single sign-on" login (multiple auth activated, basicauth works without issues)
Instead of redirect to SAML IDP we immediately get a {"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

Wazuh dashboard logs show:

2024-09-10T11:05:18.878159+02:00 wazuhdash01 opensearch-dashboards[2079]: {"type":"log","@timestamp":"2024-09-10T09:05:18Z","tags":["error","plugins","securityDashboards"],"pid":2079,"message":"Failed to get saml header: Authentication Exception :: {\"path\":\"/_plugins/_security/authinfo\",\"query\":{},\"statusCode\":401,\"response\":\"Authentication finally failed\"}"}

2024-09-10T11:05:18.881592+02:00 wazuhdash01 opensearch-dashboards[2079]: {"type":"error","@timestamp":"2024-09-10T09:05:18Z","tags":[],"pid":2079,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:127:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:83:19)\n at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:79:17)\n at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:175:34)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at handler (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:140:50)\n at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)\n at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)\n at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://wazuhdash.domain.com/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}

Tried to redo everything at https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/google.html again, but it makes no difference.

There were no issues at all with the SAML integration when using Wazuh 4.8.2.

Expected behavior: Expected redirect to SAML IDP to get a ticket to POST at ACS url, but it never gets that far.

OpenSearch Version: Using Wazuh 4.9.0-2 indexers

Dashboards Version: 4.9.0-2

Plugins: Out of the box

Host/Environment (please complete the following information):

asteriscos commented 1 week ago

Hi @awmol could you please provide the /etc/wazuh-indexer/opensearch-security/config.yml file obfuscating all sensitive information? It would also be useful to know if you have any backup of the mentioned file to compare both of them.

zeddD1abl0 commented 1 week ago

I don't want to steal this issue, but I am having this issue, and on the Wazuh Indexer, during reboot:

```
[2024-09-11T10:37:40,728][ERROR][c.a.d.a.h.s.HTTPSamlAuthenticator] [wazuh-index] Error creating HTTPSamlAuthenticator. SAML authentication will not work java.lang.IllegalArgumentException: Illegal base64 character 20 at java.base/java.util.Base64$Decoder.decode0(Base64.java:852) ~[?:?] at java.base/java.util.Base64$Decoder.decode(Base64.java:570) ~[?:?] at java.base/java.util.Base64$Decoder.decode(Base64.java:593) ~[?:?] at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwkFromSettings(AuthTokenProcessorHandler.java:245) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.(AuthTokenProcessorHandler.java:113) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.(HTTPSamlAuthenticator.java:148) [opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigModelV7.lambda$newInstance$1(DynamicConfigModelV7.java:426) [opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/java.security.AccessController.doPrivileged(AccessController.java:319) [?:?]
at org.opensearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:424) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:323) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigModelV7.(DynamicConfigModelV7.java:101) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:285) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:430) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:419) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:402) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.initalizeClusterConfiguration(ConfigurationRepository.java:227) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.lambda$initOnNodeStart$0(ConfigurationRepository.java:318) [opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]

[2024-09-11T10:37:40,736][WARN ][o.o.s.s.ReflectionHelper ] [wazuh-index] Unable to enable 'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to java.lang.reflect.InvocationTargetException

[2024-09-11T10:37:40,739][ERROR][o.o.s.s.DynamicConfigModelV7] [wazuh-index] Unable to initialize auth domain saml_auth_domain=AuthcDomain [http_enabled=true, order=1, http_authenticator=HttpAuthenticator [challenge=true, type=saml, config={idp={configuration details, authentication_backend=AuthcBackend [type=noop, config={}], description=null] due to OpenSearchException[java.lang.reflect.InvocationTargetException]; nested: InvocationTargetException; nested: RuntimeException[java.lang.IllegalArgumentException: Illegal base64 character 20]; nested: IllegalArgumentException[Illegal base64 character 20]; org.opensearch.OpenSearchException: java.lang.reflect.InvocationTargetException at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:73) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigModelV7.lambda$newInstance$1(DynamicConfigModelV7.java:426) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/java.security.AccessController.doPrivileged(AccessController.java:319) ~[?:?]
at org.opensearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:424) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:323) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigModelV7.(DynamicConfigModelV7.java:101) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:285) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:430) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:419) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:402) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.initalizeClusterConfiguration(ConfigurationRepository.java:227) [opensearch-security-2.13.0.0.jar:2.13.0.0] at org.opensearch.security.configuration.ConfigurationRepository.lambda$initOnNodeStart$0(ConfigurationRepository.java:318) [opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/java.lang.Thread.run(Thread.java:1583) [?:?] Caused by: java.lang.reflect.InvocationTargetException at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:74) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] ...
12 more Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: Illegal base64 character 20 at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.(HTTPSamlAuthenticator.java:154) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] ... 12 more Caused by: java.lang.IllegalArgumentException: Illegal base64 character 20 at java.base/java.util.Base64$Decoder.decode0(Base64.java:852) ~[?:?] at java.base/java.util.Base64$Decoder.decode(Base64.java:570) ~[?:?] at java.base/java.util.Base64$Decoder.decode(Base64.java:593) ~[?:?] at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.createJwkFromSettings(AuthTokenProcessorHandler.java:245) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.(AuthTokenProcessorHandler.java:113) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.(HTTPSamlAuthenticator.java:148) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?] at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?] at org.opensearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:62) ~[opensearch-security-2.13.0.0.jar:2.13.0.0] ... 12 more
```

Key point being: Unable to enable 'com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator' due to java.lang.reflect.InvocationTargetException

zeddD1abl0 commented 1 week ago

Oh yeah, I should add, this comes from the "wazuh-cluster.log" file, which lives on the Wazuh Indexer node.

awmol commented 1 week ago

config.yml.txt config.yml.original.txt

Had to change the file type to txt, and obfuscated the FQDNs and the key even though they are not really sensitive. Not sure what you mean by a backup, like the original config.yml before I edited it? That should just be the out-of-the-box config.yml, I guess; I've uploaded that one as well. I did not get an option to overwrite config.yml when upgrading the indexer to 4.9.0-2, and there is no config.yml.dpkg-dist.

awmol commented 1 week ago

I'm also noticing similar errors as zeddD1abl0, but "Illegal base64 character 2f" instead of "character 20" errors in the indexer log files. I have validated the x509 certificate string and it is valid base64, so something else is going on.

2f in ASCII is a forward slash; 20 in ASCII is a space.

awmol commented 1 week ago

I just noticed that in https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/google.html for 4.9 it says:

Generate a 64-character long random key using the following command: `openssl rand -hex 32`. The output will be used as the `exchange_key` in the /etc/wazuh-indexer/opensearch-security/config.yml file.

But in 4.8 it says to use the x509 certificate from the metadata file. By generating a random key instead everything works fine again. Not sure what that exchange_key is actually used for.
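Added example, not part of this thread and not code from the Wazuh or OpenSearch projects: a small Python checker an administrator can run over a config.yml before restarting the indexer. It pulls out every single-line `exchange_key` value, reports the first character a Base64 decoder would reject in the same hex form the indexer log uses ("Illegal base64 character 20"), and produces a replacement key in the shape of `openssl rand -hex 32`. It assumes the decoder in play is the URL-safe Base64 variant (RFC 4648 section 5); that is an inference from the "2f" report above, since the basic alphabet accepts '/', and it is labelled as an assumption in the code. The config excerpts and the certificate-like value are constructed.

```python
import re
import secrets

# Alphabet accepted by Java's Base64.getUrlDecoder() (RFC 4648 section 5).
# ASSUMPTION: the SAML authenticator decodes exchange_key with this URL-safe
# variant; '/' being reported as illegal ("character 2f") points at it, since
# the basic alphabet would accept '/'. Whitespace (0x20, newlines) is illegal
# in both variants, which is what a pasted certificate string trips over.
_URLSAFE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def first_illegal_char(value: str):
    """Return (offset, two-digit hex code) of the first character a URL-safe
    Base64 decoder would reject, or None if every character is acceptable.
    Trailing '=' padding is tolerated; '=' anywhere else is rejected."""
    body = value.rstrip("=")
    for offset, ch in enumerate(body):
        if ch not in _URLSAFE_ALPHABET:
            return offset, format(ord(ch), "02x")
    return None


def check_exchange_key(value: str) -> dict:
    """Classify one exchange_key candidate, wording a failure the way the
    indexer log does ("Illegal base64 character 20")."""
    bad = first_illegal_char(value)
    if bad is not None:
        offset, code = bad
        return {"ok": False,
                "reason": f"Illegal base64 character {code} at offset {offset}"}
    return {"ok": True, "reason": "acceptable to the decoder", "length": len(value)}


# Matches `exchange_key: value`, with or without surrounding quotes.
_KEY_RE = re.compile(r"^\s*exchange_key:\s*['\"]?(.*?)['\"]?\s*$")


def extract_exchange_keys(config_text: str) -> list:
    """Collect every single-line exchange_key value from a config.yml text.
    A multi-line (block scalar) value would need a real YAML parser."""
    return [m.group(1) for m in map(_KEY_RE.match, config_text.splitlines()) if m]


def generate_exchange_key() -> str:
    """Same output shape as `openssl rand -hex 32`: 32 random bytes as 64
    lowercase hex characters, which is also a valid Base64 string."""
    return secrets.token_hex(32)


# Constructed excerpt in the 4.8 style: a certificate string pasted as the
# exchange_key, with a stray space inside it (placeholder, not a real cert).
SAMPLE_CONFIG_48 = """\
saml_auth_domain:
  http_authenticator:
    type: saml
    config:
      exchange_key: 'MIIDdDCCAlygAwIB PLACEHOLDER'
"""

# Constructed excerpt in the 4.9 style: a 64-character hex key (constructed value).
SAMPLE_CONFIG_49 = """\
saml_auth_domain:
  http_authenticator:
    type: saml
    config:
      exchange_key: 4f8c6c9ea6a51e2e3f6c1ba0d6a1c8ebf2c0c9bb3a7f1d5e4c2b9a8f7e6d5c4b
"""

if __name__ == "__main__":
    for label, text in (("4.8-style", SAMPLE_CONFIG_48), ("4.9-style", SAMPLE_CONFIG_49)):
        for key in extract_exchange_keys(text):
            print(label, key[:16] + "...", check_exchange_key(key))
    print("replacement key:", generate_exchange_key())
```

Running it on a real file is a matter of reading /etc/wazuh-indexer/opensearch-security/config.yml into `extract_exchange_keys`; a rejected value shows up with the same hex code the indexer log prints, so the two can be matched directly.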