
[BUG]SAML and http authentication at the same time #1059

Closed
nomopo45 opened this issue Aug 9, 2022 · 11 comments
Labels
enhancement New feature or request triaged

Comments

nomopo45 commented Aug 9, 2022

Hello,

I managed to get my SAML working, but now I have no choice but to use SAML. I would like to be able to connect through username and password or by using SAML. Is that possible?

I'm deploying OpenSearch and Dashboards with Helm; here are the interesting values for your reference:

    data:
      config.yml: |-
        _meta:
          type: "config"
          config_version: "2"
        config:
          dynamic:
            http:
              anonymous_auth_enabled: false
            authc:
              basic_internal_auth_domain:
                description: "Authenticate via HTTP Basic against internal users database"
                http_enabled: true
                transport_enabled: true
                order: 0
                http_authenticator:
                  type: basic
                  challenge: false
                authentication_backend:
                  type: internal
              saml_auth_domain:
                order: 1
                description: "SAML provider"
                http_enabled: true
                transport_enabled: false
                http_authenticator:
                  type: saml
                  challenge: true
                  config:
                    idp:
                      metadata_file: "/usr/share/opensearch/config/opensearch-security/gsuite.xml"
                      entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxxxxx"
                    sp:
                      entity_id: "kibana-saml"
                    kibana_url: "https://kibana.mydomain.com"
                    exchange_key : "xxxxxxxxx"
                    roles_key: Role
                authentication_backend:
                  type: noop

and for the dashboard:

    config:
      # Default OpenSearch Dashboards configuration from docker image of Dashboards
      opensearch_dashboards.yml: |
        timelion:
          ui:
            enabled: "true"
        server:
          host: "https://kibana.mydomain.com/"
          ssl:
            enabled: "false"
          xsrf:
            allowlist: ["/_plugins/_security/api/authtoken", "/_opendistro/_security/api/authtoken", "/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
        opensearch_security:
          auth:
            type: "saml"
          multitenancy:
            enabled: "true"
            tenants:
              preferred: ["Private", "Global"]
        opensearch:
          ssl:
            verificationMode: "none"
          hosts: ["${var.elasticsearch-host}:9200"]
          username: "kibanaserver"
          password: "mypassword"
          requestHeadersAllowlist: ["securitytenant", "security_tenant", "Authorization"]
@nomopo45 nomopo45 added bug Something isn't working untriaged labels Aug 9, 2022
@kavilla kavilla transferred this issue from opensearch-project/OpenSearch-Dashboards Aug 9, 2022
kavilla (Member) commented Aug 9, 2022

Hello @nomopo45, thanks for opening. I believe this relates to how the security plugin impacts OpenSearch and OpenSearch Dashboards in its current state, so I re-routed it to the security plugin repo. We have an issue to reinvent security, and we have noted this as a follow-up issue on the feature proposal: opensearch-project/OpenSearch-Dashboards#2100. That will be for future versions and for users who would like to migrate to that experience when it is released.

nomopo45 (Author) commented

Hello,

Thanks a lot for the very fast reply.

In response to that I have a small question: how do I link a role to a SAML account?

Is the only way to use:

    roles_key: Role

Or can I create some of my SAML accounts in the internal_users.yml file and assign them a role?

@cwperks cwperks added enhancement New feature or request and removed bug Something isn't working untriaged labels Aug 16, 2022
peternied (Member) commented

This is related to #1055

peternied (Member) commented

Thanks for filing this issue.

cliu123 (Member) commented Aug 17, 2022

@nomopo45 There is a feature proposal for this.

nomopo45 (Author) commented

Hello,

Thank you all for the replies. So for the moment, is there a way to choose the role of a SAML user?

Or is the only way to use:

    roles_key: Role

Because I would prefer not to use this attribute if possible; I would even prefer to assign a role by changing an entry in the db, or any other solution if you know one.

Thanks a lot !

peternied (Member) commented

> I would like to not use this [roles_key: Role] attribute if possible

@nomopo45 If the identity of the user is in the internal database and it matches the user from the SAML provider, the backend roles will be collected from both sources, see https://opensearch.org/docs/latest/security-plugin/configuration/concepts/ for details. If you have trouble with this, please reach out to our forums that are suited for support requests https://forum.opensearch.org/c/security/3

jimishs commented Aug 24, 2022

Hi @nomopo45, yes, you can use SAML and basic auth at the same time. But once you enable SAML, OpenSearch Dashboards automatically redirects to your SAML IdP for authentication. That said, you can use the REST APIs with basic auth credentials to make any necessary changes to your configuration. Would that help alleviate the issue?

linuxboyng commented

> Hi @nomopo45, yes, you can use SAML and basic auth at the same time. But once you enable SAML, OpenSearch Dashboards automatically redirects to your SAML IdP for authentication. That said, you can use the REST APIs with basic auth credentials to make any necessary changes to your configuration. Would that help alleviate the issue?

I've run into this same issue and have had to put SAML as "order": 0 and the basic internal auth as "order": 1 to make SAML actually work. But now I can't issue any REST API calls via basic auth. The REST API endpoints are now not available via basic auth or no auth. So I am experiencing the opposite of what you stated.

linuxboyng commented Oct 1, 2022

What happened to this plugin from 1.x to 2.x that made this break? I was able to have basic internal auth with an order of 0 and SAML with an order of 1 enabled in 1.x. Then in 2.x I have to set SAML as order 0 to even get it to work. But now I can't interact with the cluster via the REST API using the internal db with basic auth.

Below is my config that won't get SAML to work. If I hit http://localhost:5601 I get a 500 internal server error and Kibana says: "Invalid SAML config".

    "basic_internal_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 0,
        "http_authenticator": {
            "challenge": true,
            "type": "basic",
            "config": {}
        },
        "authentication_backend": {
            "type": "intern",
            "config": {}
        },
        "description": "Authenticate via HTTP Basic against internal users database"
    },
    "saml_auth": {
            "order": 1,
            "description": "SAML provider",
            "http_enabled": true,
            "transport_enabled": false,
            "http_authenticator": {
                    "type": "saml",
                    "challenge": true,
                    "config": {
                            "idp": {
                                    "metadata_file": "meatadata.xml",
                                    "entity_id": "bobloblaw"
                            },
                            "sp": {
                                    "entity_id": "bobloblaw2"
                            },
                            "kibana_url": "http://localhost:5601",
                            "subject_key": "UserID",
                            "roles_key": "Roles",
                            "exchange_key": "myexchangekey"
                    }
            },
            "authentication_backend": {
                    "type": "noop"
            }
    }
}

But if I change SAML to order 0 and internal to order 1, SAML will work, but now I'm completely locked out of the cluster via the REST API:

    "basic_internal_auth_domain": {
        "http_enabled": true,
        "transport_enabled": true,
        "order": 1,
        "http_authenticator": {
            "challenge": true,
            "type": "basic",
            "config": {}
        },
        "authentication_backend": {
            "type": "intern",
            "config": {}
        },
        "description": "Authenticate via HTTP Basic against internal users database"
    },
    "saml_auth": {
            "order": 0,
            "description": "SAML provider",
            "http_enabled": true,
            "transport_enabled": false,
            "http_authenticator": {
                    "type": "saml",
                    "challenge": true,
                    "config": {
                            "idp": {
                                    "metadata_file": "meatadata.xml",
                                    "entity_id": "bobloblaw"
                            },
                            "sp": {
                                    "entity_id": "bobloblaw2"
                            },
                            "kibana_url": "http://localhost:5601",
                            "subject_key": "UserID",
                            "roles_key": "Roles",
                            "exchange_key": "myexchangekey"
                    }
            },
            "authentication_backend": {
                    "type": "noop"
            }
    }
}

I certainly hope there is a way to get this to work (tested in every 2.x branch up to 2.3.0) as without this (having SAML for Kibana and internal auth for REST API) I'm stuck.
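A configuration lint, added here as an example and not code from the thread or from the security plugin, that checks an `authc` block against the documented layout for running HTTP basic alongside SAML (basic ordered first with `challenge: false`, SAML enabled on the HTTP layer only). The sample config is constructed with placeholder values.

```python
"""Lint an OpenSearch security-plugin ``authc`` block for SAML + basic-auth coexistence."""
import json

# Constructed sample modelled on the JSON config quoted in the thread (placeholders, not real values).
SAMPLE_AUTHC = json.loads("""
{
  "basic_internal_auth_domain": {
    "http_enabled": true, "transport_enabled": true, "order": 0,
    "http_authenticator": {"type": "basic", "challenge": true, "config": {}},
    "authentication_backend": {"type": "intern", "config": {}}
  },
  "saml_auth": {
    "http_enabled": true, "transport_enabled": false, "order": 1,
    "http_authenticator": {
      "type": "saml", "challenge": true,
      "config": {"idp": {"metadata_file": "PLACEHOLDER-metadata.xml", "entity_id": "PLACEHOLDER-idp"},
                 "sp": {"entity_id": "PLACEHOLDER-sp"},
                 "kibana_url": "http://localhost:5601", "exchange_key": "PLACEHOLDER-key"}
    },
    "authentication_backend": {"type": "noop"}
  }
}
""")


def ordered_http_domains(authc):
    """Return (name, domain) pairs that are enabled for HTTP, in the order the plugin tries them."""
    enabled = [(name, dom) for name, dom in authc.items() if dom.get("http_enabled", False)]
    return sorted(enabled, key=lambda pair: pair[1].get("order", 0))


def lint_authc(authc):
    """Return findings as strings; an empty list means the chain follows the documented pattern."""
    chain = ordered_http_domains(authc)
    types = [dom["http_authenticator"]["type"] for _, dom in chain]
    if "basic" not in types or "saml" not in types:
        return []  # only one mechanism is configured, nothing to check
    findings = []
    for name, dom in chain:
        auth = dom["http_authenticator"]
        # Basic ahead of SAML is the documented layout, but only with challenge: false;
        # otherwise every unauthenticated browser request is answered with a Basic challenge
        # and Dashboards never reaches the SAML redirect.
        if auth["type"] == "basic" and auth.get("challenge", True) \
                and types.index("basic") < types.index("saml"):
            findings.append(f"{name}: basic auth with challenge=true precedes SAML; set challenge: false")
        # SAML is only supported on the REST (HTTP) layer.
        if auth["type"] == "saml" and dom.get("transport_enabled", False):
            findings.append(f"{name}: SAML is HTTP-only; set transport_enabled: false")
    return findings
```

Run `lint_authc` over the `authc` object returned by the security REST API (or parsed from config.yml) before applying a change; the sample above reports one finding, and flipping the basic domain to `challenge: false` clears it.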

cliu123 (Member) commented Nov 3, 2022

@nomopo45 @linuxboyng The feature allowing users to configure multiple authentication types (basic auth, SAML and OIDC) will be available in 2.4.0.0. Please try the feature and see if that is the solution that you are looking for.
