[BUG]SAML and http authentication at the same time #1059
Comments
Hello @nomopo45, thanks for opening. I believe this will relate to how the security plugin impacts OpenSearch and OpenSearch Dashboards in its current state. So re-routed to the security plugin repo. We have an issue to reinvent security, so we have noted it as a follow-up issue on the feature proposal: opensearch-project/OpenSearch-Dashboards#2100, but that will be for future versions and for users that would like to migrate to that experience when released.
Hello, thanks a lot for the very fast reply. In response to that I have a small question: how to link a role to a SAML account? Is the only way to use:
Or can I create some of my SAML accounts in the internal_users.yml file and assign them a role?
This is related to #1055
Thanks for filing this issue
@nomopo45 There is a feature proposal for this.
Hello, thank you all for the replies. So for the moment, is there a way to choose the role of a SAML user? Or is the only way to use:
Because I would like to not use this attribute if possible, I would even prefer to assign a role by changing an entry in the db, or any other solution if you know any. Thanks a lot!
@nomopo45 If the identity of the user is in the internal database and it matches the user from the SAML provider, the backend roles will be collected from both sources, see https://opensearch.org/docs/latest/security-plugin/configuration/concepts/ for details. If you have trouble with this, please reach out to our forums that are suited for support requests: https://forum.opensearch.org/c/security/3
Hi @nomopo45, yes, you can use SAML and basic auth at the same time. But once you enable SAML, OpenSearch Dashboards automatically redirects to your SAML IdP for authentication. That said, you can use the REST APIs with basic auth credentials to make any necessary changes to your configuration. Would that help alleviate the issue?
I've run into this same issue and have had to put the saml as "order": 0 and the basic internal auth as "order": 1 to make the saml actually work. But now I can't issue any REST APIs via the basic auth. The REST API endpoints are now not available via basic auth or no auth. So I am experiencing the opposite of what you stated.
What happened to this plugin from 1.x to 2.x that made this break? I was able to have basic internal auth with an order of 0 and saml with an order of 1 enabled in 1.x. Then in 2.x I have to set saml as order 0 to even get it to work. But now I can't interact with the cluster via the REST API using the internal db with basic auth.

Below is my config that won't get SAML to work. If I hit http://localhost:5601 I get a 500 internal server error and Kibana says: "Invalid SAML config".
But if I change the saml to order 0 and internal to 1, SAML will work, but now I'm completely locked out of the cluster via the REST API:
I certainly hope there is a way to get this to work (tested in every 2.x branch up to 2.3.0), as without this (having SAML for Kibana and internal auth for REST API) I'm stuck.
@nomopo45 @linuxboyng The feature allowing users to configure multiple authentication types (basic auth, SAML and OIDC) will be available in 2.4.0.0. Please try the feature and see if that is the solution that you are looking for.
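
An added illustration, not taken from any comment in this thread and not the project's own file: the two authentication domains discussed above, laid out in the security plugin's `config.yml` with the ordering the 1.x setup in the comments describes (basic at order 0, SAML at order 1). Every URL, entity ID and the exchange key is a placeholder, and `challenge: false` on the basic domain is an assumption drawn from the plugin's SAML documentation; the thread does not establish that this layout resolves the behaviour reported on 2.x.

```yaml
# Added illustration: placeholder values throughout, not a config from this thread.
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          # false: do not answer unauthenticated requests with a Basic challenge,
          # so browser requests can fall through to the SAML domain below
          challenge: false
        authentication_backend:
          type: internal        # internal user database (internal_users.yml)
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true       # only one domain should issue the challenge
          config:
            idp:
              metadata_url: https://idp.example.com/metadata   # placeholder
              entity_id: https://idp.example.com/entity         # placeholder
            sp:
              entity_id: opensearch-dashboards-saml             # placeholder
            kibana_url: https://dashboards.example.com          # placeholder
            exchange_key: REPLACE_WITH_RANDOM_SECRET            # placeholder
        authentication_backend:
          type: noop            # SAML assertions are validated by the authenticator
```

With this layout, a REST client that sends an `Authorization: Basic` header is checked against the internal database first, while a request carrying no credentials is not challenged by the basic domain and reaches the SAML domain.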
Hello,
I managed to have my SAML working, but now I don't have a choice but to use SAML. I would like to be able to connect through username, password or by using SAML. Is it possible?
I'm deploying OpenSearch and Dashboards with Helm; here are the interesting values for your reference:
and for the dashboard: