[BUG] Having Anonymous and SAML as sign in options does not work. SAML Login fails when Anonymous is enabled #1731
Comments
[Triage] Hi @cwperks, thanks for filing this issue. This seems like a good edge case to correct. Thanks for pointing this out. We can close this issue when we have a fix to let the SAML and anonymous auth features be used side by side.
Anonymous logout flow seems to be not working as expected. Here's how you can reproduce:
Upon further debugging, I found that enabling anonymous auth in config.yml without adding the flag in opensearch_dashboards.yml is causing the saml redirect to fail with 500 status code. If |
TL;DR: This bug is not solvable at the moment. Reason: in the current implementation, anonymous auth + any IdP call expect credentials to be empty in order to follow the correct path, and the current implementation skips the check over auth domains if anonymous auth is enabled. Once the for loop completes, it then enters this else block to assume the anonymous user identity. To solve this problem, we need to identify whether the request is coming as an anonymous user or not. The following options were considered:
Thus, at the moment, SAML auth is broken when anonymous auth is enabled, as there is no way to identify whether the login request is coming as an anonymous user or for SAML login, since both requests are expected to have null credentials, and there is no way to fix it without a breaking change (require an identifier header, i.e. credentials, OR rewrite the backend to expect a new AuthType called anonymous).
Update: A new approach has been proposed via opensearch-project/security#4152 and #1839 where instead of modifying Anonymous auth related request we instead modify SAML login requests. This is done by passing a parameter |
What is the bug?
It's possible to configure OpenSearch Dashboards to use multiple sign-in options, including Sign in as Anonymous and Sign in with Single Sign-On (SAML).
When both SAML and Anonymous are enabled as sign-in options, SAML authentication does not work and does not redirect to the SAML IdP.
How can one reproduce the bug?
Configure OpenSearch-Dashboards to use Anonymous and SAML:
Sample opensearch_dashboards.yml
Configure OpenSearch with SAML and anonymous enabled.
Sample config/opensearch-security/config.yml
What is the expected behavior?
SAML and Login with Anonymous
Do you have any screenshots?
Do you have any additional context?
The fundamental problem is that Login with SAML relies on the authinfo request failing here. The unauthenticated response includes the information to dashboards on how to redirect to the SAML.
For example:
When anonymous is enabled, this request does not fail and dashboards never redirects.
On inspection, another endpoint, _plugins/security/api/authtoken, may also need a special carve-out when anonymous is enabled on the backend.
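As an added example that is not code from this issue or from OpenSearch, the following TypeScript models the auth-domain walk the comments describe: with anonymous auth on, an unauthenticated request falls through to the anonymous identity and the SAML domain never issues its 401 redirect. All names are hypothetical, including the `samlLogin` marker, which stands in for the request parameter the update comment mentions.

```typescript
// Hypothetical model of the backend auth-domain loop; not OpenSearch code.
type Outcome =
  | { kind: "user"; name: string }
  | { kind: "anonymous" }
  | { kind: "challenge"; redirect: string } // the 401 carrying the IdP redirect
  | { kind: "unauthenticated" };

interface Request {
  headers: Record<string, string>;
  samlLogin?: boolean; // hypothetical marker: "this request is a SAML login"
}
interface AuthDomain {
  name: string;
  extract: (req: Request) => string | null; // credentials found in the request, if any
  challenge?: string; // IdP redirect an unauthenticated request should receive
}
interface Config { anonymousAuthEnabled: boolean; domains: AuthDomain[] }

// `proposed` switches on the direction of the proposed fix: only requests explicitly
// marked as SAML logins bypass the anonymous fallback.
export function authenticate(req: Request, cfg: Config, proposed = false): Outcome {
  for (const d of cfg.domains) {
    const creds = d.extract(req);
    if (creds !== null) return { kind: "user", name: creds };
    // Bug: with anonymous auth enabled the per-domain challenge is skipped, so the
    // loop finishes and the request is treated as the anonymous user instead.
    const skipChallenge = cfg.anonymousAuthEnabled && !(proposed && req.samlLogin === true);
    if (d.challenge !== undefined && !skipChallenge) {
      return { kind: "challenge", redirect: d.challenge };
    }
  }
  return cfg.anonymousAuthEnabled ? { kind: "anonymous" } : { kind: "unauthenticated" };
}

// Constructed sample configuration: basic auth plus a SAML domain (IdP URL is made up).
export const sampleConfig: Config = {
  anonymousAuthEnabled: true,
  domains: [
    { name: "basic", extract: (r) => r.headers["authorization"] ?? null },
    { name: "saml", extract: () => null, challenge: "https://idp.example.test/sso" },
  ],
};

// Models the credential-less authinfo call Dashboards makes to learn where to redirect.
export function dashboardsRedirects(anon: boolean, proposed: boolean): boolean {
  const cfg: Config = { ...sampleConfig, anonymousAuthEnabled: anon };
  return authenticate({ headers: {}, samlLogin: true }, cfg, proposed).kind === "challenge";
}
```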