Adds saml auth header to differentiate saml requests and prevents auto login as anonymous user when basic authentication fails

[DarshitChanpura]

Description

This PR fixes a bug where SAML and Anonymous auth cannot co-exist. At present, enabling SAML along with anonymous auth causes SAML Login to fail before it hits the IdP because both SAML and anonymous auth are wired to not have credentials on the first login attempt, causing the authn check against the auth domains to be skipped (see here). This, eventually, results in setting the default user as anonymous (see here) since anonymous auth is enabled.

This PR also resolves another bug involving anonymous auth where a user would be automatically logged in as anonymous user upon failed basic authentication if anonymous auth is enabled.

• Category: Bug fix
• Why these changes are required?
  • To allow SAML auth to work when anonymous auth is enabled
  • To prevent auto login as anonymous user upon failed basic authentication

Security-dashboards companion PR: opensearch-project/security-dashboards-plugin#1839

Issues Resolved

• Related [BUG] Having Anonymous and SAML as sign in options does not work. SAML Login fails when Anonymous is enabled security-dashboards-plugin#1731

Testing

• Automated

Check List

• New functionality includes testing
  - [ ] New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov]

Codecov Report

Attention: Patch coverage is 53.84615% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 66.20%. Comparing base (4e8297a) to head (4a6dff7).
Report is 4 commits behind head on main.

❗ Current head 4a6dff7 differs from pull request most recent head 5174654. Consider uploading reports for the commit 5174654 to get more accurate results

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4152   +/-   ##
=======================================
  Coverage   66.19%   66.20%           
=======================================
  Files         301      301           
  Lines       21709    21712    +3     
  Branches     3505     3505           
=======================================
+ Hits        14371    14375    +4     
+ Misses       5580     5578    -2     
- Partials     1758     1759    +1     

Files	Coverage Δ
.../org/opensearch/security/auth/BackendRegistry.java	61.58% <53.84%> (-0.96%)	⬇️

... and 5 files with indirect coverage changes

[derek-ho]

I don't have any concerns with the implementation of this change, since I think it preserves functionality, but trying to understand more about @peternied's concern with the headers

[stephen-crawford]

Looks good to me!

[DarshitChanpura]

All failures caused by:

java.lang.NoSuchMethodError: 'void org.opensearch.transport.TcpTransport.inboundMessage(org.opensearch.transport.TcpChannel, org.opensearch.transport.ProtocolInboundMessage)'

Root-cause is likely this upstream change: opensearch-project/OpenSearch#12967.

Update: This issue has been resolved.

[stephen-crawford]

Looks good to me