security-dashboards-plugin icon indicating copy to clipboard operation
security-dashboards-plugin copied to clipboard

Published 20 hours ago verified publisher icon opensearch-project

SAML - "/_opendistro/_security/saml/logout" not found

Open maron546 opened this issue 4 years ago • 8 comments

Environment

Ubuntu 18.0.4

Products version

elasticsearch-oss 7.9.1 amd64 opendistroforelasticsearch 1.11.0-1 amd64 opendistro-security 1.11.0.0-0 amd64 opendistroforelasticsearch-kibana 1.11.0 amd64

Issue

We configured authentication through an external identity provider via SAML. In previous versions (Elasticsearch 7.6.1, Security Plugin 1.6.0.0), the logout link was: <kibana_url>/_opendistro/_security/saml/logout but it seems missing and responds with: {"statusCode":404,"error":"Not Found","message":"Not Found"} even if it's still present in the current documentation.

maron546 avatar Dec 09 '20 14:12 maron546

@maron546 can you share your kibana.yml config file?

zengyan-amazon avatar Jan 04 '21 23:01 zengyan-amazon

and btw, we change the HTTP verb of /_opendistro/_security/saml/logout from POST to GET since 1.10, maybe that is the reason?

zengyan-amazon avatar Jan 04 '21 23:01 zengyan-amazon

Below the configurations in kibana.yml:

server.host: "x.x.x.x"
logging.quiet: true

elasticsearch.hosts: http://x.x.x.x:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: xxxxx
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

# SAML configurations
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

# Use this setting if you are running kibana without https
opendistro_security.cookie.secure: false

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false

Now, we have two environments, one installed on a virtual machine (the configuration file has been taken from this), the other is an Amazon ES Domain. Both have the same issue.

maron546 avatar Jan 05 '21 09:01 maron546

I am encountering the same issue.

quad2524 avatar Jan 15 '21 05:01 quad2524

Any news about this?

maron546 avatar Feb 08 '21 15:02 maron546

We are doing some "spring cleaning in the fall", and to make sure we focus our energies on the right issues and we get a better picture of the state of the repo, we are closing all issues that we are carrying over from the ODFE era (ODFE is no longer supported/maintained, see post here).

If you believe this issue should still be considered for current versions of OpenSearch, apologies! Please let us know by re-opening it.

Thanks!

davidlago avatar Sep 13 '22 13:09 davidlago

@davidlago this is still happening to us in Openserach 2.3.0. The logout URL does not seem to exist, and the logout functionality does not work, crashing opensearch-dashboards.

gdiazlo avatar Sep 26 '22 08:09 gdiazlo

Thanks @gdiazlo, reopening issue.

davidlago avatar Oct 10 '22 13:10 davidlago