Update SAML Endpoint #1936
Update SAML Endpoint #1936
Conversation
|
@hpkuppuraj Thanks for this pull request, could you please see about fixing the DCO errors, link? |
|
Note; I said that this changed was set against the 2.1 branch, lets merge this against main and then the maintainers will backport the change to the next release version |
|
@hpkuppuraj Thank you so much for the finding and the PR! |
|
@peternied , Thanks for highlighting the signoff part which i have missed at commits. I think i have signed the commits that I have made. Looks like still DCO error there. |
Codecov Report
@@ Coverage Diff @@
## main #1936 +/- ##
============================================
- Coverage 61.00% 60.99% -0.02%
Complexity 3233 3233
============================================
Files 256 256
Lines 18088 18088
Branches 3224 3224
============================================
- Hits 11035 11033 -2
- Misses 5470 5471 +1
- Partials 1583 1584 +1
Help us with your feedback. Take ten seconds to tell us how you rate us. |
|
@hpkuppuraj I see there are 93 file changes here and some of them are from other PRs. Can you please rebase your branch against |
|
Maybe better to make both endpoints working? Doesn't seem to be much work and then it would not be breaking change. and in version 3.0 remove |
I would prefer this approach as suggested by @JustinasKO. @hpkuppuraj is this something you'd be able to pick up or would you like to take this on? Note; there is another change like this in flight - #1949 |
Yes sure, let me explore on this and keep both the endpoints working. |
@hpkuppuraj Would you please follow up with this comment? |
|
@cliu123 , I am trying to figure how the PR gets the changes from other commits, but my local branch has just my changes. Could you please help on this. Shall i cancel this PR? and raise a new PR |
|
@hpkuppuraj just rebase your branch from main branch and only your changes will remain. |
|
@cliu123 , could you please confirm the changes. I believe now only one file change is shown. Also i am seeing DCO author signature mismatch now |
| @@ -212,11 +212,11 @@ private SingleLogoutService findSingleLogoutService(IDPSSODescriptor idpSsoDescr | |||
| } | |||
|
|
|||
| private String buildAssertionConsumerEndpoint(String dashboardsRoot) { | |||
|
|
|||
| // Changed to fix bug in 2.1 | |||
There was a problem hiding this comment.
There is no need to have such comment in the source file, it belongs to the commit message.
I can confirm that I see only 1 file change now. You can fix the DCO error by executing this command: |
|
@DarshitChanpura , i dont have access to the account(company) i used to commit the first change, hence switched to the personal github account. Hence there is a discrepancy in the signature. The commit that impacts is 4c432a4 which is not the 2 commit and signoff using different email id. With the rebase signoff to this commit i am not able to signoff with current github account. |
Updated the ACS endpoint builder code components. [BUG] v2.1 security plugin is still using _opendistro/_security/saml/acs opensearch-project#1031 Signed-off-by: hari prasad <prasad.hari@lotuss.com> Signed-off-by: Peter Nied <petern@amazon.com>
|
@hpkuppuraj Thanks for your hard work on this pull request, I've cleaned up the commit history and fixed the DCO issues and pushed an update onto your fork, as soon as CI passes this can be merged. |
There was a problem hiding this comment.
Thanks for the PR!
I have a few questions here:
- Should this PR be closed if merging this one?
- How was this change tested? Please provide information about testing in the PR description.
- With this change, how would the existing clusters built with the old
ACS endpoint(/_opendistro/_security/saml/acs) work after upgrading to the version with this change?
|
@hpkuppuraj Can you please update on the requested changes? Once they are addressed we can go ahead and merge this PR. Once again, thank you for your contribution! |
|
@cliu123 Can you shepherd this change along with the frontend to make sure everything is in alignment? |
|
@hpkuppuraj Could you please address @cliu123 's Requested Changes so we can move forward with this PR |
|
Hi, apologies I am outstation and will be back to workstation tomorrow. Will resolve the code conflicts
Get Outlook for iOS<https://aka.ms/o0ukef>
…________________________________
From: Chang Liu ***@***.***>
Sent: Wednesday, July 20, 2022 3:27:25 AM
To: opensearch-project/security ***@***.***>
Cc: Hari Prasad Kuppuraj ***@***.***>; Mention ***@***.***>
Subject: Re: [opensearch-project/security] Update SAML Endpoint (PR #1936)
@hpkuppuraj<https://github.com/hpkuppuraj> I see there are 93 file changes here and some of them are from other PRs. Can you please rebase your branch against main so that the changes you intended to make are the only ones included.
@hpkuppuraj<https://github.com/hpkuppuraj> Would you please follow up with this comment?
—
Reply to this email directly, view it on GitHub<#1936 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AMIZCPFUOUXPR7PFDBOMYY3VU36R3ANCNFSM53OEUBPA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
@opensearch-project/security this is a breaking change we've been considering for a while how do you feel about us taking it? I'm leaning towards no, while it would be nice to have consistent URLs, I would prefer we don't break folks in a hard to detect way. Please vote 👍 👎 or comment on this issue, lets revisit this during our next triage. |
peternied
added
the
untriaged
|
I'm closing this pull request out as we aren't taking steps to get this merged. Thanks again for the contribution sorry it didn't work out on this change. |
|
Pity. Then |
|
@nerijus from your comment it sounds SAML is broken in security-dashboards-plugin without this change? Can you create an issue |
|
Of course it is broken, that's why this PR was created. I'd still suggest applying this PR instead of changing dashboards. Edit: I see it is no longer broken in opensearch-dashboards 2.3.0. |
|
@cliu123 Could you shepherd this PR and determine how to follow up? This seems very bad (tm) and I'm out of the loop on the state of the SAML configuration in dashboards. |
|
@cliu123 As per discussion, Endpoint: |
|
This is a documentation issue that I'm creating. Users follow the documentation to configure _plugins/_security/saml/acs in IDP, but in plugins, it still uses /_opendistro/_security/saml/acs. |
|
@cliu123 The documentation website was reverted to reflect this: opensearch-project/documentation-website#877 There was a breaking change to SAML introduced in 2.2 that was reverted in 2.3 with this PR: opensearch-project/security-dashboards-plugin#895 The frontend switched to using Security dashboards plugin reverted to using |
I am setting up v2.1 cluster with saml authentication, all the configuration seems to be correct however when i try to login and found out that saml authrequest still builds ACS URL with _opendistro/_security/saml/acs instead of /_plugin/_security/saml/acs.
Below is what we extracted from the saml tracer plugin.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="ONELOGIN_XYZ"
Version="2.0"
IssueInstant="2022-07-13T08:55:10Z"
Destination="https://domain/trust/saml2/http-redirect/sso/"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://domain/_opendistro/_security/saml/acs"
>
saml:Issueropensearch-saml</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AllowCreate="true"
/>
</samlp:AuthnRequest>
Seems like after version 2.1.0 both enpoints: /_opendistro/_security/saml/acs and /_plugins/_security/saml/acs not working.
If using first-one as IDP acs URL getting: {"statusCode":404,"error":"Not Found","message":"Not Found"} - probbably expected after opensearch-project/security-dashboards-plugin#895
But if switching to 2nd one /_plugins/_security/saml/acs getting {"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}
Rolling back Kibana to version 2.0.1 but leaving Opensearch version: 2.1.0 helps the issue a bit as /_opendistro/_security/saml/acs starts to work again
Description
[Describe what this change achieves]
Issues Resolved
[List any issues this PR will resolve]
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.