Internal Server Error from OpenSearch Dashboard after integrating with SAML (KeyCloak)

After integrating with KeyCloak, SAML post is giving 500 response. Nothing in logs. What is the best way to debug/log the error?

Topics

Serverless Analytics AWS Well-Architected Framework

Tags

Amazon OpenSearch Service Security

Language

English

CITS

asked 2 years ago336 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello,

I have exactly the same problem, do you have find a way to get this works ?

Currently I'm trying to map my user against the group "all_access" but I have no other error than this. An example of my assertion:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://xxxxxx/_dashboards/_opendistro/_security/saml/acs"
                ID="ID_f2e7e757-2c9c-4904-8336-ddd809a6d4b0"
                InResponseTo="ONELOGIN_c48844cf-c1b3-47e1-9242-ffe508c269b8"
                IssueInstant="2022-07-15T07:08:21.365Z"
                Version="2.0"
                >
    <saml:Issuer>https://xxxxx/auth/realms/xxxxx</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <dsig:Reference URI="#ID_f2e7e757-2c9c-4904-8336-ddd809a6d4b0">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <dsig:DigestValue>xxxxx</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>xxxxx</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:KeyName>xxxx</dsig:KeyName>
            <dsig:X509Data>
                <dsig:X509Certificate>xxxxxxxx</dsig:X509Certificate>
            </dsig:X509Data>
            <dsig:KeyValue>
                <dsig:RSAKeyValue>
                    <dsig:Modulus>xxxxxxx</dsig:Modulus>
                    <dsig:Exponent>AQAB</dsig:Exponent>
                </dsig:RSAKeyValue>
            </dsig:KeyValue>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ID_5d953166-ef46-48c5-bd54-a9adfce95fe0"
                    IssueInstant="2022-07-15T07:08:21.365Z"
                    Version="2.0"
                    >
        <saml:Issuer>https://xxxx/auth/realms/xxxx</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxx@xxxx.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData InResponseTo="ONELOGIN_c48844cf-c1b3-47e1-9242-ffe508c269b8"
                                              NotOnOrAfter="2022-07-15T07:13:19.365Z"
                                              Recipient="https://xxxxx/_dashboards/_opendistro/_security/saml/acs"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2022-07-15T07:08:19.365Z"
                         NotOnOrAfter="2022-07-15T07:09:19.365Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://xxxx</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2022-07-15T07:08:21.365Z"
                             SessionIndex="3256b6e5-fdf3-492d-8089-038c06b7fa3c::43aacbea-219e-4210-a258-ccca424f990f"
                             SessionNotOnOrAfter="2022-07-15T17:08:21.365Z"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="groups"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >all_access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >xxxx@xxx.xxx</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute FriendlyName="audience"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >https://xxxxx</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

rePost-User-3668023

answered 2 years ago

Relevant content

integrate AWS Cognito with Google Workspace using SAML integration
AWS-User-2452855
asked 2 years ago
What is the best way to integrate AWS Secret Manager with EKS?
Accepted Answer
EXPERT
MaxCloud
asked 2 years ago
500 Internal Server Error from OPTIONS method in REST API integration with S3
Accepted Answer
jedrek
asked a year ago
Configure local opensearch dashboard with saml
bgarcia
asked 4 months ago
How do I capture and analyze the SAML response to troubleshoot common errors when I use SAML 2.0 federation with AWS?
AWS OFFICIALUpdated 3 days ago
How can I troubleshoot 500 errors with VPC link integration for API Gateway?
AWS OFFICIALUpdated 6 months ago
How do I troubleshoot an "invalid SAML response" error for Okta and AWS IAM Federation?
AWS OFFICIALUpdated 2 years ago
How can I troubleshoot the "internal server" error with status code 500 for API Gateway endpoints that integrate with Lambda?
AWS OFFICIALUpdated a year ago
How to e-mail OpenSearch reports and dashboards via opensearch-reporting-cli
EXPERT
Sohaib Katariwala
published 2 months ago
Tableau Integration with Kerberos EMR Cluster
SUPPORT ENGINEER
Yokesh NK
published a month ago