
Internal Server Error from OpenSearch Dashboard after integrating with SAML (KeyCloak)


After integrating with KeyCloak, the SAML POST returns a 500 response and nothing appears in the logs. What is the best way to debug or log the error?

1 Answer

Hello,

I have exactly the same problem; have you found a way to get this working?

Currently I'm trying to map my user to the group "all_access", but I get no error other than this one. An example of my assertion:

<!-- Sample IdP response as posted (secrets and hostnames redacted by the poster as xxxx). Reviewer notes are marked NOTE(review). -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://xxxxxx/_dashboards/_opendistro/_security/saml/acs"
                ID="ID_f2e7e757-2c9c-4904-8336-ddd809a6d4b0"
                InResponseTo="ONELOGIN_c48844cf-c1b3-47e1-9242-ffe508c269b8"
                IssueInstant="2022-07-15T07:08:21.365Z"
                Version="2.0"
                >
    <saml:Issuer>https://xxxxx/auth/realms/xxxxx</saml:Issuer>
    <!-- NOTE(review): the Reference URI below points at the Response ID, so the signature covers the outer Response only; the Assertion is not signed on its own. The SP should check this signature against the IdP certificate it already trusts from its configured metadata, not against the inline KeyInfo, which is attacker-controlled from the SP's point of view. -->
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <dsig:Reference URI="#ID_f2e7e757-2c9c-4904-8336-ddd809a6d4b0">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <!-- SHA-256 digest and RSA-SHA256 signature: no SHA-1 in the signature chain. -->
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <dsig:DigestValue>xxxxx</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>xxxxx</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:KeyName>xxxx</dsig:KeyName>
            <dsig:X509Data>
                <dsig:X509Certificate>xxxxxxxx</dsig:X509Certificate>
            </dsig:X509Data>
            <dsig:KeyValue>
                <dsig:RSAKeyValue>
                    <dsig:Modulus>xxxxxxx</dsig:Modulus>
                    <dsig:Exponent>AQAB</dsig:Exponent>
                </dsig:RSAKeyValue>
            </dsig:KeyValue>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <!-- The default namespace declared here is the same URI already bound to the saml prefix on the root; redundant but harmless. -->
    <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ID_5d953166-ef46-48c5-bd54-a9adfce95fe0"
                    IssueInstant="2022-07-15T07:08:21.365Z"
                    Version="2.0"
                    >
        <saml:Issuer>https://xxxx/auth/realms/xxxx</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xxxx@xxxx.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <!-- Recipient and InResponseTo must match the ACS URL and the AuthnRequest ID the SP issued; a mismatch is rejected before any attribute mapping happens. -->
                <saml:SubjectConfirmationData InResponseTo="ONELOGIN_c48844cf-c1b3-47e1-9242-ffe508c269b8"
                                              NotOnOrAfter="2022-07-15T07:13:19.365Z"
                                              Recipient="https://xxxxx/_dashboards/_opendistro/_security/saml/acs"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <!-- NOTE(review): the validity window here is exactly one minute (07:08:19 to 07:09:19). Clock drift between the IdP and the SP nodes of more than the SP's tolerated skew will cause the assertion to be rejected; worth checking NTP on both sides when debugging. -->
        <saml:Conditions NotBefore="2022-07-15T07:08:19.365Z"
                         NotOnOrAfter="2022-07-15T07:09:19.365Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://xxxx</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2022-07-15T07:08:21.365Z"
                             SessionIndex="3256b6e5-fdf3-492d-8089-038c06b7fa3c::43aacbea-219e-4210-a258-ccca424f990f"
                             SessionNotOnOrAfter="2022-07-15T17:08:21.365Z"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <!-- NOTE(review): presumably the SP is configured to read roles from the "groups" attribute; its values are then treated as backend roles, and "all_access" still needs a role mapping on the SP side. Confirm against the security plugin configuration. -->
            <saml:Attribute Name="groups"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >all_access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >xxxx@xxx.xxx</saml:AttributeValue>
            </saml:Attribute>
            <!-- NOTE(review): this Attribute carries only a FriendlyName and no Name. Name is a required attribute of saml:Attribute in the SAML 2.0 assertion schema, so a schema-validating SP may reject the whole response at this point. It is the only structural defect visible in the sample and a plausible cause of the 500; the audience value is already conveyed by the AudienceRestriction above, so this attribute looks unnecessary. -->
            <saml:Attribute FriendlyName="audience"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                            >
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >https://xxxxx</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

answered 2 years ago
