SAML Authenticator using Eliatra Suite Dashboards Plugin specific URIs creates compat issue
We have now updated refs to Dashboard plugin URIs in the SAML Authenticator: https://git.eliatra.com/eliatra-suite/eliatra-opensearch-plugin/-/merge_requests/27/diffs
However, this poses a compat issue on mixed clusters when Kibana with the Search Guard Kibana plugin is still running. The Eliatra Suite plugin will then already try to reference the Eliatra Suite endpoints, which are not available in the Search Guard Kibana plugin.
Proposed solution:
Add a config option to configure the base URI of the ACS endpoint.
We cannot use this solution as in a mixed cluster with Search Guard nodes, these would not recognize this option and transition to a failing state.
New proposal:
The ACS is needed by the endpoints /_searchguard/auth/config resp. /_eliatra/security/auth/config (class GetActivatedFrontendConfigAction) and /_searchguard/auth/config resp. /eliatra/security/auth/session (class SessionApi) (internally in SAML delegated to SamlAuthenticator.activateFrontendConfig() and SamlAuthenticator.extractCredentials()).
When the Kibana plugin calls the endpoints, it will use the endpoints with the searchguard prefix. When the Dashboards plugin calls the endpoints, it will use the endpoints with the eliatra prefix.
Thus - indirectly - we already know whether Kibana plugin or the Dashboards plugin is calling here.
We could extract this information and pass it on to the respective SamlAuthenticator methods. Then, the SamlAuthenticator can decide whether to use SG or Eliatra ACS endpoints.
This change is ONLY needed for the compat edition. We do not need it for the final edition.
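
A sketch of the new proposal, added here as an illustration and not taken from the plugin's code base: the caller is derived from the REST prefix the request arrived on, and the ACS path is chosen from a fixed set so that nothing in the request can steer it elsewhere. The names AcsResolver, FrontendFlavor and acsUrl are hypothetical, both ACS paths are placeholders, and the frontend base URL is assumed to come from the authenticator's configuration.

```java
import java.net.URI;

// Added sketch, not the plugin's code. AcsResolver, FrontendFlavor and both
// ACS paths are hypothetical; only the two REST prefixes come from the issue.
public final class AcsResolver {

    enum FrontendFlavor {
        KIBANA_SG("/_searchguard/", "/PLACEHOLDER-sg-acs-path"),
        DASHBOARDS_ELIATRA("/_eliatra/", "/PLACEHOLDER-eliatra-acs-path");

        final String restPrefix;
        final String acsPath;

        FrontendFlavor(String restPrefix, String acsPath) {
            this.restPrefix = restPrefix;
            this.acsPath = acsPath;
        }

        // Derive the calling frontend from the REST path of the request.
        static FrontendFlavor fromRequestPath(String rawPath) {
            // Normalize first so dot segments cannot disguise the prefix.
            String path = URI.create(rawPath).normalize().getPath();
            for (FrontendFlavor flavor : values()) {
                if (path.startsWith(flavor.restPrefix)) {
                    return flavor;
                }
            }
            // Fail closed: an unknown prefix never falls back to a default ACS.
            throw new IllegalArgumentException("Unrecognized auth endpoint prefix");
        }
    }

    // Assumption: frontendBaseUrl is read from configuration, not from the
    // request. Only the fixed ACS suffix depends on the caller.
    static URI acsUrl(URI frontendBaseUrl, String requestPath) {
        FrontendFlavor flavor = FrontendFlavor.fromRequestPath(requestPath);
        String base = frontendBaseUrl.toString().replaceAll("/+$", "");
        return URI.create(base + flavor.acsPath);
    }

    public static void main(String[] args) {
        URI base = URI.create("https://dashboards.example.com/"); // constructed sample
        System.out.println(acsUrl(base, "/_searchguard/auth/config"));
        System.out.println(acsUrl(base, "/_eliatra/security/auth/config"));
    }
}
```

Because the ACS URL ends up in the SAML AuthnRequest, keeping the selection to an enum lookup means a mixed cluster only ever advertises one of the two known endpoints.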