
Session timeout in Kibana SAML #159

Closed
snarmaev opened this issue Mar 24, 2020 · 33 comments
Assignees
Labels
bug Something isn't working help wanted Extra attention is needed, need help from community triaged

Comments

@snarmaev

Hello, I have the same issue with the expiring session time in Kibana. However, I have set options to keep session for 24 hours in kibana.yml

opendistro_security.cookie.ttl: 86400000
opendistro_security.session.ttl: 86400000
opendistro_security.session.keepalive: true

Could you please help with this issue?

@thoro

thoro commented Apr 16, 2020

It seems SAML does not adhere to the set session timeouts and always uses 1 h by default, with keepalive disabled ... https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/88f7dd343e53fabc466f92b90a9165db105d9b7b/lib/auth/types/saml/Saml.js#L70

Edit: After further debugging and reading of the code I came to the following conclusions:

  1. The expiration time of the session is based on BACKEND, not kibana!
  2. The expiration is defined here: https://github.com/opendistro-for-elasticsearch/security/blob/167acc0769397b765fa52fd68a4d555524915deb/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java#L351
  3. You need to configure the expiration of the jwt token via an option in the config.yml of the security plugin, specifically:
...
          config:
            jwt:
              expiry: AUTO+1440

where 1440 is the number of minutes; possible values for the first part are AUTO, SESSION and NOW.

NOW => always takes now as the session basis
SESSION => always takes the sessionNotOnOrAfter value from the saml response as basis
AUTO => if sessionNotOnOrAfter exists it takes that, otherwise NOW

To any of those values the expiry is added (default value is 60 for 1 h)

@snarmaev
Author

@thoro Thank you for your suggestion. However, I am getting the following error:

ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "jwt" (class com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7), not marked as ignorable (one known property: "dynamic"])

@thoro

thoro commented Apr 27, 2020

It should look like this:

    authc:
      basic_internal_auth_domain:
        http_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/metadata.xml
              enable_ssl: true
              verify_hostnames: true
              entity_id: https://xxxx
            sp:
              entity_id: https://xxxx
            kibana_url: https://xxxx
            roles_key: Role
            exchange_key: xxxx
            jwt:
              expiry: AUTO+1440
        authentication_backend:
          type: noop

@seraphjiang seraphjiang added the question Further information is requested label May 19, 2020
@smalltown

I also encountered the same issue, adding the configuration doesn't work...

@julianbarnett

Is there a fix for this yet? Currently experiencing the same issues

@jonbev

jonbev commented Feb 12, 2021

Same here

@bbrendon

bbrendon commented Mar 26, 2021

@mvanderlee

This is actually a defect with the security project. Relevant code here: https://github.com/opensearch-project/security/blob/main/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java#L330

In my case it's related to the fact that Auth0 does not store the SessionNotOnOrAfter in the AuthnStatement, which is where the OneLogin library that OpenSearch uses expects it.
https://github.com/onelogin/java-saml/blob/master/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java#L832

This breaks the AUTO behaviour in our case.
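The thread has no code for the rule thoro spelled out earlier (jwt.expiry as AUTO / SESSION / NOW plus an offset in minutes) or for the observation just above that an IdP omitting SessionNotOnOrAfter turns AUTO into NOW. The following Python model is an added example covering both; it is not the security plugin's code and not from either commenter. It follows the rule as described in the comments (the offset is added to the chosen base), so the linked AuthTokenProcessorHandler.java remains the authority. The SAML responses are constructed, and the reading that the backend JWT expiry and the Dashboards session ttl are enforced independently (the earlier of the two ends the session) is an assumption drawn from the thread, not a documented contract.

```python
"""Model of the backend JWT expiry rule this thread describes (jwt.expiry in
config.yml: AUTO / SESSION / NOW plus an offset in minutes) and a small check
for whether an IdP's SAML Response carries the SessionNotOnOrAfter attribute
that AUTO depends on. Added example, not the security plugin's own code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
DEFAULT_OFFSET_MINUTES = 60  # the 1 h default mentioned in the thread


def parse_expiry_spec(spec: str) -> Tuple[str, int]:
    """Parse a jwt.expiry value such as 'AUTO+1440' into (base, minutes).

    A bare base ('AUTO') gets the 60 minute default; an unknown base or a
    non-positive offset is rejected rather than silently falling back.
    """
    base, _, offset = spec.strip().upper().partition("+")
    if base not in ("AUTO", "SESSION", "NOW"):
        raise ValueError(f"unknown expiry base {base!r}; expected AUTO, SESSION or NOW")
    minutes = int(offset) if offset else DEFAULT_OFFSET_MINUTES
    if minutes <= 0:
        raise ValueError("expiry offset must be a positive number of minutes")
    return base, minutes


def session_not_on_or_after(saml_response_xml: str) -> Optional[datetime]:
    """Return AuthnStatement/@SessionNotOnOrAfter from a SAML Response, or None.

    This is the place (the AuthnStatement, not Conditions) where the OneLogin
    library looks; an IdP that omits it makes AUTO behave like NOW.
    """
    root = ET.fromstring(saml_response_xml)
    for stmt in root.iterfind(".//saml:Assertion/saml:AuthnStatement", SAML_NS):
        value = stmt.get("SessionNotOnOrAfter")
        if value:
            return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return None


def jwt_expiry(spec: str, now: datetime, session_end: Optional[datetime]) -> datetime:
    """Pick the base the spec asks for, then add the offset (the rule as
    described in the thread; the linked Java source is the authority)."""
    base, minutes = parse_expiry_spec(spec)
    if base == "NOW":
        anchor = now
    elif base == "SESSION":
        if session_end is None:
            raise ValueError("SESSION needs SessionNotOnOrAfter in the SAML response")
        anchor = session_end
    else:  # AUTO: use the IdP session end when present, otherwise now
        anchor = session_end if session_end is not None else now
    return anchor + timedelta(minutes=minutes)


def effective_session_end(now: datetime, jwt_exp: datetime, session_ttl_ms: int) -> datetime:
    """Whichever limit expires first ends the Dashboards session (assumption:
    the backend JWT expiry and the Dashboards session ttl are enforced
    independently, which is why raising only the ttl changes nothing)."""
    return min(jwt_exp, now + timedelta(milliseconds=session_ttl_ms))


# Constructed sample responses (not real IdP output, signatures omitted):
# one with SessionNotOnOrAfter on the AuthnStatement and one without it.
RESPONSE_WITH_SESSION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2023-07-18T08:00:00Z"
        SessionIndex="_constructed-session" SessionNotOnOrAfter="2023-07-18T16:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
RESPONSE_WITHOUT_SESSION = RESPONSE_WITH_SESSION.replace(
    ' SessionNotOnOrAfter="2023-07-18T16:00:00Z"', "")


def demo() -> dict:
    """Walk the cases from the thread; returns ISO timestamps for inspection."""
    now = datetime(2023, 7, 18, 8, 0, tzinfo=timezone.utc)
    with_end = session_not_on_or_after(RESPONSE_WITH_SESSION)
    without_end = session_not_on_or_after(RESPONSE_WITHOUT_SESSION)
    default_exp = jwt_expiry("AUTO", now, without_end)  # unconfigured backend: 1 h
    return {
        "auto_1440_with_session": jwt_expiry("AUTO+1440", now, with_end).isoformat(),
        "auto_1440_without_session": jwt_expiry("AUTO+1440", now, without_end).isoformat(),
        "default_without_session": default_exp.isoformat(),
        # a 24 h Dashboards ttl cannot outlive the 60 min backend JWT
        "effective_with_24h_ttl": effective_session_end(now, default_exp, 86_400_000).isoformat(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two symptoms reported here side by side: with an unconfigured backend the JWT ends one hour after login no matter how large the Dashboards ttl is, and with AUTO+1440 an IdP that omits SessionNotOnOrAfter still gets a 24 h session, only anchored at login time instead of at the IdP's session end. Feed `session_not_on_or_after` a real response captured from your own IdP to see which branch of AUTO you are actually on.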

@mhoydis13

This is still an active issue for anyone using openid_auth_domain

@DarshitChanpura
Member

[Triage] We'd love to see a pull request that addresses this issue.

@DarshitChanpura DarshitChanpura added the help wanted Extra attention is needed, need help from community label May 27, 2022
@sushovan23

Any update on this? We are facing the same issue using openid_auth_domain -> type: openid

@taltsafrirpx

Any update on this?
I'm using SAML with Okta and my session expires after 60 minutes

@hm2thr33

Hi!
I am using Azure AD and had the same problem.
To extend the session timeout, add the following settings in dashboard.yml:

# Extend the session timeout
opensearch_security.session.ttl: 28800000
opensearch_security.cookie.ttl: 28800000
opensearch_security.session.keepalive: true

Indicate the length of time you want in milliseconds, for example, 8 hours as in the example above.

Tested on 2 clusters of OpenSearch 2.7.0 version.
Cluster A with these settings and cluster B without them.

Cluster A - works without session timeout
Cluster B - session timeout after 1 hour

@hobti01

hobti01 commented May 26, 2023

We are seeing this issue with openid_auth_domain, regardless of session cookie settings.
Do we need another issue for Opensearch Dashboards/OIDC vs. Kibana/SAML?

@StefanStroebel

Hi! I am using Azure AD and had the same problem. To extend the session timeout, add the following settings in dashboard.yml:

# Extend the session timeout
opensearch_security.session.ttl: 28800000
opensearch_security.cookie.ttl: 28800000
opensearch_security.session.keepalive: true

Indicate the length of time you want in milliseconds, for example, 8 hours as in the example above.

Tested on 2 clusters of OpenSearch 2.7.0 version. Cluster A with these settings and cluster B without them.

Cluster A - works without session timeout. Cluster B - session timeout after 1 hour.

So I have made all these setting changes and am still getting logged out at exactly 60 minutes. All users can log in just fine, but at exactly 60 min, whether active or not, they get redirected to the login screen. They click the SSO button and are back in. My latest update was to change the order so that OpenID was order: 0 and internal auth was order: 1

    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: false
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://login.microsoftonline.com/xxxxxxxxxxxxxxxx/v2.0/.well-known/openid-configuration
        authentication_backend:
          type: noop

@K3ndu

K3ndu commented Jun 8, 2023

Any plans to fix this issue? We are also having this problem and it's quite annoying.

@hobti01

hobti01 commented Jun 9, 2023

FYI this issue persists with opensearch 2.8.0

@StefanStroebel

It seems this isn't a config issue as many users are experiencing it. Will there be a defect opened?

@davidlago davidlago added bug Something isn't working and removed question Further information is requested labels Jun 13, 2023
@dominik-paiha-auva

dominik-paiha-auva commented Jul 18, 2023

After digging deeper into the config I came to the conclusion that the reason for the behaviour is the default access token lifetime of the IdP.

I evaluated that with an Entra ID (formerly Azure AD) based system with a custom token lifetime policy (details can be seen at https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes). The following pwsh was used by me and resulted in a session lifetime of 8 hours. To be sure that the access token lifetime is the reason for the behaviour, I configured the session cookie lifetime to 24 hours, i.e. opensearch_security.session.ttl: 86400000.
Can someone try to validate my findings?

Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration","Policy.Read.All","Application.ReadWrite.All"

# Create a token lifetime policy
$params = @{
    Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}')
    DisplayName = "WebPolicyScenario"
    IsOrganizationDefault = $false
}
$tokenLifetimePolicyId = (New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id

# Display the policy
Get-MgPolicyTokenLifetimePolicy -TokenLifetimePolicyId $tokenLifetimePolicyId

# Assign the token lifetime policy to an app
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
}

# ATTENTION - place the OBJECT ID of the application, NOT the AppID in the following variable !!!
# the obj ID can be seen with the following statement
#   Get-MgApplication
# i.e. to filter for an App with the Displayname "LOGGING-DEV/INT"
#   PS D:\...\Opensearch-Policy> get-mgapplication -Filter "DisplayName eq 'Logging-Dev/Int'"
#   DisplayName     Id                                   AppId                                SignInAudience PublisherDomain
#   -----------     --                                   -----                                -------------- ---------------
#   LOGGING-DEV/INT b6xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx3fb2 d1xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx948e AzureADMyOrg   remov.ed
#

$applicationObjectId = "b6xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx3fb2"
New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params
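Before changing a token lifetime policy as in the comment above, it helps to confirm which lifetime the IdP actually stamps on the tokens it issues. The following Python diagnostic is an added example, not part of the security plugin and not from the comment above: it reads iat/exp from a token and reports whether the IdP token or the Dashboards ttl is the binding limit. The sample token is constructed with a placeholder signature, and the reading that both limits are enforced independently is an assumption taken from the observations in this thread.

```python
"""Read-only check of the lifetime an OIDC IdP stamps on a token, for the
situation described in this thread (the Dashboards session ends when the
IdP's access token expires, whatever the cookie/session ttl says).
Added example, not the security plugin's code; the sample token is constructed
and carries a placeholder signature."""
import base64
import json
from datetime import datetime, timedelta, timezone
from typing import Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_lifetime(token: str) -> Tuple[datetime, datetime, timedelta]:
    """Return (issued_at, expires_at, lifetime) from a JWT's iat/exp claims.

    The signature is not verified here on purpose: this only inspects what
    lifetime the IdP wrote into the token; it must never gate access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    issued = datetime.fromtimestamp(int(claims["iat"]), tz=timezone.utc)
    expires = datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)
    if expires <= issued:
        raise ValueError("exp is not after iat")
    return issued, expires, expires - issued


def binding_limit(token_life: timedelta, session_ttl_ms: int) -> str:
    """Which limit ends the session first: the IdP token or the Dashboards ttl.
    Assumes both limits are enforced independently, as observed in the thread."""
    session_life = timedelta(milliseconds=session_ttl_ms)
    if token_life < session_life:
        return "idp_token"
    if session_life < token_life:
        return "dashboards_ttl"
    return "equal"


def constructed_token(iat: int, exp: int) -> str:
    """Build a sample token for offline use. The header and claims are
    constructed and the signature segment is a placeholder, so the token
    cannot pass verification anywhere."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"iat": iat, "exp": exp, "sub": "constructed-user"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def demo() -> dict:
    """Compare the IdP default (1 h) with the 8 h policy from the thread
    against a 24 h Dashboards session ttl (86400000 ms)."""
    issued = 1689667200  # 2023-07-18T08:00:00Z, constructed
    one_hour = constructed_token(issued, issued + 3600)
    eight_hours = constructed_token(issued, issued + 8 * 3600)
    _, _, default_life = token_lifetime(one_hour)
    _, _, policy_life = token_lifetime(eight_hours)
    return {
        "default_lifetime_seconds": int(default_life.total_seconds()),
        "default_binding_limit": binding_limit(default_life, 86_400_000),
        "policy_lifetime_seconds": int(policy_life.total_seconds()),
        "policy_binding_limit": binding_limit(policy_life, 86_400_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a real token pasted into `token_lifetime`, a 3600 second result next to a 24 h session ttl explains the exact-60-minute logouts reported throughout this thread: the ttl is not the limit that fires. Treat the decoded claims as untrusted input for diagnosis only; the function deliberately skips signature checks.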

@elnoxgdl

Bump! I'm facing this issue as well. Running Dashboards 2.8.0 using SAML. It logs the user out after exactly 60 minutes even when the session is not that short. I tried everything described here but it is still not honoring the TTL.

@tomuk5

tomuk5 commented Aug 23, 2023

same here, running Dashboards 2.9.0 using SAML (Google as IDP) the user is logged out exactly after 60 minutes even when custom settings for TTL are set in the yaml config.

@dominik-paiha-auva

same here, running Dashboards 2.9.0 using SAML (Google as IDP) the user is logged out exactly after 60 minutes even when custom settings for TTL are set in the yaml config.

Seems to be the same issue with Google IdP. You need to change the default lifetime of the access token. Look at https://cloud.google.com/docs/authentication/token-types#at-lifetime

@tomuk5

tomuk5 commented Aug 28, 2023

same here, running Dashboards 2.9.0 using SAML (Google as IDP) the user is logged out exactly after 60 minutes even when custom settings for TTL are set in the yaml config.

Seems to be the same issue with Google IdP. You need to change the default lifetime of the access token. Look at https://cloud.google.com/docs/authentication/token-types#at-lifetime

Big caveat: you can't create access tokens with an extended lifetime for user credentials or external identities, so this is not a solution for users at all.

@danielwhatmuff

bump

@skbinwal

Any update on this issue? We have used all the suggested options. We are using Ping ID (OIDC) and are facing a forced session timeout of 15 min irrespective of the configuration we add in the security plugins for the Dashboards or OpenSearch pods.
Here is our configuration.

Dashboard:

    opensearch_security:
      cookie:
        secure: true
        ttl: 86400000
      session:
        ttl: 86400000
        keepalive: true
      auth:
        type: [ "openid" ]
        multiple_auth_enabled: false
      openid:
        base_redirect_url: "xxxx/dashboards"
        connect_url: "/.well-known/openid-configuration"
        scope: openid
        client_id: xxxx
        client_secret: xxxx

Opensearch:
    openid_auth_domain:
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: openid
        challenge: false
        config:
          jwt:
            expiry: AUTO+1440
          openid_connect_idp:
            enable_ssl: true
            verify_hostnames: false
            pemtrustedcas_filepath: "/rootCa.pem"
          subject_key: sub
          openid_connect_url: "xxxx/.well-known/openid-configuration"

@orest-gulman

SAML Azure AD - same issue.

@derek-ho
Collaborator

derek-ho commented Feb 13, 2024

This issue is getting a little long in the tooth. It seems to me like there are several issues mentioned, some related, some not, and some based on opendistro, which may or may not be out of date. From what I see the issues are:

I will be closing this issue with the merging of #1773. Anybody please feel free to open a follow-up issue with detailed reproduction steps (IDP, opensearch_dashboards.yml settings, opensearch security backend config, etc.) so I can better address individual concerns. Thanks!

Additionally, we have a RFC #1711 to discuss confusion around some of the settings. If anyone has any thoughts, please leave them there, thanks!

@snarmaev @thoro @smalltown @jonbev @jbarnett1981 @bbrendon @mvanderlee @mhoydis13 @sushovan23 @taltsafrirpx @hm2thr33 @StefanStroebel @hobti01 @dominik-paiha-auva @elnoxgdl @tomuk5 @dominik-paiha-auva @danielwhatmuff
@skbinwal @orest-gulman

@derek-ho derek-ho self-assigned this Feb 13, 2024
@derek-ho
Collaborator

Closing this as #1773 was merged.

@shree1999

Hi @derek-ho, thanks for taking the time to make a fix for this.
I have just one question: is this available in the 2.12.0 version of OpenSearch Dashboards?

I am asking this because it hasn't been mentioned in the release notes https://github.com/opensearch-project/security-dashboards-plugin/releases/tag/2.12.0.0

@derek-ho
Collaborator

@shree1999 sorry I just saw this - this didn't make it into the 2.12.0 release, and instead will be available in 2.13. That should be released by April 2nd: https://opensearch.org/releases.html

@jkrishnarao2003

Is this session timeout issue fixed in latest OpenSearch 2.16.0 release?

@ComBin

ComBin commented Sep 9, 2024

In 2.14 it works fine.

@jkrishnarao2003

Is the session issue fixed in 2.14, or do we need to configure the settings below?

# Extend the session timeout

opensearch_security.session.ttl: 28800000
opensearch_security.cookie.ttl: 28800000
opensearch_security.session.keepalive: true
