[Feature-Proposal] Enable Multiple Authentication for OpenSearch Dashboard #2100

Closed
aoguan1990 opened this issue Aug 9, 2022 · 5 comments · Fixed by opensearch-project/security-dashboards-plugin#1110
Labels
enhancement New feature or request v2.4.0 'Issues and PRs related to version v2.4.0'

Comments

@aoguan1990
Contributor

aoguan1990 commented Aug 9, 2022

What are you proposing?

Leverage the functionality to allow OpenSearch Dashboards administrators to enable multiple authentication types on demand by setting up OpenSearch Dashboards configuration. For OpenSearch Dashboards with Security Plugin enabled, at least one authentication type should be configured.

| | In Scope | Out of Scope |
|---|---|---|
| Single Authentication Mode | Basic, OpenID Connect, SAML, Proxy, JWT | |
| Multiple Authentication Mode | Basic, OpenID Connect, SAML | Proxy, JWT |

How did you come up with this proposal?

As of now, OpenSearch Dashboards supports many types of authentication, including Basic, OIDC, SAML, LDAP, Proxy and Client-Certificate based authentication. However, only one authentication type can be configured in OpenSearch Dashboards, while there is high demand for the opposite. After capturing and analyzing customer requests from both GitHub and the OpenSearch Community, the great value of enabling multiple authentication types simultaneously in OpenSearch Dashboards is self-evident.

Related Customer Request

  1. GitHub Issues:
  2. OpenSearch Community Issues:

Authentication Use Cases

Use Case 1:

Authentication Type: Basic and OIDC / SAML
IDP:

  • Internal IDP for Basic Auth: OpenSearch
  • External IDP for OIDC / SAML Auth: Enterprise based IDP

This use case applies to organizations that use a dedicated third-party IDP to manage OpenSearch Dashboards User Identity. This solution can further integrate the OpenSearch Dashboards authentication solution with these organizations’ Single-Sign-On Solution. In this use case, OpenSearch serves as an Internal IDP to maintain authentication information for Admin or Service OpenSearch Dashboards accounts. The Enterprise-based IDP serves as an external IDP to maintain authentication information for *Regular OpenSearch Dashboards accounts.

Use Case 2:

Authentication Type: Basic and OIDC
IDP:

  • Internal IDP for Basic Auth: OpenSearch
  • External IDP for OIDC Auth: Social based IDP

This use case applies to organizations that use a Social IDP to manage OpenSearch Dashboards User Identity. This solution can remove the identity management burden from the OpenSearch Dashboards admins’ shoulders. However, challenges still exist on access controls for Social SignIn accounts. In this use case, OpenSearch serves as an Internal IDP to maintain authentication information for Admin or Service OpenSearch Dashboards accounts. The Social-based IDP serves as an external IDP to maintain authentication information for *Regular OpenSearch Dashboards accounts.

What is the user experience going to be?

  1. Administrators set up authentication types and IDP-related endpoint configuration in opensearch-dashboards.yml
  2. Administrators start the OpenSearch Dashboards service
  3. The user clicks on the preferred method to log in to OpenSearch Dashboards
  4. Based on the authentication type picked by the user, OpenSearch Dashboards redirects the authentication request to different IDP endpoints to retrieve authentication information
  5. The user is authenticated and the session cookie is updated properly with a limited time period

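An added example, not part of the original issue or the plugin's code: one way to validate the configured authentication types against the scope table above, failing closed at startup instead of falling back to a default. The function name, the lowercase type labels and the accepted string-or-list setting shape are assumptions made for illustration.

```javascript
// Hypothetical labels for the types named in the proposal's scope table.
const SINGLE_MODE_TYPES = new Set(['basic', 'oidc', 'saml', 'proxy', 'jwt']);
// Per the proposal, Proxy and JWT are out of scope for multiple authentication mode.
const MULTI_MODE_TYPES = new Set(['basic', 'oidc', 'saml']);

// Takes the raw setting (a string or a list of strings, as it might appear in YAML)
// and returns { mode, types } or throws, so a bad config stops startup.
function resolveAuthTypes(setting) {
  const raw = setting == null ? [] : Array.isArray(setting) ? setting : [setting];
  const types = [];
  for (const entry of raw) {
    if (typeof entry !== 'string' || entry.trim() === '') {
      throw new Error('authentication type entries must be non-empty strings');
    }
    const t = entry.trim().toLowerCase();
    if (!types.includes(t)) types.push(t); // ignore duplicates, keep configured order
  }
  // The proposal requires at least one type when the Security Plugin is enabled.
  if (types.length === 0) {
    throw new Error('at least one authentication type must be configured');
  }
  const unknown = types.filter((t) => !SINGLE_MODE_TYPES.has(t));
  if (unknown.length > 0) {
    throw new Error(`unknown authentication type: ${unknown.join(', ')}`);
  }
  if (types.length === 1) {
    return { mode: 'single', types };
  }
  const notAllowed = types.filter((t) => !MULTI_MODE_TYPES.has(t));
  if (notAllowed.length > 0) {
    throw new Error(`not supported in multiple authentication mode: ${notAllowed.join(', ')}`);
  }
  // In multiple mode the login page would offer one option per entry, in this order.
  return { mode: 'multiple', types };
}
```
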

@dblock
Member

dblock commented Sep 16, 2022

There are links into docs internal at Amazon here that should be removed.

@aoguan1990
Contributor Author

> There are links into docs internal at Amazon here that should be removed.

Links are removed. Thanks!

@davidlago

Linking related issue to add documentation for this feature: opensearch-project/documentation-website#1488

@seraphjiang seraphjiang added the v2.4.0 'Issues and PRs related to version v2.4.0' label Oct 17, 2022
@kavilla
Member

kavilla commented Oct 24, 2022

@aoguan1990 is this possible for 2.4? I believe feature freeze is next week; if this is going to open as a PR, it might require some time to review.

@aoguan1990
Contributor Author

@kavilla Thank you so much for following up on this feature. Here is the PR.
