Document client certificate options to support mutual TLS for OpenID endpoint #5697

Merged Dec 5, 2023 (8 commits)
11 changes: 11 additions & 0 deletions _security/authentication-backends/openid-connect.md
Expand Up @@ -302,6 +302,12 @@ Name | Description
`opensearch_security.openid.logout_url` | The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata.
`opensearch_security.openid.base_redirect_url` | The base of the redirect URL that will be sent to your IdP. Optional. Only necessary when OpenSearch Dashboards is behind a reverse proxy, in which case it should be different than `server.host` and `server.port` in `opensearch_dashboards.yml`.
`opensearch_security.openid.trust_dynamic_headers` | Compute `base_redirect_url` from the reverse proxy HTTP headers (`X-Forwarded-Host` / `X-Forwarded-Proto`). Optional. Default is `false`.
`opensearch_security.openid.root_ca` | Path to the root CAs (PEM format) that your IdP's certificate can match or chain to. Optional.
`opensearch_security.openid.certificate` | Cert chains (PEM format) to be used for mTLS when obtaining endpoints from your IdP. Optional.
`opensearch_security.openid.private_key` | Private keys (PEM format) to be used for mTLS when obtaining endpoints from your IdP. Optional.
`opensearch_security.openid.passphrase` | Passphrase used for a single `private_key` or a `pfx`. Optional.
`opensearch_security.openid.pfx` | PFX or PKCS12 encoded private key and certificate chain to be used for mTLS when obtaining endpoints from your IdP. Alternative to `certificate` and `private_key`. Optional.
`opensearch_security.openid.verify_hostnames` | Whether to verify the hostnames of the IdP's TLS certificate. Default is `true`. Optional.


### Configuration example
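Review bot: the new rows are inconsistent about cardinality and value type, which matters for anyone wiring this up. `opensearch_security.openid.certificate` says "Cert chains (PEM format)" and `private_key` says "Private keys (PEM format)", both plural, while `root_ca` says "Path to the root CAs" and `passphrase` refers to "a single `private_key`"; the example below the table passes one file path per option. Please state for each option whether it takes a single path or a list, and whether the value is a file path (as the example shows) or inline PEM text. Two further points for the same hunk: the `pfx` row says it is an "Alternative to `certificate` and `private_key`" but not which takes precedence if both are set, and the `verify_hostnames` row should carry an explicit caveat that `false` disables hostname verification of the IdP's TLS certificate, which removes protection against a man-in-the-middle presenting any certificate the configured `root_ca` will chain to, and is appropriate only for test environments.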
Expand All @@ -319,6 +325,11 @@ opensearch_security.openid.client_id: "opensearch-dashboards-sso"
# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: "a59c51f5-f052-4740-a3b0-e14ba355b520"

# mTLS Options for obtaining endpoints from IdP
opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/certs/ca.pem
opensearch_security.openid.certificate: /usr/share/opensearch-dashboards/config/certs/cert.pem
opensearch_security.openid.private_key: /usr/share/opensearch-dashboards/config/certs/key.pem

# Use HTTPS instead of HTTP
opensearch.url: "https://<hostname>.com:<http port>"
