[Enhancement]SAML Authentication can not be enabled with Anonymous

[aoguan1990]

What is the bug?
A clear and concise description of the bug.

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Enable the following feature flag in opensearch_dashboards.yml
   opensearch_security.auth.type: 'saml'
opensearch_security.auth.anonymous_auth_enabled: true
2. Go to OpenSearch Dashboards: http://localhost:5601/
3. Got Internal Exception:
   

What is the expected behavior?
User is able to login as Anonymous and by SAML based external IDP.

[devardee]

I guess that happens because in OSD security plugin, when SAML authentication beings it will get the SAML request (challenge) by hitting the authinfo api which will return anonymous user when anonymous auth is enabled. One way to force SAML challenge on unauthenticated requests is to introduce a header (ex : FORCE-AUTH:true), which will ensure anonymous user is not injected for unauthenticated requests, thoughts ?

[cwperks]

@opensearch-project/transfer-request Please move this to security-dashboards-plugin

[cwperks]

[Triage] @cliu123 Please follow-up on this issue.

[cliu123]

@aoguan1990 Is this a regression caused by multi-auth? If not, we can fix it separately.

[aoguan1990]

@cliu123 This is an existing issue with SAML. Multi-auth did not change any implementation for SAML authentication. Multi-auth also does not support SAML and Anonymous to be enabled at the same time, which is signed off by PM. As per discussion with developer from Search Guard during the training, Anonymous with SAML is not implemented. Use this issue to keep track of the enhancement.

[aoguan1990]

@opensearch-project/transfer-request Please move this to security-dashboards-plugin
@cwperks SAML authentication logic is implemented by backend security plugin. So this issue should be tracked under /security repo.

[peternied]

Multi-auth also does not support SAML and Anonymous to be enabled at the same time, which is signed off by PM

@aoguan1990 OpenSearch Project's own https://build.ci.opensearch.org/ uses Anonymous + SAML authentication for its Jenkins instance. Do you have a link to where decision was documented or @mention the person behind the decision?

Even if we don't support the scenario we, we should make sure its documented and include appropriate in-product blocks to prevent the configuration from being set.

[DarshitChanpura]

@aoguan1990 Would you need any help answering the question above?

[aoguan1990]

@peternied @DarshitChanpura Thank you so much for following up on this issue. Do you by any chance can reproduce this issue?

[peternied]

@aoguan1990 this issue has not been worked on AFAIK so we haven't attempted to reproduce - is there a pull request that allows SAML + anonymous auth over the break?

[stephen-crawford]

[Triage] @davidlago could you follow up with @aoguan1990. Thank you!

[stephen-crawford]

[Triage 2/6] Moving from "sprint backlog" to backlog.

[davidlago]

Closed by mistake, reopening.

[davidlago]

Closing in favor of #1236