Document client certificate options to support mutual TLS for OpenID endpoint (#5697)

* Document client certificate options to support mutual TLS for OpenID
endpoint.

Signed-off-by: Calvin Harrison <74850112+Simple-Analysis@users.noreply.github.com>

* Update _security/authentication-backends/openid-connect.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>

* Update _security/authentication-backends/openid-connect.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>

* Update _security/authentication-backends/openid-connect.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>

---------

Signed-off-by: Calvin Harrison <74850112+Simple-Analysis@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Simple-Analysis 2023-12-05 14:34:15 -05:00 committed by GitHub
parent 7019d80f89
commit 21f8a61557
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 11 additions and 0 deletions


@ -302,6 +302,12 @@ Name | Description
`opensearch_security.openid.logout_url` | The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata.
`opensearch_security.openid.base_redirect_url` | The base of the redirect URL that will be sent to your IdP. Optional. Only necessary when OpenSearch Dashboards is behind a reverse proxy, in which case it should be different than `server.host` and `server.port` in `opensearch_dashboards.yml`.
`opensearch_security.openid.trust_dynamic_headers` | Compute `base_redirect_url` from the reverse proxy HTTP headers (`X-Forwarded-Host` / `X-Forwarded-Proto`). Optional. Default is `false`.
`opensearch_security.openid.root_ca` | Path to the root CAs (PEM format) that your IdP's certificate can match or chain to. Optional.
`opensearch_security.openid.certificate` | Cert chains (PEM format) to be used for mTLS when obtaining endpoints from your IdP. Optional.
`opensearch_security.openid.private_key` | Private keys (PEM format) to be used for mTLS when obtaining endpoints from your IdP. Optional.
`opensearch_security.openid.passphrase` | Passphrase used for a single `private_key` or a `pfx`. Optional.
`opensearch_security.openid.pfx` | PFX or PKCS12 encoded private key and certificate chain to be used for mTLS when obtaining endpoints from your IdP. Alternative to `certificate` and `private_key`. Optional.
`opensearch_security.openid.verify_hostnames` | Whether to verify the hostnames of the IdP's TLS certificate. Default is `true`. Optional.
### Configuration example
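Review bot: the new `pfx` row describes the format as "PFX or PKCS12 encoded", but PFX and PKCS #12 are the same container format, so the sentence reads as if two different encodings were accepted; suggest "PKCS #12 (`.pfx`/`.p12`) encoded private key and certificate chain". Two smaller documentation points in the same block of added rows: the `private_key` row says "Private keys (PEM format)" (plural) while the `passphrase` row says it applies to "a single `private_key`", so state whether the option takes one path or a list and, if a list, whether one passphrase covers all of them; and the `verify_hostnames` row should say what disabling it gives up (the Dashboards client no longer checks that the IdP's certificate name matches the endpoint hostname, so the trust established through `root_ca` is weakened), since otherwise a reader cannot tell why the default is `true`.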
@ -319,6 +325,11 @@ opensearch_security.openid.client_id: "opensearch-dashboards-sso"
# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: "a59c51f5-f052-4740-a3b0-e14ba355b520"
# mTLS Options for obtaining endpoints from IdP
opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/certs/ca.pem
opensearch_security.openid.certificate: /usr/share/opensearch-dashboards/config/certs/cert.pem
opensearch_security.openid.private_key: /usr/share/opensearch-dashboards/config/certs/key.pem
# Use HTTPS instead of HTTP
opensearch.url: "https://<hostname>.com:<http port>"
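Review bot: the example configures `certificate` and `private_key` but shows neither `passphrase` nor `pfx`, so a reader with an encrypted key or a PKCS #12 bundle has nothing to copy from; suggest adding a commented-out `opensearch_security.openid.passphrase:` line directly under `private_key` and a short note that `key.pem` (or the `pfx` file) must be readable only by the OpenSearch Dashboards process user, given that the example places it under the same `config` directory that already holds the `client_secret` in plain text. The comment `# mTLS Options for obtaining endpoints from IdP` would also benefit from stating that these settings govern only the Dashboards-to-IdP connection used to fetch endpoints, not the end user's browser session, so the example matches the scope given in the table rows above.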