From 21f8a61557bca44da797908eef84751dbe3c1c10 Mon Sep 17 00:00:00 2001
From: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>
Date: Tue, 5 Dec 2023 14:34:15 -0500
Subject: [PATCH] Document client certificate options to support mutual TLS for OpenID endpoint (#5697)

* Document client certificate options to support mutual TLS for OpenID endpoint.

Signed-off-by: Calvin Harrison <74850112+Simple-Analysis@users.noreply.github.com>

* Update _security/authentication-backends/openid-connect.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>

* Update _security/authentication-backends/openid-connect.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>

* Update _security/authentication-backends/openid-connect.md

Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>

---------

Signed-off-by: Calvin Harrison <74850112+Simple-Analysis@users.noreply.github.com>
Signed-off-by: Simple-Analysis <74850112+Simple-Analysis@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
---
 _security/authentication-backends/openid-connect.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/_security/authentication-backends/openid-connect.md b/_security/authentication-backends/openid-connect.md
index 2ff75a3c..4d24f2ef 100755
--- a/_security/authentication-backends/openid-connect.md
+++ b/_security/authentication-backends/openid-connect.md
@@ -302,6 +302,12 @@ Name | Description
 `opensearch_security.openid.logout_url` | The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata.
 `opensearch_security.openid.base_redirect_url` | The base of the redirect URL that will be sent to your IdP. Optional. Only necessary when OpenSearch Dashboards is behind a reverse proxy, in which case it should be different than `server.host` and `server.port` in `opensearch_dashboards.yml`.
 `opensearch_security.openid.trust_dynamic_headers` | Compute `base_redirect_url` from the reverse proxy HTTP headers (`X-Forwarded-Host` / `X-Forwarded-Proto`). Optional. Default is `false`.
+`opensearch_security.openid.root_ca` | Path to the root CAs (PEM format) that your IdP's certificate can match or chain to. Optional.
+`opensearch_security.openid.certificate` | Cert chains (PEM format) to be used for mTLS when obtaining endpoints from your IdP. Optional.
+`opensearch_security.openid.private_key` | Private keys (PEM format) to be used for mTLS when obtaining endpoints from your IdP. Optional.
+`opensearch_security.openid.passphrase` | Passphrase used for a single `private_key` or a `pfx`. Optional.
+`opensearch_security.openid.pfx` | PFX or PKCS12 encoded private key and certificate chain to be used for mTLS when obtaining endpoints from your IdP. Alternative to `certificate` and `private_key`. Optional.
+`opensearch_security.openid.verify_hostnames` | Whether to verify the hostnames of the IdP's TLS certificate. Default is `true`. Optional.
 ### Configuration example
@@ -319,6 +325,11 @@ opensearch_security.openid.client_id: "opensearch-dashboards-sso"
 # The client secret of the OpenID Connect client
 opensearch_security.openid.client_secret: "a59c51f5-f052-4740-a3b0-e14ba355b520"
+# mTLS Options for obtaining endpoints from IdP
+opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/certs/ca.pem
+opensearch_security.openid.certificate: /usr/share/opensearch-dashboards/config/certs/cert.pem
+opensearch_security.openid.private_key: /usr/share/opensearch-dashboards/config/certs/key.pem
+
 # Use HTTPS instead of HTTP
 opensearch.url: "https://.com:"