From e5ed103a1ad877723d5cf3a53d6fe7e9ba2960ae Mon Sep 17 00:00:00 2001
From: Naarcha-AWS
Date: Thu, 14 Apr 2022 12:27:27 -0500
Subject: [PATCH 1/6] Add allowlist for more inclusive nomenclature

Signed-off-by: Naarcha-AWS
---
 _dashboards/branding.md | 2 +-
 _dashboards/install/tls.md | 2 +-
 _security-plugin/access-control/multi-tenancy.md | 4 ++--
 _security-plugin/configuration/ldap.md | 6 +++---
 _security-plugin/configuration/openid-connect.md | 4 ++--
 _security-plugin/configuration/proxy.md | 4 ++--
 _security-plugin/configuration/saml.md | 12 ++++++------
 _security-plugin/configuration/yaml.md | 8 ++++----
 _troubleshoot/saml.md | 6 +++---
 9 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/_dashboards/branding.md b/_dashboards/branding.md
index 62763cfd..1fc95bf1 100644
--- a/_dashboards/branding.md
+++ b/_dashboards/branding.md
@@ -100,7 +100,7 @@ opensearch.hosts: ["https://localhost:9200"]
 opensearch.ssl.verificationMode: none
 opensearch.username: "kibanaserver"
 opensearch.password: "kibanaserver"
-opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+opensearch.requestHeadersallowlist: [ authorization,securitytenant ]
 #server.ssl.enabled: true
 #server.ssl.certificate: /path/to/your/server/certificate
 #server.ssl.key: /path/to/your/server/key
diff --git a/_dashboards/install/tls.md b/_dashboards/install/tls.md
index 546dd36b..9ddc7414 100644
--- a/_dashboards/install/tls.md
+++ b/_dashboards/install/tls.md
@@ -25,7 +25,7 @@ opensearch.hosts: ["https://localhost:9200"]
 opensearch.ssl.verificationMode: full
 opensearch.username: "kibanaserver"
 opensearch.password: "kibanaserver"
-opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+opensearch.requestHeadersallowlist: [ authorization,securitytenant ]
 server.ssl.enabled: true
 server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
 server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
diff --git a/_security-plugin/access-control/multi-tenancy.md b/_security-plugin/access-control/multi-tenancy.md
index fdde01df..36809dc2 100644
--- a/_security-plugin/access-control/multi-tenancy.md
+++ b/_security-plugin/access-control/multi-tenancy.md
@@ -46,7 +46,7 @@ Setting | Description
 ```yml
 opensearch.username: kibanaserver
 opensearch.password: kibanaserver
-opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch.requestHeadersallowlist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: true
 opensearch_security.multitenancy.tenants.enable_global: true
 opensearch_security.multitenancy.tenants.enable_private: true
@@ -56,7 +56,7 @@ opensearch_security.multitenancy.enable_filter: false

 Setting | Description
 :--- | :---
-`opensearch.requestHeadersWhitelist` | OpenSearch Dashboards requires that you whitelist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not whitelisted, OpenSearch Dashboards starts with a red status.
+`opensearch.requestHeadersallowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not allowlisted, OpenSearch Dashboards starts with a red status.
 `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true.
 `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true.
 `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true.
diff --git a/_security-plugin/configuration/ldap.md b/_security-plugin/configuration/ldap.md
index b2d71134..7d427a68 100755
--- a/_security-plugin/configuration/ldap.md
+++ b/_security-plugin/configuration/ldap.md
@@ -433,7 +433,7 @@ By default, the security plugin reads all LDAP user attributes and makes them av

 Name | Description
 :--- | :---
-`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
+`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
 `custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.

 Example:
@@ -446,7 +446,7 @@ authz:
 authorization_backend:
 type: ldap
 config:
- custom_attr_whitelist:
+ custom_attr_allowlist:
 - attribute1
 - attribute2
 custom_attr_maxval_len: 36
@@ -501,7 +501,7 @@ Name | Description
 `skip_users` | Array of users that should be skipped when retrieving roles. Wildcards and regular expressions are supported.
 `nested_role_filter` | Array of role DNs that should be filtered before resolving nested roles. Wildcards and regular expressions are supported.
 `rolesearch_enabled` | Boolean. Enable or disable the role search. Default is `true`.
-`custom_attr_whitelist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
+`custom_attr_allowlist` | String array. Specifies the LDAP attributes that should be made available for variable substitution.
 `custom_attr_maxval_len` | Integer. Specifies the maximum allowed length of each attribute. All attributes longer than this value are discarded. A value of `0` disables custom attributes altogether. Default is 36.


diff --git a/_security-plugin/configuration/openid-connect.md b/_security-plugin/configuration/openid-connect.md
index cdb8c3f9..c214b987 100755
--- a/_security-plugin/configuration/openid-connect.md
+++ b/_security-plugin/configuration/openid-connect.md
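Review bot: The three ldap.md hunks rename a plugin-consumed configuration key, `custom_attr_whitelist` → `custom_attr_allowlist`, in the reference table and in the `authz` example, but nothing in the series says whether the security plugin release these docs target actually reads the new spelling. If it does not, a reader who copies the example would presumably end up with no attribute restriction applied at all, which is the opposite of what the setting is for; please confirm against the plugin's configuration parser and, if only some releases accept the new key, say so next to the table row, e.g. `Available as of security plugin <VERSION — fill in>; earlier releases use ` + "`custom_attr_whitelist`" + `.`. The same question applies to `type: "allowlist"` and the `allowlist.yml` filename in the yaml.md hunk of this patch.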
@@ -308,8 +308,8 @@ opensearch.password: "kibanaserver"
 # Disable SSL verification when using self-signed demo certificates
 opensearch.ssl.verificationMode: none

-# Whitelist basic headers and multi-tenancy header
-opensearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
+# allowlist basic headers and multi-tenancy header
+opensearch.requestHeadersallowlist: ["Authorization", "security_tenant"]
 ```


diff --git a/_security-plugin/configuration/proxy.md b/_security-plugin/configuration/proxy.md
index bbbe23c2..c12f88b9 100644
--- a/_security-plugin/configuration/proxy.md
+++ b/_security-plugin/configuration/proxy.md
@@ -192,10 +192,10 @@ config:
 internalProxies: ''
 ```

-To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header whitelist in `opensearch_dashboards.yml`:
+To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allowlist in `opensearch_dashboards.yml`:

 ```yml
-opensearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
+opensearch.requestHeadersallowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
 ```

 You must also enable the authentication type in `opensearch_dashboards.yml`:
diff --git a/_security-plugin/configuration/saml.md b/_security-plugin/configuration/saml.md
index a2a789e7..289c8ae4 100755
--- a/_security-plugin/configuration/saml.md
+++ b/_security-plugin/configuration/saml.md
@@ -302,16 +302,16 @@ Because most of the SAML-specific configuration is done in the security plugin,
 opensearch_security.auth.type: "saml"
 ```

-In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be whitelisted:
+In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be allowlisted:

 ```yml
-server.xsrf.whitelist: ["/_plugins/_security/saml/acs"]
+server.xsrf.allowlist: ["/_plugins/_security/saml/acs"]
 ```

-If you use the logout POST binding, you also need to whitelist the logout endpoint:
+If you use the logout POST binding, you also need to allowlist the logout endpoint:

 ```yml
-server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
+server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
 ```

 ### IdP-initiated SSO
@@ -322,8 +322,8 @@ To use IdP-initiated SSO, set the Assertion Consumer Service endpoint of your Id
 /_plugins/_security/saml/acs/idpinitiated
 ```

-Then add this endpoint to `server.xsrf.whitelist` in `opensearch_dashboards.yml`:
+Then add this endpoint to `server.xsrf.allowlist` in `opensearch_dashboards.yml`:

 ```yml
-server.xsrf.whitelist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
+server.xsrf.allowlist: ["/_plugins/_security/saml/acs/idpinitiated", "/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
 ```
diff --git a/_security-plugin/configuration/yaml.md b/_security-plugin/configuration/yaml.md
index 114f080d..1f3a0eff 100644
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@@ -124,16 +124,16 @@ plugins.security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d]
 plugins.security.restapi.password_validation_error_message: "Password must be minimum 8 characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character."
 ```

-## whitelist.yml
+## allowlist.yml

-You can use `whitelist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.
+You can use `allowlist.yml` to add any endpoints and HTTP requests to a list of allowed endpoints and requests. If enabled, all users except the super admin are allowed access to only the specified endpoints and HTTP requests, and all other HTTP requests associated with the endpoint are denied. For example, if GET `_cluster/settings` is added to the allow list, users cannot submit PUT requests to `_cluster/settings` to update cluster settings.

 Note that while you can configure access to endpoints this way, for most cases, it is still best to configure permissions using the security plugin's users and roles, which have more granular settings.

 ```yml
 ---
 _meta:
- type: "whitelist"
+ type: "allowlist"
 config_version: 2

 # Description:
@@ -165,7 +165,7 @@ requests:
 - PUT
 ```

-You can also add custom indices to the allow list. `whitelist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
+You can also add custom indices to the allow list. `allowlist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
 ```yml
 requests:
 # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1
diff --git a/_troubleshoot/saml.md b/_troubleshoot/saml.md
index 7191a82a..2ef748a1 100644
--- a/_troubleshoot/saml.md
+++ b/_troubleshoot/saml.md
@@ -45,12 +45,12 @@ The endpoint the OpenSearch Dashboards security plugin provides is:
 /_plugins/_security/saml/acs
 ```

-Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to whitelist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
+Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to allowlist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.

-OpenSearch Dashboards also requires you to whitelist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:
+OpenSearch Dashboards also requires you to allowlist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:

 ```
-server.xsrf.whitelist: [/_plugins/_security/saml/acs]
+server.xsrf.allowlist: [/_plugins/_security/saml/acs]
 ```



From 9194940dbf7d47e2d935a8dae66c2d19d4460139 Mon Sep 17 00:00:00 2001
From: Naarcha-AWS
Date: Mon, 25 Apr 2022 12:46:16 -0500
Subject: [PATCH 2/6] Add feedback.

Signed-off-by: Naarcha-AWS
---
 _security-plugin/access-control/multi-tenancy.md | 2 +-
 _security-plugin/configuration/yaml.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/_security-plugin/access-control/multi-tenancy.md b/_security-plugin/access-control/multi-tenancy.md
index 36809dc2..7229729a 100644
--- a/_security-plugin/access-control/multi-tenancy.md
+++ b/_security-plugin/access-control/multi-tenancy.md
@@ -56,7 +56,7 @@ opensearch_security.multitenancy.enable_filter: false

 Setting | Description
 :--- | :---
-`opensearch.requestHeadersallowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not allowlisted, OpenSearch Dashboards starts with a red status.
+`opensearch.requestHeadersallowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allowlist, OpenSearch Dashboards starts with a red status.
 `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true.
 `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true.
 `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true.
diff --git a/_security-plugin/configuration/yaml.md b/_security-plugin/configuration/yaml.md
index 1f3a0eff..6f75ee36 100644
--- a/_security-plugin/configuration/yaml.md
+++ b/_security-plugin/configuration/yaml.md
@@ -165,7 +165,7 @@ requests:
 - PUT
 ```

-You can also add custom indices to the allow list. `allowlist.yml` doesn't support wildcards, so you must manually specify all of the indices you want to add.
+You can also add custom indices to the allow list. `allowlist.yml` doesn't support wildcards, so you must manually specify all of the indexes you want to add.
 ```yml
 requests:
 # Only allow GET requests to /sample-index1/_doc/1 and /sample-index2/_doc/1
From 1add8f4bb9f9bd6c611d13518ddedf502ae94f0d Mon Sep 17 00:00:00 2001
From: Naarcha-AWS
Date: Mon, 25 Apr 2022 16:22:59 -0500
Subject: [PATCH 3/6] Add Camelcase

Signed-off-by: Naarcha-AWS
---
 _dashboards/branding.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_dashboards/branding.md b/_dashboards/branding.md
index 1fc95bf1..7460abcc 100644
--- a/_dashboards/branding.md
+++ b/_dashboards/branding.md
@@ -100,7 +100,7 @@ opensearch.hosts: ["https://localhost:9200"]
 opensearch.ssl.verificationMode: none
 opensearch.username: "kibanaserver"
 opensearch.password: "kibanaserver"
-opensearch.requestHeadersallowlist: [ authorization,securitytenant ]
+opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
 #server.ssl.enabled: true
 #server.ssl.certificate: /path/to/your/server/certificate
 #server.ssl.key: /path/to/your/server/key

From 28194d5653266315810bd660235c401a955e01d6 Mon Sep 17 00:00:00 2001
From: Naarcha-AWS
Date: Tue, 3 May 2022 14:36:26 -0500
Subject: [PATCH 4/6] Add CamelCase:

Signed-off-by: Naarcha-AWS
---
 _dashboards/install/tls.md | 2 +-
 _security-plugin/access-control/multi-tenancy.md | 4 ++--
 _security-plugin/configuration/openid-connect.md | 2 +-
 _security-plugin/configuration/proxy.md | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/_dashboards/install/tls.md b/_dashboards/install/tls.md
index 9ddc7414..22f123bc 100644
--- a/_dashboards/install/tls.md
+++ b/_dashboards/install/tls.md
@@ -25,7 +25,7 @@ opensearch.hosts: ["https://localhost:9200"]
 opensearch.ssl.verificationMode: full
 opensearch.username: "kibanaserver"
 opensearch.password: "kibanaserver"
-opensearch.requestHeadersallowlist: [ authorization,securitytenant ]
+opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
 server.ssl.enabled: true
 server.ssl.certificate: /usr/share/opensearch-dashboards/config/client-cert.pem
 server.ssl.key: /usr/share/opensearch-dashboards/config/client-cert-key.pem
diff --git a/_security-plugin/access-control/multi-tenancy.md b/_security-plugin/access-control/multi-tenancy.md
index 7229729a..db3a0ecb 100644
--- a/_security-plugin/access-control/multi-tenancy.md
+++ b/_security-plugin/access-control/multi-tenancy.md
@@ -46,7 +46,7 @@ Setting | Description
 ```yml
 opensearch.username: kibanaserver
 opensearch.password: kibanaserver
-opensearch.requestHeadersallowlist: ["securitytenant","Authorization"]
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: true
 opensearch_security.multitenancy.tenants.enable_global: true
 opensearch_security.multitenancy.tenants.enable_private: true
@@ -56,7 +56,7 @@ opensearch_security.multitenancy.enable_filter: false

 Setting | Description
 :--- | :---
-`opensearch.requestHeadersallowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allowlist, OpenSearch Dashboards starts with a red status.
+`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allowlist, OpenSearch Dashboards starts with a red status.
 `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true.
 `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true.
 `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true.
diff --git a/_security-plugin/configuration/openid-connect.md b/_security-plugin/configuration/openid-connect.md
index c214b987..959193a5 100755
--- a/_security-plugin/configuration/openid-connect.md
+++ b/_security-plugin/configuration/openid-connect.md
@@ -309,7 +309,7 @@ opensearch.password: "kibanaserver"
 opensearch.ssl.verificationMode: none

 # allowlist basic headers and multi-tenancy header
-opensearch.requestHeadersallowlist: ["Authorization", "security_tenant"]
+opensearch.requestHeadersAllowlist: ["Authorization", "security_tenant"]
 ```


diff --git a/_security-plugin/configuration/proxy.md b/_security-plugin/configuration/proxy.md
index c12f88b9..cdcfb4f9 100644
--- a/_security-plugin/configuration/proxy.md
+++ b/_security-plugin/configuration/proxy.md
@@ -195,7 +195,7 @@ config:
 To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allowlist in `opensearch_dashboards.yml`:

 ```yml
-opensearch.requestHeadersallowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
 ```

 You must also enable the authentication type in `opensearch_dashboards.yml`:

From 73eea241ef36c186a079cc33c5b8ab011b18a619 Mon Sep 17 00:00:00 2001
From: Naarcha-AWS
Date: Tue, 3 May 2022 14:38:37 -0500
Subject: [PATCH 5/6] Remove use of allowlist

Signed-off-by: Naarcha-AWS
---
 _security-plugin/access-control/multi-tenancy.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_security-plugin/access-control/multi-tenancy.md b/_security-plugin/access-control/multi-tenancy.md
index db3a0ecb..dfbee950 100644
--- a/_security-plugin/access-control/multi-tenancy.md
+++ b/_security-plugin/access-control/multi-tenancy.md
@@ -56,7 +56,7 @@ opensearch_security.multitenancy.enable_filter: false

 Setting | Description
 :--- | :---
-`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you allowlist all HTTP headers that it passes to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allowlist, OpenSearch Dashboards starts with a red status.
+`opensearch.requestHeadersAllowlist` | OpenSearch Dashboards requires that you add all HTTP headers to the allow list so that the headers pass to OpenSearch. Multi-tenancy uses a specific header, `securitytenant`, that must be present with the standard `Authorization` header. If the `securitytenant` header is not on the allow list, OpenSearch Dashboards starts with a red status.
 `opensearch_security.multitenancy.enabled` | Enables or disables multi-tenancy in OpenSearch Dashboards. Default is true.
 `opensearch_security.multitenancy.tenants.enable_global` | Enables or disables the global tenant. Default is true.
 `opensearch_security.multitenancy.tenants.enable_private` | Enables or disables the private tenant. Default is true.

From c6f73419938d8e7c53b467b0bcbb34eeb4cecfd6 Mon Sep 17 00:00:00 2001
From: Naarcha-AWS
Date: Tue, 3 May 2022 14:49:55 -0500
Subject: [PATCH 6/6] Break up allowlist

Signed-off-by: Naarcha-AWS
---
 _security-plugin/configuration/proxy.md | 2 +-
 _security-plugin/configuration/saml.md | 4 ++--
 _troubleshoot/saml.md | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/_security-plugin/configuration/proxy.md b/_security-plugin/configuration/proxy.md
index cdcfb4f9..8e7b88b9 100644
--- a/_security-plugin/configuration/proxy.md
+++ b/_security-plugin/configuration/proxy.md
@@ -192,7 +192,7 @@ config:
 internalProxies: ''
 ```

-To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allowlist in `opensearch_dashboards.yml`:
+To pass the user and role headers that the authenticating proxy adds from OpenSearch Dashboards to the security plugin, add them to the HTTP header allow list in `opensearch_dashboards.yml`:

 ```yml
 opensearch.requestHeadersAllowlist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles"]
diff --git a/_security-plugin/configuration/saml.md b/_security-plugin/configuration/saml.md
index 289c8ae4..bd7a1594 100755
--- a/_security-plugin/configuration/saml.md
+++ b/_security-plugin/configuration/saml.md
@@ -302,13 +302,13 @@ Because most of the SAML-specific configuration is done in the security plugin,
 opensearch_security.auth.type: "saml"
 ```

-In addition, the OpenSearch Dashboards endpoint for validating the SAML assertions must be allowlisted:
+In addition, you must add the OpenSearch Dashboards endpoint for validating the SAML assertions to your allow list:

 ```yml
 server.xsrf.allowlist: ["/_plugins/_security/saml/acs"]
 ```

-If you use the logout POST binding, you also need to allowlist the logout endpoint:
+If you use the logout POST binding, you also need to ad the logout endpoint to your allow list:

 ```yml
 server.xsrf.allowlist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout"]
diff --git a/_troubleshoot/saml.md b/_troubleshoot/saml.md
index 2ef748a1..103604a8 100644
--- a/_troubleshoot/saml.md
+++ b/_troubleshoot/saml.md
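Review bot: The rewritten logout sentence in the saml.md hunk has a typo, "you also need to ad the logout endpoint", so the line should read `If you use the logout POST binding, you also need to add the logout endpoint to your allow list:`. Since the sentence instructs readers what to put in `server.xsrf.allowlist`, which is what lets the IdP's POST reach the logout endpoint, it is worth getting the wording exact.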
@@ -45,9 +45,9 @@ The endpoint the OpenSearch Dashboards security plugin provides is:
 /_plugins/_security/saml/acs
 ```

-Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to allowlist all endpoints that they send requests to. Ensure that the ACS endpoint is listed.
+Make sure that you have configured this endpoint correctly in your IdP. Some IdPs also require you to add all endpoints to the allow list that they send requests to. Ensure that the ACS endpoint is listed.

-OpenSearch Dashboards also requires you to allowlist this endpoint. Make sure you have the following entry in `opensearch_dashboards.yml`:
+OpenSearch Dashboards also requires you to add this endpoint to the allow list. Make sure you have the following entry in `opensearch_dashboards.yml`:

 ```
 server.xsrf.allowlist: [/_plugins/_security/saml/acs]