From 6986995f088dda59d39673bbbbb4e2ccb17202db Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Wed, 10 Jan 2024 11:38:20 -0500
Subject: [PATCH] Fix bug where login with SAML does not work when multiauth is enabled and SAML and anonymous are sign in options
Signed-off-by: Craig Perkins
---
 .../security/auth/BackendRegistry.java | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index 4531101308..bbeef3dd24 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -387,19 +387,6 @@ public boolean authenticate(final SecurityRequestChannel request) {
 log.debug("User still not authenticated after checking {} auth domains", restAuthDomains.size());
 }
- if (authCredentials == null && anonymousAuthEnabled) {
- final String tenant = Utils.coalesce(request.header("securitytenant"), request.header("security_tenant"));
- User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
- anonymousUser.setRequestedTenant(tenant);
-
- threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
- auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
- if (isDebugEnabled) {
- log.debug("Anonymous User is authenticated");
- }
- return true;
- }
-
 Optional challengeResponse = Optional.empty();
 if (firstChallengingHttpAuthenticator != null) {
@@ -416,6 +403,26 @@ public boolean authenticate(final SecurityRequestChannel request) {
 }
 }
+ boolean firstChallengingAuthenticatorIsSaml = firstChallengingHttpAuthenticator != null
+ && "saml".equals(firstChallengingHttpAuthenticator.getType());
+ System.out.println("firstChallengingAuthenticatorIsSaml = " + firstChallengingAuthenticatorIsSaml);
+ System.out.println("request.path: " + request.path());
+ if (authCredentials == null
+ && anonymousAuthEnabled
+ && !(firstChallengingAuthenticatorIsSaml
+ && (request.path().endsWith("tenantinfo") || request.path().endsWith("authtoken")))) {
+ final String tenant = Utils.coalesce(request.header("securitytenant"), request.header("security_tenant"));
+ User anonymousUser = new User(User.ANONYMOUS.getName(), new HashSet(User.ANONYMOUS.getRoles()), null);
+ anonymousUser.setRequestedTenant(tenant);
+
+ threadPool.getThreadContext().putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, anonymousUser);
+ auditLog.logSucceededLogin(anonymousUser.getName(), false, null, request);
+ if (isDebugEnabled) {
+ log.debug("Anonymous User is authenticated");
+ }
+ return true;
+ }
+
 log.warn(
 "Authentication finally failed for {} from {}",
 authCredentials == null ? null : authCredentials.getUsername(),
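Review bot: The two `System.out.println` calls added just before the anonymous-login check write the request path to stdout for every request that reaches this point, bypassing the logger's level and destination settings; they look like leftover debugging and should be dropped or replaced with `if (isDebugEnabled) { log.debug("firstChallengingAuthenticatorIsSaml = {}, path = {}", firstChallengingAuthenticatorIsSaml, request.path()); }`. The new condition also decides whether to grant the anonymous identity from `request.path().endsWith("tenantinfo")` and `endsWith("authtoken")`, which match any path with those suffixes; comparing against the full route paths, with a comment saying why these two endpoints must fall through to the SAML challenge, would make the exemption auditable. Because the anonymous branch now sits after the challenge block, whose body is outside this hunk, it is worth confirming that a configured non-SAML challenging authenticator still lets anonymous requests reach this `return true`. `authenticate` begins and ends outside the hunk.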