[BUG] SAML login nextUrl drops URL hash #831

Closed
markj-db opened this issue Sep 23, 2021 · 6 comments
Labels
bug Something isn't working

Comments

@markj-db

Describe the bug
OpenSearch Dashboards encodes useful state in the hash component of the URL, for example:

https://<domain>/app/discover#/?_a=(columns:!(level,loggerCategory,messageText,shardName,tags.subDir,workspaceId))

Currently, the SAML component's nextUrl builder includes url.path but omits url.hash, dropping this state. This creates a problem when sharing links to a particular view without first creating a shortlink, in that the state of that view is lost. For the example above, the redirect would be:

https://<domain>/auth/saml/login?nextUrl=%2Fapp%2Fdiscover

and after authentication, the user would land at:

https://<domain>/app/discover

With no preselected columns.

Expected behavior
I believe the user expects to be redirected back to the exact URL, including hash, as they were at before the authentication redirect. I believe it would be preferable to include url.hash, so the nextUrl would become:

https://<domain>/auth/saml/login?nextUrl=%2Fapp%2Fdiscover%23%2F%3F_a%3D%28columns%3A%21%28level%2CloggerCategory%2CmessageText%2CshardName%2Ctags.subDir%2CworkspaceId%29%29

Additional context

markj-db added the Beta, bug, and untriaged labels on Sep 23, 2021
@mvanderlee

mvanderlee commented Oct 27, 2021

The problem is more complicated than this. I built my own version that includes the hash part,
only to realize that the SAML auth and nextUrl building happens on the server.
This is very problematic because the server will never get the hash part, so it cannot include it.

@mvanderlee

Looks like a duplicate of #543

@mvanderlee

mvanderlee commented Oct 27, 2021

Elasticsearch Kibana solved this by redirecting to a capture-url-fragment page first, which gets the URL fragment and returns it to the server, and only then does it build the SAML redirect URL.

Captured and included a har file that showcases this.
es_saml_fragment_capture.zip
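
The capture-first flow described in the comment above, as an added example that is not code from this thread, the plugin, or Kibana. The function names and the `dashboards.example` origin are hypothetical, and the same-origin check on `nextUrl` is an assumption about what the server should do once that value is supplied by browser script.

```javascript
// Added example: names and origin are hypothetical, not from the plugin or Kibana.
const ORIGIN = 'https://dashboards.example'; // constructed origin

// Constructed browser location, using the hash from the issue description.
const SAMPLE_LOCATION = new URL(ORIGIN + '/app/discover#/?_a=(columns:!(level,' +
  'loggerCategory,messageText,shardName,tags.subDir,workspaceId))');

// Server-only builder: an HTTP request target carries path and query but never
// the fragment, so this is all the server can produce by itself.
function loginRedirectFromServer(requestTarget) {
  const u = new URL(requestTarget, ORIGIN);
  return '/auth/saml/login?' + new URLSearchParams({ nextUrl: u.pathname + u.search });
}

// Capture-page script: runs in the browser, the only place the hash is visible
// (pass window.location there), and hands the full relative URL to the server.
function loginRedirectFromCapturePage(loc) {
  const nextUrl = loc.pathname + loc.search + loc.hash;
  return '/auth/saml/login?' + new URLSearchParams({ nextUrl });
}

// Assumed server-side check: nextUrl is client-supplied, so accept only a
// same-origin relative path and fall back to "/" for anything else.
function safeNextUrl(raw) {
  if (typeof raw !== 'string' || !/^\/(?![\/\\])/.test(raw)) return '/';
  const u = new URL(raw, ORIGIN); // parsing also strips tabs/newlines browsers ignore
  return u.origin === ORIGIN ? u.pathname + u.search + u.hash : '/';
}

// Post-authentication landing URL for a given login request.
function landingAfterLogin(loginUrl) {
  const raw = new URL(loginUrl, ORIGIN).searchParams.get('nextUrl');
  return safeNextUrl(raw);
}

console.log(landingAfterLogin(loginRedirectFromServer('/app/discover')));
console.log(landingAfterLogin(loginRedirectFromCapturePage(SAMPLE_LOCATION)));
```
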

@wkruse

wkruse commented Jun 10, 2022

This seems like a general issue. The same happens when OpenID is used. The nextUrl parameter drops the URL hash. So for example if you have a dashboard open and your login session expires, you are redirected to /app/dashboards (Dashboards overview). Or if you have a visualization open and your login session expires, you are redirected to /app/visualize (Visualizations overview).

Also enabling state:storeInSessionStorage in the Advanced Settings does not help, as it changes the URL hash.

Similar issue #926.

After the security dashboard plugin is enabled, the usability of OpenSearch Dashboards suffers a lot, as the end users do not understand why they are redirected to unexpected locations after re-login.

@peternied
Member

Thanks for commenting on this issue. There is a pull request to save the hash from the URL on redirect, #1001, that I believe would address this issue as well as several impacted by the same root cause.

@davidlago

This looks like it was successfully backported/released for 2.2, closing.
