From 3d7d716bda2cb6fb55c50e1f5e44eebdb59cc61b Mon Sep 17 00:00:00 2001
From: "opensearch-trigger-bot[bot]"
 <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com>
Date: Thu, 3 Oct 2024 10:28:22 -0400
Subject: [PATCH] [Backport 2.x] Remove failed login attempt for saml
 authenticator (#4770)

Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
---
 .../amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java   | 3 ++-
 .../java/org/opensearch/security/auth/BackendRegistry.java  | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
index ae3d1c9128..20e0b25b5c 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -88,6 +88,7 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
     private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
 
     private static boolean openSamlInitialized = false;
+    public static final String SAML_TYPE = "saml";
 
     private String subjectKey;
     private String rolesKey;
@@ -175,7 +176,7 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
 
     @Override
     public String getType() {
-        return "saml";
+        return SAML_TYPE;
     }
 
     @Override
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index d633d307e9..f06b5aa56d 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -75,6 +75,7 @@
 import static org.apache.http.HttpStatus.SC_FORBIDDEN;
 import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
 import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.SAML_TYPE;
 
 public class BackendRegistry {
 
@@ -303,7 +304,10 @@ public boolean authenticate(final SecurityRequestChannel request) {
                 if (authDomain.isChallenge()) {
                     final Optional<SecurityResponse> restResponse = httpAuthenticator.reRequestAuthentication(request, null);
                     if (restResponse.isPresent()) {
-                        auditLog.logFailedLogin("<NONE>", false, null, request);
+                        // saml will always hit this to re-request authentication
+                        if (!authDomain.getHttpAuthenticator().getType().equals(SAML_TYPE)) {
+                            auditLog.logFailedLogin("<NONE>", false, null, request);
+                        }
                         if (isTraceEnabled) {
                             log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
                         }