From 481b4097e91c4f9e9de1a07491556636a812eb71 Mon Sep 17 00:00:00 2001
From: Chang Liu <lc12251109@gmail.com>
Date: Wed, 18 Jan 2023 16:16:14 -0800
Subject: [PATCH 1/6] Create security plugin

Signed-off-by: Chang Liu <lc12251109@gmail.com>
---
 src/plugins/security/common/index.ts          | 19 ++++++
 .../security/opensearch_dashboards.json       |  9 +++
 src/plugins/security/public/index.ts          | 28 ++++++++
 src/plugins/security/public/plugin.ts         | 66 ++++++++++++++++++
 src/plugins/security/public/types.ts          | 39 +++++++++++
 src/plugins/security/server/index.ts          | 32 +++++++++
 src/plugins/security/server/plugin.ts         | 67 +++++++++++++++++++
 src/plugins/security/server/types.ts          | 24 +++++++
 src/plugins/security/tsconfig.json            | 32 +++++++++
 9 files changed, 316 insertions(+)
 create mode 100644 src/plugins/security/common/index.ts
 create mode 100644 src/plugins/security/opensearch_dashboards.json
 create mode 100644 src/plugins/security/public/index.ts
 create mode 100644 src/plugins/security/public/plugin.ts
 create mode 100644 src/plugins/security/public/types.ts
 create mode 100644 src/plugins/security/server/index.ts
 create mode 100644 src/plugins/security/server/plugin.ts
 create mode 100644 src/plugins/security/server/types.ts
 create mode 100644 src/plugins/security/tsconfig.json

diff --git a/src/plugins/security/common/index.ts b/src/plugins/security/common/index.ts
new file mode 100644
index 000000000000..3a05e2f4285f
--- /dev/null
+++ b/src/plugins/security/common/index.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
diff --git a/src/plugins/security/opensearch_dashboards.json b/src/plugins/security/opensearch_dashboards.json
new file mode 100644
index 000000000000..1efcb783edcc
--- /dev/null
+++ b/src/plugins/security/opensearch_dashboards.json
@@ -0,0 +1,9 @@
+{
+  "id": "securityDashboards",
+  "version": "3.0.0.0",
+  "opensearchDashboardsVersion": "3.0.0",
+  "configPath": ["dashboards_security"],
+  "requiredPlugins": [],
+  "server": true,
+  "ui": true
+}
\ No newline at end of file
diff --git a/src/plugins/security/public/index.ts b/src/plugins/security/public/index.ts
new file mode 100644
index 000000000000..59d02d8718e3
--- /dev/null
+++ b/src/plugins/security/public/index.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+import { SecurityPlugin } from './plugin';
+import { PluginInitializerContext } from '../../../core/public';
+
+// This exports static code and TypeScript types,
+// as well as, OpenSearchDashboards Platform `plugin()` initializer.
+export function plugin(initializerContext: PluginInitializerContext) {
+  return new SecurityPlugin(initializerContext);
+}
+export { SecurityPluginSetup, SecurityPluginStart } from './types';
diff --git a/src/plugins/security/public/plugin.ts b/src/plugins/security/public/plugin.ts
new file mode 100644
index 000000000000..b1f33840bcae
--- /dev/null
+++ b/src/plugins/security/public/plugin.ts
@@ -0,0 +1,66 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import {
+  AppMountParameters,
+  AppStatus,
+  AppUpdater,
+  CoreSetup,
+  CoreStart,
+  Plugin,
+  PluginInitializerContext,
+} from '../../../core/public';
+import {
+  SecurityPluginStartDependencies,
+  SecurityPluginSetup,
+  SecurityPluginStart,
+  SecurityPluginSetupDependencies,
+} from './types';
+
+const APP_ID_HOME = 'home';
+const APP_ID_DASHBOARDS = 'dashboards';
+// OpenSearchDashboards app is for legacy url migration
+const APP_ID_OPENSEARCH_DASHBOARDS = 'kibana';
+
+export class SecurityPlugin
+  implements
+    Plugin<
+      SecurityPluginSetup,
+      SecurityPluginStart,
+      SecurityPluginSetupDependencies,
+      SecurityPluginStartDependencies
+    > {
+  // @ts-ignore : initializerContext not used
+  constructor(private readonly initializerContext: PluginInitializerContext) {}
+
+  public async setup(
+    core: CoreSetup,
+    deps: SecurityPluginSetupDependencies
+  ): Promise<SecurityPluginSetup> {
+    // Return methods that should be available to other plugins
+    return {};
+  }
+
+  public start(core: CoreStart, deps: SecurityPluginStartDependencies): SecurityPluginStart {
+    return {};
+  }
+
+  public stop() {}
+}
diff --git a/src/plugins/security/public/types.ts b/src/plugins/security/public/types.ts
new file mode 100644
index 000000000000..bb355e34a0cc
--- /dev/null
+++ b/src/plugins/security/public/types.ts
@@ -0,0 +1,39 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { NavigationPublicPluginStart } from '../../../plugins/navigation/public';
+import {
+  SavedObjectsManagementPluginSetup,
+  SavedObjectsManagementPluginStart,
+} from '../../../plugins/saved_objects_management/public';
+
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginSetup {}
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginStart {}
+
+export interface SecurityPluginSetupDependencies {
+  savedObjectsManagement: SavedObjectsManagementPluginSetup;
+}
+
+export interface SecurityPluginStartDependencies {
+  navigation: NavigationPublicPluginStart;
+  savedObjectsManagement: SavedObjectsManagementPluginStart;
+}
diff --git a/src/plugins/security/server/index.ts b/src/plugins/security/server/index.ts
new file mode 100644
index 000000000000..38f176e2a30d
--- /dev/null
+++ b/src/plugins/security/server/index.ts
@@ -0,0 +1,32 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { schema, TypeOf } from '@osd/config-schema';
+import { PluginInitializerContext, PluginConfigDescriptor } from '../../../core/server';
+import { SecurityPlugin } from './plugin';
+
+//  This exports static code and TypeScript types,
+//  as well as, OpenSearchDashboards Platform `plugin()` initializer.
+
+export function plugin(initializerContext: PluginInitializerContext) {
+  return new SecurityPlugin(initializerContext);
+}
+
+export { SecurityPluginSetup, SecurityPluginStart } from './types';
diff --git a/src/plugins/security/server/plugin.ts b/src/plugins/security/server/plugin.ts
new file mode 100644
index 000000000000..a91897db2cf8
--- /dev/null
+++ b/src/plugins/security/server/plugin.ts
@@ -0,0 +1,67 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { first } from 'rxjs/operators';
+import { Observable } from 'rxjs';
+import {
+  PluginInitializerContext,
+  CoreSetup,
+  CoreStart,
+  Plugin,
+  Logger,
+  ILegacyClusterClient,
+  SessionStorageFactory,
+  SharedGlobalConfig,
+} from '../../../core/server';
+
+import { SecurityPluginSetup, SecurityPluginStart } from './types';
+
+export interface SecurityPluginRequestContext {
+  logger: Logger;
+}
+
+export interface SecurityPluginRequestContext {
+  logger: Logger;
+}
+
+export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPluginStart> {
+  private readonly logger: Logger;
+
+  // @ts-ignore: property not initialzied in constructor
+  private securityClient: SecurityClient;
+
+  constructor(private readonly initializerContext: PluginInitializerContext) {
+    this.logger = initializerContext.logger.get();
+  }
+
+  public async setup(core: CoreSetup) {
+    this.logger.debug('opendistro_security: Setup');
+    return {};
+  }
+
+  // TODO: add more logs
+  public async start(core: CoreStart) {
+    this.logger.debug('dashboards_security: Started');
+
+    return {};
+  }
+
+  public stop() {}
+}
diff --git a/src/plugins/security/server/types.ts b/src/plugins/security/server/types.ts
new file mode 100644
index 000000000000..17d712fa1c65
--- /dev/null
+++ b/src/plugins/security/server/types.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginSetup {}
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginStart {}
diff --git a/src/plugins/security/tsconfig.json b/src/plugins/security/tsconfig.json
new file mode 100644
index 000000000000..06bd62dbdce6
--- /dev/null
+++ b/src/plugins/security/tsconfig.json
@@ -0,0 +1,32 @@
+{
+  // extend OpenSearchDashboards's tsconfig, or use your own settings
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "esModuleInterop": true,
+    "outDir": "./target",
+    "allowUnusedLabels": true,
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "skipLibCheck": true,
+    "alwaysStrict": false,
+    "noImplicitUseStrict": false,
+  },
+
+  // tell the TypeScript compiler where to find your source files
+  "include": [
+    "index.ts",
+    "public/**/*.ts",
+    "public/**/*.tsx",
+    "server/**/*.ts",
+    "common/**/*.ts",
+    "../../typings/**/*",
+  ],
+  "exclude": [
+    "public/**/*.test.ts",
+    "public/**/*.test.tsx",
+    "server/**/*.test.ts",
+    "../../src/**/*",
+    "**/request.ts",
+    "src/**/*"
+  ],
+}
\ No newline at end of file

From 4929bb707fec0d7bf5efd27f447a0d77c3dcc11b Mon Sep 17 00:00:00 2001
From: Chang Liu <lc12251109@gmail.com>
Date: Mon, 6 Feb 2023 13:54:44 -0800
Subject: [PATCH 2/6] Remove the duplicate empty security plugin

Signed-off-by: Chang Liu <lc12251109@gmail.com>
---
 src/plugins/security/common/index.ts          | 19 ------
 .../security/opensearch_dashboards.json       |  9 ---
 src/plugins/security/public/index.ts          | 28 --------
 src/plugins/security/public/plugin.ts         | 66 ------------------
 src/plugins/security/public/types.ts          | 39 -----------
 src/plugins/security/server/index.ts          | 32 ---------
 src/plugins/security/server/plugin.ts         | 67 -------------------
 src/plugins/security/server/types.ts          | 24 -------
 src/plugins/security/tsconfig.json            | 32 ---------
 9 files changed, 316 deletions(-)
 delete mode 100644 src/plugins/security/common/index.ts
 delete mode 100644 src/plugins/security/opensearch_dashboards.json
 delete mode 100644 src/plugins/security/public/index.ts
 delete mode 100644 src/plugins/security/public/plugin.ts
 delete mode 100644 src/plugins/security/public/types.ts
 delete mode 100644 src/plugins/security/server/index.ts
 delete mode 100644 src/plugins/security/server/plugin.ts
 delete mode 100644 src/plugins/security/server/types.ts
 delete mode 100644 src/plugins/security/tsconfig.json

diff --git a/src/plugins/security/common/index.ts b/src/plugins/security/common/index.ts
deleted file mode 100644
index 3a05e2f4285f..000000000000
--- a/src/plugins/security/common/index.ts
+++ /dev/null
@@ -1,19 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
diff --git a/src/plugins/security/opensearch_dashboards.json b/src/plugins/security/opensearch_dashboards.json
deleted file mode 100644
index 1efcb783edcc..000000000000
--- a/src/plugins/security/opensearch_dashboards.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
-  "id": "securityDashboards",
-  "version": "3.0.0.0",
-  "opensearchDashboardsVersion": "3.0.0",
-  "configPath": ["dashboards_security"],
-  "requiredPlugins": [],
-  "server": true,
-  "ui": true
-}
\ No newline at end of file
diff --git a/src/plugins/security/public/index.ts b/src/plugins/security/public/index.ts
deleted file mode 100644
index 59d02d8718e3..000000000000
--- a/src/plugins/security/public/index.ts
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
-import { SecurityPlugin } from './plugin';
-import { PluginInitializerContext } from '../../../core/public';
-
-// This exports static code and TypeScript types,
-// as well as, OpenSearchDashboards Platform `plugin()` initializer.
-export function plugin(initializerContext: PluginInitializerContext) {
-  return new SecurityPlugin(initializerContext);
-}
-export { SecurityPluginSetup, SecurityPluginStart } from './types';
diff --git a/src/plugins/security/public/plugin.ts b/src/plugins/security/public/plugin.ts
deleted file mode 100644
index b1f33840bcae..000000000000
--- a/src/plugins/security/public/plugin.ts
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
-
-import {
-  AppMountParameters,
-  AppStatus,
-  AppUpdater,
-  CoreSetup,
-  CoreStart,
-  Plugin,
-  PluginInitializerContext,
-} from '../../../core/public';
-import {
-  SecurityPluginStartDependencies,
-  SecurityPluginSetup,
-  SecurityPluginStart,
-  SecurityPluginSetupDependencies,
-} from './types';
-
-const APP_ID_HOME = 'home';
-const APP_ID_DASHBOARDS = 'dashboards';
-// OpenSearchDashboards app is for legacy url migration
-const APP_ID_OPENSEARCH_DASHBOARDS = 'kibana';
-
-export class SecurityPlugin
-  implements
-    Plugin<
-      SecurityPluginSetup,
-      SecurityPluginStart,
-      SecurityPluginSetupDependencies,
-      SecurityPluginStartDependencies
-    > {
-  // @ts-ignore : initializerContext not used
-  constructor(private readonly initializerContext: PluginInitializerContext) {}
-
-  public async setup(
-    core: CoreSetup,
-    deps: SecurityPluginSetupDependencies
-  ): Promise<SecurityPluginSetup> {
-    // Return methods that should be available to other plugins
-    return {};
-  }
-
-  public start(core: CoreStart, deps: SecurityPluginStartDependencies): SecurityPluginStart {
-    return {};
-  }
-
-  public stop() {}
-}
diff --git a/src/plugins/security/public/types.ts b/src/plugins/security/public/types.ts
deleted file mode 100644
index bb355e34a0cc..000000000000
--- a/src/plugins/security/public/types.ts
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
-
-import { NavigationPublicPluginStart } from '../../../plugins/navigation/public';
-import {
-  SavedObjectsManagementPluginSetup,
-  SavedObjectsManagementPluginStart,
-} from '../../../plugins/saved_objects_management/public';
-
-// eslint-disable-next-line @typescript-eslint/no-empty-interface
-export interface SecurityPluginSetup {}
-// eslint-disable-next-line @typescript-eslint/no-empty-interface
-export interface SecurityPluginStart {}
-
-export interface SecurityPluginSetupDependencies {
-  savedObjectsManagement: SavedObjectsManagementPluginSetup;
-}
-
-export interface SecurityPluginStartDependencies {
-  navigation: NavigationPublicPluginStart;
-  savedObjectsManagement: SavedObjectsManagementPluginStart;
-}
diff --git a/src/plugins/security/server/index.ts b/src/plugins/security/server/index.ts
deleted file mode 100644
index 38f176e2a30d..000000000000
--- a/src/plugins/security/server/index.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
-
-import { schema, TypeOf } from '@osd/config-schema';
-import { PluginInitializerContext, PluginConfigDescriptor } from '../../../core/server';
-import { SecurityPlugin } from './plugin';
-
-//  This exports static code and TypeScript types,
-//  as well as, OpenSearchDashboards Platform `plugin()` initializer.
-
-export function plugin(initializerContext: PluginInitializerContext) {
-  return new SecurityPlugin(initializerContext);
-}
-
-export { SecurityPluginSetup, SecurityPluginStart } from './types';
diff --git a/src/plugins/security/server/plugin.ts b/src/plugins/security/server/plugin.ts
deleted file mode 100644
index a91897db2cf8..000000000000
--- a/src/plugins/security/server/plugin.ts
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
-
-import { first } from 'rxjs/operators';
-import { Observable } from 'rxjs';
-import {
-  PluginInitializerContext,
-  CoreSetup,
-  CoreStart,
-  Plugin,
-  Logger,
-  ILegacyClusterClient,
-  SessionStorageFactory,
-  SharedGlobalConfig,
-} from '../../../core/server';
-
-import { SecurityPluginSetup, SecurityPluginStart } from './types';
-
-export interface SecurityPluginRequestContext {
-  logger: Logger;
-}
-
-export interface SecurityPluginRequestContext {
-  logger: Logger;
-}
-
-export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPluginStart> {
-  private readonly logger: Logger;
-
-  // @ts-ignore: property not initialzied in constructor
-  private securityClient: SecurityClient;
-
-  constructor(private readonly initializerContext: PluginInitializerContext) {
-    this.logger = initializerContext.logger.get();
-  }
-
-  public async setup(core: CoreSetup) {
-    this.logger.debug('opendistro_security: Setup');
-    return {};
-  }
-
-  // TODO: add more logs
-  public async start(core: CoreStart) {
-    this.logger.debug('dashboards_security: Started');
-
-    return {};
-  }
-
-  public stop() {}
-}
diff --git a/src/plugins/security/server/types.ts b/src/plugins/security/server/types.ts
deleted file mode 100644
index 17d712fa1c65..000000000000
--- a/src/plugins/security/server/types.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright OpenSearch Contributors
- * SPDX-License-Identifier: Apache-2.0
- */
-
-/*
- *   Copyright OpenSearch Contributors
- *
- *   Licensed under the Apache License, Version 2.0 (the "License").
- *   You may not use this file except in compliance with the License.
- *   A copy of the License is located at
- *
- *       http://www.apache.org/licenses/LICENSE-2.0
- *
- *   or in the "license" file accompanying this file. This file is distributed
- *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- *   express or implied. See the License for the specific language governing
- *   permissions and limitations under the License.
- */
-
-// eslint-disable-next-line @typescript-eslint/no-empty-interface
-export interface SecurityPluginSetup {}
-// eslint-disable-next-line @typescript-eslint/no-empty-interface
-export interface SecurityPluginStart {}
diff --git a/src/plugins/security/tsconfig.json b/src/plugins/security/tsconfig.json
deleted file mode 100644
index 06bd62dbdce6..000000000000
--- a/src/plugins/security/tsconfig.json
+++ /dev/null
@@ -1,32 +0,0 @@
-{
-  // extend OpenSearchDashboards's tsconfig, or use your own settings
-  "extends": "../../tsconfig.json",
-  "compilerOptions": {
-    "esModuleInterop": true,
-    "outDir": "./target",
-    "allowUnusedLabels": true,
-    "noUnusedLocals": false,
-    "noUnusedParameters": false,
-    "skipLibCheck": true,
-    "alwaysStrict": false,
-    "noImplicitUseStrict": false,
-  },
-
-  // tell the TypeScript compiler where to find your source files
-  "include": [
-    "index.ts",
-    "public/**/*.ts",
-    "public/**/*.tsx",
-    "server/**/*.ts",
-    "common/**/*.ts",
-    "../../typings/**/*",
-  ],
-  "exclude": [
-    "public/**/*.test.ts",
-    "public/**/*.test.tsx",
-    "server/**/*.test.ts",
-    "../../src/**/*",
-    "**/request.ts",
-    "src/**/*"
-  ],
-}
\ No newline at end of file

From 60f1986908dd31e4325f63d12ec9e7a22c3c0f7e Mon Sep 17 00:00:00 2001
From: Aozixuan Priscilla Guan <aoguan@amazon.com>
Date: Mon, 6 Feb 2023 16:20:33 -0600
Subject: [PATCH 3/6] Basic and OIDC Authentication POC, Refactor configuration

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>
---
 .../dashboards_security/common/index.ts       |  36 +++
 .../opensearch_dashboards.json                |   8 +
 .../public/apps/login/_index.scss             |  25 ++
 .../public/apps/login/login-app.tsx           |  21 ++
 .../public/apps/login/login-page.tsx          | 184 +++++++++++++
 .../public/apps/logout/logout-app.tsx         |  38 +++
 .../public/apps/logout/logout-page.tsx        |  34 +++
 .../public/assets/get_started.svg             |  78 ++++++
 .../public/assets/opensearch_logo_h.svg       |  10 +
 .../dashboards_security/public/index.ts       |  13 +
 .../dashboards_security/public/plugin.ts      |  51 ++++
 .../dashboards_security/public/types.ts       |  61 +++++
 .../public/utils/auth_utils.ts                |  40 +++
 .../public/utils/request_utils.ts             |  25 ++
 .../server/auth/auth_handler_factory.ts       |  42 +++
 .../server/auth/types/authentication_type.ts  | 150 +++++++++++
 .../server/auth/types/basic/basic_auth.ts     | 106 ++++++++
 .../server/auth/types/basic/routes.ts         | 132 +++++++++
 .../server/auth/types/basic/user_bank.ts      |  43 +++
 .../server/auth/types/index.ts                |   8 +
 .../server/auth/types/multiple/multi_auth.ts  | 165 ++++++++++++
 .../server/auth/types/multiple/routes.ts      |  52 ++++
 .../server/auth/types/openid/openid_auth.ts   | 203 ++++++++++++++
 .../server/auth/types/openid/routes.ts        | 240 +++++++++++++++++
 .../dashboards_security/server/auth/user.ts   |   9 +
 .../server/configuration/auth_config.ts       |  19 ++
 .../dashboards_security/server/index.ts       | 236 ++++++++++++++++
 .../dashboards_security/server/plugin.ts      |  60 +++++
 .../server/session/security_cookie.ts         |  70 +++++
 .../dashboards_security/server/types.ts       |   9 +
 .../server/utils/auth_util.ts                 |  97 +++++++
 .../server/utils/common_util.ts               | 255 ++++++++++++++++++
 .../server/utils/next_url.ts                  |  59 ++++
 33 files changed, 2579 insertions(+)
 create mode 100644 src/plugins/dashboards_security/common/index.ts
 create mode 100644 src/plugins/dashboards_security/opensearch_dashboards.json
 create mode 100644 src/plugins/dashboards_security/public/apps/login/_index.scss
 create mode 100644 src/plugins/dashboards_security/public/apps/login/login-app.tsx
 create mode 100644 src/plugins/dashboards_security/public/apps/login/login-page.tsx
 create mode 100644 src/plugins/dashboards_security/public/apps/logout/logout-app.tsx
 create mode 100644 src/plugins/dashboards_security/public/apps/logout/logout-page.tsx
 create mode 100644 src/plugins/dashboards_security/public/assets/get_started.svg
 create mode 100644 src/plugins/dashboards_security/public/assets/opensearch_logo_h.svg
 create mode 100644 src/plugins/dashboards_security/public/index.ts
 create mode 100644 src/plugins/dashboards_security/public/plugin.ts
 create mode 100644 src/plugins/dashboards_security/public/types.ts
 create mode 100644 src/plugins/dashboards_security/public/utils/auth_utils.ts
 create mode 100644 src/plugins/dashboards_security/public/utils/request_utils.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/auth_handler_factory.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/authentication_type.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/basic/basic_auth.ts
 create mode 100755 src/plugins/dashboards_security/server/auth/types/basic/routes.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/basic/user_bank.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/index.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/multiple/multi_auth.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/multiple/routes.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/openid/openid_auth.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/openid/routes.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/user.ts
 create mode 100644 src/plugins/dashboards_security/server/configuration/auth_config.ts
 create mode 100644 src/plugins/dashboards_security/server/index.ts
 create mode 100644 src/plugins/dashboards_security/server/plugin.ts
 create mode 100644 src/plugins/dashboards_security/server/session/security_cookie.ts
 create mode 100644 src/plugins/dashboards_security/server/types.ts
 create mode 100644 src/plugins/dashboards_security/server/utils/auth_util.ts
 create mode 100644 src/plugins/dashboards_security/server/utils/common_util.ts
 create mode 100644 src/plugins/dashboards_security/server/utils/next_url.ts

diff --git a/src/plugins/dashboards_security/common/index.ts b/src/plugins/dashboards_security/common/index.ts
new file mode 100644
index 000000000000..c544cb202650
--- /dev/null
+++ b/src/plugins/dashboards_security/common/index.ts
@@ -0,0 +1,36 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export const PLUGIN_ID = 'opensearchDashboardsSecurity';
+export const PLUGIN_NAME = 'security-dashboards-plugin';
+
+export const APP_ID_LOGIN = 'login';
+
+export const API_PREFIX = '/api/v1';
+export const CONFIGURATION_API_PREFIX = 'configuration';
+export const API_ENDPOINT_AUTHINFO = API_PREFIX + '/auth/authinfo';
+export const API_ENDPOINT_AUTHTYPE = API_PREFIX + '/auth/type';
+export const LOGIN_PAGE_URI = '/app/' + APP_ID_LOGIN;
+export const API_AUTH_LOGIN = '/auth/login';
+export const API_AUTH_LOGOUT = '/auth/logout';
+export const ANONYMOUS_AUTH_LOGIN = '/auth/anonymous';
+export const SAML_AUTH_LOGIN_WITH_FRAGMENT = '/auth/saml/captureUrlFragment?nextUrl=%2F';
+
+export const OPENID_AUTH_LOGOUT = '/auth/openid/logout';
+export const SAML_AUTH_LOGOUT = '/auth/saml/logout';
+export const ANONYMOUS_AUTH_LOGOUT = '/auth/anonymous/logout';
+
+export const AUTH_HEADER_NAME = 'authorization';
+export const AUTH_GRANT_TYPE = 'authorization_code';
+export const AUTH_RESPONSE_TYPE = 'code';
+
+export enum AuthType {
+  BASIC = 'basicauth',
+  OIDC = 'oidc',
+  JWT = 'jwt',
+  SAML = 'saml',
+  PROXY = 'proxy',
+  ANONYMOUS = 'anonymous',
+}
diff --git a/src/plugins/dashboards_security/opensearch_dashboards.json b/src/plugins/dashboards_security/opensearch_dashboards.json
new file mode 100644
index 000000000000..76c5e87a3224
--- /dev/null
+++ b/src/plugins/dashboards_security/opensearch_dashboards.json
@@ -0,0 +1,8 @@
+{
+  "id": "dashboardsSecurity",
+  "version": "opensearchDashboards",
+  "configPath": ["dashboards_security"],
+  "requiredPlugins": ["navigation"],
+  "server": true,
+  "ui": true
+}
diff --git a/src/plugins/dashboards_security/public/apps/login/_index.scss b/src/plugins/dashboards_security/public/apps/login/_index.scss
new file mode 100644
index 000000000000..5b48bd965e02
--- /dev/null
+++ b/src/plugins/dashboards_security/public/apps/login/_index.scss
@@ -0,0 +1,25 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+.login-wrapper {
+  margin: 10% auto;
+  width: 350px;
+  padding: 1rem;
+  position: relative;
+}
+
+.btn-login {
+  width: 100%;
+}
diff --git a/src/plugins/dashboards_security/public/apps/login/login-app.tsx b/src/plugins/dashboards_security/public/apps/login/login-app.tsx
new file mode 100644
index 000000000000..bdbd743c850b
--- /dev/null
+++ b/src/plugins/dashboards_security/public/apps/login/login-app.tsx
@@ -0,0 +1,21 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import './_index.scss';
+// @ts-ignore : Component not used
+import React, { Component } from 'react';
+import ReactDOM from 'react-dom';
+import { AppMountParameters, CoreStart } from '../../../../../core/public';
+import { ClientConfigType } from '../../types';
+import { LoginPage } from './login-page';
+
+export function renderApp(
+  coreStart: CoreStart,
+  params: AppMountParameters,
+  config: ClientConfigType
+) {
+  ReactDOM.render(<LoginPage http={coreStart.http} config={config} />, params.element);
+  return () => ReactDOM.unmountComponentAtNode(params.element);
+}
diff --git a/src/plugins/dashboards_security/public/apps/login/login-page.tsx b/src/plugins/dashboards_security/public/apps/login/login-page.tsx
new file mode 100644
index 000000000000..01bab7cefd2d
--- /dev/null
+++ b/src/plugins/dashboards_security/public/apps/login/login-page.tsx
@@ -0,0 +1,184 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import React, { useState } from 'react';
+import {
+  EuiText,
+  EuiFieldText,
+  EuiIcon,
+  EuiSpacer,
+  EuiButton,
+  EuiImage,
+  EuiListGroup,
+  EuiForm,
+  EuiFormRow,
+} from '@elastic/eui';
+import { AuthType } from 'src/plugins/dashboards_security/common';
+import { ESMap } from 'typescript';
+import { map } from 'bluebird';
+import { CoreStart } from '../../../../../core/public';
+import { ClientConfigType } from '../../types';
+import defaultBrandImage from '../../assets/opensearch_logo_h.svg';
+import { validateCurrentPassword } from '../../utils/auth_utils';
+
+interface LoginButtonConfig {
+  buttonname: string;
+  showbrandimage: boolean;
+  brandimage: string;
+  buttonstyle: string;
+}
+
+interface LoginPageDeps {
+  http: CoreStart['http'];
+  config: ClientConfigType;
+}
+
+function redirect(serverBasePath: string) {
+  // navigate to nextUrl
+  const urlParams = new URLSearchParams(window.location.search);
+  let nextUrl = urlParams.get('nextUrl');
+  if (!nextUrl || nextUrl.toLowerCase().includes('//')) {
+    nextUrl = serverBasePath + '/';
+  }
+  window.location.href = nextUrl + window.location.hash;
+}
+
+export function LoginPage(props: LoginPageDeps) {
+  const [username, setUsername] = React.useState('');
+  const [password, setPassword] = React.useState('');
+  const [loginFailed, setloginFailed] = useState(false);
+  const [loginError, setloginError] = useState('');
+  const [usernameValidationFailed, setUsernameValidationFailed] = useState(false);
+  const [passwordValidationFailed, setPasswordValidationFailed] = useState(false);
+
+  let errorLabel: any = null;
+  if (loginFailed) {
+    errorLabel = (
+      <EuiText id="error" color="danger" textAlign="center">
+        <b>{loginError}</b>
+      </EuiText>
+    );
+  }
+
+  // @ts-ignore : Parameter 'e' implicitly has an 'any' type.
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+
+    // Clear errors
+    setloginFailed(false);
+    setUsernameValidationFailed(false);
+    setPasswordValidationFailed(false);
+
+    // Form validation
+    if (username === '') {
+      setUsernameValidationFailed(true);
+      return;
+    }
+
+    if (password === '') {
+      setPasswordValidationFailed(true);
+      return;
+    }
+    try {
+      await validateCurrentPassword(props.http, username, password);
+      redirect(props.http.basePath.serverBasePath);
+    } catch (error) {
+      setloginFailed(true);
+      setloginError('Invalid username or password. Please try again.');
+      return;
+    }
+  };
+
+  // TODO: Get brand image from server config
+  return (
+    <EuiListGroup className="login-wrapper">
+      {props.config.ui.basicauth.login.showbrandimage && (
+        <EuiImage
+          size="fullWidth"
+          alt=""
+          url={props.config.ui.basicauth.login.brandimage || defaultBrandImage}
+        />
+      )}
+      <EuiSpacer size="s" />
+      <EuiText size="m" textAlign="center">
+        {props.config.ui.basicauth.login.title || 'Please login to OpenSearch Dashboards'}
+      </EuiText>
+      <EuiSpacer size="s" />
+      <EuiText size="s" textAlign="center">
+        {props.config.ui.basicauth.login.subtitle ||
+          'If you have forgotten your username or password, please ask your system administrator'}
+      </EuiText>
+      <EuiSpacer size="s" />
+      <EuiForm component="form">
+        <EuiFormRow>
+          <EuiFieldText
+            data-test-subj="user-name"
+            placeholder="Username"
+            prepend={<EuiIcon type="user" />}
+            onChange={(e) => setUsername(e.target.value)}
+            value={username}
+          />
+        </EuiFormRow>
+        <EuiFormRow>
+          <EuiFieldText
+            data-test-subj="password"
+            placeholder="Password"
+            prepend={<EuiIcon type="lock" />}
+            type="password"
+            onChange={(e) => setPassword(e.target.value)}
+            value={password}
+          />
+        </EuiFormRow>
+        <EuiFormRow>
+          <EuiButton
+            data-test-subj="submit"
+            fill
+            size="s"
+            type="submit"
+            className={props.config.ui.basicauth.login.buttonstyle || 'btn-login'}
+            onClick={handleSubmit}
+          >
+            Log In
+          </EuiButton>
+        </EuiFormRow>
+      </EuiForm>
+      <EuiSpacer size="s" />
+      <EuiFormRow>
+        <EuiButton
+          data-test-subj="submit"
+          size="s"
+          type="prime"
+          className={props.config.ui.openid.login.buttonstyle || 'btn-login'}
+          href="/auth/oidc/okta/login"
+          iconType={
+            props.config.ui.openid.login.showbrandimage
+              ? props.config.ui.openid.login.brandimage
+              : ''
+          }
+        >
+          Login with OKTA (OIDC)
+        </EuiButton>
+      </EuiFormRow>
+      <EuiSpacer size="s" />
+      <EuiFormRow>
+        <EuiButton
+          data-test-subj="submit"
+          size="s"
+          type="prime"
+          className={props.config.ui.openid.login.buttonstyle || 'btn-login'}
+          href="/auth/oidc/google/login"
+          iconType={
+            props.config.ui.openid.login.showbrandimage
+              ? props.config.ui.openid.login.brandimage
+              : ''
+          }
+        >
+          Login with Google (OIDC)
+        </EuiButton>
+      </EuiFormRow>
+      {errorLabel}
+    </EuiListGroup>
+  );
+}
diff --git a/src/plugins/dashboards_security/public/apps/logout/logout-app.tsx b/src/plugins/dashboards_security/public/apps/logout/logout-app.tsx
new file mode 100644
index 000000000000..0d5689a86247
--- /dev/null
+++ b/src/plugins/dashboards_security/public/apps/logout/logout-app.tsx
@@ -0,0 +1,38 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import React from 'react';
+import ReactDOM from 'react-dom';
+import { CoreStart } from 'opensearch-dashboards/public';
+import { ClientConfigType } from '../../types';
+import { LogoutPage } from './logout-page';
+
+export async function setupLogoutButton(coreStart: CoreStart, config: ClientConfigType) {
+  coreStart.chrome.navControls.registerRight({
+    order: 2000,
+    mount: (element: HTMLElement) => {
+      ReactDOM.render(
+        <LogoutPage http={coreStart.http} logoutUrl={config.auth.logout_url} />,
+        element
+      );
+      return () => ReactDOM.unmountComponentAtNode(element);
+    },
+  });
+}
diff --git a/src/plugins/dashboards_security/public/apps/logout/logout-page.tsx b/src/plugins/dashboards_security/public/apps/logout/logout-page.tsx
new file mode 100644
index 000000000000..8dac9368d020
--- /dev/null
+++ b/src/plugins/dashboards_security/public/apps/logout/logout-page.tsx
@@ -0,0 +1,34 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import React from 'react';
+import { EuiButtonEmpty } from '@elastic/eui';
+import { HttpStart } from 'opensearch-dashboards/public';
+import { logout } from '../../utils/auth_utils';
+
+export function LogoutPage(props: { http: HttpStart; logoutUrl?: string }) {
+  return (
+    <div>
+      <EuiButtonEmpty size="xs" onClick={() => logout(props.http, props.logoutUrl)}>
+        Log out
+      </EuiButtonEmpty>
+    </div>
+  );
+}
diff --git a/src/plugins/dashboards_security/public/assets/get_started.svg b/src/plugins/dashboards_security/public/assets/get_started.svg
new file mode 100644
index 000000000000..842164f5c2b3
--- /dev/null
+++ b/src/plugins/dashboards_security/public/assets/get_started.svg
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="512px" height="114px" viewBox="0 0 512 114" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <title>get_started</title>
+    <defs>
+        <rect id="path-1" x="118" y="23" width="117" height="66" rx="3"></rect>
+        <mask id="mask-2" maskContentUnits="userSpaceOnUse" maskUnits="objectBoundingBox" x="0" y="0" width="117" height="66" fill="white">
+            <use xlink:href="#path-1"></use>
+        </mask>
+    </defs>
+    <g id="Signed-off" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="Get-started---Security-Plugin---P1" transform="translate(-421.000000, -220.000000)">
+            <g id="get_started" transform="translate(421.000000, 220.000000)">
+                <g id="Group-2" transform="translate(384.000000, 66.000000)" fill="#343741">
+                    <g id="user" transform="translate(48.000000, 0.000000)">
+                        <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                    </g>
+                    <g id="user">
+                        <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                    </g>
+                    <g id="user" transform="translate(24.000000, 0.000000)">
+                        <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                    </g>
+                </g>
+                <text id="Map-backend-roles" font-family="Helvetica" font-size="14" font-weight="normal" letter-spacing="-0.0699999958" fill="#343741">
+                    <tspan x="356" y="111">Map backend roles</tspan>
+                </text>
+                <g id="Group-3" transform="translate(380.000000, 0.000000)" fill="#343741">
+                    <g id="user" transform="translate(24.000000, 0.000000)">
+                        <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                    </g>
+                    <g id="user">
+                        <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                    </g>
+                    <g id="user" transform="translate(48.000000, 0.000000)">
+                        <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                    </g>
+                </g>
+                <text id="Map-internal-users" font-family="Helvetica" font-size="14" font-weight="normal" letter-spacing="-0.0699999958" fill="#343741">
+                    <tspan x="358.04748" y="41">Map internal users</tspan>
+                </text>
+                <g id="user" transform="translate(1.000000, 36.000000)" fill="#343741">
+                    <path d="M18.0332,15.1977 C19.7657,17.0307 20.9627,19.5162 21.3077,22.3197 C21.4157,23.2107 20.7062,23.9997 19.8077,23.9997 L19.8077,23.9997 L2.0102,23.9997 C1.1117,23.9997 0.4022,23.2107 0.5117,22.3197 C0.8552,19.5162 2.0522,17.0307 3.7847,15.1977 C4.1552,15.5397 4.5422,15.8607 4.9577,16.1472 C3.4007,17.7507 2.3102,19.9722 1.9997,22.5027 L1.9997,22.5027 L19.8077,22.4997 C19.5017,19.9707 18.4142,17.7507 16.8587,16.1472 C17.2757,15.8607 17.6627,15.5397 18.0332,15.1977 Z M10.90895,1.77635684e-15 C15.05045,1.77635684e-15 18.40895,3.3585 18.40895,7.5 C18.40895,11.6415 15.05045,15 10.90895,15 C6.76745,15 3.40895,11.6415 3.40895,7.5 C3.40895,3.3585 6.76745,1.77635684e-15 10.90895,1.77635684e-15 Z M16.29856,4.86398252 L16.1377444,4.940574 C15.6852333,5.13938333 15.1859,5.25045 14.6588,5.25045 C14.2118,5.25045 13.7903,5.15895 13.3928,5.01495 C12.3608,6.29295 10.8023,7.12545 9.0338,7.12545 C8.68505,7.12545 8.2963,7.13586667 7.89407778,7.13827639 L7.59029957,7.13829451 C6.64039076,7.13189207 5.65327638,7.05688596 4.96546976,6.67956678 C4.92804493,6.94690567 4.90895,7.22126022 4.90895,7.5 C4.90895,10.809 7.59995,13.5 10.90895,13.5 C14.21795,13.5 16.90895,10.809 16.90895,7.5 C16.90895,6.55479761 16.6893816,5.66002006 16.29856,4.86398252 Z" id="Color"></path>
+                </g>
+                <g id="Group" transform="translate(21.000000, 49.500000)">
+                    <g id="Key" transform="translate(6.750000, 12.000000) rotate(45.000000) translate(-6.750000, -12.000000) ">
+                        <path d="M6.75,0.705 L7.04221663,0.713181716 C8.59133216,0.790741631 9.98602868,1.48158176 11.0128014,2.55533101 C12.1149218,3.70787525 12.7941176,5.30077197 12.7941176,7.05882353 C12.7941176,8.34506395 12.4307061,9.54269141 11.8039264,10.5443722 C11.0819104,11.6982538 10.0106933,12.5924382 8.74506832,13.0576644 L8.74506832,13.0576644 L8.74418929,18.2319005 L7.39411765,18.958405 L7.39411765,21.0021514 C7.04508271,21.7396682 6.72733406,22.3005936 6.4341549,22.6805615 C6.30690613,22.8454793 6.21813177,23.0566742 6.09145031,23.0566742 C5.50066108,22.3869971 5.2006985,21.8869002 4.8707523,21.2305716 L4.8707523,21.2305716 L4.74902262,13.0554886 C3.48613048,12.5897123 2.41723272,11.6966806 1.69634378,10.544804 C1.06939839,9.54303566 0.705882353,8.34524878 0.705882353,7.05882353 C0.705882353,5.30077197 1.38507817,3.70787525 2.4871986,2.55533101 C3.57814462,1.41447244 5.08444211,0.705882353 6.75,0.705882353 L6.75,0.705 Z" id="Combined-Shape" stroke="#343741" stroke-width="1.41176471"></path>
+                        <ellipse id="Oval" fill="#343741" cx="6.75" cy="7.05882353" rx="1.35" ry="1.41176471"></ellipse>
+                    </g>
+                </g>
+                <text id="Role" font-family="Helvetica" font-size="14" font-weight="normal" letter-spacing="-0.0699999958" fill="#343741">
+                    <tspan x="0" y="94.5">Role</tspan>
+                </text>
+                <g id="Group-5" transform="translate(33.000000, 14.000000)">
+                    <circle id="↳🌈-Color" fill="#006BB4" cx="12" cy="12" r="12"></circle>
+                    <path d="M14.7978516,16 L14.7978516,15.0039062 L10.2158203,15.0039062 C10.3173828,14.5898438 10.5634766,14.2128906 10.9541016,13.8730469 C11.1728516,13.6816406 11.4736328,13.4804688 11.8564453,13.2695312 L11.8564453,13.2695312 L12.6591797,12.8242188 C13.3662109,12.4296875 13.8564453,12.09375 14.1298828,11.8164062 C14.6025391,11.3398438 14.8388672,10.765625 14.8388672,10.09375 C14.8388672,9.45703125 14.6171875,8.87890625 14.1738281,8.359375 C13.7304688,7.83984375 13.0283203,7.58007812 12.0673828,7.58007812 C10.9111328,7.58007812 10.1044922,7.98632812 9.64746094,8.79882812 C9.38964844,9.25976562 9.25488281,9.85546875 9.24316406,10.5859375 L9.24316406,10.5859375 L10.3154297,10.5859375 C10.3310547,10.0664062 10.4130859,9.66015625 10.5615234,9.3671875 C10.8388672,8.8203125 11.3388672,8.546875 12.0615234,8.546875 C12.5498047,8.546875 12.9404297,8.69042969 13.2333984,8.97753906 C13.5263672,9.26464844 13.6728516,9.65234375 13.6728516,10.140625 C13.6728516,10.5585938 13.5126953,10.9296875 13.1923828,11.2539062 C12.9892578,11.4609375 12.6357422,11.7109375 12.1318359,12.0039062 L12.1318359,12.0039062 L11.0068359,12.6542969 C10.2529297,13.0917969 9.74609375,13.578125 9.48632812,14.1132812 C9.2265625,14.6484375 9.07714844,15.2773438 9.03808594,16 L9.03808594,16 L14.7978516,16 Z" id="2" fill="#FFFFFF" fill-rule="nonzero"></path>
+                </g>
+                <g id="Group" transform="translate(488.000000, 13.000000)">
+                    <circle id="Color" fill="#006BB4" cx="12" cy="12" r="12"></circle>
+                    <path d="M11.7802734,16.2285156 C12.7490234,16.2285156 13.4970703,15.9765625 14.0244141,15.4726562 C14.5517578,14.96875 14.8154297,14.3164062 14.8154297,13.515625 C14.8154297,13.015625 14.6914062,12.5927734 14.4433594,12.2470703 C14.1953125,11.9013672 13.8505859,11.6679688 13.4091797,11.546875 C13.6826172,11.4335938 13.9052734,11.2773438 14.0771484,11.078125 C14.3544922,10.7578125 14.4931641,10.3398438 14.4931641,9.82421875 C14.4931641,9.1015625 14.2587891,8.54980469 13.7900391,8.16894531 C13.3212891,7.78808594 12.6591797,7.59765625 11.8037109,7.59765625 C10.7216797,7.59765625 9.96582031,7.98828125 9.53613281,8.76953125 C9.28613281,9.20703125 9.16113281,9.73828125 9.16113281,10.3632812 L9.16113281,10.3632812 L10.2041016,10.3632812 C10.2236328,9.88671875 10.3076172,9.51953125 10.4560547,9.26171875 C10.7255859,8.79296875 11.2119141,8.55859375 11.9150391,8.55859375 C12.3095703,8.55859375 12.6552734,8.671875 12.9521484,8.8984375 C13.2490234,9.125 13.3974609,9.44726562 13.3974609,9.86523438 C13.3974609,10.4277344 13.1748047,10.8183594 12.7294922,11.0371094 C12.4755859,11.1621094 12.1513672,11.2246094 11.7568359,11.2246094 C11.6708984,11.2246094 11.5908203,11.2226562 11.5166016,11.21875 C11.4423828,11.2148438 11.3505859,11.2070312 11.2412109,11.1953125 L11.2412109,11.1953125 L11.2412109,12.1269531 C11.3154297,12.1230469 11.3886719,12.1201172 11.4609375,12.1181641 C11.5332031,12.1162109 11.6044922,12.1152344 11.6748047,12.1152344 C12.3037109,12.1152344 12.7949219,12.2304688 13.1484375,12.4609375 C13.5019531,12.6914062 13.6787109,13.0957031 13.6787109,13.6738281 C13.6787109,14.1425781 13.5107422,14.5253906 13.1748047,14.8222656 C12.8388672,15.1191406 12.3935547,15.2675781 11.8388672,15.2675781 C11.1240234,15.2675781 10.6298828,15.046875 10.3564453,14.6054688 C10.2001953,14.359375 10.0986328,13.9648438 10.0517578,13.421875 L10.0517578,13.421875 L8.95019531,13.421875 C8.95019531,14.203125 9.17382812,14.8662109 9.62109375,15.4111328 C10.0683594,15.9560547 10.7880859,16.2285156 11.7802734,16.2285156 Z" id="3" fill="#FFFFFF" fill-rule="nonzero"></path>
+                </g>
+                <use id="Rectangle" stroke="#343741" mask="url(#mask-2)" stroke-width="3" stroke-dasharray="4,4" xlink:href="#path-1"></use>
+                <text id="(authc-&amp;-authz)" font-family="Helvetica" font-size="12" font-weight="normal" letter-spacing="-0.0599999964" fill="#343741">
+                    <tspan x="136.2625" y="66">(authc &amp; authz)</tspan>
+                </text>
+                <text id="Backends" font-family="Helvetica" font-size="14" font-weight="normal" letter-spacing="-0.0699999958" fill="#343741">
+                    <tspan x="146.038789" y="49">Backends</tspan>
+                </text>
+                <g id="Group-4" transform="translate(223.000000, 14.000000)">
+                    <circle id="Color" fill="#006BB4" cx="12" cy="12" r="12"></circle>
+                    <path d="M12.9111328,16 L12.9111328,7.64453125 L12.0791016,7.64453125 C11.9306641,8.29296875 11.7060547,8.70410156 11.4052734,8.87792969 C11.1044922,9.05175781 10.5732422,9.17578125 9.81152344,9.25 L9.81152344,9.25 L9.81152344,10.0585938 L11.7861328,10.0585938 L11.7861328,16 L12.9111328,16 Z" id="1" fill="#FFFFFF" fill-rule="nonzero"></path>
+                </g>
+                <line x1="49.5" y1="58.5" x2="117.5" y2="58.5" id="Line" stroke="#343741" stroke-width="1.5" stroke-linecap="square" stroke-dasharray="4,4"></line>
+                <path d="M235,58 L268,58 L268,43 L340,43" id="Line" stroke="#343741" stroke-width="1.5" stroke-linecap="square" stroke-dasharray="4,4"></path>
+                <path d="M235,73 L268,73 L268,58 L340,58" id="Line" stroke="#343741" stroke-width="1.5" stroke-linecap="square" stroke-dasharray="4,4" transform="translate(287.500000, 65.500000) scale(1, -1) translate(-287.500000, -65.500000) "></path>
+            </g>
+        </g>
+    </g>
+</svg>
\ No newline at end of file
diff --git a/src/plugins/dashboards_security/public/assets/opensearch_logo_h.svg b/src/plugins/dashboards_security/public/assets/opensearch_logo_h.svg
new file mode 100644
index 000000000000..cb329cadfb40
--- /dev/null
+++ b/src/plugins/dashboards_security/public/assets/opensearch_logo_h.svg
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 23.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg viewBox="0 0 372 72" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M61.7374 26.5C60.4878 26.5 59.4748 27.513 59.4748 28.7626C59.4748 47.3814 44.3814 62.4748 25.7626 62.4748C24.513 62.4748 23.5 63.4878 23.5 64.7374C23.5 65.987 24.513 67 25.7626 67C46.8805 67 64 49.8805 64 28.7626C64 27.513 62.987 26.5 61.7374 26.5Z" fill="#005EB8"/>
+<path d="M48.0814 41C50.2572 37.4505 52.3615 32.7178 51.9475 26.0921C51.0899 12.3673 38.6589 1.95537 26.9206 3.08373C22.3253 3.52547 17.6068 7.2712 18.026 13.9805C18.2082 16.8961 19.6352 18.6169 21.9544 19.9399C24.1618 21.1992 26.9978 21.9969 30.2128 22.9011C34.0962 23.9934 38.6009 25.2203 42.0631 27.7717C46.2125 30.8296 49.0491 34.3743 48.0814 41Z" fill="#003B5C"/>
+<path d="M3.91861 17C1.74276 20.5495 -0.361506 25.2822 0.0524931 31.9079C0.910072 45.6327 13.3411 56.0446 25.0794 54.9163C29.6747 54.4745 34.3932 50.7288 33.974 44.0195C33.7918 41.1039 32.3647 39.3831 30.0456 38.0601C27.8382 36.8008 25.0022 36.0031 21.7872 35.0989C17.9038 34.0066 13.3991 32.7797 9.93695 30.2283C5.78747 27.1704 2.95092 23.6257 3.91861 17Z" fill="#005EB8"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M362.5 31V54H371.5V29C371.5 24.3927 370.6 20.9121 368.799 18.5511C366.998 16.1672 364.282 15 360.75 15C356.918 15 353.847 17.2408 352 21H351.5C351.636 19.0591 351.76 17.9472 351.85 17.1353C351.943 16.298 352 15.7797 352 15V0.5H343V54H352.5V35.5C352.5 31.3511 352.639 28.2815 353.493 26.081C354.347 23.8575 355.836 22.7458 357.96 22.7458C360.8 22.7458 362.5 25.3841 362.5 31ZM231.852 51.2289C234.284 48.7148 235.5 45.0936 235.5 40.3653C235.5 37.4129 234.834 34.7835 233.501 32.477C232.191 30.1705 229.865 27.9102 226.521 25.6959C224.042 24.0814 222.3 22.6398 221.294 21.3713C220.312 20.1027 219.821 18.615 219.821 16.9082C219.821 15.1783 220.23 13.8175 221.049 12.8257C221.891 11.8108 223.083 11.3034 224.627 11.3034C226.03 11.3034 227.339 11.5571 228.555 12.0645C229.794 12.572 230.975 13.1486 232.098 13.7944L235.254 6.25216C231.63 4.08405 227.854 3 223.925 3C219.809 3 216.524 4.26857 214.069 6.80572C211.637 9.34287 210.421 12.7796 210.421 17.1158C210.421 19.3761 210.725 21.3597 211.333 23.0665C211.964 24.7733 212.841 26.3187 213.964 27.7026C215.109 29.0634 216.781 30.4935 218.979 31.9927C221.505 33.6995 223.317 35.2564 224.416 36.6633C225.515 38.0472 226.065 39.5811 226.065 41.2648C226.065 42.9716 225.597 44.3209 224.662 45.3127C223.75 46.3045 222.382 46.8004 220.558 46.8004C217.354 46.8004 213.835 45.5664 210 43.0985V52.4052C213.133 54.1351 216.933 55 221.4 55C225.959 55 229.444 53.743 231.852 51.2289ZM241.674 49.8745C244.48 53.2915 248.306 55 253.152 55C257.303 55 260.862 54.1111 263.83 52.3333V44.7489C260.677 46.619 257.593 47.5541 254.578 47.5541C252.213 47.5541 250.358 46.7229 249.013 45.0606C247.668 43.3752 247.07 40.9401 247 37.5H265.5V32.4545C265.5 26.9365 264.283 22.6537 261.848 19.6061C259.413 16.5354 256.086 15 251.865 15C247.343 15 243.819 16.7893 241.291 20.368C238.764 23.9466 237.5 28.9221 237.5 35.2944C237.5 41.5743 238.891 46.4343 241.674 49.8745ZM248.526 24.2121C249.384 22.8038 250.474 22.0996 251.796 22.0996C253.21 22.0996 254.323 22.8268 255.135 24.2814C255.946 25.7359 256.454 28.1833 256.5 31H247C247.139 28.0678 247.668 25.5974 248.526 24.2121ZM288 54L286.5 49H286C284.622 51.2587 283.295 52.868 281.824 53.7208C280.352 54.5736 278.494 55 276.252 55C273.378 55 271.112 53.9398 269.453 51.8194C267.818 49.6989 267 46.7488 267 42.9689C267 38.9124 268.121 35.9046 270.364 33.9455C272.63 31.9634 276.006 30.8686 280.492 30.6612L285.678 30.4538V27.688C285.678 24.0925 284.101 22.2947 280.947 22.2947C278.611 22.2947 275.924 23.1936 272.887 24.9914L269.663 18.6301C273.542 16.21 277.694 15 282.25 15C286.385 15 289.592 16.1755 291.741 18.5264C293.914 20.8542 295 24.1616 295 28.4486V54H288ZM280.071 47.809C281.777 47.809 283.132 47.0599 284.136 45.5618C285.164 44.0406 285.678 42.0239 285.678 39.5117V36.2619L282.805 36.4002C280.679 36.5154 279.113 37.1147 278.109 38.1979C277.128 39.2812 276.637 40.8946 276.637 43.038C276.637 46.2187 277.782 47.809 280.071 47.809ZM318 15.75C316.93 15.405 315.337 15 314.222 15C312.651 15 311.273 15.5174 310.089 16.5523C308.905 17.5872 308.002 18.5853 307 21H306.5L305 16H298V54H307.463V34C307.463 30.6424 307.676 28.4763 308.86 26.7285C310.044 24.9577 311.74 24.0723 313.948 24.0723C314.973 24.0723 315.863 24.27 316.5 24.5L318 15.75ZM332 55C327.443 55 323.954 53.478 321.573 50.1302C319.191 46.7824 318 41.8647 318 35.377C318 28.5891 319.122 23.5213 321.366 20.1735C323.634 16.8257 327.017 15 331.735 15C333.154 15 334.752 15.3596 336.309 15.7752C337.866 16.1908 339.763 16.715 341 17.5L337.889 24.7449C335.989 23.6136 334.305 23.048 332.84 23.048C330.893 23.048 329.485 24.0754 328.614 26.1302C327.767 28.162 327.344 31.2211 327.344 35.3077C327.344 39.3019 327.767 42.2918 328.614 44.2774C329.462 46.2399 330.847 47.2211 332.771 47.2211C335.061 47.2211 337.454 46.413 339.95 44.7969V52.9008C337.546 54.4015 334.908 55 332 55Z" fill="#003B5C"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M107.777 48.2625C110.926 43.7708 112.5 37.3442 112.5 28.9827C112.5 20.6213 110.937 14.2062 107.812 9.73754C104.686 5.24585 100.194 3 94.3368 3C88.4098 3 83.8719 5.23433 80.7231 9.70299C77.5744 14.1486 76 20.5522 76 28.9136C76 37.3442 77.5744 43.8053 80.7231 48.297C83.8719 52.7657 88.3866 55 94.2674 55C100.125 55 104.628 52.7542 107.777 48.2625ZM87.8425 42.1468C86.3839 39.1293 85.6546 34.7413 85.6546 28.9827C85.6546 23.2011 86.3839 18.8131 87.8425 15.8186C89.3011 12.8011 91.4659 11.2924 94.3368 11.2924C99.986 11.2924 102.811 17.1891 102.811 28.9827C102.811 40.7763 99.9629 46.6731 94.2674 46.6731C91.4428 46.6731 89.3011 45.1643 87.8425 42.1468ZM128.186 53.9979C129.469 54.7387 130.85 55 132.5 55C136.03 55 138.9 53.3265 140.94 49.7612C142.98 46.196 144 41.2764 144 35.0025C144 28.6359 143.014 23.7164 141.043 20.2437C139.072 16.7479 136.345 15 132.861 15C129.24 15 126.402 17.1569 124.5 21H124L122.5 16H115.5V71.5H124.5V55C124.5 54.3518 124.367 52.1485 124 49H124.5C125.25 51.25 126.925 53.2339 128.186 53.9979ZM125.882 25.3832C126.685 23.6932 127.979 22.8482 129.767 22.8482C131.44 22.8482 132.666 23.8437 133.446 25.8347C134.248 27.8257 134.649 30.8353 134.649 34.8636C134.649 43.059 133.045 47.1567 129.836 47.1567C127.979 47.1567 126.65 46.1844 125.848 44.2397C125.046 42.295 124.645 39.1928 124.645 34.933V33.7176C124.691 29.8282 125.103 27.0501 125.882 25.3832ZM161.652 55C156.806 55 152.98 53.2915 150.174 49.8745C147.391 46.4343 146 41.5743 146 35.2944C146 28.9221 147.264 23.9466 149.791 20.368C152.319 16.7893 155.843 15 160.365 15C164.586 15 167.913 16.5354 170.348 19.6061C172.783 22.6537 174 26.9365 174 32.4545V37.5H155.5C155.57 40.9401 156.168 43.3752 157.513 45.0606C158.858 46.7229 160.713 47.5541 163.078 47.5541C166.093 47.5541 169.177 46.619 172.33 44.7489V52.3333C169.362 54.1111 165.803 55 161.652 55ZM160.296 22.0996C158.974 22.0996 157.884 22.8038 157.026 24.2121C156.168 25.5974 155.639 28.0678 155.5 31H165C164.954 28.1833 164.446 25.7359 163.635 24.2814C162.823 22.8268 161.71 22.0996 160.296 22.0996ZM196.5 31V54H205.5V29.1991C205.5 24.5589 204.623 21.0323 202.868 18.6194C201.137 16.2065 198.516 15 195.007 15C192.93 15 191.117 15.5104 189.57 16.5313C188.024 17.5289 186.831 19.2135 186 21H185.5L184.25 16H177V54H186.5V35.75C186.5 31.0402 186.673 27.8302 187.597 25.8582C188.52 23.8628 189.974 22.8652 191.96 22.8652C193.461 22.8652 194.546 23.5844 195.215 25.0229C195.885 26.4614 196.5 28.1927 196.5 31Z" fill="#005EB8"/>
+</svg>
+
diff --git a/src/plugins/dashboards_security/public/index.ts b/src/plugins/dashboards_security/public/index.ts
new file mode 100644
index 000000000000..d6cd9167faf2
--- /dev/null
+++ b/src/plugins/dashboards_security/public/index.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { PluginInitializerContext } from 'opensearch-dashboards/public';
+import { SecurityPlugin } from './plugin';
+
+export function plugin(initializerContext: PluginInitializerContext) {
+  return new SecurityPlugin(initializerContext);
+}
+
+export { SecurityPluginSetup, SecurityPluginStart } from './types';
diff --git a/src/plugins/dashboards_security/public/plugin.ts b/src/plugins/dashboards_security/public/plugin.ts
new file mode 100644
index 000000000000..144047ec7bfc
--- /dev/null
+++ b/src/plugins/dashboards_security/public/plugin.ts
@@ -0,0 +1,51 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import {
+  Plugin,
+  PluginInitializerContext,
+  CoreSetup,
+  CoreStart,
+  AppMountParameters,
+} from 'opensearch-dashboards/public';
+import { ClientConfigType, SecurityPluginSetup, SecurityPluginStart } from './types';
+import { APP_ID_LOGIN, LOGIN_PAGE_URI } from '../common';
+import { setupLogoutButton } from './apps/logout/logout-app';
+
+export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPluginStart> {
+  // @ts-ignore : initializerContext not used
+  constructor(private readonly initializerContext: PluginInitializerContext) {}
+
+  public async setup(core: CoreSetup): Promise<SecurityPluginSetup> {
+    const config = this.initializerContext.config.get<ClientConfigType>();
+
+    /* Privilege evaluation:: check the user's permissiion. Regsiter application based on user's permission
+     * This setep need to be implemented
+     */
+    core.application.register({
+      id: APP_ID_LOGIN,
+      title: 'Security',
+      chromeless: true,
+      appRoute: LOGIN_PAGE_URI,
+      mount: async (params: AppMountParameters) => {
+        const { renderApp } = await import('./apps/login/login-app');
+        // @ts-ignore depsStart not used.
+        const [coreStart, depsStart] = await core.getStartServices();
+        return renderApp(coreStart, params, config);
+      },
+    });
+
+    return {};
+  }
+
+  public start(core: CoreStart): SecurityPluginStart {
+    const config = this.initializerContext.config.get<ClientConfigType>();
+    setupLogoutButton(core, config);
+
+    return {};
+  }
+
+  public stop() {}
+}
diff --git a/src/plugins/dashboards_security/public/types.ts b/src/plugins/dashboards_security/public/types.ts
new file mode 100644
index 000000000000..e0b29bb4d37e
--- /dev/null
+++ b/src/plugins/dashboards_security/public/types.ts
@@ -0,0 +1,61 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { map } from 'rxjs/operators';
+
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginSetup {}
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginStart {}
+
+export interface AuthInfo {
+  user_name: string;
+  entitlements: {
+    [entitlement: string]: boolean;
+  };
+}
+
+export interface ClientConfigType {
+  readonly_mode: {
+    roles: string[];
+  };
+  ui: {
+    basicauth: {
+      login: {
+        title: string;
+        subtitle: string;
+        showbrandimage: boolean;
+        brandimage: string;
+        buttonstyle: string;
+      };
+    };
+    openid: {
+      login: {
+        buttonname: string;
+        showbrandimage: boolean;
+        brandimage: string;
+        buttonstyle: string;
+      };
+    };
+    saml: {
+      login: {
+        buttonname: string;
+        showbrandimage: boolean;
+        brandimage: string;
+        buttonstyle: string;
+      };
+    };
+    autologout: boolean;
+    backend_configurable: boolean;
+  };
+  auth: {
+    type: string | string[];
+    anonymous_auth_enabled: boolean;
+    logout_url: string;
+  };
+  idp: {
+    setting: typeof map;
+  };
+}
diff --git a/src/plugins/dashboards_security/public/utils/auth_utils.ts b/src/plugins/dashboards_security/public/utils/auth_utils.ts
new file mode 100644
index 000000000000..9ae972ce61b1
--- /dev/null
+++ b/src/plugins/dashboards_security/public/utils/auth_utils.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { HttpStart } from 'opensearch-dashboards/public';
+import { API_ENDPOINT_AUTHTYPE } from '../../common';
+import { httpGet, httpPost } from './request_utils';
+
+export async function validateCurrentPassword(
+  http: HttpStart,
+  userName: string,
+  currentPassword: string
+): Promise<void> {
+  await httpPost(http, `/auth/basicauth/opensearch/login`, {
+    username: userName,
+    password: currentPassword,
+  });
+}
+
+export async function logout(http: HttpStart, logoutUrl?: string): Promise<void> {
+  const currentAuthType = (await fetchCurrentAuthType(http))?.currentAuthType;
+  const authType = currentAuthType.split('_')[0];
+  const authIdent = currentAuthType.split('_')[1];
+
+  const logoutEndpoint = `/auth/${authType}/${authIdent}/logout`;
+  // console.log("Logout url:: ", logoutEndpoint);
+  await httpGet(http, logoutEndpoint);
+
+  sessionStorage.clear();
+
+  const basePath = http.basePath.serverBasePath ? http.basePath.serverBasePath : '/';
+  const nextUrl = encodeURIComponent(basePath);
+  window.location.href =
+    logoutUrl || `${http.basePath.serverBasePath}/app/login?nextUrl=${nextUrl}`;
+}
+
+export async function fetchCurrentAuthType(http: HttpStart): Promise<any> {
+  return await httpGet(http, API_ENDPOINT_AUTHTYPE);
+}
diff --git a/src/plugins/dashboards_security/public/utils/request_utils.ts b/src/plugins/dashboards_security/public/utils/request_utils.ts
new file mode 100644
index 000000000000..6907ada6c5c3
--- /dev/null
+++ b/src/plugins/dashboards_security/public/utils/request_utils.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { HttpStart, HttpHandler } from 'opensearch-dashboards/public';
+
+export async function request<T>(requestFunc: HttpHandler, url: string, body?: object): Promise<T> {
+  if (body) {
+    return (await requestFunc(url, { body: JSON.stringify(body) })) as T;
+  }
+  return (await requestFunc(url)) as T;
+}
+
+export async function httpGet<T>(http: HttpStart, url: string): Promise<T> {
+  return await request<T>(http.get, url);
+}
+
+export async function httpPost<T>(http: HttpStart, url: string, body?: object): Promise<T> {
+  return await request<T>(http.post, url, body);
+}
+
+export async function httpDelete<T>(http: HttpStart, url: string): Promise<T> {
+  return await request<T>(http.delete, url);
+}
diff --git a/src/plugins/dashboards_security/server/auth/auth_handler_factory.ts b/src/plugins/dashboards_security/server/auth/auth_handler_factory.ts
new file mode 100644
index 000000000000..835e5a677c7a
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/auth_handler_factory.ts
@@ -0,0 +1,42 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { IRouter, CoreSetup, Logger, SessionStorageFactory } from 'opensearch-dashboards/server';
+import { SecuritySessionCookie } from '../session/security_cookie';
+import { SecurityPluginConfigType } from '..';
+import { IAuthenticationType, IAuthHandlerConstructor } from './types/authentication_type';
+import { MultipleAuthentication } from './types';
+
+async function createAuthentication(
+  ctor: IAuthHandlerConstructor,
+  config: SecurityPluginConfigType,
+  sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+  router: IRouter,
+  coreSetup: CoreSetup,
+  logger: Logger
+): Promise<IAuthenticationType> {
+  const authHandler = new ctor('', config, sessionStorageFactory, router, coreSetup, logger);
+  await authHandler.init();
+  return authHandler;
+}
+
+export async function getAuthenticationHandler(
+  router: IRouter,
+  config: SecurityPluginConfigType,
+  core: CoreSetup,
+  securitySessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+  logger: Logger
+): Promise<IAuthenticationType> {
+  const authHandlerType: IAuthHandlerConstructor = MultipleAuthentication;
+  const auth: IAuthenticationType = await createAuthentication(
+    authHandlerType,
+    config,
+    securitySessionStorageFactory,
+    router,
+    core,
+    logger
+  );
+  return auth;
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/authentication_type.ts b/src/plugins/dashboards_security/server/auth/types/authentication_type.ts
new file mode 100644
index 000000000000..dc3546460eaa
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/authentication_type.ts
@@ -0,0 +1,150 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import {
+  AuthenticationHandler,
+  SessionStorageFactory,
+  IRouter,
+  CoreSetup,
+  Logger,
+  AuthToolkit,
+  LifecycleResponseFactory,
+  OpenSearchDashboardsRequest,
+  IOpenSearchDashboardsResponse,
+  AuthResult,
+} from 'opensearch-dashboards/server';
+import { SecurityPluginConfigType } from '../..';
+import { SecuritySessionCookie } from '../../session/security_cookie';
+import { authenticate } from '../../utils/auth_util';
+
+export interface IAuthenticationType {
+  authType: string;
+  authHandler: AuthenticationHandler;
+  init: () => Promise<void>;
+}
+
+export type IAuthHandlerConstructor = new (
+  authType: string,
+  config: SecurityPluginConfigType,
+  sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+  router: IRouter,
+  coreSetup: CoreSetup,
+  logger: Logger
+) => IAuthenticationType;
+
+export abstract class AuthenticationType implements IAuthenticationType {
+  protected static readonly ROUTES_TO_IGNORE: string[] = [
+    '/api/core/capabilities', // FIXME: need to figureout how to bypass this API call
+    '/app/login',
+  ];
+  protected static readonly REST_API_CALL_HEADER = 'osd-xsrf';
+
+  constructor(
+    public readonly authType: string,
+    protected readonly config: SecurityPluginConfigType,
+    protected readonly sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    protected readonly router: IRouter,
+    protected readonly coreSetup: CoreSetup,
+    protected readonly logger: Logger
+  ) {}
+
+  public authHandler: AuthenticationHandler = async (request, response, toolkit) => {
+    // if browser request, auth logic is:
+    //   1. check if request includes auth header or paramter(e.g. jwt in url params) is present, if so, authenticate with auth header.
+    //   2. if auth header not present, check if auth cookie is present, if no cookie, send to authentication workflow
+    //   3. verify whether auth cookie is valid, if not valid, send to authentication workflow
+    //   4. if cookie is valid, pass to route handlers
+    const authHeaders = {};
+    let cookie: SecuritySessionCookie | null | undefined;
+    let authInfo: any | undefined;
+    if (this.authNotRequired(request)) {
+      return toolkit.authenticated();
+    }
+
+    if (this.requestIncludesAuthInfo(request)) {
+      try {
+        const additonalAuthHeader = this.getAdditionalAuthHeader(request);
+        Object.assign(authHeaders, additonalAuthHeader);
+        authInfo = authenticate({
+          username: 'admin',
+          password: 'admin',
+        });
+        cookie = this.getCookie(request, authInfo);
+        this.sessionStorageFactory.asScoped(request).set(cookie);
+      } catch (error: any) {
+        return response.unauthorized({
+          body: error.message,
+        });
+      }
+    } else {
+      try {
+        cookie = await this.sessionStorageFactory.asScoped(request).get();
+      } catch (error: any) {
+        this.logger.error(`Error parsing cookie: ${error.message}`);
+        cookie = undefined;
+      }
+      if (!cookie || !(await this.isValidCookie(cookie))) {
+        // clear cookie
+        this.sessionStorageFactory.asScoped(request).clear();
+
+        // send to auth workflow
+        return this.handleUnauthedRequest(request, response, toolkit);
+      }
+
+      // extend session expiration time
+      if (this.config.session.keepalive) {
+        cookie!.expiryTime = Date.now() + this.config.session.ttl;
+        this.sessionStorageFactory.asScoped(request).set(cookie!);
+      }
+      // cookie is valid and build auth header
+      const authHeadersFromCookie = this.buildAuthHeaderFromCookie(cookie!);
+      Object.assign(authHeaders, authHeadersFromCookie);
+      const additonalAuthHeader = this.getAdditionalAuthHeader(request);
+      Object.assign(authHeaders, additonalAuthHeader);
+    }
+
+    return toolkit.authenticated({
+      requestHeaders: authHeaders,
+    });
+  };
+
+  authNotRequired(request: OpenSearchDashboardsRequest): boolean {
+    const pathname = request.url.pathname;
+    if (!pathname) {
+      return false;
+    }
+    // allow requests to ignored routes
+    if (AuthenticationType.ROUTES_TO_IGNORE.includes(pathname!)) {
+      return true;
+    }
+    // allow requests to routes that doesn't require authentication
+    if (this.config.auth.unauthenticated_routes.indexOf(pathname!) > -1) {
+      // TODO: use opensearch-dashboards server user
+      return true;
+    }
+    return false;
+  }
+
+  isPageRequest(request: OpenSearchDashboardsRequest) {
+    const path = request.url.pathname || '/';
+    return path.startsWith('/app/') || path === '/' || path.startsWith('/goto/');
+  }
+
+  // abstract functions for concrete auth types to implement
+  public abstract requestIncludesAuthInfo(request: OpenSearchDashboardsRequest): boolean;
+  public abstract getAdditionalAuthHeader(request: OpenSearchDashboardsRequest): Promise<any>;
+  public abstract getCookie(
+    request: OpenSearchDashboardsRequest,
+    authInfo: any
+  ): SecuritySessionCookie;
+  public abstract isValidCookie(cookie: SecuritySessionCookie): Promise<boolean>;
+  protected abstract handleUnauthedRequest(
+    request: OpenSearchDashboardsRequest,
+    response: LifecycleResponseFactory,
+    toolkit: AuthToolkit
+  ): IOpenSearchDashboardsResponse | AuthResult;
+  public abstract buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any;
+  public abstract init(): Promise<void>;
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/basic/basic_auth.ts b/src/plugins/dashboards_security/server/auth/types/basic/basic_auth.ts
new file mode 100644
index 000000000000..3069a1c634f8
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/basic/basic_auth.ts
@@ -0,0 +1,106 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { OpenSearchDashboardsResponse } from 'opensearch-dashboards/server/http/router';
+import {
+  CoreSetup,
+  SessionStorageFactory,
+  IRouter,
+  OpenSearchDashboardsRequest,
+  Logger,
+  LifecycleResponseFactory,
+  AuthToolkit,
+} from 'opensearch-dashboards/server';
+import { SecurityPluginConfigType } from '../../..';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { BasicAuthRoutes } from './routes';
+import { AuthenticationType } from '../authentication_type';
+import { LOGIN_PAGE_URI } from '../../../../common';
+import { composeNextUrlQueryParam } from '../../../utils/next_url';
+import { AUTH_HEADER_NAME } from '../../../../common';
+
+export class BasicAuthentication extends AuthenticationType {
+  constructor(
+    authType: string,
+    config: SecurityPluginConfigType,
+    sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    router: IRouter,
+    coreSetup: CoreSetup,
+    logger: Logger
+  ) {
+    super(authType, config, sessionStorageFactory, router, coreSetup, logger);
+  }
+
+  public async init() {
+    const routes = new BasicAuthRoutes(
+      this.authType,
+      this.router,
+      this.config,
+      this.sessionStorageFactory,
+      this.coreSetup
+    );
+    routes.setupRoutes();
+  }
+
+  requestIncludesAuthInfo(
+    request: OpenSearchDashboardsRequest<unknown, unknown, unknown, any>
+  ): boolean {
+    return request.headers[AUTH_HEADER_NAME] ? true : false;
+  }
+
+  async getAdditionalAuthHeader(
+    request: OpenSearchDashboardsRequest<unknown, unknown, unknown, any>
+  ): Promise<any> {
+    return {};
+  }
+
+  getCookie(request: OpenSearchDashboardsRequest, authInfo: any): SecuritySessionCookie {
+    return {
+      username: authInfo.user_name,
+      credentials: {
+        authHeaderValue: request.headers[AUTH_HEADER_NAME],
+      },
+      authType: this.authType,
+      expiryTime: Date.now() + this.config.session.ttl,
+    };
+  }
+
+  async isValidCookie(cookie: SecuritySessionCookie): Promise<boolean> {
+    return (
+      cookie.authType === this.authType &&
+      cookie.expiryTime &&
+      cookie.username &&
+      cookie.credentials?.authHeaderValue
+    );
+  }
+
+  handleUnauthedRequest(
+    request: OpenSearchDashboardsRequest,
+    response: LifecycleResponseFactory,
+    toolkit: AuthToolkit
+  ): OpenSearchDashboardsResponse {
+    if (this.isPageRequest(request)) {
+      const nextUrlParam = composeNextUrlQueryParam(
+        request,
+        this.coreSetup.http.basePath.serverBasePath
+      );
+      const redirectLocation = `${this.coreSetup.http.basePath.serverBasePath}${LOGIN_PAGE_URI}?${nextUrlParam}`;
+      return response.redirected({
+        headers: {
+          location: `${redirectLocation}`,
+        },
+      });
+    } else {
+      return response.unauthorized({
+        body: `Authentication required`,
+      });
+    }
+  }
+
+  buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
+    const headers: any = {};
+    Object.assign(headers, { authorization: cookie.credentials?.authHeaderValue });
+    return headers;
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/basic/routes.ts b/src/plugins/dashboards_security/server/auth/types/basic/routes.ts
new file mode 100755
index 000000000000..85ea91572952
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/basic/routes.ts
@@ -0,0 +1,132 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { schema } from '@osd/config-schema';
+import { IRouter, SessionStorageFactory, CoreSetup } from 'opensearch-dashboards/server';
+import {
+  SecuritySessionCookie,
+  clearOldVersionCookieValue,
+} from '../../../session/security_cookie';
+import { SecurityPluginConfigType } from '../../..';
+import { LOGIN_PAGE_URI } from '../../../../common';
+import { authenticate } from '../../../utils/auth_util';
+
+export class BasicAuthRoutes {
+  private authProvider: string;
+  constructor(
+    private readonly authType: string,
+    private readonly router: IRouter,
+    private readonly config: SecurityPluginConfigType,
+    private readonly sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    private readonly coreSetup: CoreSetup
+  ) {
+    this.authProvider = this.authType.split('_')[1];
+  }
+
+  public setupRoutes() {
+    this.coreSetup.http.resources.register(
+      {
+        path: LOGIN_PAGE_URI,
+        validate: false,
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        this.sessionStorageFactory.asScoped(request).clear();
+        const clearOldVersionCookie = clearOldVersionCookieValue(this.config);
+        return response.renderAnonymousCoreApp({
+          headers: {
+            'set-cookie': clearOldVersionCookie,
+          },
+        });
+      }
+    );
+
+    // login using username and password
+    this.router.post(
+      {
+        path: `/auth/basicauth/${this.authProvider}/login`,
+        validate: {
+          body: schema.object({
+            username: schema.string(),
+            password: schema.string(),
+          }),
+        },
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        try {
+          const user = authenticate({
+            username: request.body.username,
+            password: request.body.password,
+          });
+
+          this.sessionStorageFactory.asScoped(request).clear();
+          const encodedCredentials = Buffer.from(
+            `${request.body.username}:${request.body.password}`
+          ).toString('base64');
+          const sessionStorage: SecuritySessionCookie = {
+            username: user?.username,
+            credentials: {
+              authHeaderValue: `Basic ${encodedCredentials}`,
+            },
+            authType: this.authType,
+            expiryTime: Date.now() + this.config.session.ttl,
+          };
+
+          this.sessionStorageFactory.asScoped(request).set(sessionStorage);
+          await this.sessionStorageFactory.asScoped(request).get();
+          return response.ok({
+            body: {
+              username: user?.username,
+            },
+          });
+        } catch (error: any) {
+          // console.log(`Basic authentication failed: ${error}`);
+          return response.unauthorized({
+            headers: {
+              'www-authenticate': 'User not found',
+            },
+          });
+        }
+      }
+    );
+
+    // logout
+    this.router.get(
+      {
+        path: `/auth/basicauth/${this.authProvider}/logout`,
+        validate: false,
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        this.sessionStorageFactory.asScoped(request).clear();
+        return response.ok({
+          body: {},
+        });
+      }
+    );
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/basic/user_bank.ts b/src/plugins/dashboards_security/server/auth/types/basic/user_bank.ts
new file mode 100644
index 000000000000..4bb169faeeca
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/basic/user_bank.ts
@@ -0,0 +1,43 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export interface UserSchema {
+  username: string;
+  password?: string;
+  authOption?: string;
+}
+
+export const userProfiles = new Map([
+  [
+    'admin',
+    {
+      username: 'admin',
+      password: 'admin',
+      authOption: 'basicauth_opensearch',
+    },
+  ],
+  [
+    'aoguan',
+    {
+      username: 'aoguan',
+      password: 'admin',
+      authOption: 'basicauth_opensearch',
+    },
+  ],
+  [
+    'aoguan@amazon.com',
+    {
+      username: 'aoguan@amazon.com',
+      authOption: 'oidc_okta',
+    },
+  ],
+  [
+    'svc.opensearch.auth@gmail.com',
+    {
+      username: 'svc.opensearch.auth@gmail.com',
+      authOption: 'oidc_okta',
+    },
+  ],
+]);
diff --git a/src/plugins/dashboards_security/server/auth/types/index.ts b/src/plugins/dashboards_security/server/auth/types/index.ts
new file mode 100644
index 000000000000..c094badf6d08
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export { BasicAuthentication } from './basic/basic_auth';
+export { OpenIdAuthentication } from './openid/openid_auth';
+export { MultipleAuthentication } from './multiple/multi_auth';
diff --git a/src/plugins/dashboards_security/server/auth/types/multiple/multi_auth.ts b/src/plugins/dashboards_security/server/auth/types/multiple/multi_auth.ts
new file mode 100644
index 000000000000..bad353669a7b
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/multiple/multi_auth.ts
@@ -0,0 +1,165 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+import {
+  CoreSetup,
+  SessionStorageFactory,
+  IRouter,
+  OpenSearchDashboardsRequest,
+  Logger,
+  LifecycleResponseFactory,
+  AuthToolkit,
+} from 'opensearch-dashboards/server';
+import { OpenSearchDashboardsResponse } from '../../../../../../src/core/server/http/router';
+import { SecurityPluginConfigType } from '../../..';
+import { AuthenticationType } from '../authentication_type';
+import { ANONYMOUS_AUTH_LOGIN, AuthType, LOGIN_PAGE_URI } from '../../../../common';
+import { composeNextUrlQueryParam } from '../../../utils/next_url';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { BasicAuthentication, OpenIdAuthentication } from '../../types';
+import { getAuthTypes } from '../../../utils/common_util';
+import { MultiAuthRoutes } from './routes';
+
+export class MultipleAuthentication extends AuthenticationType {
+  private authTypes: string[];
+  private authHandlers: Map<string, AuthenticationType>;
+
+  constructor(
+    authType: string,
+    config: SecurityPluginConfigType,
+    sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    router: IRouter,
+    coreSetup: CoreSetup,
+    logger: Logger
+  ) {
+    super(authType, config, sessionStorageFactory, router, coreSetup, logger);
+    this.authTypes = getAuthTypes(this.config);
+    this.authHandlers = new Map<string, AuthenticationType>();
+  }
+
+  public async init() {
+    const routes = new MultiAuthRoutes(this.router, this.sessionStorageFactory);
+    routes.setupRoutes();
+
+    for (const type of this.authTypes) {
+      const authOptions = type.split('_');
+      switch (authOptions[0]) {
+        case AuthType.BASIC: {
+          const BasicAuth = new BasicAuthentication(
+            type,
+            this.config,
+            this.sessionStorageFactory,
+            this.router,
+            this.coreSetup,
+            this.logger
+          );
+          await BasicAuth.init();
+          this.authHandlers.set(type, BasicAuth);
+          break;
+        }
+        case AuthType.OIDC: {
+          const OidcAuth = new OpenIdAuthentication(
+            type,
+            this.config,
+            this.sessionStorageFactory,
+            this.router,
+            this.coreSetup,
+            this.logger
+          );
+          await OidcAuth.init();
+          this.authHandlers.set(type, OidcAuth);
+          break;
+        }
+        default: {
+          throw new Error(`Unsupported authentication type: ${authOptions[0]}`);
+        }
+      }
+    }
+  }
+
+  // override functions inherited from AuthenticationType
+  requestIncludesAuthInfo(
+    request: OpenSearchDashboardsRequest<unknown, unknown, unknown, any>
+  ): boolean {
+    for (const key of this.authHandlers.keys()) {
+      if (this.authHandlers.get(key)!.requestIncludesAuthInfo(request)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  async getAdditionalAuthHeader(
+    request: OpenSearchDashboardsRequest<unknown, unknown, unknown, any>
+  ): Promise<any> {
+    // To Do: refactor this method to improve the effiency to get cookie, get cookie from input parameter
+    const cookie = await this.sessionStorageFactory.asScoped(request).get();
+    const reqAuthType = cookie?.authType?.toLowerCase();
+
+    if (reqAuthType && this.authHandlers.has(reqAuthType)) {
+      return this.authHandlers.get(reqAuthType)!.getAdditionalAuthHeader(request);
+    } else {
+      return {};
+    }
+  }
+
+  getCookie(request: OpenSearchDashboardsRequest, authInfo: any): SecuritySessionCookie {
+    return {};
+  }
+
+  async isValidCookie(cookie: SecuritySessionCookie): Promise<boolean> {
+    const reqAuthType = cookie?.authType?.toLowerCase();
+    if (reqAuthType && this.authHandlers.has(reqAuthType)) {
+      return this.authHandlers.get(reqAuthType)!.isValidCookie(cookie);
+    } else {
+      return false;
+    }
+  }
+
+  handleUnauthedRequest(
+    request: OpenSearchDashboardsRequest,
+    response: LifecycleResponseFactory,
+    toolkit: AuthToolkit
+  ): OpenSearchDashboardsResponse {
+    if (this.isPageRequest(request)) {
+      const nextUrlParam = composeNextUrlQueryParam(
+        request,
+        this.coreSetup.http.basePath.serverBasePath
+      );
+
+      return response.redirected({
+        headers: {
+          location: `${this.coreSetup.http.basePath.serverBasePath}${LOGIN_PAGE_URI}?${nextUrlParam}`,
+        },
+      });
+    } else {
+      return response.unauthorized();
+    }
+  }
+
+  buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
+    const reqAuthType = cookie?.authType?.toLowerCase();
+
+    if (reqAuthType && this.authHandlers.has(reqAuthType)) {
+      return this.authHandlers.get(reqAuthType)!.buildAuthHeaderFromCookie(cookie);
+    } else {
+      return {};
+    }
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/multiple/routes.ts b/src/plugins/dashboards_security/server/auth/types/multiple/routes.ts
new file mode 100644
index 000000000000..62927c699a43
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/multiple/routes.ts
@@ -0,0 +1,52 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { IRouter, SessionStorageFactory } from 'opensearch-dashboards/server';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { API_ENDPOINT_AUTHTYPE } from '../../../../common';
+
+export class MultiAuthRoutes {
+  constructor(
+    private readonly router: IRouter,
+    private readonly sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>
+  ) {}
+
+  public setupRoutes() {
+    this.router.get(
+      {
+        path: API_ENDPOINT_AUTHTYPE,
+        validate: false,
+      },
+      async (context, request, response) => {
+        const cookie = await this.sessionStorageFactory.asScoped(request).get();
+        if (!cookie) {
+          return response.badRequest({
+            body: 'Invalid cookie',
+          });
+        }
+        return response.ok({
+          body: {
+            currentAuthType: cookie?.authType,
+          },
+        });
+      }
+    );
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/openid/openid_auth.ts b/src/plugins/dashboards_security/server/auth/types/openid/openid_auth.ts
new file mode 100644
index 000000000000..b9a5054510df
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/openid/openid_auth.ts
@@ -0,0 +1,203 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import wreck from '@hapi/wreck';
+import {
+  Logger,
+  SessionStorageFactory,
+  CoreSetup,
+  IRouter,
+  OpenSearchDashboardsRequest,
+  LifecycleResponseFactory,
+  AuthToolkit,
+  IOpenSearchDashboardsResponse,
+} from 'opensearch-dashboards/server';
+import { PeerCertificate } from 'tls';
+import { SecurityPluginConfigType } from '../../..';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { OpenIdAuthRoutes } from './routes';
+import { AuthenticationType } from '../authentication_type';
+import { composeNextUrlQueryParam } from '../../../utils/next_url';
+import { LOGIN_PAGE_URI } from '../../../../common';
+import {
+  callTokenEndpoint,
+  createWreckClient,
+  getExpirationDate,
+  getOIDCConfiguration,
+} from '../../../utils/common_util';
+
+export interface OpenIdAuthConfig {
+  authorizationEndpoint?: string;
+  tokenEndpoint?: string;
+  endSessionEndpoint?: string;
+  scope?: string;
+  issuer?: string;
+  authHeaderName?: string;
+}
+
+export interface WreckHttpsOptions {
+  ca?: string | Buffer | Array<string | Buffer>;
+  checkServerIdentity?: (host: string, cert: PeerCertificate) => Error | undefined;
+}
+
+export class OpenIdAuthentication extends AuthenticationType {
+  private openIdAuthConfig: OpenIdAuthConfig;
+  private wreckClient: typeof wreck;
+  private idpConfig: any;
+  constructor(
+    authType: string,
+    config: SecurityPluginConfigType,
+    sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    router: IRouter,
+    core: CoreSetup,
+    logger: Logger
+  ) {
+    super(authType, config, sessionStorageFactory, router, core, logger);
+    this.wreckClient = createWreckClient(this.config);
+    this.openIdAuthConfig = {};
+    this.idpConfig = this.config.idp.setting.get(this.authType);
+  }
+
+  public async init() {
+    try {
+      await getOIDCConfiguration(
+        this.authType,
+        this.config,
+        this.wreckClient,
+        this.openIdAuthConfig
+      );
+      // console.log('this.openIdAuthConfig:: ', this.openIdAuthConfig);
+
+      const routes = new OpenIdAuthRoutes(
+        this.authType,
+        this.router,
+        this.config,
+        this.sessionStorageFactory,
+        this.openIdAuthConfig,
+        this.coreSetup,
+        this.wreckClient
+      );
+      routes.setupRoutes();
+    } catch (error: any) {
+      this.logger.error(error); // TODO: log more info
+      throw new Error('Failed when trying to obtain the endpoints from your IdP');
+    }
+  }
+
+  requestIncludesAuthInfo(request: OpenSearchDashboardsRequest): boolean {
+    return request.headers.authorization ? true : false;
+  }
+
+  async getAdditionalAuthHeader(request: OpenSearchDashboardsRequest): Promise<any> {
+    return {};
+  }
+
+  getCookie(request: OpenSearchDashboardsRequest, authInfo: any): SecuritySessionCookie {
+    return {
+      username: authInfo.user_name,
+      credentials: {
+        authHeaderValue: request.headers.authorization,
+      },
+      authType: this.authType,
+      expiryTime: Date.now() + this.config.session.ttl,
+    };
+  }
+
+  // TODO: Add token expiration check here
+  async isValidCookie(cookie: SecuritySessionCookie): Promise<boolean> {
+    if (
+      cookie.authType !== this.authType ||
+      !cookie.username ||
+      !cookie.expiryTime ||
+      !cookie.credentials?.authHeaderValue ||
+      !cookie.credentials?.expires_at
+    ) {
+      return false;
+    }
+    if (cookie.credentials?.expires_at > Date.now()) {
+      return true;
+    }
+
+    // need to renew id token
+    if (cookie.credentials.refresh_token) {
+      try {
+        const query: any = {
+          grant_type: 'refresh_token',
+          client_id: this.idpConfig.client_id,
+          client_secret: this.idpConfig.client_secret,
+          refresh_token: cookie.credentials.refresh_token,
+        };
+        const refreshTokenResponse = await callTokenEndpoint(
+          this.openIdAuthConfig.tokenEndpoint!,
+          query,
+          this.wreckClient
+        );
+
+        // if no id_token from refresh token call, maybe the Idp doesn't allow refresh id_token
+        if (refreshTokenResponse.idToken) {
+          cookie.credentials = {
+            authHeaderValue: `Bearer ${refreshTokenResponse.idToken}`,
+            refresh_token: refreshTokenResponse.refreshToken,
+            expires_at: getExpirationDate(refreshTokenResponse), // expiresIn is in second
+          };
+          return true;
+        } else {
+          return false;
+        }
+      } catch (error: any) {
+        this.logger.error(error);
+        return false;
+      }
+    } else {
+      // no refresh token, and current token is expired
+      return false;
+    }
+  }
+
+  handleUnauthedRequest(
+    request: OpenSearchDashboardsRequest,
+    response: LifecycleResponseFactory,
+    toolkit: AuthToolkit
+  ): IOpenSearchDashboardsResponse {
+    if (this.isPageRequest(request)) {
+      // nextUrl is a key value pair
+      const nextUrl = composeNextUrlQueryParam(
+        request,
+        this.coreSetup.http.basePath.serverBasePath
+      );
+      return response.redirected({
+        headers: {
+          location: `${this.coreSetup.http.basePath.serverBasePath}${LOGIN_PAGE_URI}?${nextUrl}`,
+        },
+      });
+    } else {
+      return response.unauthorized();
+    }
+  }
+
+  buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
+    const header: any = {};
+    const authHeaderValue = cookie.credentials?.authHeaderValue;
+    if (authHeaderValue) {
+      header.authorization = authHeaderValue;
+    }
+    return header;
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/openid/routes.ts b/src/plugins/dashboards_security/server/auth/types/openid/routes.ts
new file mode 100644
index 000000000000..02c69e8a8891
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/openid/routes.ts
@@ -0,0 +1,240 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { schema } from '@osd/config-schema';
+import { randomString } from '@hapi/cryptiles';
+import { stringify } from 'querystring';
+import wreck from '@hapi/wreck';
+import {
+  IRouter,
+  SessionStorageFactory,
+  CoreSetup,
+  OpenSearchDashboardsResponseFactory,
+  OpenSearchDashboardsRequest,
+} from 'opensearch-dashboards/server';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { SecurityPluginConfigType } from '../../..';
+import { OpenIdAuthConfig } from './openid_auth';
+import { validateNextUrl } from '../../../utils/next_url';
+import { AUTH_GRANT_TYPE, AUTH_RESPONSE_TYPE } from '../../../../common';
+import { authenticateWithToken } from '../../../utils/auth_util';
+import {
+  callTokenEndpoint,
+  composeLogoutUrl,
+  getBaseRedirectUrl,
+  getExpirationDate,
+} from '../../../utils/common_util';
+
+export class OpenIdAuthRoutes {
+  private static readonly NONCE_LENGTH: number = 22;
+  private authProvider: string;
+  private idpConfig: any;
+
+  constructor(
+    private readonly authType: string,
+    private readonly router: IRouter,
+    private readonly config: SecurityPluginConfigType,
+    private readonly sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    private readonly openIdAuthConfig: OpenIdAuthConfig,
+    private readonly core: CoreSetup,
+    private readonly wreckClient: typeof wreck
+  ) {
+    this.authProvider = authType.split('_')[1];
+    this.idpConfig = this.config.idp.setting.get(this.authType);
+  }
+
+  private redirectToLogin(
+    request: OpenSearchDashboardsRequest,
+    response: OpenSearchDashboardsResponseFactory
+  ) {
+    this.sessionStorageFactory.asScoped(request).clear();
+    return response.redirected({
+      headers: {
+        location: `${this.core.http.basePath.serverBasePath}/auth/oidc/${this.authProvider}/login`,
+      },
+    });
+  }
+
+  public setupRoutes() {
+    this.router.get(
+      {
+        path: `/auth/oidc/${this.authProvider}/login`,
+        validate: {
+          query: schema.object(
+            {
+              code: schema.maybe(schema.string()),
+              nextUrl: schema.maybe(
+                schema.string({
+                  validate: validateNextUrl,
+                })
+              ),
+              state: schema.maybe(schema.string()),
+              refresh: schema.maybe(schema.string()),
+            },
+            {
+              unknowns: 'allow',
+            }
+          ),
+        },
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        if (!request.query.code) {
+          const nonce = randomString(OpenIdAuthRoutes.NONCE_LENGTH);
+          const query: any = {
+            client_id: this.idpConfig.client_id,
+            response_type: AUTH_RESPONSE_TYPE,
+            responseMode: 'query',
+            redirect_uri: `${getBaseRedirectUrl(this.config, this.core, request)}/auth/oidc/${
+              this.authProvider
+            }/login`,
+            state: nonce,
+            scope: this.openIdAuthConfig.scope,
+          };
+
+          const queryString = stringify(query);
+          const location = `${this.openIdAuthConfig.authorizationEndpoint}?${queryString}`;
+          const cookie: SecuritySessionCookie = {
+            oidc: {
+              state: nonce,
+              nextUrl: request.query.nextUrl || '/',
+            },
+            authType: this.authType,
+          };
+
+          this.sessionStorageFactory.asScoped(request).set(cookie);
+          return response.redirected({
+            headers: {
+              location,
+            },
+          });
+        }
+
+        // Authentication callback
+        // validate state first
+        let cookie;
+        try {
+          cookie = await this.sessionStorageFactory.asScoped(request).get();
+          if (
+            !cookie ||
+            !cookie.oidc?.state ||
+            cookie.oidc.state !== (request.query as any).state
+          ) {
+            // console.log('cookie got expired, need refresh');
+            return this.redirectToLogin(request, response);
+          }
+        } catch (error) {
+          return this.redirectToLogin(request, response);
+        }
+
+        try {
+          const nextUrl: string = cookie.oidc.nextUrl;
+          const clientId = this.idpConfig.client_id;
+          const clientSecret = this.idpConfig.client_secret;
+          const query: any = {
+            grant_type: AUTH_GRANT_TYPE,
+            code: request.query.code,
+            redirect_uri: `${getBaseRedirectUrl(this.config, this.core, request)}/auth/oidc/${
+              this.authProvider
+            }/login`,
+            client_id: clientId,
+            client_secret: clientSecret,
+          };
+          const tokenResponse = await callTokenEndpoint(
+            this.openIdAuthConfig.tokenEndpoint!,
+            query,
+            this.wreckClient
+          );
+          // console.log('tokenResponse:: ', tokenResponse);
+
+          const user = authenticateWithToken(
+            this.openIdAuthConfig.authHeaderName as string,
+            tokenResponse.idToken,
+            this.idpConfig,
+            this.openIdAuthConfig,
+            this.authType
+          );
+
+          // set to cookie
+          const sessionStorage: SecuritySessionCookie = {
+            username: user.username,
+            credentials: {
+              authHeaderValue: `Bearer ${tokenResponse.idToken}`,
+              expires_at: getExpirationDate(tokenResponse),
+            },
+            authType: this.authType,
+            expiryTime: Date.now() + this.config.session.ttl,
+          };
+
+          if (this.idpConfig?.refresh_tokens && tokenResponse.refreshToken) {
+            Object.assign(sessionStorage.credentials, {
+              refresh_token: tokenResponse.refreshToken,
+            });
+          }
+
+          this.sessionStorageFactory.asScoped(request).set(sessionStorage);
+          return response.redirected({
+            headers: {
+              location: nextUrl,
+            },
+          });
+        } catch (error: any) {
+          // console.log(`OpenId authentication failed: ${error}`);
+          if (error.toString().toLowerCase().includes('authentication exception')) {
+            return response.unauthorized();
+          } else {
+            return this.redirectToLogin(request, response);
+          }
+        }
+      }
+    );
+
+    this.router.get(
+      {
+        path: `/auth/oidc/${this.authProvider}/logout`,
+        validate: false,
+      },
+      async (context, request, response) => {
+        const cookie = await this.sessionStorageFactory.asScoped(request).get();
+        this.sessionStorageFactory.asScoped(request).clear();
+
+        // authHeaderValue is the bearer header, e.g. "Bearer <auth_token>"
+        const token = cookie?.credentials.authHeaderValue.split(' ')[1]; // get auth token
+        const nextUrl = getBaseRedirectUrl(this.config, this.core, request);
+        const logoutQueryParams = {
+          post_logout_redirect_uri: `${nextUrl}`,
+          id_token_hint: token,
+        };
+        const endSessionUrl = composeLogoutUrl(
+          this.idpConfig?.logout_url,
+          this.openIdAuthConfig.endSessionEndpoint,
+          logoutQueryParams
+        );
+        return response.redirected({
+          headers: {
+            location: endSessionUrl,
+          },
+        });
+      }
+    );
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/user.ts b/src/plugins/dashboards_security/server/auth/user.ts
new file mode 100644
index 000000000000..b3f496105d05
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/user.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export interface User {
+  username: string;
+  credentials?: string;
+}
diff --git a/src/plugins/dashboards_security/server/configuration/auth_config.ts b/src/plugins/dashboards_security/server/configuration/auth_config.ts
new file mode 100644
index 000000000000..d26ef6ed8cb0
--- /dev/null
+++ b/src/plugins/dashboards_security/server/configuration/auth_config.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+export const identityProviders = new Map([
+  [
+    'basicauth.internal',
+    {
+      authOption: 'basic.internal',
+    },
+  ],
+  [
+    'oidc.okta',
+    {
+      authOption: 'oidc.okta',
+    },
+  ],
+]);
diff --git a/src/plugins/dashboards_security/server/index.ts b/src/plugins/dashboards_security/server/index.ts
new file mode 100644
index 000000000000..9bc10ab32423
--- /dev/null
+++ b/src/plugins/dashboards_security/server/index.ts
@@ -0,0 +1,236 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { schema, TypeOf } from '@osd/config-schema';
+import { PluginInitializerContext, PluginConfigDescriptor } from '../../../../src/core/server';
+import { SecurityPlugin } from './plugin';
+
+const validateAuthType = (value: string[]) => {
+  const supportedAuthTypes = [
+    '',
+    'basic',
+    'jwt',
+    'openid',
+    'saml',
+    'proxy',
+    'kerberos',
+    'proxycache',
+  ];
+
+  value.forEach((authVal) => {
+    if (!supportedAuthTypes.includes(authVal.toLowerCase())) {
+      throw new Error(
+        `Unsupported authentication type: ${authVal}. Allowed auth.type are ${supportedAuthTypes}.`
+      );
+    }
+  });
+};
+
+export const configSchema = schema.object({
+  enabled: schema.boolean({ defaultValue: true }),
+  allow_client_certificates: schema.boolean({ defaultValue: false }),
+  readonly_mode: schema.object({
+    roles: schema.arrayOf(schema.string(), { defaultValue: [] }),
+  }),
+  clusterPermissions: schema.object({
+    include: schema.arrayOf(schema.string(), { defaultValue: [] }),
+  }),
+  indexPermissions: schema.object({
+    include: schema.arrayOf(schema.string(), { defaultValue: [] }),
+  }),
+  disabledTransportCategories: schema.object({
+    exclude: schema.arrayOf(schema.string(), { defaultValue: [] }),
+  }),
+  disabledRestCategories: schema.object({
+    exclude: schema.arrayOf(schema.string(), { defaultValue: [] }),
+  }),
+  cookie: schema.object({
+    secure: schema.boolean({ defaultValue: false }),
+    name: schema.string({ defaultValue: 'security_authentication' }),
+    password: schema.string({ defaultValue: 'security_cookie_default_password', minLength: 32 }),
+    ttl: schema.number({ defaultValue: 60 * 60 * 1000 }),
+    domain: schema.nullable(schema.string()),
+    isSameSite: schema.oneOf(
+      [
+        schema.literal('Strict'),
+        schema.literal('Lax'),
+        schema.literal('None'),
+        schema.literal(false),
+      ],
+      { defaultValue: false }
+    ),
+  }),
+  session: schema.object({
+    ttl: schema.number({ defaultValue: 60 * 60 * 1000 }),
+    keepalive: schema.boolean({ defaultValue: true }),
+  }),
+  auth: schema.object({
+    type: schema.oneOf(
+      [
+        schema.arrayOf(schema.string(), {
+          defaultValue: [''],
+          validate(value: string[]) {
+            if (!value || value.length === 0) {
+              return `Authentication type is not configured properly. At least one authentication type must be selected.`;
+            }
+
+            if (value.length > 1) {
+              const includeBasicAuth = value.find((element) => {
+                return element.toLowerCase() === 'basicauth';
+              });
+
+              if (!includeBasicAuth) {
+                return `Authentication type is not configured properly. basicauth is mandatory.`;
+              }
+            }
+
+            validateAuthType(value);
+          },
+        }),
+        schema.string({
+          defaultValue: '',
+          validate(value: any) {
+            const valArray: string[] = [];
+            valArray.push(value);
+            validateAuthType(valArray);
+          },
+        }),
+      ],
+      { defaultValue: '' }
+    ),
+    anonymous_auth_enabled: schema.boolean({ defaultValue: false }),
+    unauthenticated_routes: schema.arrayOf(schema.string(), {
+      defaultValue: ['/api/reporting/stats'],
+    }),
+    forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }),
+    logout_url: schema.string({ defaultValue: '' }),
+    multiple_auth_enabled: schema.boolean({ defaultValue: false }),
+  }),
+  basicauth: schema.object({
+    enabled: schema.boolean({ defaultValue: true }),
+    unauthenticated_routes: schema.arrayOf(schema.string(), { defaultValue: [] }),
+    forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }),
+    header_trumps_session: schema.boolean({ defaultValue: false }),
+    alternative_login: schema.object({
+      headers: schema.arrayOf(schema.string(), { defaultValue: [] }),
+      show_for_parameter: schema.string({ defaultValue: '' }),
+      valid_redirects: schema.arrayOf(schema.string(), { defaultValue: [] }),
+      button_text: schema.string({ defaultValue: 'Log in with provider' }),
+      buttonstyle: schema.string({ defaultValue: '' }),
+    }),
+    loadbalancer_url: schema.maybe(schema.string()),
+    login: schema.object({
+      title: schema.string({ defaultValue: 'Log in to OpenSearch Dashboards' }),
+      subtitle: schema.string({
+        defaultValue:
+          'If you have forgotten your username or password, contact your system administrator.',
+      }),
+      showbrandimage: schema.boolean({ defaultValue: true }),
+      brandimage: schema.string({ defaultValue: '' }), // TODO: update brand image
+      buttonstyle: schema.string({ defaultValue: '' }),
+    }),
+  }),
+  configuration: schema.object({
+    enabled: schema.boolean({ defaultValue: true }),
+  }),
+  idp: schema.object({
+    setting: schema.mapOf(schema.string(), schema.any(), {
+      defaultValue: { basicauth_opensearch: { base_redirect_url: 'http://localhost:5601' } },
+    }),
+  }),
+  accountinfo: schema.object({
+    enabled: schema.boolean({ defaultValue: false }),
+  }),
+  openid: schema.maybe(
+    schema.object({
+      connect_url: schema.maybe(schema.string()),
+      header: schema.string({ defaultValue: 'Authorization' }),
+      // TODO: test if siblingRef() works here
+      // client_id is required when auth.type is openid
+      client_id: schema.conditional(
+        schema.siblingRef('auth.type'),
+        'openid',
+        schema.string(),
+        schema.maybe(schema.string())
+      ),
+      client_secret: schema.string({ defaultValue: '' }),
+      scope: schema.string({ defaultValue: 'openid profile email address phone' }),
+      base_redirect_url: schema.string({ defaultValue: '' }),
+      logout_url: schema.string({ defaultValue: '' }),
+      root_ca: schema.string({ defaultValue: '' }),
+      verify_hostnames: schema.boolean({ defaultValue: true }),
+      refresh_tokens: schema.boolean({ defaultValue: true }),
+      trust_dynamic_headers: schema.boolean({ defaultValue: false }),
+    })
+  ),
+  ui: schema.object({
+    basicauth: schema.object({
+      // the login config here is the same as old config `_security.basicauth.login`
+      // Since we are now rendering login page to browser app, so move these config to browser side.
+      login: schema.object({
+        title: schema.string({ defaultValue: 'Log in to OpenSearch Dashboards' }),
+        subtitle: schema.string({
+          defaultValue:
+            'If you have forgotten your username or password, contact your system administrator.',
+        }),
+        showbrandimage: schema.boolean({ defaultValue: true }),
+        brandimage: schema.string({ defaultValue: '' }),
+        buttonstyle: schema.string({ defaultValue: '' }),
+      }),
+    }),
+    openid: schema.object({
+      login: schema.object({
+        buttonname: schema.string({ defaultValue: 'Log in with single sign-on' }),
+        showbrandimage: schema.boolean({ defaultValue: false }),
+        brandimage: schema.string({ defaultValue: '' }),
+        buttonstyle: schema.string({ defaultValue: '' }),
+      }),
+    }),
+    saml: schema.object({
+      login: schema.object({
+        buttonname: schema.string({ defaultValue: 'Log in with single sign-on' }),
+        showbrandimage: schema.boolean({ defaultValue: false }),
+        brandimage: schema.string({ defaultValue: '' }),
+        buttonstyle: schema.string({ defaultValue: '' }),
+      }),
+    }),
+    autologout: schema.boolean({ defaultValue: true }),
+    backend_configurable: schema.boolean({ defaultValue: true }),
+  }),
+});
+
+export type SecurityPluginConfigType = TypeOf<typeof configSchema>;
+
+export const config: PluginConfigDescriptor<SecurityPluginConfigType> = {
+  exposeToBrowser: {
+    enabled: true,
+    auth: true,
+    ui: true,
+    readonly_mode: true,
+    idp: true,
+  },
+  schema: configSchema,
+};
+
+export function plugin(initializerContext: PluginInitializerContext) {
+  return new SecurityPlugin(initializerContext);
+}
+
+export { SecurityPluginSetup, SecurityPluginStart } from './types';
diff --git a/src/plugins/dashboards_security/server/plugin.ts b/src/plugins/dashboards_security/server/plugin.ts
new file mode 100644
index 000000000000..70fed2b3d68f
--- /dev/null
+++ b/src/plugins/dashboards_security/server/plugin.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import {
+  PluginInitializerContext,
+  CoreSetup,
+  CoreStart,
+  Plugin,
+  Logger,
+  SessionStorageFactory,
+} from 'opensearch-dashboards/server';
+import { first } from 'rxjs/operators';
+import { SecurityPluginSetup, SecurityPluginStart } from './types';
+import { SecurityPluginConfigType } from '.';
+import { SecuritySessionCookie, getSecurityCookieOptions } from './session/security_cookie';
+import { getAuthenticationHandler } from './auth/auth_handler_factory';
+import { IAuthenticationType } from './auth/types/authentication_type';
+
+
+export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPluginStart> {
+  private readonly logger: Logger;
+
+  constructor(private readonly initializerContext: PluginInitializerContext) {
+    this.logger = initializerContext.logger.get();
+  }
+
+  public async setup(core: CoreSetup) {
+    const config$ = this.initializerContext.config.create<SecurityPluginConfigType>();
+    const config: SecurityPluginConfigType = await config$.pipe(first()).toPromise();
+
+    const router = core.http.createRouter();
+
+    const securitySessionStorageFactory: SessionStorageFactory<SecuritySessionCookie> = await core.http.createCookieSessionStorageFactory<
+      SecuritySessionCookie
+    >(getSecurityCookieOptions(config));
+
+    // setup auth
+    const auth: IAuthenticationType = await getAuthenticationHandler(
+      router,
+      config,
+      core,
+      securitySessionStorageFactory,
+      this.logger
+    );
+    core.http.registerAuth(auth.authHandler);
+
+    return {
+      config$,
+    };
+  }
+
+  // TODO: add more logs
+  public async start(core: CoreStart) {
+    return {};
+  }
+
+  public stop() {}
+}
diff --git a/src/plugins/dashboards_security/server/session/security_cookie.ts b/src/plugins/dashboards_security/server/session/security_cookie.ts
new file mode 100644
index 000000000000..63bca5e6d83e
--- /dev/null
+++ b/src/plugins/dashboards_security/server/session/security_cookie.ts
@@ -0,0 +1,70 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { SessionStorageCookieOptions } from 'opensearch-dashboards/server';
+import { SecurityPluginConfigType } from '..';
+
+export interface SecuritySessionCookie {
+  // security_authentication
+  username?: string;
+  credentials?: any;
+  authType?: string;
+  assignAuthHeader?: boolean;
+  isAnonymousAuth?: boolean;
+  expiryTime?: number;
+  additionalAuthHeaders?: any;
+
+  // for oidc auth workflow
+  oidc?: any;
+
+  // for Saml auth workflow
+  saml?: {
+    requestId?: string;
+    nextUrl?: string;
+    redirectHash?: boolean;
+  };
+}
+
+export function getSecurityCookieOptions(
+  config: SecurityPluginConfigType
+): SessionStorageCookieOptions<SecuritySessionCookie> {
+  return {
+    name: config.cookie.name,
+    encryptionKey: config.cookie.password,
+    validate: (sessionStorage: SecuritySessionCookie | SecuritySessionCookie[]) => {
+      sessionStorage = sessionStorage as SecuritySessionCookie;
+      if (sessionStorage === undefined) {
+        return { isValid: false, path: '/' };
+      }
+
+      // TODO: with setting redirect attributes to support OIDC and SAML,
+      //       we need to do additonal cookie validatin in AuthenticationHandlers.
+      // if SAML fields present
+      if (sessionStorage.saml && sessionStorage.saml.requestId && sessionStorage.saml.nextUrl) {
+        return { isValid: true, path: '/' };
+      }
+
+      // if OIDC fields present
+      if (sessionStorage.oidc) {
+        return { isValid: true, path: '/' };
+      }
+
+      if (sessionStorage.expiryTime === undefined || sessionStorage.expiryTime < Date.now()) {
+        return { isValid: false, path: '/' };
+      }
+      return { isValid: true, path: '/' };
+    },
+    isSecure: config.cookie.secure,
+    sameSite: config.cookie.isSameSite || undefined,
+  };
+}
+
+export function clearOldVersionCookieValue(config: SecurityPluginConfigType): string {
+  if (config.cookie.secure) {
+    return 'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/';
+  } else {
+    return 'security_authentication=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/';
+  }
+}
diff --git a/src/plugins/dashboards_security/server/types.ts b/src/plugins/dashboards_security/server/types.ts
new file mode 100644
index 000000000000..09f521219923
--- /dev/null
+++ b/src/plugins/dashboards_security/server/types.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginSetup {}
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface SecurityPluginStart {}
diff --git a/src/plugins/dashboards_security/server/utils/auth_util.ts b/src/plugins/dashboards_security/server/utils/auth_util.ts
new file mode 100644
index 000000000000..3504ea8c5281
--- /dev/null
+++ b/src/plugins/dashboards_security/server/utils/auth_util.ts
@@ -0,0 +1,97 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { User } from '../auth/user';
+import { userProfiles } from '../auth/types/basic/user_bank';
+import { OpenIdAuthConfig } from '../auth/types/openid/openid_auth';
+
+export const authenticate = (authBody: any): User | null => {
+  const user = userProfiles.get(authBody.username);
+  try {
+    if (user !== undefined && user.password === authBody.password) {
+      return {
+        username: authBody.username,
+        credentials: authBody.password,
+      };
+    } else {
+      throw new Error('authentication exception:: User not found');
+    }
+  } catch (error: any) {
+    throw new Error(error.message);
+  }
+};
+
+export const authenticateWithToken = (
+  authzHeader: string,
+  idToken: string | undefined,
+  idpConfig: any,
+  openIdAuthConfig: OpenIdAuthConfig,
+  authType: string
+): User => {
+  try {
+    // If IdToke = null => not authenticated
+    // Else: if token payload.email does not exist => insert entry
+    //      else: get the user info from identity storage
+
+    const credentials: any = {
+      authzHeader,
+      idToken,
+    };
+
+    if (!idToken) {
+      throw new Error('authentication exception');
+    } else {
+      const decodedIdToken = decodeIdToken(idToken);
+      if (!validateIdToken(decodedIdToken, idpConfig, openIdAuthConfig)) {
+        throw new Error('authentication exception:: Invalid ID Token');
+      }
+
+      const username = decodedIdToken.email;
+      const user = userProfiles.get(username);
+
+      if (user) {
+        return {
+          username: user.username,
+          credentials,
+        };
+      } else {
+        // insert into user_bank, need implementation
+        userProfiles.set(username, { username, password: '', authOption: authType });
+        // console.log("userProfile:: ", userProfiles);
+        return {
+          username,
+          credentials,
+        };
+      }
+    }
+  } catch (error: any) {
+    throw new Error(error.message);
+  }
+};
+
+const decodeIdToken = (token: string): any => {
+  const parts = token.toString().split('.');
+  if (parts.length !== 3) {
+    throw new Error('authentication exception:: Invalid token');
+  }
+  const claim = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+
+  return claim;
+};
+
+const validateIdToken = (
+  idToken: any,
+  idpConfig: any,
+  openIdAuthConfig: OpenIdAuthConfig
+): boolean => {
+  if (
+    idToken.aud !== idpConfig.client_id ||
+    idToken.iss !== openIdAuthConfig.issuer ||
+    idToken.exp > Date.now()
+  ) {
+    return false;
+  }
+  return true;
+};
diff --git a/src/plugins/dashboards_security/server/utils/common_util.ts b/src/plugins/dashboards_security/server/utils/common_util.ts
new file mode 100644
index 000000000000..e0ff18b591a0
--- /dev/null
+++ b/src/plugins/dashboards_security/server/utils/common_util.ts
@@ -0,0 +1,255 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import wreck from '@hapi/wreck';
+import { PeerCertificate } from 'tls';
+import * as fs from 'fs';
+import HTTP from 'http';
+import HTTPS from 'https';
+import { parse, stringify } from 'querystring';
+import { CoreSetup } from 'opensearch-dashboards/server';
+import { OpenSearchDashboardsRequest } from 'opensearch-dashboards/server';
+import { SecurityPluginConfigType } from '..';
+import { OpenIdAuthConfig, WreckHttpsOptions } from '../auth/types/openid/openid_auth';
+
+export const getAuthTypes = (config: SecurityPluginConfigType): string[] => {
+  const authTypes: string[] = [];
+  const identityProviders = config.idp.setting;
+
+  for (const authType of identityProviders.keys()) {
+    if (authType) {
+      authTypes.push(authType);
+    } else {
+      // Error handling for auth-type not properly defined.
+    }
+  }
+  // console.log("authTypes:: ", authTypes);
+  return authTypes;
+};
+
+export const createWreckClient = (config: SecurityPluginConfigType): typeof wreck => {
+  const wreckHttpsOption: WreckHttpsOptions = {};
+
+  if (config.openid?.root_ca) {
+    wreckHttpsOption.ca = [fs.readFileSync(config.openid.root_ca)];
+  }
+  if (config.openid?.verify_hostnames === false) {
+    // this.logger.debug(`openId auth 'verify_hostnames' option is off.`);
+    wreckHttpsOption.checkServerIdentity = (host: string, cert: PeerCertificate) => {
+      return undefined;
+    };
+  }
+  if (Object.keys(wreckHttpsOption).length > 0) {
+    return wreck.defaults({
+      agents: {
+        http: new HTTP.Agent(),
+        https: new HTTPS.Agent(wreckHttpsOption),
+        httpsAllowUnauthorized: new HTTPS.Agent({
+          rejectUnauthorized: false,
+        }),
+      },
+    });
+  } else {
+    return wreck;
+  }
+};
+
+// OIDC Authentication Helper Methods
+export const getOIDCConfiguration = async (
+  authType: string,
+  config: SecurityPluginConfigType,
+  wreckClient: typeof wreck,
+  openIdAuthConfig: OpenIdAuthConfig
+) => {
+  const idpSetting = config.idp.setting.get(authType);
+  const authHeaderName = config.openid?.header || '';
+  openIdAuthConfig.authHeaderName = authHeaderName;
+
+  let scope = idpSetting.scope;
+  if (scope.indexOf('openid') < 0) {
+    scope = `openid ${scope}`;
+  }
+  openIdAuthConfig.scope = scope;
+  const openIdConnectUrl = idpSetting.connect_url;
+  const response = await wreckClient.get(openIdConnectUrl);
+  const payload = JSON.parse(response.payload as string);
+
+  openIdAuthConfig.authorizationEndpoint = payload.authorization_endpoint;
+  openIdAuthConfig.tokenEndpoint = payload.token_endpoint;
+  openIdAuthConfig.endSessionEndpoint = payload.end_session_endpoint || undefined;
+  openIdAuthConfig.issuer = payload.issuer;
+};
+
+export function parseTokenResponse(payload: Buffer) {
+  const payloadString = payload.toString();
+  if (payloadString.trim()[0] === '{') {
+    try {
+      return JSON.parse(payloadString);
+    } catch (error) {
+      throw Error(`Invalid JSON payload: ${error}`);
+    }
+  }
+  return parse(payloadString);
+}
+
+export function getRootUrl(
+  config: SecurityPluginConfigType,
+  core: CoreSetup,
+  request: OpenSearchDashboardsRequest
+): string {
+  const host = core.http.getServerInfo().hostname;
+  const port = core.http.getServerInfo().port;
+  let protocol = core.http.getServerInfo().protocol;
+  let httpHost = `${host}:${port}`;
+
+  if (config.openid?.trust_dynamic_headers) {
+    const xForwardedHost = (request.headers['x-forwarded-host'] as string) || undefined;
+    const xForwardedProto = (request.headers['x-forwarded-proto'] as string) || undefined;
+    if (xForwardedHost) {
+      httpHost = xForwardedHost;
+    }
+    if (xForwardedProto) {
+      protocol = xForwardedProto;
+    }
+  }
+
+  return `${protocol}://${httpHost}`;
+}
+
+export function getBaseRedirectUrl(
+  config: SecurityPluginConfigType,
+  core: CoreSetup,
+  request: OpenSearchDashboardsRequest
+): string {
+  if (config.openid?.base_redirect_url) {
+    const baseRedirectUrl = config.openid.base_redirect_url;
+    return baseRedirectUrl.endsWith('/') ? baseRedirectUrl.slice(0, -1) : baseRedirectUrl;
+  }
+
+  const rootUrl = getRootUrl(config, core, request);
+  if (core.http.basePath.serverBasePath) {
+    return `${rootUrl}${core.http.basePath.serverBasePath}`;
+  }
+  return rootUrl;
+}
+
+export async function callTokenEndpoint(
+  tokenEndpoint: string,
+  query: any,
+  wreckClient: typeof wreck
+): Promise<TokenResponse> {
+  const tokenResponse = await wreckClient.post(tokenEndpoint, {
+    payload: stringify(query),
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+  });
+
+  if (
+    !tokenResponse.res?.statusCode ||
+    tokenResponse.res.statusCode < 200 ||
+    tokenResponse.res.statusCode > 299
+  ) {
+    throw new Error(
+      `Failed calling token endpoint: ${tokenResponse.res.statusCode} ${tokenResponse.res.statusMessage}`
+    );
+  }
+  const tokenPayload: any = parseTokenResponse(tokenResponse.payload as Buffer);
+
+  return {
+    idToken: tokenPayload.id_token,
+    accessToken: tokenPayload.access_token,
+    refreshToken: tokenPayload.refresh_token,
+    expiresIn: tokenPayload.expires_in,
+  };
+}
+
+export function composeLogoutUrl(
+  customLogoutUrl: string | undefined,
+  idpEndsessionEndpoint: string | undefined,
+  additionalQueryParams: any
+) {
+  const logoutEndpont = customLogoutUrl || idpEndsessionEndpoint;
+  const logoutUrl = new URL(logoutEndpont!);
+  Object.keys(additionalQueryParams).forEach((key) => {
+    logoutUrl.searchParams.append(key, additionalQueryParams[key] as string);
+  });
+  return logoutUrl.toString();
+}
+
+export interface TokenResponse {
+  idToken?: string;
+  accessToken?: string;
+  refreshToken?: string;
+  expiresIn?: number;
+}
+
+export function getExpirationDate(tokenResponse: TokenResponse | undefined) {
+  if (!tokenResponse) {
+    throw new Error('Invalid token');
+  } else if (tokenResponse.idToken) {
+    const idToken = tokenResponse.idToken;
+    const parts = idToken.split('.');
+    if (parts.length !== 3) {
+      throw new Error('Invalid token');
+    }
+    const claim = JSON.parse(Buffer.from(parts[1], 'base64').toString());
+    return claim.exp * 1000;
+  } else {
+    return Date.now() + tokenResponse.expiresIn! * 1000;
+  }
+}
+
+/*
+export async function callTokenEndpoint(
+  request: OpenSearchDashboardsRequest,
+  core: CoreSetup,
+  cookie: SecuritySessionCookie,
+  config: SecurityPluginConfigType,
+  openIdAuthConfig: OpenIdAuthConfig,
+  wreckClient: typeof wreck
+): Promise<TokenResponse> {
+  const nextUrl: string = cookie.oidc.nextUrl;
+  const clientId = config.openid?.client_id;
+  const clientSecret = config.openid?.client_secret;
+  const query: any = {
+    grant_type: AUTH_GRANT_TYPE,
+    code: request.query.code,
+    redirect_uri: `${getBaseRedirectUrl(
+      config,
+      core,
+      request
+    )}${OPENID_AUTH_LOGIN}`,
+    client_id: clientId,
+    client_secret: clientSecret,
+  };
+  console.log("callTokenEndpoint::nextUrl:: ", nextUrl);
+  const tokenEndpoint = openIdAuthConfig.tokenEndpoint!;
+  const tokenResponse = await wreckClient.post(tokenEndpoint, {
+    payload: stringify(query),
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+  });
+  
+  if (
+    !tokenResponse.res?.statusCode ||
+    tokenResponse.res.statusCode < 200 ||
+    tokenResponse.res.statusCode > 299
+  ) {
+    throw new Error(
+      `Failed calling token endpoint: ${tokenResponse.res.statusCode} ${tokenResponse.res.statusMessage}`
+    );
+  }
+  const tokenPayload: any = parseTokenResponse(tokenResponse.payload as Buffer);
+  console.log("tokenPayload:: ", tokenPayload);
+  return {
+    idToken: tokenPayload.id_token,
+    accessToken: tokenPayload.access_token,
+    refreshToken: tokenPayload.refresh_token,
+    expiresIn: tokenPayload.expires_in,
+  };
+}
+*/
diff --git a/src/plugins/dashboards_security/server/utils/next_url.ts b/src/plugins/dashboards_security/server/utils/next_url.ts
new file mode 100644
index 000000000000..05e7b45a8d5c
--- /dev/null
+++ b/src/plugins/dashboards_security/server/utils/next_url.ts
@@ -0,0 +1,59 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { parse } from 'url';
+import { ParsedUrlQuery } from 'querystring';
+import { OpenSearchDashboardsRequest } from 'opensearch-dashboards/server';
+import { encodeUriQuery } from '../../../opensearch_dashboards_utils/common/url/encode_uri_query';
+
+export function composeNextUrlQueryParam(
+  request: OpenSearchDashboardsRequest,
+  basePath: string
+): string {
+  try {
+    const currentUrl = request.url.toString();
+    const parsedUrl = parse(currentUrl, true);
+    const nextUrl = parsedUrl?.path;
+
+    if (!!nextUrl && nextUrl !== '/') {
+      return `nextUrl=${encodeUriQuery(basePath + nextUrl)}`;
+    }
+  } catch (error) {
+    /* Ignore errors from parsing */
+  }
+  return '';
+}
+
+export interface ParsedUrlQueryParams extends ParsedUrlQuery {
+  nextUrl: string;
+}
+
+export const INVALID_NEXT_URL_PARAMETER_MESSAGE = 'Invalid nextUrl parameter.';
+
+/**
+ * We require the nextUrl parameter to be an relative url.
+ *
+ * Here we leverage the normalizeUrl function. If the library can parse the url
+ * parameter, which means it is an absolute url, then we reject it. Otherwise, the
+ * library cannot parse the url, which means it is not an absolute url, we let to
+ * go through.
+ * Note: url has been decoded by OpenSearchDashboards.
+ *
+ * @param url url string.
+ * @returns error message if nextUrl is invalid, otherwise void.
+ */
+export const validateNextUrl = (url: string | undefined): string | void => {
+  if (url) {
+    const path = url.split('?')[0];
+    if (
+      !path.startsWith('/') ||
+      path.startsWith('//') ||
+      path.includes('\\') ||
+      path.includes('@')
+    ) {
+      return INVALID_NEXT_URL_PARAMETER_MESSAGE;
+    }
+  }
+};

From 0a9b37ef7baf74e0a88a608f3756412e70cbc2a1 Mon Sep 17 00:00:00 2001
From: Aozixuan Priscilla Guan <aoguan@amazon.com>
Date: Mon, 6 Feb 2023 16:22:48 -0600
Subject: [PATCH 4/6] Fix style

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>
---
 src/plugins/dashboards_security/server/plugin.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/plugins/dashboards_security/server/plugin.ts b/src/plugins/dashboards_security/server/plugin.ts
index 70fed2b3d68f..fdec8438097d 100644
--- a/src/plugins/dashboards_security/server/plugin.ts
+++ b/src/plugins/dashboards_security/server/plugin.ts
@@ -18,7 +18,6 @@ import { SecuritySessionCookie, getSecurityCookieOptions } from './session/secur
 import { getAuthenticationHandler } from './auth/auth_handler_factory';
 import { IAuthenticationType } from './auth/types/authentication_type';
 
-
 export class SecurityPlugin implements Plugin<SecurityPluginSetup, SecurityPluginStart> {
   private readonly logger: Logger;
 

From 92800357e8f4f358a3171820be7b27d272a87e94 Mon Sep 17 00:00:00 2001
From: Chang Liu <lc12251109@gmail.com>
Date: Mon, 6 Feb 2023 15:48:51 -0800
Subject: [PATCH 5/6] SAML PoC

---
 config/opensearch_dashboards.yml              |  52 ++++
 .../dashboards_security/common/index.ts       |   4 +
 src/plugins/dashboards_security/package.json  |  41 +++
 .../server/auth/types/saml/routes.ts          | 290 ++++++++++++++++++
 .../server/auth/types/saml/saml_auth.ts       | 136 ++++++++
 .../server/auth/types/saml/utils/AuthToken.ts |  25 ++
 .../auth/types/saml/utils/SAMLResponse.ts     |  45 +++
 .../backend/opensearch_security_client.ts     | 235 ++++++++++++++
 8 files changed, 828 insertions(+)
 create mode 100644 src/plugins/dashboards_security/package.json
 create mode 100644 src/plugins/dashboards_security/server/auth/types/saml/routes.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/saml/saml_auth.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/saml/utils/AuthToken.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts
 create mode 100755 src/plugins/dashboards_security/server/backend/opensearch_security_client.ts

diff --git a/config/opensearch_dashboards.yml b/config/opensearch_dashboards.yml
index 4d81b0b3be69..0099d86d84f2 100644
--- a/config/opensearch_dashboards.yml
+++ b/config/opensearch_dashboards.yml
@@ -232,3 +232,55 @@
 #data_source.encryption.wrappingKeyName: 'changeme'
 #data_source.encryption.wrappingKeyNamespace: 'changeme'
 #data_source.encryption.wrappingKey: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+
+
+# timelion.ui.enabled: true
+# server.name: opensearch-dashboards
+# server.host: "0.0.0.0"
+# opensearch.hosts: http://localhost:9200
+# opensearch.ssl.verificationMode: none
+# opensearch.username: kibanaserver
+# opensearch.password: kibanaserver
+# opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+# # dashboards_security.multitenancy.enabled: true
+# # dashboards_security.multitenancy.tenants.preferred: ["Private", "Global"]
+# dashboards_security.readonly_mode.roles: ["kibana_read_only"]
+# # dashboards_security.auth.type: "saml"
+# server.xsrf.whitelist:  [/_plugins/_security/saml/acs,/_opendistro/_security/saml/acs,/_plugins/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/acs/idpinitiated,/_plugins/_security/saml/logout,/_opendistro/_security/saml/logout]
+
+
+
+
+server.host: 0.0.0.0
+server.port: 5601
+opensearch.hosts: ["http://localhost:9200"]
+opensearch.ssl.verificationMode: none
+opensearch.username: "kibanaserver"
+opensearch.password: "kibanaserver"
+opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
+
+dashboards_security.idp.setting: {
+    "basicauth_opensearch": 
+                {
+                 "base_redirect_url": "http://localhost:5601"},
+    "oidc_okta": 
+                {
+                "base_redirect_url": "http://localhost:5601",
+                "logout_url": "http://localhost:5601/app/login",
+                "connect_url": "https://dev-16628832.okta.com/.well-known/openid-configuration", 
+                "client_id": "0oa566po99gotj46m5d7", 
+                "client_secret": "4Gy9_NxFS2Xf97t4GRzkoRlyRAsApRwFcM6Zx9WB",
+                "scope": "openid profile email",
+                "verify_hostnames": "false",
+                "refresh_tokens": "false"},
+     "oidc_google":   
+                { 
+                "base_redirect_url": "http://localhost:5601", 
+                "logout_url": "http://localhost:5601/app/login",  
+                "connect_url": "https://accounts.google.com/.well-known/openid-configuration",  
+                "client_id": "177403260062-qsvknolof1u4qfmv3qtjti45eps7k3qs.apps.googleusercontent.com",  
+                "client_secret": "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", 
+                "scope": "openid profile email",  
+                "verify_hostnames": "false",  
+                "refresh_tokens": "false"},
+}
\ No newline at end of file
diff --git a/src/plugins/dashboards_security/common/index.ts b/src/plugins/dashboards_security/common/index.ts
index c544cb202650..37cedca9cbb1 100644
--- a/src/plugins/dashboards_security/common/index.ts
+++ b/src/plugins/dashboards_security/common/index.ts
@@ -15,6 +15,8 @@ export const API_ENDPOINT_AUTHTYPE = API_PREFIX + '/auth/type';
 export const LOGIN_PAGE_URI = '/app/' + APP_ID_LOGIN;
 export const API_AUTH_LOGIN = '/auth/login';
 export const API_AUTH_LOGOUT = '/auth/logout';
+export const OPENID_AUTH_LOGIN = '/auth/openid/login';
+export const SAML_AUTH_LOGIN = '/auth/saml/login';
 export const ANONYMOUS_AUTH_LOGIN = '/auth/anonymous';
 export const SAML_AUTH_LOGIN_WITH_FRAGMENT = '/auth/saml/captureUrlFragment?nextUrl=%2F';
 
@@ -26,6 +28,8 @@ export const AUTH_HEADER_NAME = 'authorization';
 export const AUTH_GRANT_TYPE = 'authorization_code';
 export const AUTH_RESPONSE_TYPE = 'code';
 
+export const jwtKey = "6aff3042-1327-4f3d-82f0-40a157ac4464"
+
 export enum AuthType {
   BASIC = 'basicauth',
   OIDC = 'oidc',
diff --git a/src/plugins/dashboards_security/package.json b/src/plugins/dashboards_security/package.json
new file mode 100644
index 000000000000..d5ebb1f8c625
--- /dev/null
+++ b/src/plugins/dashboards_security/package.json
@@ -0,0 +1,41 @@
+{
+  "name": "dashboards-security",
+  "version": "3.0.0.0",
+  "main": "target/plugins/dashboards-security",
+  "opensearchDashboards": {
+    "version": "3.0.0",
+    "templateVersion": "3.0.0"
+  },
+  "license": "Apache-2.0",
+  "homepage": "https://github.com/opensearch-project/security-dashboards-plugin",
+  "scripts": {
+    "plugin-helpers": "node ../../scripts/plugin_helpers",
+    "osd": "node ../../scripts/osd",
+    "opensearch": "node ../../scripts/opensearch",
+    "build": "yarn plugin-helpers build && node build_tools/rename_zip.js",
+    "start": "node ../../scripts/opensearch-dashboards --dev",
+    "lint:es": "node ../../scripts/eslint",
+    "lint:style": "node ../../scripts/stylelint",
+    "lint": "yarn run lint:es && yarn run lint:style",
+    "pretest:jest_server": "node ./test/jest_integration/runIdpServer.js &",
+    "test:jest_server": "node ./test/run_jest_tests.js --config ./test/jest.config.server.js",
+    "test:jest_ui": "node ./test/run_jest_tests.js --config ./test/jest.config.ui.js"
+  },
+  "devDependencies": {
+    "@elastic/eslint-import-resolver-kibana": "link:../../packages/osd-eslint-import-resolver-opensearch-dashboards",
+    "@testing-library/react-hooks": "^7.0.2",
+    "@types/hapi__wreck": "^15.0.1",
+    "gulp-rename": "2.0.0",
+    "saml-idp": "^1.2.1",
+    "selenium-webdriver": "^4.0.0-alpha.7",
+    "selfsigned": "^2.0.1",
+    "typescript": "4.0.2",
+    "saml-encoder-decoder-js": "1.0.1",
+    "fast-xml-parser": "4.0.15"
+  },
+  "dependencies": {
+    "@hapi/cryptiles": "5.0.0",
+    "@hapi/wreck": "^17.1.0",
+    "html-entities": "1.3.1"
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/routes.ts b/src/plugins/dashboards_security/server/auth/types/saml/routes.ts
new file mode 100644
index 000000000000..10b083b411f3
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/saml/routes.ts
@@ -0,0 +1,290 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { schema } from '@osd/config-schema';
+import {
+  IRouter,
+  SessionStorageFactory,
+  OpenSearchDashboardsRequest,
+} from '../../../../../../../src/core/server';
+import { SecuritySessionCookie } from '../../../session/security_cookie';
+import { SecurityPluginConfigType } from '../../..';
+import { SecurityClient } from '../../../backend/opensearch_security_client';
+import { CoreSetup } from '../../../../../../../src/core/server';
+import { validateNextUrl } from '../../../utils/next_url';
+import { AuthType, SAML_AUTH_LOGIN, SAML_AUTH_LOGOUT } from '../../../../common';
+import { compileSchema } from 'ajv/dist/compile';
+import { XMLParser } from "fast-xml-parser";
+import { AuthToken } from './utils/AuthToken';
+
+export class SamlAuthRoutes {
+  constructor(
+    private readonly router: IRouter,
+    // @ts-ignore: unused variable
+    private readonly config: SecurityPluginConfigType,
+    private readonly sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    private readonly securityClient: SecurityClient,
+    private readonly coreSetup: CoreSetup
+  ) {}
+
+  public setupRoutes() {
+    this.router.get(
+      {
+        path: SAML_AUTH_LOGIN,
+        validate: {
+          query: schema.object({
+            nextUrl: schema.maybe(
+              schema.string({
+                validate: validateNextUrl,
+              })
+            ),
+          }),
+        },
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        if (request.auth.isAuthenticated) {
+          return response.redirected({
+            headers: {
+              location: `${this.coreSetup.http.basePath.serverBasePath}/app/opensearch-dashboards`,
+            },
+          });
+        }
+
+        try {
+          const samlHeader = await this.securityClient.getSamlHeader(request);
+          // const { nextUrl = '/' } = request.query;
+          const cookie: SecuritySessionCookie = {
+            saml: {
+              nextUrl: request.query.nextUrl,
+              requestId: samlHeader.requestId,
+            },
+          };
+          this.sessionStorageFactory.asScoped(request).set(cookie);
+          return response.redirected({
+            headers: {
+              location: samlHeader.location,
+            },
+          });
+        } catch (error) {
+          context.security_plugin.logger.error(`Failed to get saml header: ${error}`);
+          return response.internalError(); // TODO: redirect to error page?
+        }
+      }
+    );
+
+    this.router.post(
+      {
+        path: `/_opendistro/_security/saml/acs`,
+        validate: {
+          body: schema.any(),
+        },
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        let requestId: string = '';
+        let nextUrl: string = '/';
+        try {
+          const cookie = await this.sessionStorageFactory.asScoped(request).get();
+          if (cookie) {
+            requestId = cookie.saml?.requestId || '';
+            nextUrl =
+              cookie.saml?.nextUrl ||
+              `${this.coreSetup.http.basePath.serverBasePath}/app/opensearch-dashboards`;
+          }
+          if (!requestId) {
+            return response.badRequest({
+              body: 'Invalid requestId',
+            });
+          }
+        } catch (error) {
+          context.security_plugin.logger.error(`Failed to parse cookie: ${error}`);
+          return response.badRequest();
+        }
+
+        try {
+          const SAML = require("saml-encoder-decoder-js");
+          const xmlParser = new XMLParser();
+          const samlResponse = request.body.SAMLResponse;
+          // TODO: 
+          // - Validate SAML Response 
+          // - Set the SAML Response expiry in cookie
+          // - Consider how identiy info updates in IDP are synced with SP(Just in time/Real Time updates)
+          SAML.decodeSamlPost(samlResponse, function(err: string | undefined, xml: any) {
+              if (err) {
+                  throw new Error(err);
+              }
+              const jsonObj = xmlParser.parse(xml);
+              const username = jsonObj["samlp:Response"]["saml:Assertion"]["saml:Subject"]["saml:NameID"];
+          });
+          
+
+          // const credentials = await this.securityClient.authToken(
+          //   requestId,
+          //   request.body.SAMLResponse,
+          //   undefined
+          // );
+          // const user = await this.securityClient.authenticateWithHeader(
+          //   request,
+          //   'authorization',
+          //   credentials.authorization
+          // );
+
+          let expiryTime = Date.now() + this.config.session.ttl;
+          // const [headerEncoded, payloadEncoded, signature] = credentials.authorization.split('.');
+          // if (!payloadEncoded) {
+          //   context.security_plugin.logger.error('JWT token payload not found');
+          // }
+          // const tokenPayload = JSON.parse(Buffer.from(payloadEncoded, 'base64').toString());
+
+          // if (tokenPayload.exp) {
+          //   expiryTime = parseInt(tokenPayload.exp, 10) * 1000;
+          // }
+          // const cookie: SecuritySessionCookie = {
+          //   username: user.username,
+          //   credentials: {
+          //     authHeaderValue: credentials.authorization,
+          //   },
+          //   authType: AuthType.SAML, // TODO: create constant
+          //   expiryTime,
+          // };
+          // console.log("######cookie");
+          // console.log(cookie);
+
+          const authToken = new AuthToken(samlResponse);
+          const credentials = authToken.token;
+          console.log("######### credentials");
+          console.log(credentials);
+
+          // const cookie: SecuritySessionCookie = {
+          //   username: "cgliu@amazon.com",
+          //   credentials: {
+          //     authHeaderValue: "bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzUyMTM3NzksImV4cCI6MTY3NTMwMDE3OSwic3ViIjoiY2dsaXVAYW1hem9uLmNvbSIsInNhbWxfbmlmIjoiZW1haWwiLCJzYW1sX3NpIjoiXzE5N2U0M2MxLTczNjMtNGQxMi05MGEzLTYyMTNjZDdkZmMzYSJ9.M-msJk-lZnzwl9jn0RUaVauB1uLFIGe9ePG_WCCMyLHFCR0YPYhdqyyCE8OHqbB5xa4GN92sMCRkSTIsJ07j7A",
+          //   },
+          //   authType: AuthType.SAML, // TODO: create constant
+          //   expiryTime,
+          // };
+
+          const cookie: SecuritySessionCookie = {
+            username: "cgliu@amazon.com",
+            credentials: {
+              authHeaderValue: authToken.token,
+            },
+            authType: AuthType.SAML, // TODO: create constant
+            expiryTime,
+          };
+
+          this.sessionStorageFactory.asScoped(request).set(cookie);
+          return response.redirected({
+            headers: {
+              location: nextUrl,
+            },
+          });
+        } catch (error) {
+          context.security_plugin.logger.error(
+            `SAML SP initiated authentication workflow failed: ${error}`
+          );
+        }
+
+        return response.internalError();
+      }
+    );
+
+    this.router.post(
+      {
+        path: `/_opendistro/_security/saml/acs/idpinitiated`,
+        validate: {
+          body: schema.any(),
+        },
+        options: {
+          authRequired: false,
+        },
+      },
+      async (context, request, response) => {
+        const acsEndpoint = `${this.coreSetup.http.basePath.serverBasePath}/_opendistro/_security/saml/acs/idpinitiated`;
+        try {
+          const credentials = await this.securityClient.authToken(
+            undefined,
+            request.body.SAMLResponse,
+            acsEndpoint
+          );
+          const user = await this.securityClient.authenticateWithHeader(
+            request,
+            'authorization',
+            credentials.authorization
+          );
+
+          let expiryTime = Date.now() + this.config.session.ttl;
+          const [headerEncoded, payloadEncoded, signature] = credentials.authorization.split('.');
+          if (!payloadEncoded) {
+            context.security_plugin.logger.error('JWT token payload not found');
+          }
+          const tokenPayload = JSON.parse(Buffer.from(payloadEncoded, 'base64').toString());
+          if (tokenPayload.exp) {
+            expiryTime = parseInt(tokenPayload.exp, 10) * 1000;
+          }
+
+          const cookie: SecuritySessionCookie = {
+            username: user.username,
+            credentials: {
+              authHeaderValue: credentials.authorization,
+            },
+            authType: AuthType.SAML, // TODO: create constant
+            expiryTime,
+          };
+          this.sessionStorageFactory.asScoped(request).set(cookie);
+          return response.redirected({
+            headers: {
+              location: `${this.coreSetup.http.basePath.serverBasePath}/app/opensearch-dashboards`,
+            },
+          });
+        } catch (error) {
+          context.security_plugin.logger.error(
+            `SAML IDP initiated authentication workflow failed: ${error}`
+          );
+        }
+        return response.internalError();
+      }
+    );
+
+    this.router.get(
+      {
+        path: SAML_AUTH_LOGOUT,
+        validate: false,
+      },
+      async (context, request, response) => {
+        try {
+          const authInfo = await this.securityClient.authinfo(request);
+          this.sessionStorageFactory.asScoped(request).clear();
+          // TODO: need a default logout page
+          const redirectUrl =
+            authInfo.sso_logout_url || this.coreSetup.http.basePath.serverBasePath || '/';
+          return response.redirected({
+            headers: {
+              location: redirectUrl,
+            },
+          });
+        } catch (error) {
+          context.security_plugin.logger.error(`SAML logout failed: ${error}`);
+          return response.badRequest();
+        }
+      }
+    );
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/saml_auth.ts b/src/plugins/dashboards_security/server/auth/types/saml/saml_auth.ts
new file mode 100644
index 000000000000..a9f712d08be9
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/saml/saml_auth.ts
@@ -0,0 +1,136 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { escape } from 'querystring';
+import { CoreSetup } from 'opensearch-dashboards/server';
+import { SecurityPluginConfigType } from '../../..';
+import {
+  SessionStorageFactory,
+  IRouter,
+  ILegacyClusterClient,
+  OpenSearchDashboardsRequest,
+  AuthToolkit,
+  Logger,
+  LifecycleResponseFactory,
+  IOpenSearchDashboardsResponse,
+  AuthResult,
+} from '../../../../../../src/core/server';
+import {
+  SecuritySessionCookie,
+  clearOldVersionCookieValue,
+} from '../../../session/security_cookie';
+import { SamlAuthRoutes } from './routes';
+import { AuthenticationType } from '../authentication_type';
+import { AuthType, jwtKey } from '../../../../common';
+
+export class SamlAuthentication extends AuthenticationType {
+  public static readonly AUTH_HEADER_NAME = 'authorization';
+
+  public readonly type: string = 'saml';
+
+  constructor(
+    config: SecurityPluginConfigType,
+    sessionStorageFactory: SessionStorageFactory<SecuritySessionCookie>,
+    router: IRouter,
+    esClient: ILegacyClusterClient,
+    coreSetup: CoreSetup,
+    logger: Logger
+  ) {
+    super(config, sessionStorageFactory, router, esClient, coreSetup, logger);
+  }
+
+  private generateNextUrl(request: OpenSearchDashboardsRequest): string {
+    const path =
+      this.coreSetup.http.basePath.serverBasePath +
+      (request.url.path || '/app/opensearch-dashboards');
+    return escape(path);
+  }
+
+  private redirectToLoginUri(request: OpenSearchDashboardsRequest, toolkit: AuthToolkit) {
+    const nextUrl = this.generateNextUrl(request);
+    const clearOldVersionCookie = clearOldVersionCookieValue(this.config);
+    return toolkit.redirected({
+      location: `${this.coreSetup.http.basePath.serverBasePath}/auth/saml/login?nextUrl=${nextUrl}`,
+      'set-cookie': clearOldVersionCookie,
+    });
+  }
+
+  public async init() {
+    const samlAuthRoutes = new SamlAuthRoutes(
+      this.router,
+      this.config,
+      this.sessionStorageFactory,
+      this.coreSetup
+    );
+    samlAuthRoutes.setupRoutes();
+  }
+
+  requestIncludesAuthInfo(request: OpenSearchDashboardsRequest): boolean {
+    return request.headers[SamlAuthentication.AUTH_HEADER_NAME] ? true : false;
+  }
+
+  async getAdditionalAuthHeader(request: OpenSearchDashboardsRequest): Promise<any> {
+    return {};
+  }
+
+  getCookie(request: OpenSearchDashboardsRequest, authInfo: any): SecuritySessionCookie {
+    return {
+      username: authInfo.user_name,
+      credentials: {
+        authHeaderValue: request.headers[SamlAuthentication.AUTH_HEADER_NAME],
+      },
+      authType: AuthType.SAML,
+      expiryTime: Date.now() + this.config.session.ttl,
+    };
+  }
+
+  // Can be improved to check if the token is expiring.
+  async isValidCookie(cookie: SecuritySessionCookie): Promise<boolean> {
+    // Validate JWT token in cookie
+    var jwt = require('jsonwebtoken');
+    try {
+      const token = cookie.credentials.authHeaderValue;
+      const decodedToken = jwt.verify(token, jwtKey);
+    } catch (error: any) {
+      this.logger.error(`Failed to validate token: ${error}`);
+    //   return false;
+    }
+
+    return (
+      cookie.authType === AuthType.SAML &&
+      cookie.username &&
+      cookie.expiryTime &&
+      cookie.credentials?.authHeaderValue
+    );
+  }
+
+  handleUnauthedRequest(
+    request: OpenSearchDashboardsRequest,
+    response: LifecycleResponseFactory,
+    toolkit: AuthToolkit
+  ): IOpenSearchDashboardsResponse | AuthResult {
+    if (this.isPageRequest(request)) {
+      return this.redirectToLoginUri(request, toolkit);
+    } else {
+      return response.unauthorized();
+    }
+  }
+
+  buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
+    const headers: any = {};
+    headers[SamlAuthentication.AUTH_HEADER_NAME] = cookie.credentials?.authHeaderValue;
+    return headers;
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/utils/AuthToken.ts b/src/plugins/dashboards_security/server/auth/types/saml/utils/AuthToken.ts
new file mode 100644
index 000000000000..ac91f7060302
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/saml/utils/AuthToken.ts
@@ -0,0 +1,25 @@
+import { X509Certificate } from 'crypto';
+import { XMLParser } from 'fast-xml-parser';
+import { jwtKey } from '../../../../../common'
+import { SamlAuthentication } from '../saml_auth';
+import { SAMLResponse } from './SAMLResponse';
+// import { jsonwebtoken } from 'jsonwebtoken';
+
+export class AuthToken {
+    
+    token: any;
+    jwt: any;
+
+    constructor(samlResponse: SAMLResponse) {
+        this.jwt = require('jsonwebtoken');
+        const jwtExpirySeconds = "1d";
+        const user = {
+            "cgliu@amazon.com": "123456",
+        }
+        this.token = this.jwt.sign({ username: "cgliu@amazon.com" }, jwtKey, {
+            algorithm: "HS256",
+            expiresIn: jwtExpirySeconds,
+        })
+        // this.token = "bearer " + this.token;
+    }
+}
\ No newline at end of file
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts b/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts
new file mode 100644
index 000000000000..3209612ad7d2
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts
@@ -0,0 +1,45 @@
+import { X509Certificate } from 'crypto';
+import { XMLParser } from 'fast-xml-parser';
+
+export class SAMLResponse {
+    private acsUrl: string | undefined;
+    private samlResponseDocument: any;
+    private jsonObj: any;
+    private cert: X509Certificate | undefined;
+
+    constructor(request: any) {
+        if (request !== null) {
+            this.acsUrl = 'http://localhost:5601/_opendistro/_security/saml/acs';
+            this.samlResponseDocument = request.body.SAMLResponse;
+            const SAML = require("saml-encoder-decoder-js");
+            const xmlParser = new XMLParser();
+            // TODO: 
+            // - Validate SAML Response 
+            // - Set the SAML Response expiry in cookie
+            // - Consider how identiy info updates in IDP are synced with SP(Just in time/Real Time updates)
+            SAML.decodeSamlPost(this.samlResponseDocument, (err: string | undefined, xml: any) => {
+                if (err) {
+                    throw new Error(err);
+                }
+                this.jsonObj = xmlParser.parse(xml);
+            });
+            // this.cert = new X509Certificate("fs.readFileSync('public-cert.pem')");
+        }
+    }
+
+    public isValid(samlResponse: SAMLResponse) {
+        // TODO:
+        // - validateDestination()
+        // - this.settings.getIdpx509cert()
+        // - expiry - getSessionNotOnOrAfter()
+        // - Validate responseInResponseTo()
+        // - If IDP sets getWantNameIdEncrypted to true, validate if NameID is encrypted.
+        // - Validate if issuer is not empty and equal to the IDP Entity ID
+        // - If IDP sets getWantAssertionsSigned to true, validate if Assertion is signed.
+        // - Validate if there's a signature
+        return true;
+    }
+
+
+
+}
\ No newline at end of file
diff --git a/src/plugins/dashboards_security/server/backend/opensearch_security_client.ts b/src/plugins/dashboards_security/server/backend/opensearch_security_client.ts
new file mode 100755
index 000000000000..bee1be56a872
--- /dev/null
+++ b/src/plugins/dashboards_security/server/backend/opensearch_security_client.ts
@@ -0,0 +1,235 @@
+/*
+ *   Copyright OpenSearch Contributors
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License").
+ *   You may not use this file except in compliance with the License.
+ *   A copy of the License is located at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   or in the "license" file accompanying this file. This file is distributed
+ *   on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ *   express or implied. See the License for the specific language governing
+ *   permissions and limitations under the License.
+ */
+
+import { ILegacyClusterClient, OpenSearchDashboardsRequest } from '../../../../../src/core/server';
+import { User } from '../auth/user';
+
+export class SecurityClient {
+  constructor(private readonly esClient: ILegacyClusterClient) {}
+
+  public async authenticate(request: OpenSearchDashboardsRequest, credentials: any): Promise<User> {
+    const authHeader = Buffer.from(`${credentials.username}:${credentials.password}`).toString(
+      'base64'
+    );
+    try {
+      const esResponse = await this.esClient
+        .asScoped(request)
+        .callAsCurrentUser('opensearch_security.authinfo', {
+          headers: {
+            authorization: `Basic ${authHeader}`,
+          },
+        });
+      return {
+        username: credentials.username,
+        roles: esResponse.roles,
+        backendRoles: esResponse.backend_roles,
+        tenants: esResponse.tenants,
+        selectedTenant: esResponse.user_requested_tenant,
+        credentials,
+        proxyCredentials: credentials,
+      };
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  public async authenticateWithHeader(
+    request: OpenSearchDashboardsRequest,
+    headerName: string,
+    headerValue: string,
+    whitelistedHeadersAndValues: any = {},
+    additionalAuthHeaders: any = {}
+  ): Promise<User> {
+    try {
+      const credentials: any = {
+        headerName,
+        headerValue,
+      };
+      const headers: any = {};
+      if (headerValue) {
+        headers[headerName] = headerValue;
+      }
+
+      // cannot get config elasticsearch.requestHeadersWhitelist from kibana.yml file in new platfrom
+      // meanwhile, do we really need to save all headers in cookie?
+      const esResponse = {
+        user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]',
+        user_name: 'cgliu@amazon.com',
+        user_requested_tenant: null,
+        remote_address: '127.0.0.1:61197',
+        backend_roles: [ 'admin' ],
+        custom_attribute_names: [],
+        roles: [ 'own_index', 'all_access' ],
+        tenants: { global_tenant: true, admin_tenant: true, admin: true },
+        principal: null,
+        peer_certificates: '0',
+        sso_logout_url: 'https://cgliu.onelogin.com/trust/saml2/http-redirect/slo/1970238?SAMLRequest=fVJda8IwFP0rJe%2BxTbt%2BGLRMcBsFpzDHHvYit02qhTRxuSnIfv1ineAGG%2BTp5Jxzzz3JDKFXR74yezO4F%2FkxSHTBqVca%2BXgzJ4PV3AB2yDX0Erlr%2BHbxvOLxJOJHa5xpjCI3kv8VgCit64wmQbWck836YbV5qtY7EFmeQ5TQRBaM3uWipRAXMRV1Clk9bfxJSPAmLXrtnHgrb4A4yEqjA%2B08FMUJjRiN2WuU87TgLHsnwdLv02lwo%2Brg3BF5GDZ71Q0To6Uy%2B05PGtOHzg7ownP%2BODzTqJWis7LxmDIhm%2BbevSBBOTtT%2BDjZllc%2FZRpQB4OOT%2BMomoW3nItg7YuolsGjsT24vxtiEzYinaDtSOWyh04thLASkZRj8Hvo4dOMsb9HXdzLYHZ5zK3n%2Bn0rLeSp3KVtFrO8TWgt68g3mwKdZg2jbZYWeV0ULYj04vNLeQV%2F%2FI3yCw%3D%3D'
+      }
+      // const esResponse = await this.esClient
+      //   .asScoped(request)
+      //   .callAsCurrentUser('opensearch_security.authinfo', {
+      //     headers,
+      //   });
+      return {
+        username: esResponse.user_name,
+        roles: esResponse.roles,
+        backendRoles: esResponse.backend_roles,
+        tenants: esResponse.tenants,
+        selectedTenant: esResponse.user_requested_tenant,
+        credentials,
+      };
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  public async authenticateWithHeaders(
+    request: OpenSearchDashboardsRequest,
+    additionalAuthHeaders: any = {}
+  ): Promise<User> {
+    try {
+      const esResponse = await this.esClient
+        .asScoped(request)
+        .callAsCurrentUser('opensearch_security.authinfo', {
+          headers: additionalAuthHeaders,
+        });
+      return {
+        username: esResponse.user_name,
+        roles: esResponse.roles,
+        backendRoles: esResponse.backend_roles,
+        tenants: esResponse.tenants,
+        selectedTenant: esResponse.user_requested_tenant,
+      };
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  public async authinfo(request: OpenSearchDashboardsRequest, headers: any = {}) {
+    try {
+      // return await this.esClient
+      //   .asScoped(request)
+      //   .callAsCurrentUser('opensearch_security.authinfo', {
+      //     headers,
+      //   });
+      return {
+        user: 'User [name=admin, backend_roles=[admin], requestedTenant=null]',
+        user_name: 'cgliu@amazon.com',
+        user_requested_tenant: null,
+        remote_address: '127.0.0.1:61197',
+        backend_roles: [ 'admin' ],
+        custom_attribute_names: [],
+        roles: [ 'own_index', 'all_access' ],
+        tenants: { global_tenant: true, admin_tenant: true, admin: true },
+        principal: null,
+        peer_certificates: '0',
+        sso_logout_url: 'https://cgliu.onelogin.com/trust/saml2/http-redirect/slo/1970238?SAMLRequest=fVJda8IwFP0rJe%2BxTbt%2BGLRMcBsFpzDHHvYit02qhTRxuSnIfv1ineAGG%2BTp5Jxzzz3JDKFXR74yezO4F%2FkxSHTBqVca%2BXgzJ4PV3AB2yDX0Erlr%2BHbxvOLxJOJHa5xpjCI3kv8VgCit64wmQbWck836YbV5qtY7EFmeQ5TQRBaM3uWipRAXMRV1Clk9bfxJSPAmLXrtnHgrb4A4yEqjA%2B08FMUJjRiN2WuU87TgLHsnwdLv02lwo%2Brg3BF5GDZ71Q0To6Uy%2B05PGtOHzg7ownP%2BODzTqJWis7LxmDIhm%2BbevSBBOTtT%2BDjZllc%2FZRpQB4OOT%2BMomoW3nItg7YuolsGjsT24vxtiEzYinaDtSOWyh04thLASkZRj8Hvo4dOMsb9HXdzLYHZ5zK3n%2Bn0rLeSp3KVtFrO8TWgt68g3mwKdZg2jbZYWeV0ULYj04vNLeQV%2F%2FI3yCw%3D%3D'
+      }
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  // Multi-tenancy APIs
+  public async getMultitenancyInfo(request: OpenSearchDashboardsRequest) {
+    try {
+      return await this.esClient
+        .asScoped(request)
+        .callAsCurrentUser('opensearch_security.multitenancyinfo');
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  public async getTenantInfoWithInternalUser() {
+    try {
+      return this.esClient.callAsInternalUser('opensearch_security.tenantinfo');
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  public async getTenantInfo(request: OpenSearchDashboardsRequest) {
+    try {
+      return await this.esClient
+        .asScoped(request)
+        .callAsCurrentUser('opensearch_security.tenantinfo');
+    } catch (error: any) {
+      throw new Error(error.message);
+    }
+  }
+
+  public async getSamlHeader(request: OpenSearchDashboardsRequest) {
+    try {
+      // response is expected to be an error
+      await this.esClient.asScoped(request).callAsCurrentUser('opensearch_security.authinfo');
+    } catch (error: any) {
+      // the error looks like
+      // wwwAuthenticateDirective:
+      //   '
+      //     X-Security-IdP realm="Open Distro Security"
+      //     location="https://<your-auth-domain.com>/api/saml2/v1/sso?SAMLRequest=<some-encoded-string>"
+      //     requestId="<request_id>"
+      //   '
+
+      // if (!error.wwwAuthenticateDirective) {
+      //   throw error;
+      // }
+
+      try {
+        return {
+          location: 'https://cgliu.onelogin.com/trust/saml2/http-redirect/sso/62513ad7-0fb6-4ef7-8065-c7d48f5ba802?SAMLRequest=fVJNj9owFPwrke%2FGTiAhsQCJLv1AooAWtodekHFewJJjp35O2%2F33NaGrbg%2B7t6fnmfHM6M1QtqYTyz5c7SP86AFD8rs1FsXwMCe9t8JJ1CisbAFFUOKw%2FLoR2YiLzrvglDPkFeV9hkQEH7SzJFmv5mS3%2FbjZfV5vT1Wual5mQKumKuikgTROqqBlDtWkgHPTyIIk38Bj5M5JlIoCiD2sLQZpQ1zxbEx5SrP0yKciK8Q4%2F06SVcyjrQwD6xpCh4IxdTG6HzkLxl20HSnXsuB7DOzmP2M3GPVQaw8q7tCxIsvTsaynlDfn6A6aKS15kVM1rSdlk59lyTOS7P%2B28UHbWtvL%2B0Wc7yAUX47HPd3vDkeSLF%2FKeXAW%2Bxb8AfxPreDpcXM3H70bp6S5OgwiL3jKTq6DKITBO3ZCUL3X4XnIwaRCspjdRjE05Rcv%2Bf9pVBnnM%2FYaM7vfwzYaXq%2F2zmj1nHxyvpXh7TzpKB02uqbNABW9xQ6UbjTUMZYx7teDBxlgTmLRQBK2uP%2F6%2F%2BEt%2FgA%3D',
+          requestId: 'ONELOGIN_95cd082e-9f96-4fe1-9fc6-85e946ebffa6'
+        }
+        // const locationRegExp = /location="(.*?)"/;
+        // const requestIdRegExp = /requestId="(.*?)"/;
+
+        // const locationExecArray = locationRegExp.exec(error.wwwAuthenticateDirective);
+        // const requestExecArray = requestIdRegExp.exec(error.wwwAuthenticateDirective);
+        // if (locationExecArray && requestExecArray) {
+        //   return {
+        //     location: locationExecArray[1],
+        //     requestId: requestExecArray[1],
+        //   };
+        // }
+        throw Error('failed parsing SAML config');
+      } catch (parsingError: any) {
+        console.log(parsingError);
+        throw new Error(parsingError);
+      }
+    }
+    throw new Error(`Invalid SAML configuration.`);
+  }
+
+  public async authToken(
+    requestId: string | undefined,
+    samlResponse: any,
+    acsEndpoint: any | undefined = undefined
+  ) {
+    const body = {
+      RequestId: requestId,
+      SAMLResponse: samlResponse,
+      acsEndpoint,
+    };
+    try {
+      return await this.esClient.asScoped().callAsCurrentUser('opensearch_security.authtoken', {
+        body,
+      });
+    } catch (error: any) {
+      console.log(error);
+      throw new Error('failed to get token');
+    }
+  }
+}

From 1a54ce5aaedca8f959db82b4561ce6971e655fe4 Mon Sep 17 00:00:00 2001
From: Chang Liu <lc12251109@gmail.com>
Date: Wed, 15 Feb 2023 12:14:32 -0800
Subject: [PATCH 6/6] Validate SAML asserts, issue token, validate token

Signed-off-by: Chang Liu <lc12251109@gmail.com>
---
 .../dashboards_security/common/index.ts       |   5 +-
 src/plugins/dashboards_security/package.json  |   5 +-
 .../server/auth/types/saml/routes.ts          | 151 +++++++++++-------
 .../server/auth/types/saml/utils/HapiSaml.ts  |  64 ++++++++
 .../auth/types/saml/utils/SAMLResponse.ts     |  62 +++----
 .../server/auth/types/saml/utils/metadata.xml |  39 +++++
 6 files changed, 229 insertions(+), 97 deletions(-)
 create mode 100644 src/plugins/dashboards_security/server/auth/types/saml/utils/HapiSaml.ts
 create mode 100644 src/plugins/dashboards_security/server/auth/types/saml/utils/metadata.xml

diff --git a/src/plugins/dashboards_security/common/index.ts b/src/plugins/dashboards_security/common/index.ts
index 37cedca9cbb1..eac3231d6e84 100644
--- a/src/plugins/dashboards_security/common/index.ts
+++ b/src/plugins/dashboards_security/common/index.ts
@@ -28,7 +28,10 @@ export const AUTH_HEADER_NAME = 'authorization';
 export const AUTH_GRANT_TYPE = 'authorization_code';
 export const AUTH_RESPONSE_TYPE = 'code';
 
-export const jwtKey = "6aff3042-1327-4f3d-82f0-40a157ac4464"
+export const jwtKey = '6aff3042-1327-4f3d-82f0-40a157ac4464';
+
+export const idpCert =
+  'MIIDzzCCAregAwIBAgIUKizt/svOXO4USLQ3spS2Bn507LYwDQYJKoZIhvcNAQEFBQAwQTEMMAoGA1UECgwDQVdTMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMB4XDTIzMDExMzIwMTQzNVoXDTI4MDExMzIwMTQzNVowQTEMMAoGA1UECgwDQVdTMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwTX1daRM90aJmDCWTL3Iuj4GvK2nHRNZoLP9dzscbFJNMIQEXdyREHSVnFO18KWDfwX3gOgvcuijJUk+r5XCf1oJueUNhme/Q8eSHQe1TOhOVPXuI9BxMyPupeKfmFelIylTNvUoCQo2A/dJURRN2rjz4pOoCqadOlgm2So//J8I/JiZVO6S1YleAjWY5VYOMJMq8QKBBMKkmxok+reA36lmvi2JtUZWpZVo62XVcjP9+uOONyXo7O3VEu8Vwezex2sXFyCm699G1aeRCtHQ3yKmhf0Rm0D+RgZKnG+9i6aeJFTXluBqOrz6CtXtW0SV2NKIeK36EcMH1unlG4/VMwIDAQABo4G+MIG7MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKsWx05elVPbItGUYA3SBXVehP7VMHwGA1UdIwR1MHOAFKsWx05elVPbItGUYA3SBXVehP7VoUWkQzBBMQwwCgYDVQQKDANBV1MxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCCCFCos7f7LzlzuFEi0N7KUtgZ+dOy2MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAh0Kg8BQrOuWO30A6Qj+VL2Ke0/Y96hgdjYxk4zcIwZcIxfb5U733ftF2H0r8RKBYNrWpEmPwa4RnaTqwRaY/pahZ7kznzgMVUMhT9QZe4uNDLu5HgzAuOdhpYk2qv6+GYqcbMNtKPEtTjp0/KwMntgBkn9dPBSiydqojtwh0i2e2rhFh4gBDvuXdHZCcOWCKYm24IOoEI41Q4JIu1jAk6LM3jErcZdx+Lqa9rvSn6jdC6/jwhR1anqqLU9qGIjN99640z/JIOdK8wPei2veLpZbKIDtG/iaSNkdrFhEE1WNXTnnPImQNVgvIT9QdyOLLdzuQ25G3Qraj47JEMm0Xmw==';
 
 export enum AuthType {
   BASIC = 'basicauth',
diff --git a/src/plugins/dashboards_security/package.json b/src/plugins/dashboards_security/package.json
index d5ebb1f8c625..e0f6e971ed32 100644
--- a/src/plugins/dashboards_security/package.json
+++ b/src/plugins/dashboards_security/package.json
@@ -36,6 +36,9 @@
   "dependencies": {
     "@hapi/cryptiles": "5.0.0",
     "@hapi/wreck": "^17.1.0",
-    "html-entities": "1.3.1"
+    "html-entities": "1.3.1",
+    "node-saml": "^4.0.0-beta.2",
+    "@node-saml/passport-saml": "4.0.2",
+    "jsonwebtoken": "9.0.0"
   }
 }
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/routes.ts b/src/plugins/dashboards_security/server/auth/types/saml/routes.ts
index 10b083b411f3..31fef97d3c59 100644
--- a/src/plugins/dashboards_security/server/auth/types/saml/routes.ts
+++ b/src/plugins/dashboards_security/server/auth/types/saml/routes.ts
@@ -1,3 +1,8 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
 /*
  *   Copyright OpenSearch Contributors
  *
@@ -14,6 +19,8 @@
  */
 
 import { schema } from '@osd/config-schema';
+import { compileSchema } from 'ajv/dist/compile';
+import { XMLParser } from 'fast-xml-parser';
 import {
   IRouter,
   SessionStorageFactory,
@@ -24,10 +31,9 @@ import { SecurityPluginConfigType } from '../../..';
 import { SecurityClient } from '../../../backend/opensearch_security_client';
 import { CoreSetup } from '../../../../../../../src/core/server';
 import { validateNextUrl } from '../../../utils/next_url';
-import { AuthType, SAML_AUTH_LOGIN, SAML_AUTH_LOGOUT } from '../../../../common';
-import { compileSchema } from 'ajv/dist/compile';
-import { XMLParser } from "fast-xml-parser";
+import { AuthType, idpCert, SAML_AUTH_LOGIN, SAML_AUTH_LOGOUT } from '../../../../common';
 import { AuthToken } from './utils/AuthToken';
+import { HapiSaml } from './utils/HapiSaml';
 
 export class SamlAuthRoutes {
   constructor(
@@ -119,70 +125,99 @@ export class SamlAuthRoutes {
         }
 
         try {
-          const SAML = require("saml-encoder-decoder-js");
+          const authInfo = await this.securityClient.authinfo(request);
+
+          const samlOptions = {
+            // passport saml settings
+
+            saml: {
+              // this should be the same as the assert path in config below
+              callbackUrl: '/auth/saml/login',
+              // logout functionality is untested at this time.
+              logoutCallbackUrl: 'http://localhost/api/sso/v1/notifylogout',
+              logoutUrl:
+                authInfo.sso_logout_url || this.coreSetup.http.basePath.serverBasePath || '/',
+
+              entryPoint: 'https://cgliu.onelogin.com/trust/saml2/http-redirect/slo/1970238',
+              privateKey: '',
+              // IdP Public Signing Key
+              cert: idpCert,
+              issuer: 'one_login',
+            },
+            // hapi-saml-sp settings
+            config: {
+              // public cert provided in metadata
+              signingCert: '',
+              // Plugin Routes
+              routes: {
+                metadata: {
+                  path: './utils/metadata.xml',
+                  options: {
+                    description: 'Fetch SAML metadata',
+                    tags: ['api'],
+                  },
+                },
+                assert: {
+                  path: `/_opendistro/_security/saml/acs`,
+                  options: {
+                    description: 'SAML login endpoint',
+                    tags: ['api'],
+                  },
+                },
+              },
+              assertHooks: {
+                // This will get called after your SAML identity provider sends a
+                // POST request back to the assert endpoint specified above (e.g. /login/saml)
+                onResponse: (
+                  profile: any,
+                  request: any,
+                  h: { redirect: (arg0: string) => any }
+                ) => {
+                  // your custom handling code goes in here.  I can't help much with this,
+                  // but you could set a cookie, or generate a JWT and h.redirect() your user to your
+                  // front end with that.
+                  return h.redirect('https://your.frontend.test');
+                },
+              },
+            },
+          };
+
+          const hapiSaml = new HapiSaml(samlOptions);
+          const saml = hapiSaml.getSamlLib();
+
+          const SAMLResponse = request.body.SAMLResponse;
+          let profile = null;
+          try {
+            profile = (await saml.validatePostResponseAsync({ SAMLResponse })) || {};
+          } catch (error: any) {
+            context.security_plugin.logger.error(`Error while validating SAML response: ${error}`);
+            return response.internalError();
+          }
+
+          if (profile === null) {
+            return response.internalError();
+          }
+
+          const SAML = require('saml-encoder-decoder-js');
           const xmlParser = new XMLParser();
           const samlResponse = request.body.SAMLResponse;
-          // TODO: 
-          // - Validate SAML Response 
-          // - Set the SAML Response expiry in cookie
-          // - Consider how identiy info updates in IDP are synced with SP(Just in time/Real Time updates)
-          SAML.decodeSamlPost(samlResponse, function(err: string | undefined, xml: any) {
-              if (err) {
-                  throw new Error(err);
-              }
-              const jsonObj = xmlParser.parse(xml);
-              const username = jsonObj["samlp:Response"]["saml:Assertion"]["saml:Subject"]["saml:NameID"];
-          });
-          
-
-          // const credentials = await this.securityClient.authToken(
-          //   requestId,
-          //   request.body.SAMLResponse,
-          //   undefined
-          // );
-          // const user = await this.securityClient.authenticateWithHeader(
-          //   request,
-          //   'authorization',
-          //   credentials.authorization
-          // );
 
-          let expiryTime = Date.now() + this.config.session.ttl;
-          // const [headerEncoded, payloadEncoded, signature] = credentials.authorization.split('.');
-          // if (!payloadEncoded) {
-          //   context.security_plugin.logger.error('JWT token payload not found');
-          // }
-          // const tokenPayload = JSON.parse(Buffer.from(payloadEncoded, 'base64').toString());
+          SAML.decodeSamlPost(samlResponse, function (err: string | undefined, xml: any) {
+            if (err) {
+              throw new Error(err);
+            }
+            const jsonObj = xmlParser.parse(xml);
+            const username =
+              jsonObj['samlp:Response']['saml:Assertion']['saml:Subject']['saml:NameID'];
+          });
 
-          // if (tokenPayload.exp) {
-          //   expiryTime = parseInt(tokenPayload.exp, 10) * 1000;
-          // }
-          // const cookie: SecuritySessionCookie = {
-          //   username: user.username,
-          //   credentials: {
-          //     authHeaderValue: credentials.authorization,
-          //   },
-          //   authType: AuthType.SAML, // TODO: create constant
-          //   expiryTime,
-          // };
-          // console.log("######cookie");
-          // console.log(cookie);
+          const expiryTime = Date.now() + this.config.session.ttl;
 
           const authToken = new AuthToken(samlResponse);
           const credentials = authToken.token;
-          console.log("######### credentials");
-          console.log(credentials);
-
-          // const cookie: SecuritySessionCookie = {
-          //   username: "cgliu@amazon.com",
-          //   credentials: {
-          //     authHeaderValue: "bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzUyMTM3NzksImV4cCI6MTY3NTMwMDE3OSwic3ViIjoiY2dsaXVAYW1hem9uLmNvbSIsInNhbWxfbmlmIjoiZW1haWwiLCJzYW1sX3NpIjoiXzE5N2U0M2MxLTczNjMtNGQxMi05MGEzLTYyMTNjZDdkZmMzYSJ9.M-msJk-lZnzwl9jn0RUaVauB1uLFIGe9ePG_WCCMyLHFCR0YPYhdqyyCE8OHqbB5xa4GN92sMCRkSTIsJ07j7A",
-          //   },
-          //   authType: AuthType.SAML, // TODO: create constant
-          //   expiryTime,
-          // };
 
           const cookie: SecuritySessionCookie = {
-            username: "cgliu@amazon.com",
+            username: 'cgliu@amazon.com',
             credentials: {
               authHeaderValue: authToken.token,
             },
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/utils/HapiSaml.ts b/src/plugins/dashboards_security/server/auth/types/saml/utils/HapiSaml.ts
new file mode 100644
index 000000000000..e7693ed51b92
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/saml/utils/HapiSaml.ts
@@ -0,0 +1,64 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { SAML } from 'node-saml';
+
+('use strict');
+
+// const Saml = require('passport-saml/lib/node-saml/saml');
+// const Saml = SAML
+
+export class HapiSaml {
+  saml: any;
+  props: {};
+
+  constructor(options: any) {
+    console.log('!!!options');
+    console.log(options);
+
+    this.saml = null;
+    this.props = {};
+    this.load(options);
+  }
+
+  load(options: any) {
+    if (!options.saml) {
+      throw new Error('Missing options.saml');
+    }
+
+    if (!options.config && !options.config.routes) {
+      throw new Error('Missing options.config.routes');
+    }
+
+    if (!options.config.routes.metadata) {
+      throw new Error('Missing options.config.routes.metadata');
+    }
+
+    if (!options.config.routes.assert) {
+      throw new Error('Missing options.config.routes.assert');
+    }
+
+    if (!options.config && !options.config.assertHooks.onRequest) {
+      throw new Error('Missing options.config.assertHooks.onRequest');
+    }
+
+    if (!options.config && !options.config.assertHooks.onResponse) {
+      throw new Error('Missing options.config.assertHooks.onResponse');
+    }
+
+    console.log('777777');
+
+    this.saml = new SAML(options.saml);
+    this.props = Object.assign({}, options.saml);
+    this.props.decryptionCert = options.config.decryptionCert;
+    this.props.signingCert = options.config.signingCert;
+  }
+
+  getSamlLib() {
+    return this.saml;
+  }
+}
+
+exports.HapiSaml = HapiSaml;
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts b/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts
index 3209612ad7d2..21cba518b73b 100644
--- a/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts
+++ b/src/plugins/dashboards_security/server/auth/types/saml/utils/SAMLResponse.ts
@@ -1,45 +1,33 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
 import { X509Certificate } from 'crypto';
 import { XMLParser } from 'fast-xml-parser';
 
 export class SAMLResponse {
-    private acsUrl: string | undefined;
-    private samlResponseDocument: any;
-    private jsonObj: any;
-    private cert: X509Certificate | undefined;
+  private acsUrl: string | undefined;
+  private samlResponseDocument: any;
+  private jsonObj: any;
+  private cert: X509Certificate | undefined;
 
-    constructor(request: any) {
-        if (request !== null) {
-            this.acsUrl = 'http://localhost:5601/_opendistro/_security/saml/acs';
-            this.samlResponseDocument = request.body.SAMLResponse;
-            const SAML = require("saml-encoder-decoder-js");
-            const xmlParser = new XMLParser();
-            // TODO: 
-            // - Validate SAML Response 
-            // - Set the SAML Response expiry in cookie
-            // - Consider how identiy info updates in IDP are synced with SP(Just in time/Real Time updates)
-            SAML.decodeSamlPost(this.samlResponseDocument, (err: string | undefined, xml: any) => {
-                if (err) {
-                    throw new Error(err);
-                }
-                this.jsonObj = xmlParser.parse(xml);
-            });
-            // this.cert = new X509Certificate("fs.readFileSync('public-cert.pem')");
+  constructor(request: any) {
+    if (request !== null) {
+      this.acsUrl = 'http://localhost:5601/_opendistro/_security/saml/acs';
+      this.samlResponseDocument = request.body.SAMLResponse;
+      const SAML = require('saml-encoder-decoder-js');
+      const xmlParser = new XMLParser();
+      SAML.decodeSamlPost(this.samlResponseDocument, (err: string | undefined, xml: any) => {
+        if (err) {
+          throw new Error(err);
         }
+        this.jsonObj = xmlParser.parse(xml);
+      });
     }
+  }
 
-    public isValid(samlResponse: SAMLResponse) {
-        // TODO:
-        // - validateDestination()
-        // - this.settings.getIdpx509cert()
-        // - expiry - getSessionNotOnOrAfter()
-        // - Validate responseInResponseTo()
-        // - If IDP sets getWantNameIdEncrypted to true, validate if NameID is encrypted.
-        // - Validate if issuer is not empty and equal to the IDP Entity ID
-        // - If IDP sets getWantAssertionsSigned to true, validate if Assertion is signed.
-        // - Validate if there's a signature
-        return true;
-    }
-
-
-
-}
\ No newline at end of file
+  public isValid(samlResponse: SAMLResponse) {
+    return true;
+  }
+}
diff --git a/src/plugins/dashboards_security/server/auth/types/saml/utils/metadata.xml b/src/plugins/dashboards_security/server/auth/types/saml/utils/metadata.xml
new file mode 100644
index 000000000000..2a13412db3e8
--- /dev/null
+++ b/src/plugins/dashboards_security/server/auth/types/saml/utils/metadata.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/62513ad7-0fb6-4ef7-8065-c7d48f5ba802">
+  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>MIIDzzCCAregAwIBAgIUKizt/svOXO4USLQ3spS2Bn507LYwDQYJKoZIhvcNAQEF
+BQAwQTEMMAoGA1UECgwDQVdTMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNV
+BAMMEU9uZUxvZ2luIEFjY291bnQgMB4XDTIzMDExMzIwMTQzNVoXDTI4MDExMzIw
+MTQzNVowQTEMMAoGA1UECgwDQVdTMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAY
+BgNVBAMMEU9uZUxvZ2luIEFjY291bnQgMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAwTX1daRM90aJmDCWTL3Iuj4GvK2nHRNZoLP9dzscbFJNMIQEXdyR
+EHSVnFO18KWDfwX3gOgvcuijJUk+r5XCf1oJueUNhme/Q8eSHQe1TOhOVPXuI9Bx
+MyPupeKfmFelIylTNvUoCQo2A/dJURRN2rjz4pOoCqadOlgm2So//J8I/JiZVO6S
+1YleAjWY5VYOMJMq8QKBBMKkmxok+reA36lmvi2JtUZWpZVo62XVcjP9+uOONyXo
+7O3VEu8Vwezex2sXFyCm699G1aeRCtHQ3yKmhf0Rm0D+RgZKnG+9i6aeJFTXluBq
+Orz6CtXtW0SV2NKIeK36EcMH1unlG4/VMwIDAQABo4G+MIG7MAwGA1UdEwEB/wQC
+MAAwHQYDVR0OBBYEFKsWx05elVPbItGUYA3SBXVehP7VMHwGA1UdIwR1MHOAFKsW
+x05elVPbItGUYA3SBXVehP7VoUWkQzBBMQwwCgYDVQQKDANBV1MxFTATBgNVBAsM
+DE9uZUxvZ2luIElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCCCFCos7f7L
+zlzuFEi0N7KUtgZ+dOy2MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOC
+AQEAh0Kg8BQrOuWO30A6Qj+VL2Ke0/Y96hgdjYxk4zcIwZcIxfb5U733ftF2H0r8
+RKBYNrWpEmPwa4RnaTqwRaY/pahZ7kznzgMVUMhT9QZe4uNDLu5HgzAuOdhpYk2q
+v6+GYqcbMNtKPEtTjp0/KwMntgBkn9dPBSiydqojtwh0i2e2rhFh4gBDvuXdHZCc
+OWCKYm24IOoEI41Q4JIu1jAk6LM3jErcZdx+Lqa9rvSn6jdC6/jwhR1anqqLU9qG
+IjN99640z/JIOdK8wPei2veLpZbKIDtG/iaSNkdrFhEE1WNXTnnPImQNVgvIT9Qd
+yOLLdzuQ25G3Qraj47JEMm0Xmw==</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </KeyDescriptor>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cgliu.onelogin.com/trust/saml2/http-redirect/slo/1970238"/>
+
+      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cgliu.onelogin.com/trust/saml2/http-redirect/sso/62513ad7-0fb6-4ef7-8065-c7d48f5ba802"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cgliu.onelogin.com/trust/saml2/http-post/sso/62513ad7-0fb6-4ef7-8065-c7d48f5ba802"/>
+    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://cgliu.onelogin.com/trust/saml2/soap/sso/62513ad7-0fb6-4ef7-8065-c7d48f5ba802"/>
+  </IDPSSODescriptor>
+</EntityDescriptor>
\ No newline at end of file