Add new settings for SAML and OIDC that allow for cookie splitting

[cwillum]

Description

Two new settings are added to opensearch_dashboards.yml that allow for splitting session payloads into multiple cookies to help prevent from hitting cookie limits.

Issues Resolved

Added documentation for these settings in SAML and OIDC backend configuration.

Fixes #3691

Checklist

• By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
  For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwillum]

@opensearch-project/security Hi team. Could you have a look at these brief additions to SAML and OIDC configuration sections? They include description of the new setting that allows you to split cookies for session management (merged in #1352.) Can you also confirm that the http.max_header_sizesetting is complete and accurate? I looked for it in opensearch.yml.example and couldn't find an example of it. Neither in documentation. Thanks.

[DarshitChanpura]

@cwillum The changes look good to me!

[DarshitChanpura]

@opensearch-project/security Hi team. Could you have a look at these brief additions to SAML and OIDC configuration sections? They include description of the new setting that allows you to split cookies for session management (merged in #1352.)

These changes look good to me. The description is accurate.

Can you also confirm that the http.max_header_sizesetting is complete and accurate? I looked for it in opensearch.yml.example and couldn't find an example of it. Neither in documentation. Thanks.

This description looks good to me. http.max_header_size setting applies to all components of the header and not just the token. And, as you correctly mentioned, if the ID token size overflows or cause the aggregate header-size to overflow then it might throw an exception.

[cwillum]

@DarshitChanpura Big thanks for the review.

[kolchfa-aws]

LGTM. Left some suggestions for clarification.

[natebower]

Suggested change

	Note that reducing the number of additional cookies can cause some of the cookies in use before the change to stop working. We recommend establishing a fixed number of additional cookies and not changing the configuration after that.
	Note that reducing the number of additional cookies can cause some of the cookies that were in use before the change to stop working. We recommend establishing a fixed number of additional cookies and not changing the configuration after that.

[opensearch-trigger-bot]

The backport to 2.1 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.1 2.1
# Navigate to the new working tree
pushd ../.worktrees/backport-2.1
# Create a new branch
git switch --create backport/backport-3807-to-2.1
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 773559ac755d6df14e0d49d93bceae71f644b84e
# Push it to GitHub
git push --set-upstream origin backport/backport-3807-to-2.1
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.1

Then, create a pull request where the base branch is 2.1 and the compare/head branch is backport/backport-3807-to-2.1.

[opensearch-trigger-bot]

The backport to 2.1 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.1 2.1
# Navigate to the new working tree
pushd ../.worktrees/backport-2.1
# Create a new branch
git switch --create backport/backport-3807-to-2.1
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 773559ac755d6df14e0d49d93bceae71f644b84e
# Push it to GitHub
git push --set-upstream origin backport/backport-3807-to-2.1
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.1

Then, create a pull request where the base branch is 2.1 and the compare/head branch is backport/backport-3807-to-2.1.

[cwillum]

• I was mistaken about the plan to backport this feature. This feature will be released for 2.7. I've reverted all backports.