OpenID authentication against ADFS server - no authorization header

[2020-06-25T04:19:46,308][DEBUG][c.a.o.s.a.BackendRegistry] [odfe-node1] Check authdomain for rest internal/0 or 2 in total
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] Try to extract auth creds from basic http authenticator
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] No 'Authorization' header, send 403
[2020-06-25T04:19:46,309][DEBUG][c.a.o.s.a.BackendRegistry] [odfe-node1] Check authdomain for rest noop/1 or 2 in total
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] Try to extract auth creds from jwt-key-by-oidc http authenticator
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] No 'Authorization' header, send 403
[2020-06-25T04:19:46,310][DEBUG][c.a.o.s.a.BackendRegistry] [odfe-node1] User still not authenticated after checking 2 auth domains

I have a Docker Compose-configured opendistro stack that I’ve been able to get working against Google’s OpenID service, but I’m not having any luck against a local Active Directory 2016 server running OpenID.

Kibana redirects me properly to the identity provider’s login page, and the browser follows back to the appropriate redirect_uri; however, elastic is unable to find an authorization header in the exchange with the IdP server.

I haven’t been able to find any documentation that says that ADFS uses a different header name, or provides the values in the params. Is there a way to see the request that elastic is receiving back from the ADFS server?

I’ve currently turned on trace logging for com.amazon.dlic.auth.http.jwt, and com.amazon.opendistroforelasticsearch.security as well as adding logging.verbose: true to my kibana.yml, but I haven’t been able to inspect the message to see if the Bearer token is hidden somewhere else.
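
Added example, not part of the original post and not code from the Open Distro project: a small Python parser that groups `BackendRegistry` DEBUG/TRACE lines like the ones above by auth domain and reports which HTTP authenticator was tried and why it produced no credentials. The field names `name` and `order`, and reading `internal/0` as name/order, are assumptions made for this example; the sample lines are copied from the log in the post.

```python
import re

# Log lines copied from the post above.
SAMPLE_LOG = """\
[2020-06-25T04:19:46,308][DEBUG][c.a.o.s.a.BackendRegistry] [odfe-node1] Check authdomain for rest internal/0 or 2 in total
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] Try to extract auth creds from basic http authenticator
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] No 'Authorization' header, send 403
[2020-06-25T04:19:46,309][DEBUG][c.a.o.s.a.BackendRegistry] [odfe-node1] Check authdomain for rest noop/1 or 2 in total
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] Try to extract auth creds from jwt-key-by-oidc http authenticator
[2020-06-25T04:19:46,309][TRACE][c.a.o.s.a.BackendRegistry] [odfe-node1] No 'Authorization' header, send 403
[2020-06-25T04:19:46,310][DEBUG][c.a.o.s.a.BackendRegistry] [odfe-node1] User still not authenticated after checking 2 auth domains
"""

# [timestamp][LEVEL][logger] [node] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]"
                  r"\s*\[(?P<node>[^\]]+)\]\s*(?P<msg>.*)$")
CHECK = re.compile(r"Check authdomain for rest (?P<name>\S+)/(?P<order>\d+) or \d+ in total")
EXTRACT = re.compile(r"Try to extract auth creds from (?P<auth>\S+) http authenticator")
NO_HEADER = re.compile(r"No .Authorization. header")  # tolerates straight or curly quotes
GIVE_UP = re.compile(r"User still not authenticated after checking (\d+) auth domains")


def summarize(log_text):
    """Return (attempts, gave_up_after): one dict per auth domain tried, in log order."""
    attempts, gave_up_after = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["logger"].endswith("BackendRegistry"):
            continue  # ignore lines from other loggers
        msg = m["msg"]
        if c := CHECK.search(msg):
            attempts.append({"name": c["name"], "order": int(c["order"]),
                             "authenticator": None, "outcome": "no outcome logged"})
        elif g := GIVE_UP.search(msg):
            gave_up_after = int(g[1])
        elif attempts and (e := EXTRACT.search(msg)):
            attempts[-1]["authenticator"] = e["auth"]
        elif attempts and NO_HEADER.search(msg):
            attempts[-1]["outcome"] = "missing Authorization header"
    return attempts, gave_up_after


if __name__ == "__main__":
    tried, total = summarize(SAMPLE_LOG)
    for a in tried:
        print(f"domain {a['name']} (order {a['order']}): {a['authenticator']} -> {a['outcome']}")
    print(f"gave up after {total} auth domains")
```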