Sunday, June 11, 2023

Configure SAML federation for Amazon OpenSearch Serverless with AWS IAM Identification Heart

Amazon OpenSearch Serverless is a serverless option of Amazon OpenSearch Service that makes it easy for you to run large-scale search and analytics workloads without having to configure, manage, or scale OpenSearch clusters. It automatically provisions and scales the underlying resources to deliver fast data ingestion and query responses for even the most demanding and unpredictable workloads. With OpenSearch Serverless, you can configure SAML to enable users to access data through OpenSearch Dashboards using an external SAML identity provider (IdP).

AWS IAM Identity Center (successor to AWS Single Sign-On) helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications, OpenSearch Dashboards being one of them.

In this post, we show you how to configure SAML authentication for OpenSearch Dashboards using IAM Identity Center as its IdP.

Solution overview

The following diagram illustrates how the solution allows users or groups to authenticate into OpenSearch Dashboards using single sign-on (SSO) with IAM Identity Center, using its built-in directory as the identity source.

The workflow steps are as follows:

  1. A user accesses the OpenSearch Dashboards URL in their browser and chooses the SAML provider.
  2. OpenSearch Serverless redirects the login to the specified IdP.
  3. The IdP provides a login form for the user to specify the credentials for authentication.
  4. After the user is authenticated successfully, a SAML assertion is sent back to OpenSearch Serverless.
  5. OpenSearch Serverless validates the SAML assertion, and the user logs in to OpenSearch Dashboards.


To get started, you must have an active OpenSearch Serverless collection. Refer to Creating and managing Amazon OpenSearch Serverless collections to learn more about creating a collection. Additionally, you must have the correct AWS Identity and Access Management (IAM) permissions for configuring SAML authentication, along with the relevant IAM permissions for configuring the data access policy.

IAM Identity Center should be enabled, and you should have the relevant IAM permissions to create an application in IAM Identity Center and to create and manage users and groups.

Create and configure the application in IAM Identity Center

To set up your application in IAM Identity Center, complete the following steps:

  1. On the IAM Identity Center dashboard, choose Applications in the navigation pane.
  2. Choose Add application.
  3. For Custom application, select Add custom SAML 2.0 application.
  4. Choose Next.
  5. Under Configure application, enter a name and description for the application.
  6. Under IAM Identity Center metadata, choose Download under IAM Identity Center SAML metadata file.

We use this metadata file to create a SAML provider in OpenSearch Serverless. It contains the public certificate used to verify the signature of the IAM Identity Center SAML assertions.

  7. Under Application properties, leave Application start URL and Relay state blank.
  8. For Session duration, choose 1 hour (the default value).

Note that the session duration you configure in this step takes precedence over the OpenSearch Dashboards timeout setting specified in the SAML provider details on the OpenSearch Serverless side.

  9. Under Application metadata, select Manually type your metadata values.
  10. For Application ACS URL, enter your URL using the format https://collection.<REGION> For example, we enter for this post.
  11. For Application SAML audience, enter your service provider in the format aws:opensearch:<aws account id>.
  12. Choose Submit.

Now you modify the attribute settings. The attribute mappings you configure here become part of the SAML assertion that is sent to the application.

  13. On the Actions menu, choose Edit attribute mappings.
  14. Configure Subject to map to ${user:email}, with the format unspecified.

Using ${user:email} here ensures that the email address of the user in IAM Identity Center is passed in the <NameId> tag of the SAML response.

  15. Choose Save changes.

Now we assign a user to the application.

  16. Create a user in IAM Identity Center to use to log in to OpenSearch Dashboards.

Alternatively, you can use an existing user.

  17. On the IAM Identity Center console, navigate to your application, choose Assign Users, and select the user(s) you want to assign.

You have now created a custom SAML application. Next, you configure the SAML provider in OpenSearch Serverless.
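When testing the login, it helps to confirm that the attribute mappings above actually produce what OpenSearch Serverless expects: the user's email in the NameID, the audience aws:opensearch:<account id>, and (later in this post) a group attribute. The following is an added example, not code from the AWS post, that reads those fields out of a SAML response captured during a test login (for instance with a browser SAML tracer extension). The response embedded in it is constructed for this example; the issuer URL, email address, account ID and group ID are placeholders.

```python
"""Inspect a SAML response for the NameID, audience and group attribute values.

Added example, not part of the AWS post. Checks that the IAM Identity Center
attribute mappings described in the post produce the fields OpenSearch
Serverless matches on. The response below is constructed for this example;
issuer, email, account ID and group ID are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (unsigned, trimmed to the elements that matter here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test-user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>aws:opensearch:123456789012</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="group">
        <saml:AttributeValue>a1b2c3d4-0000-1111-2222-333344445555</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_assertion(xml_text, group_attribute="group"):
    """Return the NameID, audience(s) and group values carried by the assertion.

    This only reads fields; the XML signature must be verified against the IdP
    certificate from the metadata file separately. For XML from an untrusted
    source, parse with defusedxml rather than ElementTree.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            groups.extend(v.text for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": audiences,
        "groups": groups,
    }


def check_for_opensearch_serverless(info, account_id):
    """Return a list of findings; an empty list means the assertion matches the post's setup."""
    problems = []
    if not info["name_id"] or "@" not in info["name_id"]:
        problems.append("NameID is not an email address; check the Subject -> ${user:email} mapping")
    if f"aws:opensearch:{account_id}" not in info["audiences"]:
        problems.append("audience does not match aws:opensearch:<account id>")
    if not info["groups"]:
        problems.append("no group attribute; group/<GroupId> principals will not match")
    return problems


if __name__ == "__main__":
    details = inspect_assertion(SAMPLE_RESPONSE)
    print(details)
    print(check_for_opensearch_serverless(details, "123456789012") or "assertion looks consistent")
```

If the login succeeds at the IdP but Dashboards still denies access, the NameID value and the group values this prints are exactly the strings that must appear in the data access policy principals (user/<email> and group/<GroupId>).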

Create a SAML provider

The SAML provider you create in this step can be assigned to any collection in the same Region. Complete the following steps:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose SAML authentication under Security.
  2. Choose Create SAML provider.
  3. Enter a name and description for your SAML provider.
  4. Enter the metadata from your IdP that you downloaded earlier.
  5. Under Additional settings, you can optionally add custom user ID and group attributes. We leave these settings blank for now.
  6. Choose Create a SAML provider.

You have now configured a SAML provider for OpenSearch Serverless. Next, we walk you through configuring the data access policy for accessing collections.

Create the data access policy

In this section, you set up data access policies for OpenSearch Serverless and allow access to the users. Complete the following steps:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Data access policies under Security.
  2. Choose Create access policy.
  3. Enter a name and description for your access policy.
  4. For Policy definition method, select Visual Editor.
  5. In the Rules section, enter a rule name.
  6. Under Select principals, for Add principals, choose SAML users and groups.
  7. For SAML provider name, choose the SAML provider you created earlier.
  8. Specify the user in the format user/<email> (for example, user/test

The value of the email address should match the email address in IAM Identity Center.

  9. Choose Save.
  10. Choose Grant and specify the permissions.

You can configure what access you want to provide for the specific user at the collection level and for specific indexes at the index pattern level.

You should select the access the user needs based on the least privilege model. Refer to Supported policy permissions and Supported OpenSearch API operations and permissions to set up more granular access for your users.

  11. Choose Save and configure any additional rules, if required.

Now you can review and edit your configuration if needed.

  12. Choose Create to create the data access policy.

Now you have the data access policy that will allow the users to perform the allowed actions on OpenSearch Dashboards.

Access OpenSearch Dashboards

To sign in to OpenSearch Dashboards, complete the following steps:

  1. On the OpenSearch Service dashboard, under Serverless in the navigation pane, choose Dashboard.
  2. Locate your dashboard and copy the OpenSearch Dashboards URL (in the format <collection-endpoint>/_dashboards).
  3. Enter this URL in a new browser tab.
  4. On the OpenSearch login page, choose your IdP and specify your SSO credentials.
  5. Choose Login.

Configure SAML authentication using groups in IAM Identity Center

Groups can help you organize your users and permissions in a coherent way. With groups, you can add multiple users from the IdP, and then use the group ID as the identifier in the data access policy. For more information, refer to Add groups and Add users to groups.

To configure group access to OpenSearch Dashboards, complete the following steps:

  1. On the IAM Identity Center console, navigate to your application.
  2. In the Attribute mappings section, add an additional attribute named group and map it to ${user:groups}, with the format unspecified.
  3. Choose Save changes.
  4. For the SAML provider in OpenSearch Serverless, under Additional settings, for Group attribute, enter group.
  5. For the data access policy, create a new rule or add an additional principal in the previous rule.
  6. Choose the SAML provider name and enter group/<GroupId>.

You can fetch the value for the group ID by navigating to the Groups section on the IAM Identity Center console.
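The Visual Editor used in the data access policy section above, and the group principal added in this section, both end up as a JSON policy document. The following is an added example, not code from the AWS post, that builds that document for a user and a group principal and checks it against a small read-only permission allowlist before you save it, which is one way to apply the least privilege model the post recommends. The account ID, provider name, collection name, email address and group ID are placeholders; the saml/<account-id>/<provider-name>/user/<id> and .../group/<id> principal format and the aoss: permission names are the ones documented for OpenSearch Serverless data access policies.

```python
"""Author an OpenSearch Serverless data access policy for SAML principals.

Added example, not code from the AWS post. Builds the JSON the console's
Visual Editor produces for the user and group rules in the post and flags
permissions outside a read-only allowlist. All identifiers are placeholders.
"""
import json

# Permissions a read-only Dashboards user needs; anything outside these sets is flagged.
READ_ONLY_COLLECTION_PERMISSIONS = {"aoss:DescribeCollectionItems"}
READ_ONLY_INDEX_PERMISSIONS = {"aoss:DescribeIndex", "aoss:ReadDocument"}


def saml_principal(account_id, provider_name, kind, identifier):
    """Format a SAML principal: kind is 'user' (email) or 'group' (IAM Identity Center group ID)."""
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    return f"saml/{account_id}/{provider_name}/{kind}/{identifier}"


def build_data_access_policy(collection, principals, index_patterns=("*",),
                             collection_permissions=None, index_permissions=None):
    """Return the policy document (a list with one rule block) as Python objects."""
    return [
        {
            "Description": f"SAML access to collection {collection}",
            "Rules": [
                {
                    "ResourceType": "collection",
                    "Resource": [f"collection/{collection}"],
                    "Permission": sorted(collection_permissions or READ_ONLY_COLLECTION_PERMISSIONS),
                },
                {
                    "ResourceType": "index",
                    "Resource": [f"index/{collection}/{p}" for p in index_patterns],
                    "Permission": sorted(index_permissions or READ_ONLY_INDEX_PERMISSIONS),
                },
            ],
            "Principal": list(principals),
        }
    ]


def least_privilege_findings(policy):
    """Flag wildcard or write permissions in a policy meant to be read-only, and malformed principals."""
    findings = []
    for block in policy:
        for rule in block["Rules"]:
            allowed = (READ_ONLY_COLLECTION_PERMISSIONS if rule["ResourceType"] == "collection"
                       else READ_ONLY_INDEX_PERMISSIONS)
            for perm in rule["Permission"]:
                if perm.endswith("*") or perm not in allowed:
                    findings.append(f"{rule['ResourceType']} rule grants {perm}")
        for principal in block["Principal"]:
            # Expected shape: saml/<account-id>/<provider-name>/<user|group>/<id>
            if not principal.startswith("saml/") or principal.count("/") != 4:
                findings.append(f"unexpected principal format: {principal}")
    return findings


if __name__ == "__main__":
    principals = [
        saml_principal("123456789012", "my-idc-provider", "user", "test-user@example.com"),
        saml_principal("123456789012", "my-idc-provider", "group", "a1b2c3d4-0000-1111-2222-333344445555"),
    ]
    policy = build_data_access_policy("my-collection", principals, index_patterns=("logs-*",))
    print(json.dumps(policy, indent=2))
    print(least_privilege_findings(policy) or "policy is within the read-only allowlist")
    # Save the printed JSON as policy.json and create the policy with the AWS CLI:
    #   aws opensearchserverless create-access-policy --name my-policy --type data --policy file://policy.json
```

The JSON printed here can be pasted into the console's JSON editor in place of the Visual Editor, or passed to the AWS CLI as shown in the closing comment; the allowlist is deliberately narrow, so widen it per rule only when a user genuinely needs to write or manage indexes.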

Clean up

If you don't want to continue using the solution, be sure to delete the resources you created:

  1. On the IAM Identity Center console, remove the application.
  2. On OpenSearch Dashboards, delete the following resources:
    1. Delete your collection.
    2. Delete the data access policy.
    3. Delete the SAML provider.


In this post, you learned how to set up IAM Identity Center as an IdP to access OpenSearch Dashboards using SAML as SSO. You also learned how to set up users and groups within IAM Identity Center and control the access of users and groups to OpenSearch Dashboards. For more details, refer to SAML authentication for Amazon OpenSearch Serverless.

Stay tuned for a series of posts focusing on the various options available for you to build effective log analytics and search solutions using OpenSearch Serverless. You can also refer to the Getting started with Amazon OpenSearch Serverless workshop to learn more about OpenSearch Serverless.

If you have feedback about this post, submit it in the comments section. If you have questions about this post, start a new thread on the OpenSearch Service forum or contact AWS Support.

About the Authors

Utkarsh Agarwal is a Cloud Support Engineer in the Support Engineering team at Amazon Web Services. He specializes in Amazon OpenSearch Service. He provides guidance and technical assistance to customers, enabling them to build scalable, highly available and secure solutions in the AWS Cloud. In his free time, he enjoys watching movies, TV series and of course cricket! Lately, he is also trying to master the art of cooking in his free time – the taste buds are excited, but the kitchen might disagree.

Ravi Bhatane is a software engineer with Amazon OpenSearch Serverless Service. He is passionate about security, distributed systems, and building scalable services. When he is not coding, Ravi enjoys photography and exploring new hiking trails with his friends.

Prashant Agrawal is a Sr. Search Specialist Solutions Architect with Amazon OpenSearch Service. He works closely with customers to help them migrate their workloads to the cloud and helps existing customers fine-tune their clusters to achieve better performance and save on cost. Before joining AWS, he helped various customers use OpenSearch and Elasticsearch for their search and log analytics use cases. When not working, you can find him traveling and exploring new places. In short, he likes doing Eat → Travel → Repeat.

