
Amazon OpenSearch Serverless is a serverless option for Amazon OpenSearch Service, a fully managed open source search and analytics platform. With Amazon OpenSearch Service you can run petabyte-scale search and analytics workloads without the heavy lifting of managing the underlying OpenSearch Service clusters, and Amazon OpenSearch Serverless supports workloads of up to 30 TB of data for time-series collections. Amazon OpenSearch Serverless provides an installation of OpenSearch Dashboards with every collection created.
The network configuration for an OpenSearch Serverless collection controls how the collection can be accessed over the network. You have the option to make the collection publicly accessible over the internet from any network, or to restrict access to the collection privately through OpenSearch Serverless-managed virtual private cloud (VPC) endpoints. This network access setting can be defined separately for the collection's OpenSearch endpoint (used for data operations) and its corresponding OpenSearch Dashboards endpoint (used for visualizing and analyzing data). In this post, we work with a publicly accessible OpenSearch Serverless collection.
SAML enables users to access multiple applications or services with a single set of credentials, eliminating the need for separate logins for each application or service. This improves the user experience and reduces the overhead of managing multiple credentials. We provide SAML authentication for OpenSearch Serverless. With this, you can use your existing identity provider (IdP) to provide single sign-on (SSO) for the OpenSearch Dashboards endpoints of serverless collections. OpenSearch Serverless supports IdPs that adhere to the SAML 2.0 standard, including services like AWS IAM Identity Center, Okta, Keycloak, Active Directory Federation Services (AD FS), and Auth0. This SAML authentication mechanism is solely intended for accessing the OpenSearch Dashboards interface through a web browser.
In this post, we show you how to configure SAML authentication for controlling access to public OpenSearch Dashboards using Keycloak as an IdP.
Solution overview
The following diagram illustrates a sample architecture of a solution that allows users to authenticate to OpenSearch Dashboards using SSO with Keycloak.
The sign-in flow includes the following steps:
- A user accesses OpenSearch Dashboards in a browser and chooses an IdP from the list.
- OpenSearch Serverless generates a SAML authentication request.
- OpenSearch Service redirects the request back to the browser.
- The browser redirects the user to the chosen IdP (Keycloak). Keycloak provides a login page, where users can enter their login credentials.
- If authentication was successful, Keycloak returns the SAML response to the browser.
- The SAML assertion is sent back to OpenSearch Serverless.
- OpenSearch Serverless validates the SAML assertion and logs the user in to OpenSearch Dashboards.
Prerequisites
To get started, you must have the following prerequisites:
- An active OpenSearch Serverless collection
- A working Keycloak server (on premises or in the cloud)
- The following AWS Identity and Access Management (IAM) permissions to configure SAML authentication in OpenSearch Serverless:
  - aoss:CreateSecurityConfig – Create a SAML provider.
  - aoss:ListSecurityConfig – List all SAML providers in the current account.
  - aoss:GetSecurityConfig – View SAML provider information.
  - aoss:UpdateSecurityConfig – Modify a given SAML provider configuration, including the XML metadata.
  - aoss:DeleteSecurityConfig – Delete a SAML provider.
Create and configure a client in Keycloak
Complete the following steps to create your Keycloak client:
- Log in to your Keycloak admin page.
- In the navigation pane, choose Clients.
- Choose Create client.
- For Client type, choose SAML.
- For Client ID, enter aws:opensearch:AWS_ACCOUNT_ID, where AWS_ACCOUNT_ID is your AWS account ID.
- Enter a name and description for your client.
- Choose Next.
- For Valid redirect URIs, enter the address of the assertion consumer service (ACS) for your collection. The ACS address contains a REGION placeholder, where REGION is the AWS Region in which you created the OpenSearch Serverless collection.
- For Master SAML Processing URL, also enter the preceding ACS address.
- Complete your client creation.
- After you create the client, you must disable the Signing keys config setting, because OpenSearch Serverless does not support signed and encrypted requests. For more details, refer to Considerations.
- After you have created the client and disabled the client signature, you can export the SAML 2.0 IdP Metadata by choosing the link on the Realm settings page. You need this metadata when you create the SAML provider in OpenSearch Serverless.
Create a SAML provider
When your OpenSearch Serverless collection is active, you can create a SAML provider. This SAML provider can be assigned to any collection in the same Region. Complete the following steps:
- On the OpenSearch Service console, under Serverless in the navigation pane, choose SAML authentication under Security.
- Choose Create SAML provider.
- Enter a name and description for your SAML provider.
- Enter the IdP metadata you downloaded earlier from Keycloak.
- Under Additional settings, you can optionally add custom user ID and group attributes (for this example, we leave this empty).
- Choose Create a SAML provider.
You have now configured a SAML provider for OpenSearch Serverless. Next, you configure the data access policy for accessing collections.
Create a data access policy
After you have configured the SAML provider, you must create data access policies for OpenSearch Serverless to allow access to the users.
- On the OpenSearch Service console, under Serverless in the navigation pane, choose Data access policies under Security.
- Choose Create access policy.
- Enter a name and optional description for your access policy.
- For Policy definition method, select Visual editor.
- For Rule name, enter a name.
- Under Select principals, for Add principals, choose SAML users and groups.
- For SAML provider name, choose the provider you created before.
- Choose Save.
- Specify the user or group in the format user/USERNAME or group/GROUPNAME. The value of USERNAME or GROUPNAME should match the user or group name you specified in Keycloak.
- Choose Save.
- Choose Grant to grant permissions to resources.
- In the Grant resources and permissions section, you can specify the access you want to provide for a given user at the collection level, and also at the index pattern level.
For more information about how to set up more granular access for your users, refer to Supported OpenSearch API operations and permissions and Supported policy permissions.
- Choose Save.
- You can create more rules if needed.
- Choose Create to create the data access policy.
Now you have a data access policy that allows users to access OpenSearch Dashboards and perform the allowed actions there.
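The two console procedures above (creating the SAML provider and the data access policy) can also be scripted. The following is an added example using boto3, not code from the original post; the account ID, Region, provider name, collection name, user and group names are constructed placeholders, and the 60-minute session timeout is an assumed value. The principal strings it builds use the saml/ACCOUNT_ID/PROVIDER_NAME/user/USERNAME and .../group/GROUPNAME form that the console's user/USERNAME and group/GROUPNAME entries expand to, and the builder rejects malformed principals before anything is sent to AWS.

```python
"""Create an OpenSearch Serverless SAML provider and a data access policy with boto3.

Added example; not code from the original post. The account ID, Region,
provider name, collection name and principal names are constructed placeholders.
"""
import json
import re
import sys

# Constructed placeholder values; replace them with your own.
AWS_ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
PROVIDER_NAME = "keycloak-idp"       # name of the SAML provider (security config)
COLLECTION_NAME = "my-collection"

# A SAML principal in a data access policy has the shape
#   saml/<account-id>/<provider-name>/user/<username>
#   saml/<account-id>/<provider-name>/group/<groupname>
# The <username> or <groupname> part must match the value Keycloak sends.
PRINCIPAL_RE = re.compile(r"^saml/\d{12}/[a-z0-9-]+/(user|group)/[^/]+$")


def saml_principal(account_id: str, provider: str, kind: str, name: str) -> str:
    """Build one SAML principal string and reject malformed input early."""
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    principal = f"saml/{account_id}/{provider}/{kind}/{name}"
    if not PRINCIPAL_RE.match(principal):
        raise ValueError(f"malformed principal: {principal}")
    return principal


def is_valid_principal(principal: str) -> bool:
    """True when the string matches the SAML principal shape above."""
    return PRINCIPAL_RE.match(principal) is not None


def build_data_access_policy(account_id, provider, collection, users=(), groups=()):
    """Return the data access policy document as a list of rule groups.

    The collection rule only allows describing collection items; the index
    rule allows reading and writing documents in every index of the collection.
    Narrow the index pattern when users need only a subset of the indexes.
    """
    principals = [saml_principal(account_id, provider, "user", u) for u in users]
    principals += [saml_principal(account_id, provider, "group", g) for g in groups]
    if not principals:
        raise ValueError("at least one SAML user or group is required")
    return [
        {
            "Description": "Keycloak SSO principals: read/write documents",
            "Rules": [
                {
                    "ResourceType": "collection",
                    "Resource": [f"collection/{collection}"],
                    "Permission": ["aoss:DescribeCollectionItems"],
                },
                {
                    "ResourceType": "index",
                    "Resource": [f"index/{collection}/*"],
                    "Permission": [
                        "aoss:DescribeIndex",
                        "aoss:ReadDocument",
                        "aoss:WriteDocument",
                    ],
                },
            ],
            "Principal": principals,
        }
    ]


def create_saml_provider_and_policy(metadata_xml, account_id, region, provider,
                                    collection, users=(), groups=()):
    """Create the SAML provider (security config) and the data access policy.

    Needs boto3 and credentials carrying the aoss:CreateSecurityConfig and
    aoss:CreateAccessPolicy permissions; boto3 is imported here so that the
    policy builders above also run offline.
    """
    import boto3
    aoss = boto3.client("opensearchserverless", region_name=region)
    config = aoss.create_security_config(
        name=provider,
        type="saml",
        description="Keycloak SAML provider",
        # sessionTimeout is the Dashboards session length in minutes (assumed value)
        samlOptions={"metadata": metadata_xml, "sessionTimeout": 60},
    )
    policy = build_data_access_policy(account_id, provider, collection, users, groups)
    access = aoss.create_access_policy(
        name=f"{collection}-saml-access",
        type="data",
        description="Data access for Keycloak SSO principals",
        policy=json.dumps(policy),
    )
    return config["securityConfigDetail"]["id"], access["accessPolicyDetail"]["name"]


if __name__ == "__main__":
    # Usage: python saml_setup.py keycloak-idp-metadata.xml
    with open(sys.argv[1], encoding="utf-8") as f:
        metadata = f.read()
    print(create_saml_provider_and_policy(metadata, AWS_ACCOUNT_ID, REGION, PROVIDER_NAME,
                                          COLLECTION_NAME, users=["alice"], groups=["analysts"]))
```

The metadata file is the SAML 2.0 IdP Metadata exported from the Keycloak realm settings page. Because the data access policy is the only thing standing between an authenticated Dashboards user and the collection's indexes when the collection is publicly accessible, keep the index pattern and permission list as narrow as the users' tasks allow rather than granting every permission on index/COLLECTION/*.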
Access OpenSearch Dashboards
Complete the following steps to sign in to OpenSearch Dashboards:
- On the OpenSearch Service console, under Serverless in the navigation pane, choose Dashboard.
- In the Collections section, locate your collection and choose Dashboard.
The OpenSearch login page opens in a new browser tab.
- Choose your IdP on the dropdown menu and choose Login.
You are redirected to the Keycloak sign-in page.
- Log in with your SSO credentials.
After a successful login, you are redirected to OpenSearch Dashboards, where you can perform the actions allowed by the data access policy.
You have successfully federated OpenSearch Dashboards with Keycloak as an IdP.
Cleaning up
When you're done with this solution, delete the resources you created if you no longer need them.
- Delete your OpenSearch Serverless collection.
- Delete your data access policy.
- Delete the SAML provider.
Conclusion
In this post, we demonstrated how to set up Keycloak as an IdP to access an OpenSearch Serverless dashboard using SAML authentication. For more details, refer to SAML authentication for Amazon OpenSearch Serverless.
About the Author
Arpad Csoke is a Solutions Architect at Amazon Web Services. His responsibilities include helping large enterprise customers understand and utilize the AWS environment, acting as a technical consultant to contribute to solving their issues.