Configure SAML federation with Amazon OpenSearch Serverless and Keycloak

Amazon OpenSearch Serverless is a serverless option for Amazon OpenSearch Service, a fully managed open-source search and analytics platform. With Amazon OpenSearch Service you can run petabyte-scale search and analytics workloads without the heavy lifting of managing the underlying OpenSearch clusters, and Amazon OpenSearch Serverless supports workloads of up to 30 TB of data for time-series collections. Amazon OpenSearch Serverless provides an installation of OpenSearch Dashboards with every collection created.

The network configuration for an OpenSearch Serverless collection controls how the collection can be accessed over the network. You have the option to make the collection publicly accessible over the internet from any network, or to restrict access to the collection privately through OpenSearch Serverless-managed virtual private cloud (VPC) endpoints. This network access setting can be defined separately for the collection's OpenSearch endpoint (used for data operations) and its corresponding OpenSearch Dashboards endpoint (used for visualizing and analyzing data). In this post, we work with a publicly accessible OpenSearch Serverless collection.

SAML lets users access multiple applications or services with a single set of credentials, eliminating the need for separate logins for each application or service. This improves the user experience and reduces the overhead of managing multiple credentials. OpenSearch Serverless offers SAML authentication, so you can use your existing identity provider (IdP) to provide single sign-on (SSO) for the OpenSearch Dashboards endpoints of serverless collections. OpenSearch Serverless supports IdPs that adhere to the SAML 2.0 standard, including services like AWS IAM Identity Center, Okta, Keycloak, Active Directory Federation Services (AD FS), and Auth0. This SAML authentication mechanism is solely meant for accessing the OpenSearch Dashboards interface through a web browser; the collection's OpenSearch endpoint for data operations continues to authenticate callers with IAM.

In this post, we show you how to configure SAML authentication for controlling access to public OpenSearch Dashboards using Keycloak as an IdP.

Solution overview

The following diagram illustrates a sample architecture of a solution that allows users to authenticate to OpenSearch Dashboards using SSO with Keycloak.


The sign-in flow consists of the following steps:

  1. A user accesses OpenSearch Dashboards in a browser and chooses an IdP from the list.
  2. OpenSearch Serverless generates a SAML authentication request.
  3. OpenSearch Serverless redirects the request back to the browser.
  4. The browser redirects the user to the chosen IdP (Keycloak). Keycloak provides a login page, where the user enters their credentials.
  5. If authentication was successful, Keycloak returns the SAML response to the browser.
  6. The browser posts the SAML assertion back to OpenSearch Serverless (to its assertion consumer service endpoint).
  7. OpenSearch Serverless validates the SAML assertion and logs the user in to OpenSearch Dashboards.
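Step 7 is where the security of the whole flow is decided. The following Python is an added example, not code from the post or from OpenSearch Serverless: it runs the checks a service provider must make on a SAML Response (destination, InResponseTo, status, validity window, audience, subject confirmation) over a constructed, unsigned Response. The account ID, Region and Keycloak realm URL are hypothetical; the entity ID and ACS URL patterns follow the OpenSearch Serverless SAML documentation. The XML signature check is deliberately left out: a real SP verifies the XML-DSig against the certificate in the IdP metadata before any of these checks.

```python
"""Checks a service provider performs on a SAML Response before trusting it.

Added example (not from the blog post or OpenSearch Serverless). Signature
verification is omitted on purpose; everything else below is what stops
replayed, redirected and mis-audienced assertions.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical account and Region; entity ID and ACS URL follow the patterns
# prescribed by the OpenSearch Serverless SAML documentation.
ACCOUNT_ID = "123456789012"
REGION = "eu-central-1"
SP_ENTITY_ID = f"aws:opensearch:{ACCOUNT_ID}"
ACS_URL = f"https://collection.{REGION}.aoss.amazonaws.com/_saml/acs"
CLOCK_SKEW = dt.timedelta(seconds=60)


def _ts(value):
    """Parse a SAML xsd:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)


def validate_response(xml_text, expected_request_id, now):
    """Return (name_id, groups) if every check passes; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination and InResponseTo bind the Response to *our* ACS endpoint and
    # to an AuthnRequest we issued in step 2: no replay into another SP, no
    # unsolicited responses.
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions unsupported)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    # Validity window, with a small tolerance for IdP/SP clock skew.
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    # Audience must be our entity ID: an assertion minted for another client
    # of the same realm must not log anyone in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"audience {audiences} is not {SP_ENTITY_ID}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("SubjectConfirmationData Recipient is not our ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData InResponseTo mismatch")
    if now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmation expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text
              for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == "groups"
              for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, groups


# Constructed sample Response (not captured from Keycloak), left unsigned.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="{ACS_URL}" InResponseTo="_req42">
  <saml:Issuer>https://keycloak.example.com/realms/demo</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://keycloak.example.com/realms/demo</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req42"
            NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>analysts</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    now = dt.datetime(2024, 5, 1, 10, 1, tzinfo=dt.timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, "_req42", now))  # ('alice', ['analysts'])
```

The same Response is rejected if the audience names a different account, if its InResponseTo does not match the request the SP issued, or if it is presented after NotOnOrAfter; that is why the Keycloak client ID in the next section has to be exactly aws:opensearch:AWS_ACCOUNT_ID.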

Prerequisites

To get started, you should have the following prerequisites:

  1. An active OpenSearch Serverless collection
  2. A working Keycloak server (on premises or in the cloud)
  3. The following AWS Identity and Access Management (IAM) permissions to configure SAML authentication in OpenSearch Serverless:
    • aoss:CreateSecurityConfig – Create a SAML provider.
    • aoss:ListSecurityConfigs – List all SAML providers in the current account.
    • aoss:GetSecurityConfig – View SAML provider information.
    • aoss:UpdateSecurityConfig – Modify a given SAML provider configuration, including the XML metadata.
    • aoss:DeleteSecurityConfig – Delete a SAML provider.

Create and configure a client in Keycloak

Complete the following steps to create your Keycloak client:

  1. Log in to your Keycloak admin console.
  2. In the navigation pane, choose Clients.
  3. Choose Create client.
  4. For Client type, choose SAML.
  5. For Client ID, enter aws:opensearch:AWS_ACCOUNT_ID, where AWS_ACCOUNT_ID is your AWS account ID. This is the service provider entity ID that OpenSearch Serverless expects in the assertion's audience, so it must match exactly.
  6. Enter a name and description for your client.
  7. Choose Next.
  8. For Valid redirect URIs, enter the address of the assertion consumer service (ACS), https://collection.REGION.aoss.amazonaws.com/_saml/acs, where REGION is the AWS Region in which you created the OpenSearch Serverless collection. Enter only this exact URL; a wildcard here would allow a SAML response to be delivered to any matching host.
  9. For Master SAML Processing URL, also enter the preceding ACS address.
  10. Complete your client creation.
  11. After you create the client, you have to disable the Client signature required setting under Signing keys config (on the client's Keys tab), because OpenSearch Serverless does not support signed or encrypted requests. For more details, refer to Considerations. Leave assertion signing (the Keycloak default) enabled; the IdP's signature on the assertion is what OpenSearch Serverless verifies against the certificate in the realm metadata.
  12. After you have created the client and disabled the client signature requirement, you can export the SAML 2.0 IdP Metadata by choosing the link on the Realm settings page. You need this metadata when you create the SAML provider in OpenSearch Serverless.
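The same client can be created from a JSON representation and imported with the Keycloak admin CLI (kcadm.sh create clients -r REALM -f client.json), which is easier to review and reproduce than clicking through the console. The Python below is an added example, not code from the post or from Keycloak: it builds the representation equivalent to steps 1 to 11 and checks the settings that matter for security (exact ACS as the only redirect URI, client signature off, assertion signing on, encryption off). The account ID and Region are hypothetical. The attribute keys and the adminUrl mapping for the Master SAML Processing URL are the ones Keycloak writes when you export a SAML client as JSON; the optional group mapper and its config keys are an assumption for Keycloak's "Group list" mapper, so export a console-created client from your own version and compare before relying on them.

```python
"""Keycloak SAML client representation for OpenSearch Serverless, plus a
sanity check of the settings that matter for security.

Added example, not from the blog post or from Keycloak. Attribute keys are
those of Keycloak's JSON client export; the ACS URL pattern follows the
OpenSearch Serverless SAML documentation.
"""
import json


def acs_url(region):
    """Assertion consumer service URL for collections in the given Region."""
    return f"https://collection.{region}.aoss.amazonaws.com/_saml/acs"


def keycloak_saml_client(account_id, region, name="OpenSearch Serverless"):
    """Client representation equivalent to steps 1-11 of the procedure."""
    acs = acs_url(region)
    return {
        "clientId": f"aws:opensearch:{account_id}",  # SP entity ID (step 5)
        "name": name,
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs],                        # exact ACS only (step 8)
        "adminUrl": acs,                              # Master SAML Processing URL (step 9)
        "attributes": {
            "saml_assertion_consumer_url_post": acs,
            "saml.force.post.binding": "true",        # Response is POSTed to the ACS
            "saml.client.signature": "false",         # step 11: the SP cannot sign AuthnRequests
            "saml.assertion.signature": "true",       # keep the IdP signature on the assertion
            "saml.server.signature": "true",
            "saml.encrypt": "false",                  # encrypted assertions are unsupported
            "saml_name_id_format": "username",        # NameID becomes user/USERNAME in policies
            "saml.authnstatement": "true",
        },
        # Optional (assumed mapper config keys): emit realm group names in a
        # "groups" attribute so data access policies can use group/GROUPNAME.
        "protocolMappers": [{
            "name": "groups",
            "protocol": "saml",
            "protocolMapper": "saml-group-membership-mapper",
            "config": {"attribute.name": "groups", "single": "true",
                       "full.path": "false", "attribute.nameformat": "Basic"},
        }],
    }


def check_client(rep, region):
    """Return a list of findings; an empty list means the client is as intended."""
    findings = []
    attrs = rep.get("attributes", {})
    if rep.get("protocol") != "saml":
        findings.append("protocol is not saml")
    if not rep.get("clientId", "").startswith("aws:opensearch:"):
        findings.append("clientId is not the aws:opensearch:<account-id> entity ID")
    if rep.get("redirectUris") != [acs_url(region)]:
        findings.append("redirectUris must be exactly the ACS URL (no wildcards, no extras)")
    if attrs.get("saml.client.signature") != "false":
        findings.append("Client signature required is on; OpenSearch Serverless cannot sign requests")
    if attrs.get("saml.assertion.signature") != "true":
        findings.append("assertion signing is off; the SP cannot verify the assertion")
    if attrs.get("saml.encrypt") == "true":
        findings.append("assertion encryption is on, which OpenSearch Serverless does not support")
    return findings


if __name__ == "__main__":
    client = keycloak_saml_client("123456789012", "eu-central-1")  # hypothetical values
    print(json.dumps(client, indent=2))
    print(check_client(client, "eu-central-1"))  # []
```

Running check_client against a client exported from an existing realm is a quick way to catch the two mistakes that most often break or weaken this setup: a wildcard or extra redirect URI, and a client that still requires signed requests.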

Create a SAML provider

When your OpenSearch Serverless collection is active, you can create a SAML provider. This SAML provider can be assigned to any collection in the same Region. Complete the following steps:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose SAML authentication under Security.
  2. Choose Create SAML provider.
  3. Enter a name and description for your SAML provider.
  4. Enter the IdP metadata you downloaded earlier from Keycloak.
  5. Under Additional settings, you can optionally add custom user ID and group attributes (for this example, we leave this empty).
  6. Choose Create a SAML provider.

You have now configured a SAML provider for OpenSearch Serverless. Next, you configure the data access policy for accessing collections.

Create a data access policy

After you have configured the SAML provider, you have to create data access policies for OpenSearch Serverless to allow access to the users. Authentication through the SAML provider on its own grants no access to data; the data access policy is what authorizes a federated user or group on a collection.

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Data access policies under Security.
  2. Choose Create access policy.
  3. Enter a name and optional description for your access policy.
  4. For Policy definition method, select Visual editor.
  5. For Rule name, enter a name.
  6. Under Select principals, for Add principals, choose SAML users and groups.
  7. For SAML provider name, choose the provider you created before.
  8. Choose Save.
  9. Specify the user or group in the format user/USERNAME or group/GROUPNAME. The value of USERNAME or GROUPNAME must match the value Keycloak sends in the assertion for the user name (the NameID) or the group attribute.
  10. Choose Save.
  11. Choose Grant to grant permissions to resources.
  12. In the Grant resources and permissions section, you can specify the access you want to provide for a given user at the collection level, and also at the index pattern level.
    For more information about how to set up more granular access for your users, refer to Supported OpenSearch API operations and permissions and Supported policy permissions.
  13. Choose Save.
  14. You can create more rules if needed.
  15. Choose Create to create the data access policy.

Now you have a data access policy that allows users to access OpenSearch Dashboards and perform the allowed actions there.
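Both console procedures above, creating the SAML provider and creating the data access policy, can be done from code, which also makes the principal and permission strings explicit. The Python below is an added example, not code from the post: data_access_policy builds a least-privilege (read-only) policy document for one collection, and provision() creates the SAML provider with create_security_config and the policy with create_access_policy through boto3. The account ID, provider name, collection name and principals are hypothetical; the principal syntax saml/ACCOUNT_ID/PROVIDER_NAME/user/USERNAME (or group/GROUPNAME) and the aoss permission names are those documented for OpenSearch Serverless data access policies. Only provision() calls AWS; the rest runs offline.

```python
"""Provision the SAML provider (security config) and a least-privilege data
access policy for federated users with boto3.

Added example, not code from the blog post. Names and IDs are hypothetical.
"""
import json
import re

# Read-only grants: enough to browse indexes and run queries in Dashboards.
READ_ONLY = {
    "collection": ["aoss:DescribeCollectionItems"],
    "index": ["aoss:DescribeIndex", "aoss:ReadDocument"],
}
# SAML principal syntax in data access policies; the provider name is the
# security config name, user/group comes from the assertion.
PRINCIPAL_RE = re.compile(r"^saml/\d{12}/[a-z][a-z0-9-]*/(user|group)/[^/]+$")


def saml_principal(account_id, provider_name, kind, name):
    p = f"saml/{account_id}/{provider_name}/{kind}/{name}"
    if kind not in ("user", "group") or not PRINCIPAL_RE.match(p):
        raise ValueError(f"malformed principal: {p}")
    return p


def data_access_policy(account_id, provider_name, collection, users=(), groups=(),
                       grants=READ_ONLY):
    """Build the policy document (a list of rule sets) for one collection."""
    principals = [saml_principal(account_id, provider_name, "user", u) for u in users]
    principals += [saml_principal(account_id, provider_name, "group", g) for g in groups]
    if not principals:
        raise ValueError("a rule set needs at least one principal")
    return [{
        "Description": f"SAML users/groups from {provider_name} on {collection}",
        "Rules": [
            {"ResourceType": "collection",
             "Resource": [f"collection/{collection}"],
             "Permission": list(grants["collection"])},
            {"ResourceType": "index",
             "Resource": [f"index/{collection}/*"],
             "Permission": list(grants["index"])},
        ],
        "Principal": principals,
    }]


def provision(provider_name, metadata_xml, policy_name, policy_doc, region,
              session_timeout_minutes=60, group_attribute=None):
    """Create the SAML provider and the data access policy (this calls AWS)."""
    import boto3  # imported here so the offline parts of this file run without it
    aoss = boto3.client("opensearchserverless", region_name=region)
    saml_options = {"metadata": metadata_xml, "sessionTimeout": session_timeout_minutes}
    if group_attribute:  # must name the attribute the IdP emits, e.g. "groups"
        saml_options["groupAttribute"] = group_attribute
    cfg = aoss.create_security_config(
        name=provider_name, type="saml",
        description="Keycloak realm metadata", samlOptions=saml_options,
    )
    pol = aoss.create_access_policy(
        name=policy_name, type="data",
        description="Dashboards access for federated users",
        policy=json.dumps(policy_doc),
    )
    return cfg["securityConfigDetail"]["id"], pol["accessPolicyDetail"]["name"]


if __name__ == "__main__":
    doc = data_access_policy("123456789012", "keycloak-demo", "logs",
                             users=["alice"], groups=["analysts"])
    print(json.dumps(doc, indent=2))
    # with open("keycloak-metadata.xml") as f:
    #     provision("keycloak-demo", f.read(), "logs-saml-readers", doc,
    #               "eu-central-1", group_attribute="groups")
```

Keep the grants as narrow as the example does unless users actually need to write: aoss:ReadDocument and aoss:DescribeIndex are enough for querying and visualizing, and a group principal lets you manage membership in Keycloak instead of editing the policy per user.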

Access OpenSearch Dashboards

Complete the following steps to sign in to OpenSearch Dashboards:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Dashboard.
  2. In the Collections section, locate your collection and choose Dashboard.

    The OpenSearch login page opens in a new browser tab.
  3. Choose your IdP from the dropdown menu and choose Login.

    You are redirected to the Keycloak sign-in page.
  4. Log in with your SSO credentials.

After a successful login, you are redirected to OpenSearch Dashboards, where you can perform the actions allowed by the data access policy.

You have successfully federated OpenSearch Dashboards with Keycloak as an IdP.

Cleaning up

When you're done with this solution, delete the resources you created if you no longer need them.

  1. Delete your OpenSearch Serverless collection.
  2. Delete your data access policy.
  3. Delete the SAML provider.

Conclusion

In this post, we demonstrated how to set up Keycloak as an IdP to access an OpenSearch Serverless dashboard using SAML authentication. For more details, refer to SAML authentication for Amazon OpenSearch Serverless.


About the Author

Arpad Csoke is a Solutions Architect at Amazon Web Services. His responsibilities include helping large enterprise customers understand and utilize the AWS environment, acting as a technical consultant to contribute to solving their issues.
