Configure SAML federation with Amazon OpenSearch Serverless and Keycloak


Amazon OpenSearch Serverless is a serverless option for Amazon OpenSearch Service, a fully managed open search and analytics platform. With Amazon OpenSearch Service you can run petabyte-scale search and analytics workloads without the heavy lifting of managing the underlying OpenSearch Service clusters, and Amazon OpenSearch Serverless supports workloads of up to 30 TB of data for time-series collections. Amazon OpenSearch Serverless provides an installation of OpenSearch Dashboards with every collection created.

The network configuration for an OpenSearch Serverless collection controls how the collection can be accessed over the network. You have the option to make the collection publicly accessible over the internet from any network, or to restrict access to the collection only privately through OpenSearch Serverless-managed virtual private cloud (VPC) endpoints. This network access setting can be defined separately for the collection's OpenSearch endpoint (used for data operations) and its corresponding OpenSearch Dashboards endpoint (used for visualizing and analyzing data). In this post, we work with a publicly accessible OpenSearch Serverless collection.

SAML allows users to access multiple applications or services with a single set of credentials, eliminating the need for separate logins for each application or service. This improves the user experience and reduces the overhead of managing multiple credentials. We provide SAML authentication for OpenSearch Serverless. With this you can use your existing identity provider (IdP) to provide single sign-on (SSO) for the OpenSearch Dashboards endpoints of serverless collections. OpenSearch Serverless supports IdPs that adhere to the SAML 2.0 standard, including services like AWS IAM Identity Center, Okta, Keycloak, Active Directory Federation Services (AD FS), and Auth0. This SAML authentication mechanism is solely intended for accessing the OpenSearch Dashboards interface through a web browser.

In this post, we show you how to configure SAML authentication for controlling access to public OpenSearch Dashboards using Keycloak as an IdP.

Solution overview

The following diagram illustrates a sample architecture of a solution that allows users to authenticate to OpenSearch Dashboards using SSO with Keycloak.

[Diagram: Configure SAML federation with Amazon OpenSearch Serverless and Keycloak]

The sign-in flow consists of the following steps:

  1. A user accesses OpenSearch Dashboards in a browser and chooses an IdP from the list.
  2. OpenSearch Serverless generates a SAML authentication request.
  3. OpenSearch Service redirects the request back to the browser.
  4. The browser redirects the user to the chosen IdP (Keycloak). Keycloak provides a login page, where users can enter their login credentials.
  5. If authentication was successful, Keycloak returns the SAML response to the browser.
  6. The SAML assertion is sent back to OpenSearch Serverless.
  7. OpenSearch Serverless validates the SAML assertion and logs the user in to OpenSearch Dashboards.

Prerequisites

To get started, you must have the following prerequisites:

  1. An active OpenSearch Serverless collection
  2. A running Keycloak server (on premises or in the cloud)
  3. The following AWS Identity and Access Management (IAM) permissions to configure SAML authentication in OpenSearch Serverless:
    • aoss:CreateSecurityConfig – Create a SAML provider.
    • aoss:ListSecurityConfig – List all SAML providers in the current account.
    • aoss:GetSecurityConfig – View SAML provider information.
    • aoss:UpdateSecurityConfig – Modify a given SAML provider configuration, including the XML metadata.
    • aoss:DeleteSecurityConfig – Delete a SAML provider.

Create and configure a client in Keycloak

Complete the following steps to create your Keycloak client:

  1. Log in to your Keycloak admin page.
  2. In the navigation pane, choose Clients.
  3. Choose Create client.
  4. For Client type, choose SAML.
  5. For Client ID, enter aws:opensearch:AWS_ACCOUNT_ID, where AWS_ACCOUNT_ID is your AWS account ID.
  6. Enter a name and description for your client.
  7. Choose Next.
  8. For Valid redirect URIs, enter the address of the assertion consumer service (ACS), where REGION is the AWS Region in which you have created the OpenSearch Serverless collection.
  9. For Master SAML Processing URL, also enter the preceding ACS address.
  10. Complete your client creation.
  11. After you create the client, you must disable the Signing keys config setting, because OpenSearch Serverless does not support signed and encrypted requests. For more details, refer to Considerations.
  12. After you have created the client and disabled the client signature, you can export the SAML 2.0 IdP Metadata by choosing the link on the Realm settings page. You need this metadata when you create the SAML provider in OpenSearch Serverless.
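The Keycloak side of the steps above can also be scripted. The following Python example is added to this post and is not part of the original or of Keycloak's own tooling. It builds the SAML client representation that the Keycloak admin REST API accepts (client ID aws:opensearch:ACCOUNT_ID, ACS address as redirect URI and master SAML processing URL, client signature disabled), and it checks the exported IdP metadata for the things OpenSearch Serverless will need before you upload it. Assumptions not stated in the post: the ACS URL format (https://collection.REGION.aoss.amazonaws.com/_saml/acs, as published in the AWS documentation; verify against the current docs), the Keycloak attribute names (saml.client.signature, saml_assertion_consumer_url_post, adminUrl) and the /realms/REALM/protocol/saml/descriptor metadata endpoint, and the placeholder account ID, Region and hostnames.

```python
"""Keycloak side of the federation (added example, not the post's code).

Builds the SAML client representation for POST /admin/realms/{realm}/clients
and sanity-checks the exported SAML 2.0 IdP metadata.
"""
import json
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def acs_url(region: str) -> str:
    """Assertion consumer service URL of OpenSearch Serverless.
    ASSUMPTION: format taken from the AWS documentation, not from this post."""
    return f"https://collection.{region}.aoss.amazonaws.com/_saml/acs"


def build_keycloak_client(account_id: str, region: str, name: str = "opensearch-serverless") -> dict:
    """Client representation mirroring steps 4-11 of the console procedure.
    ASSUMPTION: attribute names follow Keycloak's SAML client representation;
    'adminUrl' is what the admin console labels Master SAML Processing URL."""
    acs = acs_url(region)
    return {
        "clientId": f"aws:opensearch:{account_id}",
        "protocol": "saml",
        "name": name,
        "description": "SAML client for OpenSearch Dashboards (OpenSearch Serverless)",
        "enabled": True,
        "redirectUris": [acs],           # Valid redirect URIs
        "adminUrl": acs,                 # Master SAML Processing URL
        "attributes": {
            "saml_assertion_consumer_url_post": acs,
            # "Signing keys config" off: OpenSearch Serverless sends unsigned requests
            "saml.client.signature": "false",
            # Keycloak still signs what it issues, so the assertion can be verified
            "saml.server.signature": "true",
            "saml.assertion.signature": "true",
            "saml.encrypt": "false",     # encrypted assertions are not supported
        },
    }


def inspect_idp_metadata(metadata_xml: str) -> dict:
    """Extract entityID, SSO endpoints and signing-certificate presence from
    the exported IdP metadata (the SAML 2.0 IdP Metadata link in Realm settings)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{SAML_MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{SAML_MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_urls = {s.get("Binding"): s.get("Location")
                for s in idp.findall(f"{{{SAML_MD}}}SingleSignOnService")}
    has_signing_cert = any(
        kd.get("use") in (None, "signing")  # no 'use' means both signing and encryption
        and kd.find(f".//{{{DSIG}}}X509Certificate") is not None
        for kd in idp.findall(f"{{{SAML_MD}}}KeyDescriptor"))
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls,
            "has_signing_cert": has_signing_cert}


def metadata_problems(info: dict) -> list:
    """Return human-readable reasons why the metadata would not be usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["sso_urls"]:
        problems.append("no SingleSignOnService endpoint")
    if not info["has_signing_cert"]:
        problems.append("no signing certificate; assertions could not be verified")
    return problems


def fetch_idp_metadata(keycloak_url: str, realm: str) -> str:
    """Download the realm's IdP metadata over HTTPS (ASSUMPTION: standard Keycloak path)."""
    import urllib.request
    with urllib.request.urlopen(f"{keycloak_url}/realms/{realm}/protocol/saml/descriptor") as r:
        return r.read().decode()


# Constructed sample metadata in the shape Keycloak exports; the certificate is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.internal/realms/opensearch">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.internal/realms/opensearch/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://keycloak.example.internal/realms/opensearch/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(json.dumps(build_keycloak_client("123456789012", "eu-central-1"), indent=2))
    info = inspect_idp_metadata(SAMPLE_METADATA)
    print(info, metadata_problems(info) or "metadata looks usable")
```

Run `metadata_problems(inspect_idp_metadata(xml))` on the real export before pasting it into the console; a metadata file with no signing certificate, for instance, leaves OpenSearch Serverless nothing to verify assertions against, and the post's step 11 only turns off signing of the client's requests, not the IdP's signature on its responses.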

Create a SAML provider

When your OpenSearch Serverless collection is active, you can create a SAML provider. This SAML provider can be assigned to any collection in the same Region. Complete the following steps:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose SAML authentication under Security.
  2. Choose Create SAML provider.
  3. Enter a name and description for your SAML provider.
  4. Enter the IdP metadata you downloaded earlier from Keycloak.
  5. Under Additional settings, you can optionally add custom user ID and group attributes (for this example, we leave this empty).
  6. Choose Create a SAML provider.

You have now configured a SAML provider for OpenSearch Serverless. Next, you configure the data access policy for accessing collections.

Create a data access policy

After you have configured the SAML provider, you must create data access policies for OpenSearch Serverless to allow access to the users.

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Data access policies under Security.
  2. Choose Create access policy.
  3. Enter a name and optional description for your access policy.
  4. For Policy definition method, select Visual editor.
  5. For Rule name, enter a name.
  6. Under Select principals, for Add principals, choose SAML users and groups.
  7. For SAML provider name, choose the provider you created before.
  8. Choose Save.
  9. Specify the user or group in the format user/USERNAME or group/GROUPNAME. The value of USERNAME or GROUPNAME must match the user name or group name you configured in Keycloak.
  10. Choose Save.
  11. Choose Grant to grant permissions to resources.
  12. In the Grant resources and permissions section, you can specify the access you want to provide for a given user at the collection level, and also at the index pattern level.
    For more information about how to set up more granular access for your users, refer to Supported OpenSearch API operations and permissions and Supported policy permissions.
  13. Choose Save.
  14. You can create additional rules if needed.
  15. Choose Create to create the data access policy.

Now you have a data access policy that allows users to access OpenSearch Dashboards and perform the allowed actions there.
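The two console procedures above (creating the SAML provider, then the data access policy with SAML principals) map onto the opensearchserverless API calls CreateSecurityConfig and CreateAccessPolicy. The following Python example is added here and is not the post's or the AWS team's code; it builds both request bodies as plain data so they can be inspected and version-controlled, validates the principal format, and only then (in `apply`, which needs boto3 and AWS credentials) submits them. The parameter names (name, type, samlOptions with metadata, userAttribute, groupAttribute, sessionTimeout; policy JSON with Rules, ResourceType, Resource, Permission, Principal) are the service's documented ones; the principal string form saml/ACCOUNT_ID/PROVIDER_NAME/user/NAME or .../group/NAME is what a SAML principal selected in the visual editor expands to. The account ID, provider name, collection name and user/group names are constructed placeholders, and the grants are deliberately read-only by default.

```python
"""OpenSearch Serverless side of the federation (added example, not the post's code)."""
import json

ACCOUNT_ID = "123456789012"       # placeholder AWS account ID
PROVIDER = "keycloak-saml"        # name given to the SAML provider in the console/API
COLLECTION = "my-collection"      # placeholder collection name


def saml_principal(account_id: str, provider: str, kind: str, name: str) -> str:
    """Data access policy principal for a SAML identity:
    saml/<account>/<provider>/user/<name> or saml/<account>/<provider>/group/<name>.
    <name> must equal the user name or group name Keycloak puts in the assertion."""
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    if not name or "/" in name:
        raise ValueError("user/group name must be non-empty and must not contain '/'")
    return f"saml/{account_id}/{provider}/{kind}/{name}"


def build_data_access_policy(collection: str, principals, read_only: bool = True) -> list:
    """One rule set mirroring steps 9-12: a collection-level grant and an index-level grant.
    Default is read-only; pass read_only=False to add write permissions."""
    index_perms = ["aoss:ReadDocument", "aoss:DescribeIndex"]
    if not read_only:
        index_perms += ["aoss:WriteDocument", "aoss:CreateIndex",
                        "aoss:UpdateIndex", "aoss:DeleteIndex"]
    return [{
        "Description": "Dashboards access for Keycloak-federated identities",
        "Rules": [
            {"ResourceType": "collection",
             "Resource": [f"collection/{collection}"],
             "Permission": ["aoss:DescribeCollectionItems"]},
            {"ResourceType": "index",
             "Resource": [f"index/{collection}/*"],   # index pattern level
             "Permission": index_perms},
        ],
        "Principal": list(principals),
    }]


def security_config_args(name: str, metadata_xml: str, user_attr: str = None,
                         group_attr: str = None, session_minutes: int = 60) -> dict:
    """Keyword arguments for create_security_config, mirroring steps 3-5 of
    'Create a SAML provider'. user_attr/group_attr are the optional custom
    attributes under Additional settings; the post leaves them empty."""
    if not 5 <= session_minutes <= 720:
        raise ValueError("sessionTimeout must be between 5 and 720 minutes")
    opts = {"metadata": metadata_xml, "sessionTimeout": session_minutes}
    if user_attr:
        opts["userAttribute"] = user_attr
    if group_attr:
        opts["groupAttribute"] = group_attr
    return {"name": name, "type": "saml", "samlOptions": opts,
            "description": "Keycloak IdP for OpenSearch Dashboards"}


def apply(metadata_path: str, collection: str, users=(), groups=()) -> None:
    """Submit both resources with boto3 (needs credentials with the aoss:*SecurityConfig
    and access-policy permissions listed in the prerequisites)."""
    import boto3  # imported here so the builders above stay usable without boto3
    aoss = boto3.client("opensearchserverless")
    with open(metadata_path, encoding="utf-8") as f:
        metadata = f.read()
    aoss.create_security_config(**security_config_args(PROVIDER, metadata))
    principals = [saml_principal(ACCOUNT_ID, PROVIDER, "user", u) for u in users] + \
                 [saml_principal(ACCOUNT_ID, PROVIDER, "group", g) for g in groups]
    aoss.create_access_policy(
        name=f"{collection}-dashboards", type="data",
        policy=json.dumps(build_data_access_policy(collection, principals)))


if __name__ == "__main__":
    # Dry run: print the policy document that would be submitted.
    sample = [saml_principal(ACCOUNT_ID, PROVIDER, "user", "alice"),
              saml_principal(ACCOUNT_ID, PROVIDER, "group", "analysts")]
    print(json.dumps(build_data_access_policy(COLLECTION, sample), indent=2))
```

Granting to a group principal rather than to individual users keeps the policy stable as people join and leave the Keycloak group, and the read-only default means a new rule must opt in explicitly before federated users can write to or delete indexes.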

Access OpenSearch Dashboards

Complete the following steps to sign in to OpenSearch Dashboards:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Dashboard.
  2. In the Collection section, find your collection and choose Dashboard.

    The OpenSearch login page opens in a new browser tab.
  3. Choose your IdP from the dropdown menu and choose Login.

    You are redirected to the Keycloak sign-in page.
  4. Log in with your SSO credentials.

After a successful login, you are redirected to OpenSearch Dashboards, and you can perform the actions allowed by the data access policy.

You have successfully federated OpenSearch Dashboards with Keycloak as an IdP.

Cleaning up

When you're done with this solution, delete the resources you created if you no longer need them.

  1. Delete your OpenSearch Serverless collection.
  2. Delete your data access policy.
  3. Delete the SAML provider.

Conclusion

In this post, we demonstrated how to set up Keycloak as an IdP to access an OpenSearch Serverless dashboard using SAML authentication. For more details, refer to SAML authentication for Amazon OpenSearch Serverless.


About the Author

Arpad Csoke is a Solutions Architect at Amazon Web Services. His responsibilities include helping large enterprise customers understand and utilize the AWS environment, acting as a technical consultant to contribute to solving their issues.
