Configure SAML federation with Amazon OpenSearch Serverless and Keycloak


Amazon OpenSearch Serverless is a serverless option for Amazon OpenSearch Service, a fully managed open search and analytics platform. On Amazon OpenSearch Service you can run petabyte-scale search and analytics workloads without the heavy lifting of managing the underlying OpenSearch Service clusters, and Amazon OpenSearch Serverless supports workloads up to 30 TB of data for time-series collections. Amazon OpenSearch Serverless provides an installation of OpenSearch Dashboards with every collection created.

The network configuration for an OpenSearch Serverless collection controls how the collection can be accessed over the network. You have the option to make the collection publicly accessible over the internet from any network, or to restrict access to the collection privately through OpenSearch Serverless-managed virtual private cloud (VPC) endpoints. This network access setting can be defined separately for the collection's OpenSearch endpoint (used for data operations) and its corresponding OpenSearch Dashboards endpoint (used for visualizing and analyzing data). In this post, we work with a publicly accessible OpenSearch Serverless collection, so authentication and the data access policy are the only controls standing between the internet and the Dashboards endpoint.

SAML allows users to access multiple applications or services with a single set of credentials, eliminating the need for separate logins for each application or service. This improves the user experience and reduces the overhead of managing multiple credentials. OpenSearch Serverless provides SAML authentication, with which you can use your existing identity provider (IdP) to provide single sign-on (SSO) for the OpenSearch Dashboards endpoints of serverless collections. OpenSearch Serverless supports IdPs that adhere to the SAML 2.0 standard, including services like AWS IAM Identity Center, Okta, Keycloak, Active Directory Federation Services (AD FS), and Auth0. This SAML authentication mechanism is solely intended for accessing the OpenSearch Dashboards interface through a web browser; requests to the collection's OpenSearch endpoint are still authenticated with IAM credentials (SigV4-signed requests), not with SAML.

In this post, we show you how to configure SAML authentication for controlling access to public OpenSearch Dashboards using Keycloak as an IdP.

Solution overview

The following diagram illustrates a sample architecture of a solution that allows users to authenticate to OpenSearch Dashboards using SSO with Keycloak.


The sign-in flow consists of the following steps:

  1. A user accesses OpenSearch Dashboards in a browser and chooses an IdP from the list.
  2. OpenSearch Serverless generates a SAML authentication request (AuthnRequest).
  3. OpenSearch Serverless redirects the request back to the browser.
  4. The browser redirects the user to the chosen IdP (Keycloak). Keycloak provides a login page, where the user enters their credentials.
  5. If authentication was successful, Keycloak returns the signed SAML response to the browser.
  6. The browser posts the SAML assertion to the OpenSearch Serverless assertion consumer service (ACS) endpoint.
  7. OpenSearch Serverless validates the SAML assertion (signature, audience and validity window) against the IdP metadata it holds, and logs the user in to OpenSearch Dashboards.

Prerequisites

To get started, you should have the following prerequisites:

  1. An active OpenSearch Serverless collection
  2. A working Keycloak server (on premises or in the cloud)
  3. The following AWS Identity and Access Management (IAM) permissions to configure SAML authentication in OpenSearch Serverless:
    • aoss:CreateSecurityConfig – Create a SAML provider.
    • aoss:ListSecurityConfig – List all SAML providers in the current account.
    • aoss:GetSecurityConfig – View SAML provider information.
    • aoss:UpdateSecurityConfig – Modify a given SAML provider configuration, including the XML metadata.
    • aoss:DeleteSecurityConfig – Delete a SAML provider.

Create and configure a client in Keycloak

Complete the following steps to create your Keycloak client:

  1. Log in to your Keycloak admin console.
  2. In the navigation pane, choose Clients.
  3. Choose Create client.
  4. For Client type, choose SAML.
  5. For Client ID, enter aws:opensearch:AWS_ACCOUNT_ID, where AWS_ACCOUNT_ID is your AWS account ID. This value is the service provider (SP) entity ID that OpenSearch Serverless sends in its authentication requests, so it must match exactly.
  6. Enter a name and description for your client.
  7. Choose Next.
  8. For Valid redirect URIs, enter the address of the assertion consumer service (ACS), https://collection.REGION.aoss.amazonaws.com/_saml/acs, where REGION is the AWS Region in which you have created the OpenSearch Serverless collection.
  9. For Master SAML Processing URL, also enter the preceding ACS address.
  10. Complete your client creation.
  11. After you create the client, you have to disable the Client signature required setting under Signing keys config, because OpenSearch Serverless does not sign its SAML requests (signed and encrypted requests are not supported). If the setting stays enabled, Keycloak rejects the unsigned authentication request. Leave the response and assertion signing on the Keycloak side enabled; those signatures are what OpenSearch Serverless verifies. For more details, refer to Considerations.
  12. After you have created the client and disabled the client signature requirement, you can export the SAML 2.0 Identity Provider Metadata by choosing the link on the Realm settings page. You need this metadata when you create the SAML provider in OpenSearch Serverless.
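The same client can be created through the Keycloak Admin REST API instead of the console. The script below is an added example and not code from the original post: it builds the client representation with the settings from the steps above (attribute names as they appear in a Keycloak SAML client export), creates it with an admin token, and downloads the realm's IdP metadata from the same endpoint the Realm settings link points to. It assumes a Keycloak 17+ base URL without the legacy /auth prefix, the master-realm admin user with the password in the KEYCLOAK_ADMIN_PASSWORD environment variable, and placeholder values for the realm, AWS account ID and Region.

```python
"""Create the OpenSearch Serverless SAML client in Keycloak through the Admin
REST API and download the realm's IdP metadata (added example, not code from
the original post)."""
import json
import os
import sys
import urllib.parse
import urllib.request


def acs_url(region: str) -> str:
    """Assertion consumer service endpoint of OpenSearch Serverless Dashboards."""
    return f"https://collection.{region}.aoss.amazonaws.com/_saml/acs"


def build_saml_client(account_id: str, region: str) -> dict:
    """Client representation equivalent to the console steps above (attribute
    names as in a Keycloak SAML client export; verify against your version)."""
    acs = acs_url(region)
    return {
        "clientId": f"aws:opensearch:{account_id}",  # SP entity ID sent by OpenSearch Serverless
        "name": "OpenSearch Serverless Dashboards",
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs],                       # Valid redirect URIs
        "adminUrl": acs,                             # Master SAML Processing URL
        "attributes": {
            "saml_assertion_consumer_url_post": acs,
            "saml.client.signature": "false",  # AuthnRequests arrive unsigned; 'true' would reject them
            "saml.server.signature": "true",   # keep responses signed: this is what AWS verifies
            "saml.assertion.signature": "true",
            "saml.encrypt": "false",           # encrypted assertions are not supported either
            "saml.authnstatement": "true",
            "saml_name_id_format": "username", # NameID is matched as user/<username> in the policy
        },
    }


def admin_token(base_url: str, username: str, password: str) -> str:
    """Password grant against the master realm's built-in admin-cli client."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_client(base_url: str, realm: str, token: str, client: dict) -> None:
    """POST the representation; Keycloak answers 201 Created (409 if the clientId exists)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients", data=json.dumps(client).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:   # raises HTTPError on any non-2xx status
        if resp.status != 201:
            raise RuntimeError(f"unexpected status {resp.status} creating client")


def idp_metadata(base_url: str, realm: str) -> str:
    """Same document as the 'SAML 2.0 Identity Provider Metadata' link on Realm settings."""
    with urllib.request.urlopen(f"{base_url}/realms/{realm}/protocol/saml/descriptor") as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: python keycloak_client.py https://keycloak.example.com demo 123456789012 us-east-1
    base, realm, account_id, region = sys.argv[1:5]
    token = admin_token(base, "admin", os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    create_client(base, realm, token, build_saml_client(account_id, region))
    with open("keycloak-idp-metadata.xml", "w") as f:   # input for the SAML provider step
        f.write(idp_metadata(base, realm))
```

The only setting that deviates from a default SAML client is saml.client.signature; everything else keeps Keycloak signing the response and assertion, which is the signature OpenSearch Serverless validates against the certificate in the exported metadata.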

Create a SAML provider

When your OpenSearch Serverless collection is active, you can create a SAML provider. This SAML provider can be assigned to any collection in the same Region. Complete the following steps:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose SAML authentication under Security.
  2. Choose Create SAML provider.
  3. Enter a name and description for your SAML provider.
  4. Enter the IdP metadata you downloaded earlier from Keycloak.
  5. Under Additional settings, you can optionally add custom user ID and group attributes (for this example, we leave this empty, so the user name is taken from the NameID of the assertion).
  6. Choose Create a SAML provider.

You have now configured a SAML provider for OpenSearch Serverless. Next, you configure the data access policy for accessing collections.

Create a data access policy

After you have configured the SAML provider, you have to create data access policies for OpenSearch Serverless to allow access to the users. Authentication alone grants nothing: a user who signs in through Keycloak but matches no rule sees an empty Dashboards session.

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Data access policies under Security.
  2. Choose Create access policy.
  3. Enter a name and optional description for your access policy.
  4. For Policy definition method, select Visual editor.
  5. For Rule name, enter a name.
  6. Under Select principals, for Add principals, choose SAML users and groups.
  7. For SAML provider name, choose the provider you created before.
  8. Specify the user or group in the format user/USERNAME or group/GROUPNAME. The value of USERNAME or GROUPNAME must match the value Keycloak puts in the assertion: by default the NameID for the user, and, for groups, the attribute you configured as the group attribute on the SAML provider (group principals do not match unless the assertion carries that attribute).
  9. Choose Save.
  10. Choose Grant to grant permissions to resources.
  11. In the Grant resources and permissions section, you can specify the access you want to provide for a given user at the collection level, and also at the index pattern level. Grant the narrowest index pattern and permission set the users need; an index pattern of the form index/COLLECTION/* combined with write permissions gives every matching principal write access to every index in the collection.
    For more information about how to set up more granular access for your users, refer to Supported OpenSearch API operations and permissions and Supported policy permissions.
  12. Choose Save.
  13. You can create more rules if needed.
  14. Choose Create to create the data access policy.

Now you have a data access policy that allows the users to access OpenSearch Dashboards and perform the allowed actions there.
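Both the SAML provider step and the data access policy step above take inputs that are easy to get subtly wrong: metadata that is not actually IdP metadata, or a principal string that does not match the assertion. The script below is an added example, not code from the original post, that checks the Keycloak metadata export for what the SAML provider needs (an entityID, an IDPSSODescriptor, an SSO endpoint and a signing certificate) and generates the policy document the console's visual editor would produce, including the saml/ACCOUNT_ID/PROVIDER/user|group/NAME principal syntax. The embedded metadata is a constructed, shortened sample with a stub certificate; the account ID, provider name, collection name and principals are placeholders; the optional --apply path uses boto3 and the caller's AWS credentials.

```python
"""Pre-flight check of the Keycloak IdP metadata and generation of the
OpenSearch Serverless data access policy document (added example, not code
from the original post)."""
import base64
import json
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")

# Constructed, shortened sample in the shape Keycloak serves at
# /realms/<realm>/protocol/saml/descriptor; the certificate is a stub.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://keycloak.example.com/realms/demo">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBADCB</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://keycloak.example.com/realms/demo/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return the fields the SAML provider relies on; raise ValueError on
    anything that would leave the provider unable to verify a response."""
    root = ET.fromstring(xml_text)
    # Keycloak wraps EntityDescriptor in EntitiesDescriptor; accept either.
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" \
        else root.find("md:EntityDescriptor", NS)
    if entity is None or not entity.get("entityID"):
        raise ValueError("no EntityDescriptor with an entityID")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (client/SP export?)")
    sso = [(s.get("Binding"), s.get("Location")) for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") in SSO_BINDINGS and s.get("Location")]
    if not sso:
        raise ValueError("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:           # DER certificates start with a SEQUENCE tag
                raise ValueError("signing certificate is not base64-encoded DER")
            certs += 1
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": entity.get("entityID"), "sso": sso, "signing_certs": certs,
            "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)]}


def build_data_access_policy(account_id, provider, collection, users=(), groups=(), read_only=True):
    """Document equivalent to the console's visual editor: one rule set giving the
    SAML principals collection- and index-level permissions on one collection."""
    principals = [f"saml/{account_id}/{provider}/user/{u}" for u in users]
    principals += [f"saml/{account_id}/{provider}/group/{g}" for g in groups]
    if not principals:
        raise ValueError("a rule set without principals grants nothing")
    coll_perms = ["aoss:DescribeCollectionItems"]
    index_perms = ["aoss:DescribeIndex", "aoss:ReadDocument"]
    if not read_only:
        coll_perms += ["aoss:CreateCollectionItems", "aoss:UpdateCollectionItems"]
        index_perms += ["aoss:CreateIndex", "aoss:UpdateIndex", "aoss:WriteDocument"]
    return [{
        "Description": f"Dashboards access for {provider} SAML principals",
        "Rules": [
            {"ResourceType": "collection", "Resource": [f"collection/{collection}"], "Permission": coll_perms},
            {"ResourceType": "index", "Resource": [f"index/{collection}/*"], "Permission": index_perms},
        ],
        "Principal": principals,
    }]


if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    metadata = open(paths[0]).read() if paths else SAMPLE_METADATA
    print(json.dumps(check_idp_metadata(metadata), indent=2))
    # Placeholder account ID, provider name and collection name.
    policy = build_data_access_policy("123456789012", "keycloak", "my-collection", groups=["analysts"])
    print(json.dumps(policy, indent=2))
    if "--apply" in sys.argv:           # push the same payloads the console sends
        import boto3                    # only needed for this step
        aoss = boto3.client("opensearchserverless")   # Region from the SDK configuration
        aoss.create_security_config(name="keycloak", type="saml", samlOptions={"metadata": metadata})
        aoss.create_access_policy(name="keycloak-analysts", type="data", policy=json.dumps(policy))
```

Run it without arguments to see the sample output, or pass the path of the metadata you exported from Keycloak; the read-only default mirrors what a Dashboards user needs to browse and query, and write permissions are only added when read_only=False is requested explicitly.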

Access OpenSearch Dashboards

Complete the following steps to sign in to OpenSearch Dashboards:

  1. On the OpenSearch Service console, under Serverless in the navigation pane, choose Dashboard.
  2. In the Collection section, locate your collection and choose Dashboard.

    The OpenSearch login page opens in a new browser tab.
  3. Choose your IdP from the dropdown menu and choose Login.

    You are redirected to the Keycloak sign-in page.
  4. Log in with your SSO credentials.

After a successful login, you are redirected to OpenSearch Dashboards, and you can perform the actions allowed by the data access policy. If the login succeeds at Keycloak but Dashboards shows no data, check that the principal in the policy matches the NameID (or group attribute) in the assertion; the browser's SAML response, visible in the developer tools network panel as the POST to /_saml/acs, shows the exact values Keycloak sent.

You have successfully federated OpenSearch Dashboards with Keycloak as an IdP.

Cleaning up

When you're done with this solution, delete the resources you created if you no longer need them.

  1. Delete your OpenSearch Serverless collection.
  2. Delete your data access policy.
  3. Delete the SAML provider.

Conclusion

In this post, we demonstrated how to set up Keycloak as an IdP to access an OpenSearch Serverless dashboard using SAML authentication. For more details, refer to SAML authentication for Amazon OpenSearch Serverless.


About the Author

Arpad Csoke is a Solutions Architect at Amazon Web Services. His responsibilities include helping large enterprise customers understand and utilize the AWS environment, acting as a technical advisor to contribute to solving their issues.
