Amazon OpenSearch is an open search and log analytics service, powered by the Apache Lucene search library.
In this blog post, we provide step-by-step guidance for SP-initiated SSO by showing how to set up a trial Ping Identity account. We’ll show how to build users and groups within your organization’s directory and enable SSO in OpenSearch Dashboards.
To use this feature, you must enable fine-grained access control. Rather than authenticating through Amazon Cognito or the internal user database, SAML authentication for OpenSearch Dashboards lets you use third-party identity providers to log in.
Ping Identity is an AWS Competency Partner, and the provider of the PingOne Cloud Platform is a multi-tenant Identity-as-a-Service (IDaaS) platform. Ping Identity supports both service provider (SP)-initiated and identity provider (IdP)-initiated SSO.
Overview of Ping Identity SAML authenticated solution
Figure 1 shows a sample architecture of a generic integrated solution between Ping Identity and OpenSearch Dashboards over SAML authentication.
The sign-in flow is as follows:
- User opens browser window and navigates to Amazon OpenSearch Dashboards
- Amazon OpenSearch generates SAML authentication request
- Amazon OpenSearch redirects request back to browser
- Browser redirects to Ping Identity URL
- Ping Identity parses SAML request, authenticates user, and generates SAML response
- Ping Identity returns encoded SAML response to browser
- Browser sends SAML response back to Amazon OpenSearch Assertion Consumer Service (ACS) URL
- ACS verifies SAML response
- User logs into Amazon OpenSearch domain
For this walkthrough, you should have the following prerequisites:
- An AWS account
- A virtual private cloud (VPC)-based Amazon OpenSearch domain with fine-grained access control enabled
- Ping Identity account with user and a group
- A browser with network connectivity to Ping Identity, Amazon OpenSearch domain, and Amazon OpenSearch Dashboards.
The steps in this post are structured into the following sections:
- Identity provider (Ping Identity) setup
- Prepare Amazon OpenSearch for SAML configuration
- Identity provider (Ping Identity) SAML configuration
- Finish Amazon OpenSearch for SAML configuration
Identity provider (Ping Identity) setup
Step 1: Sign up for a Ping Identity account
- Sign up for a Ping Identity account, then click on the Sign up button to complete your account setup.
- If you already have an account with Ping Identity, login to your Ping Identity account.
Step 2: Create Population in Ping Identity
- Choose Identities in the left menu and click Populations to proceed.
- Click on the blue + button next to Populations, enter the name as IT, then click on the Save button (see Figure 2).
Step 3: Create a group in Ping Identity
- Choose Groups from the left menu and click on the blue + button next to Groups. For this example, we will create a group called opensearch for Kibana access. Click on the Save button to complete the group creation.
Step 4: Create users in Ping Identity
- Choose Users in left menu, then click the + Add User button.
- Provide GIVEN NAME, FAMILY NAME, EMAIL ADDRESS, and choose Population as users, as created in Step 1. Choose your own USERNAME. Click on the SAVE button to create your user.
- Add more users as needed.
Step 5: Assign role and group to users
- Click on Identities/users in the left menu, and click on Users. Then click on the edit button for a particular user, as shown in Figure 3.
- Click on the Edit button, click on + Add Role button, and click on the edit button to assign a role to the user.
- For this example, choose Environment Admin, as shown in Figure 4. You can choose different roles depending on your use case.
- For this example, assign administrator responsibilities for our users. Click on Show Environments, and drag Administrators into the ADDED RESPONSIBILITES section. Then click on the Add Role button.
- Add Group to users. Go to the Groups tab, search for the opensearch group created in Step 3. Click on the + button next to opensearch to add into group memberships.
Prepare Amazon OpenSearch for SAML configuration
Once the Amazon OpenSearch domain is up and running, we can proceed with configuration.
- Under Actions, choose Edit security configuration, as shown in Figure 5.
- Under SAML authentication for OpenSearch Dashboards/Kibana, select Enable SAML authentication check box (Figure 6). When we enable SAML, it will create different URLs required for configuring SAML with your identity provider.
We will be using the Service Provider entity ID and SP-initiated SSO URL as highlighted in Figure 6 for Ping Identity SAML configuration. We will complete the rest of the Amazon OpenSearch SAML configuration after the Ping Identity SAML configuration.
Ping Identity SAML configuration
Go back to PingIdentity.com, and navigate to Connections on the left menu. Then select Applications, and click on Application +.
- For this example, we are creating an application called “Kibana”
- Select WEB APP as APPLICATION TYPE and CHOOSE CONNECTION TYPE as SAML, and click on Configure button to proceed as shown in Figure 7.
- On the “Create App Profile” page, click on the Next button, and choose the “Manually Enter” option for PROVIDE APP METADATA. Enter the following under Configure SAML Connection section
- ACS URL https://vpc-XXXXX-XXXXX-west-2.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs (SP-initiated SSO URL)
- Choose Sign Assertion & Response under SIGNING KEY
- ENTITY ID: https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com (Service provider entity ID)
- ASSERTION VALIDITY DURATION (IN SECONDS) as 3600
- Choose default options, then click on the Save and Continue button as shown in Figure 8
- Enter the following under Configure Attribute Mapping, then click on Save and Close.
- Set User ID to default
- Click on +ADD ATTRIBUTE button to add following SAML attributes
- OUTGOING VALUE: Group Names, SAML ATTRIBUTE: saml_group
- OUTGOING VALUE: Username, SAML ATTRIBUTE: saml_username
- Select the Policies tab and click on edit icon on the right.
- Add the Single_Factor policy to the application, then click on Save.
- Select the Access tab, add the opensearch group to the application, then click on Save to complete SAML configuration.
- Finally, go to the Configuration tab, click on the Download Metadata button to download the Ping Identity metadata for the Amazon OpenSearch SAML configuration. Enable opensearch SAML application (Figure 9).
Amazon OpenSearch SAML configuration
- Switch back to Amazon OpenSearch domain:
- Navigate to the Amazon OpenSearch console.
- Click on Actions, then click on Modify Security configuration.
- Select the Enable SAML authentication check box.
- Under Import IdP metadata section:
- Metadata from IdP: Import the Ping Identity identity provider metadata from the downloaded XML file, shown in Figure 10.
- SAML master backend role: opensearch (Ping Identity group). Provide SAML backend role/group SAML assertion key for group SSO into Kibana.
- Under Optional SAML settings:
- Leave the Subject Key as saml_subject from Ping Identity SAML application attribute name.
- Role key should be saml_group. You can view a sample assertion during the configuration process by tools like SAML-tracer. This can help you examine and troubleshoot the contents of real assertions.
- Session time to live (mins): 60
- Click on the Submit button to complete Amazon OpenSearch SAML configuration for Kibana. We have successfully completed SAML configuration and are now ready for testing.
Validating Access with Ping Identity Users
- The OpenSearch Dashboards URL can be found in the Overview tab within “General Information” in the Amazon OpenSearch console (Figure 11). The first access to the OpenSearch Dashboards URL redirects you to the Ping Identity login screen.
- If your OpenSearch domain is hosted within a private VPC, you will not be able to access OpenSearch Dashboards over public internet. But you can still use SAML as long as your browser can communicate with both your OpenSearch cluster and your identity provider.
- You can create a Mac or Windows EC2 instance within the same VPC and access Amazon OpenSearch Dashboards from an EC2 instance’s web browser to validate your SAML configuration. Or you can access your Amazon OpenSearch Dashboards through Site-to-Site VPN if you are trying to access it from your on-premises environment.
- Now copy and paste the OpenSearch Dashboards URL in your browser, and enter user credentials.
- After successful login, you will be redirected into the OpenSearch Dashboards home page. Explore our sample data and visualizations in OpenSearch Dashboards, as shown in Figure 12.
- You have successfully federated Amazon OpenSearch Dashboards with Ping Identity as an identity provider. You can connect OpenSearch Dashboards by using your Ping Identity credentials.
After you test out this solution, remember to delete all the resources you created to avoid incurring future charges. Refer to these links:
- Deleting your Amazon OpenSearch domain
- Reach out to Ping Identity to delete your account (If needed)
In this blog post, we have demonstrated how to set up Ping Identity as an identity provider over SAML authentication for Amazon OpenSearch Dashboards access. With this solution, you now have an OpenSearch Dashboard that uses Ping Identity as the custom identity provider for your users. This reduces the customer login process to one set of credentials and improves employee productivity.
Get started by checking the Amazon OpenSearch Developer Guide, which provides guidance on how to build applications using Amazon OpenSearch for your operational analytics.