Modern applications apply security controls across many systems and their subsystems. Keeping all of those systems in sync would be a significant undertaking if you tried to implement it in each one individually. Centralized identity management is the way to maintain a single identity provider (IdP) that can authenticate actors and manage and distribute their rights.
OpenSearch is an open-source search and analytics suite that lets you ingest, store, analyze, and visualize full-text and log data. Amazon OpenSearch Serverless makes it easy to deploy, scale, and operate OpenSearch in the AWS Cloud, freeing you from the undifferentiated heavy lifting of sizing, scaling, and operating an OpenSearch cluster. When you use OpenSearch Serverless, you can integrate with your existing Security Assertion Markup Language 2.0 (SAML)-compliant IdP to provide granular access control to your OpenSearch Serverless collections. Our customers use a variety of IdPs, including AWS IAM Identity Center (successor to AWS SSO), Okta, Keycloak, Active Directory Federation Services (AD FS), and Auth0.
In this post, you'll learn how to use Okta as your IdP and integrate it with OpenSearch Serverless to manage your users and groups for secure access to your data.
Solution overview
The flow of access requests is depicted in the following figure.
When you navigate to OpenSearch Dashboards, the workflow steps are as follows:
- OpenSearch Serverless generates a SAML authentication request.
- OpenSearch Serverless redirects your request back to the browser.
- The browser redirects to the Okta URL configured in the Okta application setup.
- Okta parses the SAML request, authenticates the user, and generates a SAML response.
- Okta returns the encoded SAML response to the browser.
- The browser posts the SAML response back to the OpenSearch Serverless Assertion Consumer Service (ACS) URL.
- ACS verifies the SAML response and logs in the user with the permissions defined in the data access policy.
Prerequisites
Complete the following prerequisite steps:
- Create an OpenSearch Serverless collection. For instructions, refer to Preview: Amazon OpenSearch Serverless – Run Search and Analytics Workloads without Managing Clusters.
- Make a note of your AWS account ID to use while configuring your application in Okta.
- Create an Okta account, which you'll use as an IdP.
- Create users and a group in Okta:
- Log in to your Okta account, and in the navigation pane, choose Directory, then choose Groups.
- Choose Add Group and name it opensearch-serverless, then choose Save.
- Choose Assign People to add users.
- You can add users to the opensearch-serverless group by choosing the plus sign next to the user name, or you can choose Add All.
- Add your users, then choose Save.
- To create new users, choose People in the navigation pane under Directory, then choose Add Person.
- Provide the first name, last name, user name (email ID), and primary email address.
- For Password, choose Set by admin and First-time password.
- To create the user, choose Save.
- In the navigation pane, choose Groups, then choose the opensearch-serverless group you created earlier.
The following graphic provides a quick demonstration of setting up a user and group.
Configure an application in Okta
To configure an application in Okta, complete the following steps:
- Navigate to the Applications page on the Okta console.
- Choose App Integration, select SAML 2.0 web application, then choose Next.
- For Name, enter a name for the app (for example, myweblogs), then choose Next.
- Under Application ACS URL, enter the URL using the format https://collection.<REGION>.aoss.amazonaws.com/_saml/acs (replace <REGION> with the corresponding Region) to generate the IdP metadata.
- Select Use this for Recipient URL and Destination URL to use the same ACS URL as the recipient and destination.
- Specify aws:opensearch:<AWS-Account-ID> under Audience URI (SP Entity ID). This is the audience the SAML assertion is intended for; OpenSearch Serverless rejects assertions issued for a different audience.
- Under Group Attribute Statements, enter a name that is relevant to your application, such as mygroup, and choose unspecified as the name format. (Don't forget this name; you'll need it later.)
- Choose equals as the filter and enter opensearch-serverless.
- Select I'm a software vendor. I'd like to integrate my app with Okta and choose Finish.
- After the app is created, choose the Sign On tab, scroll down to the metadata details, and copy the value for Metadata URL.
The following graphic provides a quick demonstration of setting up an application in Okta using the preceding steps.
Next, you associate the users and groups with the application that you created in the previous step.
- On the Applications page, choose the app you created earlier.
- On the Assignments tab, choose Assign.
- Choose Assign To Groups and choose the group you want to assign (opensearch-serverless in this case).
- Choose Done.
The following graphic provides a quick demonstration of assigning groups to the application using the preceding steps.
Set up SAML on OpenSearch Serverless
In this section, you create a SAML provider that you'll use for your OpenSearch Serverless collection. Complete the following steps:
- Open the OpenSearch Serverless console in a new tab.
- In the navigation pane, under Serverless, choose SAML authentication.
- Choose Add SAML provider.
- Provide a recognizable name (for example, okta) and a description.
- Open a new tab and enter the copied metadata URL into your browser.
You should see the metadata for the Okta application.
- Copy this metadata to your clipboard.
- On the OpenSearch Service console tab, paste this metadata in the Provide metadata from your IdP section.
- Under Additional settings, enter mygroup or whatever group attribute name you provided in the Okta configuration.
- Choose Create a SAML provider.
The SAML provider has now been created.
The following graphic provides a quick demonstration of setting up the SAML provider in OpenSearch Serverless using the preceding steps.
Update the data access policy
You need to configure the proper permissions in the data access policies associated with your OpenSearch collection so that your Okta group members can access the OpenSearch Dashboards endpoint.
- On the OpenSearch Serverless console, open your collection.
- Choose the data access policy associated with the collection in the Data Access section.
- Choose Edit.
- Choose Principals and Add a SAML principal.
- Select the SAML provider you created earlier and enter group/opensearch-serverless next to it.
- The OpenSearch Dashboards endpoint can now be accessed by all group members. You can grant access to collections, indexes, or both; grant only the permissions the group needs.
- Choose Save.
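The console builds the principal from the SAML provider name and the group/ value you typed, and the same policy can be written as a JSON document and attached with the AWS CLI. The following is an added example, not code from the original post or from AWS; the account ID, collection name, provider name, and policy name are placeholders, and the aoss: permission names are the documented data access policy permissions. It defaults to a read-only grant so the Okta group gets only what searching and visualizing from Dashboards requires.

```python
"""Build a data access policy granting an Okta group access to a collection.
Added example; the account ID, collection and provider names are placeholders."""
import json
import re

# Documented aoss data access policy permissions, grouped by what a Dashboards user needs.
INDEX_READ = ["aoss:DescribeIndex", "aoss:ReadDocument"]
INDEX_WRITE = ["aoss:CreateIndex", "aoss:UpdateIndex", "aoss:DeleteIndex", "aoss:WriteDocument"]
COLLECTION_READ = ["aoss:DescribeCollectionItems"]
COLLECTION_WRITE = ["aoss:CreateCollectionItems", "aoss:UpdateCollectionItems",
                    "aoss:DeleteCollectionItems"]


def saml_group_principal(account_id: str, provider: str, group: str) -> str:
    """Principal the console builds when you pick the provider and enter group/<name>."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be 12 digits")
    if "/" in provider or "/" in group:
        raise ValueError("provider and group names must not contain '/'")
    return f"saml/{account_id}/{provider}/group/{group}"


def build_data_access_policy(collection: str, principals: list, read_only: bool = True) -> list:
    """One rule set covering the collection and every index inside it."""
    return [{
        "Description": f"Okta group access to collection {collection}",
        "Rules": [
            {"ResourceType": "collection",
             "Resource": [f"collection/{collection}"],
             "Permission": COLLECTION_READ + ([] if read_only else COLLECTION_WRITE)},
            {"ResourceType": "index",
             "Resource": [f"index/{collection}/*"],
             "Permission": INDEX_READ + ([] if read_only else INDEX_WRITE)},
        ],
        "Principal": principals,
    }]


if __name__ == "__main__":
    principal = saml_group_principal("123456789012", "okta", "opensearch-serverless")
    policy = build_data_access_policy("my-collection", [principal])
    # Save this output as policy.json and attach it with the CLI (name is a placeholder):
    #   aws opensearchserverless create-access-policy --name okta-group-access \
    #       --type data --policy file://policy.json
    print(json.dumps(policy, indent=2))
```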
Log in to OpenSearch Dashboards
Now that you've set permissions to access the dashboards, choose the Dashboards URL under the general information for the OpenSearch Serverless collection. This should take you to https://collection-endpoint/_dashboards/
You will see a list with all the access options. Choose the SAML provider that you created (okta in this case) and log in using your Okta credentials. You'll now be logged in to OpenSearch Dashboards with the permissions that are part of the data access policy. You can perform searches or create visualizations from the dashboard.
Clean up
To avoid unwanted charges, delete the OpenSearch Serverless collection, data access policy, and SAML provider created as part of this demonstration.
Summary
In this post, you learned how to set up Okta as an IdP to access OpenSearch Dashboards using SAML. You also learned how to set up users and groups within Okta and configure their access to OpenSearch Dashboards. For more details, refer to SAML authentication for Amazon OpenSearch Serverless.
You can also refer to the Getting started with Amazon OpenSearch Serverless workshop to learn more about OpenSearch Serverless.
If you have feedback about this post, submit it in the comments section. If you have questions about this post, start a new thread on the OpenSearch Service forum or contact AWS Support.
About the Authors
Aish Gunasekar is a Specialist Solutions Architect with a focus on Amazon OpenSearch Service. Her passion at AWS is to help customers design highly scalable architectures and support them in their cloud adoption journey. Outside of work, she enjoys hiking and baking.
Prashant Agrawal is a Sr. Search Specialist Solutions Architect with Amazon OpenSearch Service. He works closely with customers to help them migrate their workloads to the cloud and helps existing customers fine-tune their clusters to achieve better performance and save on cost. Before joining AWS, he helped various customers use OpenSearch and Elasticsearch for their search and log analytics use cases. When not working, you can find him traveling and exploring new places. In short, he likes doing Eat → Travel → Repeat.