Role-based access control in Amazon OpenSearch Service via SAML integration with AWS IAM Identity Center


    Amazon OpenSearch Service is a managed service that makes it easy to secure, deploy, and operate OpenSearch clusters at scale in the AWS Cloud. AWS IAM Identity Center (successor to AWS Single Sign-On) helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. To build a strong least-privilege security posture, customers also want fine-grained access control to manage dashboard permissions by user role. In this post, we demonstrate a step-by-step procedure to integrate IAM Identity Center with OpenSearch Service via native SAML integration, and to configure role-based access control in OpenSearch Dashboards by using group attributes in IAM Identity Center. You can follow the steps in this post to achieve both authentication and authorization for OpenSearch Service based on the groups configured in IAM Identity Center.

    Solution overview

    Let's review how to map users and groups in IAM Identity Center to OpenSearch Service security roles. Backend roles in OpenSearch Service are used to map external identities or workgroup attributes to predefined OpenSearch Service security roles.

    The following diagram shows the solution architecture. Create two groups, assign a user to each group, and edit the attribute mappings in IAM Identity Center. If you have integrated IAM Identity Center with your Identity Provider (IdP), you can use existing users and groups mapped from your IdP for this test. The solution uses two roles: all_access for administrators, and alerting_full_access for developers who are only allowed to manage OpenSearch Service alerts. You can set up backend role mapping in OpenSearch Dashboards by group ID. Based on the following diagram, you map the role all_access to the group Admin, and alerting_full_access to the group Developer. User janedoe is in the group Admin, and user johnstiles is in the group Developer.

    Then you log in as each user to verify the access control by looking at the different dashboard views.

    Let's get started!


    Complete the following prerequisite steps:

    1. Have an AWS account.
    2. Have an Amazon OpenSearch Service domain.
    3. Enable IAM Identity Center in the same Region as the OpenSearch Service domain.
    4. Test your users in IAM Identity Center (to create users, refer to Add users).

    Enable SAML in Amazon OpenSearch Service and copy the SAML parameters

    To configure SAML in OpenSearch Service, complete the following steps:

    1. On the OpenSearch Service console, choose Domains in the navigation pane.
    2. Choose your domain.
    3. On the Security configuration tab, confirm that Fine-grained access control is enabled.
    4. On the Actions menu, choose Edit security configuration.
    5. Select Enable SAML authentication.

    You can also configure SAML during domain creation if you are creating a new OpenSearch domain. For more information, refer to SAML authentication for OpenSearch Dashboards.

    6. Copy the values for Service provider entity ID and IdP-initiated SSO URL.

    Create a SAML application in IAM Identity Center

    To create a SAML application in IAM Identity Center, complete the following steps:

    1. On the IAM Identity Center console, choose Applications in the navigation pane.
    2. Choose Add application.
    3. Select Add custom SAML 2.0 application, then choose Next.
    4. Enter your application name for Display name.
    5. Under IAM Identity Center metadata, choose Download to download the SAML metadata file.
    6. Under Application metadata, select Manually type your metadata values.
    7. For Application ACS URL, enter the IdP-initiated SSO URL you copied earlier.
    8. For Application SAML audience, enter the service provider entity ID you copied earlier.
    9. Choose Submit.
    10. On the Actions menu, choose Edit attribute mappings.
    11. Create attributes and map the following values:
      1. Subject maps to ${user:email}; the format is emailAddress.
      2. Role maps to ${user:groups}; the format is unspecified.
    12. Choose Save changes.
    13. On the IAM Identity Center console, choose Groups in the navigation pane.
    14. Create two groups: Developer and Admin.
    15. Assign user janedoe to the group Admin.
    16. Assign user johnstiles to the group Developer.
    17. Open the Admin group and copy the group ID.

    Finish the SAML configuration and map the SAML primary backend role

    To complete your SAML configuration and map the SAML primary backend role, complete the following steps:

    1. On the OpenSearch Service console, choose Domains in the navigation pane.
    2. Open your domain and choose Edit security configuration.
    3. Under SAML authentication for OpenSearch Dashboards/Kibana, for Import IdP metadata, choose Import from XML file.
    4. Upload the IdP metadata file you downloaded from IAM Identity Center.

    The IdP entity ID is populated automatically.

    5. Under SAML master backend role, enter the group ID of the Admin group you copied earlier.
    6. For Roles key, enter Role for the SAML assertion.

    This is because we defined and mapped Role to ${user:groups} as a SAML attribute in IAM Identity Center.

    7. Choose Save changes.

    Configure backend role mapping for the Developer group

    You have now fully integrated IAM Identity Center with OpenSearch Service and mapped the Admin group as the primary role (all_access) in OpenSearch Service. Next, you log in to OpenSearch Dashboards as Admin and configure the mapping for the Developer group.

    There are two ways to log in to OpenSearch Dashboards:

    • OpenSearch Dashboards URL – On the OpenSearch Service console, navigate to your domain and choose the Dashboards URL under General information. (For example, https://opensearch-domain-name-random-keys.us-west-2.es.amazonaws.com/_dashboards)
    • AWS access portal URL – On the IAM Identity Center console, choose Dashboard in the navigation pane and choose the access portal URL under Settings summary. (For example, https://d-1234567abc.awsapps.com/start)

    Complete the following steps:

    1. Log in as the user in the Admin group (janedoe).
    2. Choose the tile for your OpenSearch Service application to be redirected to OpenSearch Dashboards.
    3. Choose the menu icon, then choose Security, Roles.
    4. Choose the alerting_full_access role and, on the Mapped users tab, choose Manage mapping.
    5. For Backend roles, enter the group ID of the Developer group.
    6. Choose Map to apply the change.

    You have now mapped the Developer group to the alerting_full_access role in OpenSearch Service.

    Verify permissions

    To verify permissions, complete the following steps:

    1. Log out of the Admin account in OpenSearch Service and log in as a Developer user.
    2. Choose the OpenSearch Service application tile to be redirected to OpenSearch Dashboards.

    You can see that only alerting-related features are available in the drop-down menu. This Developer user can't see any of the Admin features, such as Security.
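    To make the check above concrete, here is an added Python model (not code from the post or from AWS) of the mapping OpenSearch Service applies once the configuration is in place: it reads the NameID and the Role attribute (the Roles key) from a SAML assertion and resolves which security roles the user receives from the backend-role mapping, so a user whose group ID is not mapped gets no role at all. The sample assertion and the group IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES_KEY = "Role"  # the Roles key in the domain's SAML settings; mapped to ${user:groups} in IAM Identity Center

# OpenSearch role -> IAM Identity Center group IDs, as the post configures them: all_access via the
# SAML master backend role, alerting_full_access via the Dashboards role mapping.
# The group IDs are constructed placeholders, not real values.
BACKEND_ROLE_MAPPING = {
    "all_access": {"GROUPID-ADMIN-PLACEHOLDER"},
    "alerting_full_access": {"GROUPID-DEVELOPER-PLACEHOLDER"},
}

def parse_assertion(xml_text):
    """Return (subject, backend_roles): the NameID and every value of the Role attribute."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    backend_roles = set()
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLES_KEY:
            continue  # any other attribute is not a backend role
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                backend_roles.add(value.text.strip())
    return subject, backend_roles

def resolve_roles(backend_roles):
    """OpenSearch security roles whose backend-role mapping contains any of the user's group IDs."""
    return sorted(role for role, groups in BACKEND_ROLE_MAPPING.items() if groups & backend_roles)

def effective_roles(xml_text):
    """Subject and effective OpenSearch roles for one assertion; an unmapped group yields no roles."""
    subject, backend_roles = parse_assertion(xml_text)
    return subject, resolve_roles(backend_roles)

# Constructed sample assertion for the Developer user johnstiles (not a real capture).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">johnstiles@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>GROUPID-DEVELOPER-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

    Running effective_roles(SAMPLE_ASSERTION) yields johnstiles@example.com with only alerting_full_access, which is why that user sees just the alerting features in Dashboards.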

    Clean up

    After you test the solution, remember to delete all of the resources you created to avoid incurring future costs:

    1. Delete your Amazon OpenSearch Service domain.
    2. Delete the SAML application, users, and groups in IAM Identity Center.


    In this post, we walked through a solution for mapping roles in Amazon OpenSearch Service to groups in IAM Identity Center by using SAML attributes, achieving role-based access control for OpenSearch Dashboards. We connected IAM Identity Center users to OpenSearch Dashboards, and also mapped predefined OpenSearch Service security roles to IAM Identity Center groups based on group attributes. This makes it easier to manage permissions without updating the mapping when new users belonging to the same workgroup need to log in to OpenSearch Dashboards. You can follow the same procedure to provide fine-grained access to workgroups based on team functions or compliance requirements.

    About the Authors

    Scott Chang is a Solutions Architect at AWS based in San Francisco. He has over 14 years of hands-on experience in Networking and is also familiar with Security and Site Reliability Engineering. He works with one of the major strategic customers in the west region to design highly scalable, innovative, and secure cloud solutions.

    Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search applications and solutions. Muthu is interested in the topics of networking and security and is based out of Austin, Texas.
