Amazon OpenSearch Service is a completely managed search and analytics service powered by the Apache Lucene search library that may be operated inside a digital non-public cloud (VPC). A VPC is a digital community that’s devoted to your AWS account. It’s logically remoted from different digital networks within the AWS Cloud. Putting an OpenSearch Service area inside a VPC allows a safe communication between OpenSearch Service and different companies throughout the VPC with out the necessity for an web gateway, NAT system, or a VPN connection. All site visitors stays securely throughout the AWS Cloud, offering a protected surroundings to your knowledge. To hook up with an OpenSearch Service area working inside a non-public VPC, enterprise prospects use certainly one of two obtainable choices: both combine their VPC with their enterprise community by VPN or AWS Direct Join, or make the cluster endpoint publicly accessible by a reverse proxy. Seek advice from How can I entry OpenSearch Dashboards from outdoors of a VPC utilizing Amazon Cognito authentication for an in depth analysis of the obtainable choices and the corresponding execs and cons.
For managing entry to OpenSearch Dashboards in enterprise prospects’ environments, OpenSearch Service helps Safety Assertion Markup Language (SAML) integration with the shopper’s present identification suppliers (IdPs) to supply single sign-on (SSO). Though SAML integration for publicly accessible OpenSearch Dashboards works out of the field, enabling SAML for OpenSearch Dashboards inside a VPC requires cautious design with varied configurations.
This publish outlines an end-to-end answer for integrating SAML authentication for OpenSearch Service domains working in a VPC. It offers a step-by-step deployment guideline and is accompanied by AWS Cloud Growth Package (AWS CDK) purposes, which automate all the mandatory configurations.
Overview of answer
The next diagram describes the step-by-step authentication movement for accessing a non-public OpenSearch Service area by SSO utilizing SAML identification federation. The entry is enabled over public web by non-public NGINX reverse proxy servers working on Amazon Elastic Container Service (Amazon ECS) for prime availability.
The workflow consists of the next steps:
- The person navigates to the OpenSearch Dashboards URL of their browser.
- The browser resolves the area IP handle and sends the request.
- AWS WAF guidelines be sure that solely enable listed IP handle ranges are allowed.
- Software Load Balancer forwards the request to NGINX reverse proxy.
- NGINX provides the mandatory headers and forwards the request to OpenSearch Dashboards.
- OpenSearch Dashboards detects that the request isn’t authenticated. It replies with a redirect to the built-in SAML IdP for authentication.
- The person is redirected to the SSO login web page.
- The IdP verifies the person’s identification and generates a SAML assertion token.
- The person is redirected again to the OpenSearch Dashboards URL.
- The request goes by the Steps 1–5 once more till it reaches OpenSearch. This time, OpenSearch Dashboards detects the accompanying SAML assertion and permits the request.
Within the following sections, we arrange a NGINX reverse proxy in non-public subnets to supply entry to OpenSearch Dashboards for a site deployed inside VPC non-public subnets. We then allow SAML authentication for OpenSearch Dashboards utilizing a SAML 2.0 software and use a customized area endpoint to entry OpenSearch Dashboards to see the SAML authentication in motion.
Conditions
Earlier than you get began, full the prerequisite steps on this part.
Set up required instruments
First, set up the AWS CDK. For extra info, consult with the AWS CDK v2 Developer Information.
Put together required AWS assets
Full the next steps to arrange your AWS assets:
- Create an AWS account.
- Create an Amazon Route 53 public hosted zone reminiscent of
mydomain.com
for use for routing web site visitors to your area. For directions, consult with Making a public hosted zone. - Request an AWS Certificates Supervisor (ACM) public certificates for the hosted zone. For directions, consult with Requesting a public certificates.
- Create a VPC with private and non-private subnets.
- Allow AWS IAM Identification Middle. For directions, consult with Allow IAM Identification Middle.
Put together your OpenSearch Service cluster
This publish is accompanied with a standalone AWS CDK software (opensearch-domain) that deploys a pattern OpenSearch Service area in non-public VPC subnets. The deployed area is for demonstration functions solely, and is optionally available.
When you have an present OpenSearch Service area in VPC that you simply need to use for SAML integration, apply the next configurations:
- On the Cluster configuration tab, select Edit and choose Allow customized endpoint within the Customized endpoint part.
- For Customized hostname, enter a completely certified area title (FQDN) reminiscent of
opensearch.mydomain.com
, which you need to use to entry your cluster. Observe that the area title of the offered FQDN (for instance,mydomain.com
) have to be the identical as the general public hosted zone you created earlier. - For AWS certificates, select the SSL certificates you created earlier.
- Within the Abstract part, optionally allow dry run evaluation and choose Dry run or deselect it and select Save adjustments.
In any other case, obtain the accompanied opensearch-domain AWS CDK software and unzip it. Then, edit the cdk.json
file on the basis of the unzipped folder and configure the required parameters:
- vpc_cidr – The CIDR block through which to create the VPC. It’s possible you’ll depart the default of 10.0.0.0/16.
- opensearch_cluster_name – The title of the OpenSearch Service cluster. It’s possible you’ll depart the default worth of
opensearch
. It is going to even be used, along with thehosted_zone_name
parameter, to construct the FQDN of the customized area URL. - hosted_zone_id – The Route 53 public hosted zone ID.
- hosted_zone_name – The Route 53 public hosted zone title (for instance,
mydomain.com
). The outcome FQDN with the default instance values will then beopensearch.mydomain.com
.
Lastly, run the next instructions to deploy the AWS CDK software:
With the conditions in place, consult with the next sections for a step-by-step information to deploy this answer.
Create a SAML 2.0 software
We use IAM Identification Middle because the supply of identification for our SAML integration. The identical configuration ought to apply to different SAML 2.0-compliant IdPs. Seek the advice of your IdP documentation.
- On the IAM Identification Middle console, select Teams within the navigation pane.
- Create a brand new group known as
Opensearch Admin
, and add customers to it.
This would be the SAML group that receives full permissions in OpenSearch Dashboards. Be aware of the group ID. - Select Functions within the navigation pane.
- Create a brand new customized SAML 2.0 software.
- Obtain the IAM Identification Middle SAML metadata file to make use of in a later step.
- For Software begin URL, enter
[Custom Domain URL]/_dashboards/
.
The customized area URL consists of communication protocol (https://) adopted by the FQDN, which you used to your OpenSearch Service cluster within the conditions (for instance, https://opensearch.mydomain.com). Look underneath your OpenSearch Service cluster configurations, if unsure. - For Software ACS URL, enter
[Custom Domain URL]/_dashboards/_opendistro/_security/saml/acs
. - For Software SAML viewers, enter
[Custom Domain URL]
(with none trailing slash). - Select Submit.
- Within the Assigned customers part, choose Opensearch Admin and select Assign Customers.
- On the Actions menu, select Edit attribute mappings.
- Outline attribute mappings as proven within the following screenshot and select Save adjustments.
Deploy the AWS CDK software
Full the next steps to deploy the AWS CDK software:
- Obtain and unzip the opensearch-domain-saml-integration AWS CDK software.
- Add your non-public SSL key and certificates to AWS Secrets and techniques Supervisor and create two secrets and techniques known as
Key
andCrt
. For instance, see the next code:You should use the next command to generate a self-signed certificates. That is for testing solely; don’t use this for manufacturing environments.
- Edit the
cdk.json
file and set the required parameters contained in the nestedconfig
object:
- aws_region – The goal AWS Area to your deployment (for instance,
eu-central-1
). - vpc_id – The ID of the VPC into which the OpenSearch Service area has been deployed.
- opensearch_cluster_security_group_id – The ID of the safety group utilized by the OpenSearch Service area or every other safety group that enables inbound connections to that area on port 80 and 443. This group ID shall be utilized by the Software Load Balancer to ahead site visitors to your OpenSearch Service area.
- hosted_zone_id – The Route 53 public hosted zone ID.
- hosted_zone – The Route 53 public hosted zone title (for instance,
mydomain.com
). - opensearch_custom_domain_name – An FQDN reminiscent of
opensearch.mydomain.com
, which you need to use to entry your cluster. Observe that the area title of the offered FQDN (mydomain.com
) have to be the identical because thehosted_zone
parameter. - opensearch_custom_domain_certificate_arn – The ARN of the certificates saved in ACM.
- opensearch_domain_endpoint – The OpenSearch Service VPC area endpoint (for instance,
vpc-opensearch-abc123.eu-central-1.es.amazonaws.com
). - vpc_dns_resolver – This have to be 10.0.0. in case your VPC CIDR is 10.0.0.0/16. See Amazon DNS server for additional particulars.
- alb_waf_ip_whitelist_cidrs – That is an optionally available checklist of zero or extra IP CIDR ranges that shall be routinely enable listed in AWS WAF to allow entry to the OpenSearch Service area. If not specified, after the deployment you will want to manually add related IP CIDR ranges to the AWS WAF IP set to permit entry. For instance,
["1.2.3.4/32", "5.6.7.0/24"]
.
- Deploy the OpenSearch Service area SAML integration AWS CDK software:
Allow SAML authentication to your OpenSearch Service cluster
When the appliance deployment is full, allow SAML authentication to your cluster:
- On the OpenSearch Service console, navigate to your area.
- On the Safety configuration tab, select Edit.
- Choose Allow SAML authentication.
- Select Import from XML file and import the IAM Identification Middle SAML metadata file that you simply downloaded in an earlier step.
- For SAML grasp backend position, use the group ID you saved earlier.
- Broaden the Further settings part and for Roles, enter the SAML 2.0 attribute title you mapped earlier while you created the SAML 2.0 software in AWS Identification Middle.
- Configure the area entry coverage for SAML integration.
- Submit adjustments and anticipate OpenSearch Service to use the configurations earlier than continuing to the following part.
Take a look at the answer
Full the next steps to see the answer in motion:
- On the IAM Identification Middle console, select Dashboard within the navigation pane.
- Within the Settings abstract part, select the hyperlink underneath AWS entry portal URL.
- Check in together with your person title and password (register your password if that is your first login).
In case your account was efficiently added to the admin group, a SAML software brand is seen. - Select Customized SAML 2.0 software to be redirected to the OpenSearch Service dashboards by SSO with none further login makes an attempt.
Alternatively, you may skip logging in to the entry portal and instantly level your browser to the OpenSearch Dashboards URL. In that case, OpenSearch Dashboards would first redirect you to the entry portal to log in, which might redirect you again to the OpenSearch Dashboards UI after a profitable login, leading to the identical consequence as proven within the following screenshot.
Troubleshooting
Your public-facing IP have to be enable listed by the AWS WAF rule, in any other case a 403 Forbidden error shall be returned. Permit checklist your IP CIDR vary through the AWS CDK alb_waf_ip_whitelist_cidrs
property as described within the set up information and redeploy the AWS CDK software for adjustments to take impact.
Clear up
If you’re completed with this configuration, clear up the assets to keep away from future fees.
- On the OpenSearch Service console, navigate to the Safety configuration tab of your OpenSearch Service area and select Edit.
- Deselect Allow SAML authentication and select Save adjustments.
- After the Amazon SAML integration is disabled, delete the
opensearch-domain-saml-integration
stack utilizingcdk destroy
. - Optionally, when you used the offered OpenSearch Service pattern AWS CDK stack (
opensearch-domain
), delete it utilizingcdk destroy
.
Conclusion
OpenSearch Service permits enterprise prospects to make use of their most popular federated IdPs reminiscent of SAML utilizing IAM Identification Middle for clusters working inside non-public VPC subnets following AWS finest practices.
On this publish, we confirmed you find out how to combine an OpenSearch Service area inside a VPC with an present SAML IdP for SSO entry to OpenSearch Dashboards utilizing IAM Identification Middle. The offered answer securely manages community entry to the assets utilizing AWS WAF to limit entry solely to licensed community segments or particular IP addresses.
To get began, consult with How can I entry OpenSearch Dashboards from outdoors of a VPC utilizing Amazon Cognito authentication for additional comparability of OpenSearch Service area in non-public VPC entry patterns.
Concerning the Authors
Mahdi Ebrahimi is a Senior Cloud Infrastructure Architect with Amazon Internet Providers. He excels in designing distributed, highly-available software program methods. Mahdi is devoted to delivering cutting-edge options that empower his prospects to innovate within the quickly evolving panorama within the automotive trade.
Dmytro Protsiv is a Cloud Functions Architect for with Amazon Internet Providers. He’s keen about serving to prospects to resolve their enterprise challenges round software modernization.
Luca Menichetti is a Massive Information Architect with Amazon Internet Providers. He helps prospects develop performant and reusable options to course of knowledge at scale. Luca is passioned about managing organisation’s knowledge structure, enabling knowledge analytics and machine studying. Having labored across the Hadoop ecosystem for a decade, he actually enjoys tackling issues in NoSQL environments.
Krithivasan Balasubramaniyan is a Principal Guide with Amazon Internet Providers. He allows international enterprise prospects of their digital transformation journey and helps architect cloud native options.
Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search purposes and options. Muthu is within the subjects of networking and safety, and relies out of Austin, Texas.