
Build SAML identity federation for Amazon OpenSearch Service domains within a VPC


Amazon OpenSearch Service is a fully managed search and analytics service powered by the Apache Lucene search library that can be operated within a virtual private cloud (VPC). A VPC is a virtual network dedicated to your AWS account, logically isolated from other virtual networks in the AWS Cloud. Placing an OpenSearch Service domain inside a VPC enables secure communication between OpenSearch Service and other services across the VPC without the need for an internet gateway, NAT device, or VPN connection. All traffic stays within the AWS Cloud, providing a protected environment for your data. To connect to an OpenSearch Service domain running inside a private VPC, enterprise customers use one of two available options: either integrate their VPC with their corporate network through VPN or AWS Direct Connect, or make the cluster endpoint publicly accessible through a reverse proxy. Refer to How can I access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication for a detailed evaluation of the available options and their pros and cons.

For managing access to OpenSearch Dashboards in enterprise customers' environments, OpenSearch Service supports Security Assertion Markup Language (SAML) integration with the customer's existing identity providers (IdPs) to provide single sign-on (SSO). Although SAML integration for publicly accessible OpenSearch Dashboards works out of the box, enabling SAML for OpenSearch Dashboards inside a VPC requires careful design and several coordinated configurations.

This post outlines an end-to-end solution for integrating SAML authentication for OpenSearch Service domains running in a VPC. It provides a step-by-step deployment guide and is accompanied by AWS Cloud Development Kit (AWS CDK) applications, which automate all the necessary configurations.

Overview of solution

The following diagram describes the step-by-step authentication flow for accessing a private OpenSearch Service domain through SSO using SAML identity federation. Access is enabled over the public internet through private NGINX reverse proxy servers running on Amazon Elastic Container Service (Amazon ECS) for high availability.

(Diagram: authentication flow for SAML identity federation to an Amazon OpenSearch Service domain within a VPC)

The workflow consists of the following steps:

  1. The user navigates to the OpenSearch Dashboards URL in their browser.
  2. The browser resolves the domain IP address and sends the request.
  3. AWS WAF rules ensure that only allow listed IP address ranges are permitted.
  4. Application Load Balancer forwards the request to the NGINX reverse proxy.
  5. NGINX adds the necessary headers and forwards the request to OpenSearch Dashboards.
  6. OpenSearch Dashboards detects that the request isn't authenticated and replies with a redirect to the integrated SAML IdP for authentication.
  7. The user is redirected to the SSO login page.
  8. The IdP verifies the user's identity and generates a SAML assertion.
  9. The IdP redirects the user's browser back to the OpenSearch Dashboards URL carrying the SAML response.
  10. The request goes through Steps 1–5 again until it reaches OpenSearch. This time, OpenSearch Dashboards validates the accompanying SAML assertion and allows the request.

In the following sections, we set up an NGINX reverse proxy in private subnets to provide access to OpenSearch Dashboards for a domain deployed inside VPC private subnets. We then enable SAML authentication for OpenSearch Dashboards using a SAML 2.0 application and use a custom domain endpoint to access OpenSearch Dashboards to see the SAML authentication in action.

Prerequisites

Before you get started, complete the prerequisite steps in this section.

Install required tools

First, install the AWS CDK. For more information, refer to the AWS CDK v2 Developer Guide.

Prepare required AWS resources

Complete the following steps to set up your AWS resources:

  1. Create an AWS account.
  2. Create an Amazon Route 53 public hosted zone such as mydomain.com to be used for routing internet traffic to your domain. For instructions, refer to Creating a public hosted zone.
  3. Request an AWS Certificate Manager (ACM) public certificate for the hosted zone. For instructions, refer to Requesting a public certificate.
  4. Create a VPC with public and private subnets.
  5. Enable AWS IAM Identity Center. For instructions, refer to Enable IAM Identity Center.

Prepare your OpenSearch Service cluster

This post is accompanied by a standalone AWS CDK application (opensearch-domain) that deploys a sample OpenSearch Service domain in private VPC subnets. The deployed domain is for demonstration purposes only, and is optional.

If you have an existing OpenSearch Service domain in a VPC that you want to use for SAML integration, apply the following configurations:

  1. On the Cluster configuration tab, choose Edit and select Enable custom endpoint in the Custom endpoint section.
  2. For Custom hostname, enter a fully qualified domain name (FQDN) such as opensearch.mydomain.com, which you want to use to access your cluster. Note that the domain name of the provided FQDN (for example, mydomain.com) must be the same as the public hosted zone you created earlier.
  3. For AWS certificate, choose the SSL certificate you created earlier.
  4. In the Summary section, optionally enable dry run analysis and choose Dry run, or deselect it and choose Save changes.

Otherwise, download the accompanying opensearch-domain AWS CDK application and unzip it. Then, edit the cdk.json file at the root of the unzipped folder and configure the required parameters:

  • vpc_cidr – The CIDR block in which to create the VPC. You may leave the default of 10.0.0.0/16.
  • opensearch_cluster_name – The name of the OpenSearch Service cluster. You may leave the default value of opensearch. It is also used, together with the hosted_zone_name parameter, to build the FQDN of the custom domain URL.
  • hosted_zone_id – The Route 53 public hosted zone ID.
  • hosted_zone_name – The Route 53 public hosted zone name (for example, mydomain.com). The resulting FQDN with the default example values is then opensearch.mydomain.com.

Finally, run the following commands to deploy the AWS CDK application:

cd opensearch-domain

# Create a Python environment and install the required dependencies
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements-dev.txt
pip install -r requirements.txt

# Deploy the CDK application
cdk deploy

With the prerequisites in place, refer to the following sections for a step-by-step guide to deploying this solution.

Create a SAML 2.0 application

We use IAM Identity Center as the source of identity for our SAML integration. The same configuration should apply to other SAML 2.0-compliant IdPs. Consult your IdP documentation.

  1. On the IAM Identity Center console, choose Groups in the navigation pane.
  2. Create a new group called Opensearch Admin, and add users to it.
    This will be the SAML group that receives full permissions in OpenSearch Dashboards. Note the group ID.
  3. Choose Applications in the navigation pane.
  4. Create a new custom SAML 2.0 application.
  5. Download the IAM Identity Center SAML metadata file to use in a later step.
  6. For Application start URL, enter [Custom Domain URL]/_dashboards/.
    The custom domain URL consists of the communication protocol (https://) followed by the FQDN that you used for your OpenSearch Service cluster in the prerequisites (for example, https://opensearch.mydomain.com). Look under your OpenSearch Service cluster configuration if unsure.
  7. For Application ACS URL, enter [Custom Domain URL]/_dashboards/_opendistro/_security/saml/acs.
  8. For Application SAML audience, enter [Custom Domain URL] (without any trailing slash).
  9. Choose Submit.
  10. In the Assigned users section, select Opensearch Admin and choose Assign Users.
  11. On the Actions menu, choose Edit attribute mappings.
  12. Define the attribute mappings: the Subject, and an attribute that carries the user's group membership, whose name you enter later as the Roles key on the domain. Then choose Save changes.

Deploy the AWS CDK application

Complete the following steps to deploy the AWS CDK application:

  1. Download and unzip the opensearch-domain-saml-integration AWS CDK application.
  2. Upload your private SSL key and certificate to AWS Secrets Manager and create two secrets called Key and Crt. For example, see the following code (each value is base64-encoded onto a single line and quoted so that the shell does not split it):
    KEY=$(base64 < private.key | tr -d '\n') && aws secretsmanager create-secret --name Key --secret-string "$KEY"
    CRT=$(base64 < certificate.crt | tr -d '\n') && aws secretsmanager create-secret --name Crt --secret-string "$CRT"

    You can use the following command to generate a self-signed certificate. This is for testing only; don't use it in production environments.

    openssl req -new -newkey rsa:4096 -days 1095 -nodes -x509 -subj '/' -keyout private.key -out certificate.crt

  3. Edit the cdk.json file and set the required parameters inside the nested config object:
  • aws_region – The target AWS Region for your deployment (for example, eu-central-1).
  • vpc_id – The ID of the VPC into which the OpenSearch Service domain has been deployed.
  • opensearch_cluster_security_group_id – The ID of the security group used by the OpenSearch Service domain, or any other security group that allows inbound connections to that domain on ports 80 and 443. The Application Load Balancer uses this security group ID to forward traffic to your OpenSearch Service domain.
  • hosted_zone_id – The Route 53 public hosted zone ID.
  • hosted_zone – The Route 53 public hosted zone name (for example, mydomain.com).
  • opensearch_custom_domain_name – An FQDN such as opensearch.mydomain.com, which you want to use to access your cluster. Note that the domain name of the provided FQDN (mydomain.com) must be the same as the hosted_zone parameter.
  • opensearch_custom_domain_certificate_arn – The ARN of the certificate stored in ACM.
  • opensearch_domain_endpoint – The OpenSearch Service VPC domain endpoint (for example, vpc-opensearch-abc123.eu-central-1.es.amazonaws.com).
  • vpc_dns_resolver – This must be 10.0.0.2 if your VPC CIDR is 10.0.0.0/16 (the Amazon-provided DNS server is the VPC network address plus two). See Amazon DNS server for further details.
  • alb_waf_ip_whitelist_cidrs – An optional list of zero or more IP CIDR ranges that are automatically allow listed in AWS WAF to permit access to the OpenSearch Service domain. If not specified, after the deployment you need to manually add the relevant IP CIDR ranges to the AWS WAF IP set to allow access. For example, ["1.2.3.4/32", "5.6.7.0/24"].
  4. Deploy the OpenSearch Service domain SAML integration AWS CDK application:
    cd opensearch-domain-saml-integration
    
    # Create a Python environment and install the required dependencies
    python3 -m venv .venv
    source .venv/bin/activate
    pip install -r requirements-dev.txt
    pip install -r requirements.txt
    
    # Deploy the CDK application
    cdk deploy
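
Before running cdk deploy, the rules the parameter list states can be checked mechanically. The following Python script is an added example and is not part of the opensearch-domain-saml-integration app; the sample config values are constructed and follow the post's opensearch.mydomain.com pattern. It derives the expected vpc_dns_resolver from the VPC CIDR, checks that the custom domain name sits under the hosted zone, checks that the domain endpoint and certificate ARN belong to the target Region, and flags an empty or malformed WAF allow list (the cause of the 403 covered under Troubleshooting).

```python
"""Pre-flight check for the `config` object in cdk.json of the SAML-integration
CDK app. Added example, not part of the CDK application itself."""
import ipaddress
import re

# Constructed sample config following the post's example values.
SAMPLE_CONFIG = {
    "aws_region": "eu-central-1",
    "vpc_id": "vpc-0123456789abcdef0",
    "opensearch_cluster_security_group_id": "sg-0123456789abcdef0",
    "hosted_zone_id": "Z0123456789EXAMPLE",
    "hosted_zone": "mydomain.com",
    "opensearch_custom_domain_name": "opensearch.mydomain.com",
    "opensearch_custom_domain_certificate_arn":
        "arn:aws:acm:eu-central-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "opensearch_domain_endpoint": "vpc-opensearch-abc123.eu-central-1.es.amazonaws.com",
    "vpc_dns_resolver": "10.0.0.2",
    "alb_waf_ip_whitelist_cidrs": ["203.0.113.7/32", "198.51.100.0/24"],
}


def vpc_dns_resolver(vpc_cidr):
    """Amazon-provided DNS server: the VPC network address plus two (10.0.0.2 for 10.0.0.0/16)."""
    return str(ipaddress.ip_network(vpc_cidr, strict=True).network_address + 2)


def check_config(config, vpc_cidr):
    """Return a list of findings; an empty list means the parameters are consistent."""
    findings = []
    region = config.get("aws_region", "")

    # The custom domain name must be a record inside the public hosted zone.
    zone = config.get("hosted_zone", "").rstrip(".").lower()
    fqdn = config.get("opensearch_custom_domain_name", "").rstrip(".").lower()
    if not (zone and fqdn.endswith("." + zone)):
        findings.append(f"{fqdn!r} is not a name under hosted zone {zone!r}")

    # The endpoint is the bare VPC hostname of the domain in the target Region (no scheme, no path).
    endpoint = config.get("opensearch_domain_endpoint", "")
    if "/" in endpoint or not (endpoint.startswith("vpc-") and f".{region}." in endpoint):
        findings.append(f"{endpoint!r} is not a bare VPC domain endpoint in {region!r}")

    # ACM certificates are regional; the ALB can only use one from its own Region.
    arn = config.get("opensearch_custom_domain_certificate_arn", "")
    if not re.fullmatch(rf"arn:aws[a-z-]*:acm:{re.escape(region)}:\d{{12}}:certificate/[0-9a-f-]+", arn):
        findings.append(f"{arn!r} is not an ACM certificate ARN in {region!r}")

    # The resolver the proxy uses is the VPC's Amazon-provided DNS server.
    expected = vpc_dns_resolver(vpc_cidr)
    if config.get("vpc_dns_resolver") != expected:
        findings.append(f"vpc_dns_resolver must be {expected} for VPC CIDR {vpc_cidr}")

    # WAF IP sets take CIDR ranges; strict=True rejects host bits set outside the mask.
    allow = config.get("alb_waf_ip_whitelist_cidrs", [])
    for cidr in allow:
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"{cidr!r} is not a valid CIDR range")
    if not allow:
        findings.append("alb_waf_ip_whitelist_cidrs is empty: every request gets 403 "
                        "until the WAF IP set is populated by hand")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG, "10.0.0.0/16") or ["config OK"]:
        print(finding)
```

Run it against the values you intend to put into cdk.json; a non-empty result is cheaper to act on than a failed or half-working stack.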

Enable SAML authentication for your OpenSearch Service cluster

When the application deployment is complete, enable SAML authentication for your cluster:

  1. On the OpenSearch Service console, navigate to your domain.
  2. On the Security configuration tab, choose Edit.
  3. Select Enable SAML authentication.
  4. Choose Import from XML file and import the IAM Identity Center SAML metadata file that you downloaded in an earlier step.
  5. For SAML master backend role, enter the group ID you noted earlier.
  6. Expand the Additional settings section and for Roles key, enter the SAML 2.0 attribute name you mapped earlier when you created the SAML 2.0 application in IAM Identity Center.
  7. Configure the domain access policy for SAML integration.
  8. Submit the changes and wait for OpenSearch Service to apply the configuration before proceeding to the next section.
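
The checks below, as an added example that is not OpenSearch's own code, show what the IdP application settings (Application ACS URL, SAML audience, attribute mapping) and the domain settings (SAML master backend role, Roles key) control once the SAML response from step 9 of the workflow arrives at the ACS endpoint. The hostname opensearch.mydomain.com follows the post; the group ID, the attribute name Role, the issuer URL and the response itself are constructed. Signature verification against the IdP certificate from the imported metadata, which OpenSearch performs before anything else, is deliberately left out because it needs an XML-DSig library; never skip it in a real service provider.

```python
"""Checks on a SAML response that the settings above determine. Added example,
not OpenSearch's own code. Signature verification is deliberately absent."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values from the configuration steps; group ID and attribute name are assumed examples.
SP_ENTITY_ID = "https://opensearch.mydomain.com"   # Application SAML audience, no trailing slash
ACS_URL = SP_ENTITY_ID + "/_dashboards/_opendistro/_security/saml/acs"
ROLES_KEY = "Role"                                  # attribute mapped in the IdP, entered as Roles key
ADMIN_GROUP_ID = "e4b8c2d0-0000-4000-8000-000000000000"   # group ID used as SAML master backend role
NOW = datetime(2024, 9, 2, 10, 1, tzinfo=timezone.utc)

# Constructed, unsigned response of the shape the IdP posts to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-09-02T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-09-02T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-09-02T10:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-09-02T09:59:00Z" NotOnOrAfter="2024-09-02T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLES_KEY}"><saml:AttributeValue>{ADMIN_GROUP_ID}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class SamlCheck:
    subject: str = ""
    roles: list = field(default_factory=list)
    is_admin: bool = False
    findings: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.findings


def check_saml_response(xml_text, acs_url, sp_entity_id, roles_key, admin_backend_role, now):
    """Destination, audience, validity-window and role checks an SP makes after the signature check."""
    root = ET.fromstring(xml_text)
    res = SamlCheck()
    # Destination must equal the ACS URL registered as Application ACS URL in the IdP.
    if root.get("Destination") != acs_url:
        res.findings.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        res.findings.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        res.findings.append("no Assertion element")
        return res
    # Audience is compared byte for byte with the SP entity ID; a trailing slash fails.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        res.findings.append(f"Audience {audience!r} != SP entity ID {sp_entity_id!r}")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if cond is None or (nb and now < _ts(nb)) or (na and now >= _ts(na)):
        res.findings.append("assertion is not valid at this time")
    # Bearer confirmation must name this ACS URL and not be expired (limits replay).
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    exp = scd.get("NotOnOrAfter") if scd is not None else None
    if scd is None or scd.get("Recipient") != acs_url or (exp and now >= _ts(exp)):
        res.findings.append("SubjectConfirmationData recipient/expiry check failed")
    res.subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    # Backend roles come from the attribute whose name is the configured Roles key.
    res.roles = [v.text for v in assertion.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{roles_key}']/saml:AttributeValue", NS)]
    res.is_admin = admin_backend_role in res.roles
    return res
```

Running the same response against an SP entity ID of https://opensearch.mydomain.com/ (trailing slash) produces an Audience finding, which is why step 8 of the IdP application setup insists on no trailing slash; a user whose groups do not include the master backend role ID passes the checks but arrives without admin rights.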

Test the solution

Complete the following steps to see the solution in action:

  1. On the IAM Identity Center console, choose Dashboard in the navigation pane.
  2. In the Settings summary section, choose the link under AWS access portal URL.
  3. Sign in with your user name and password (register your password if this is your first login).
    If your account was successfully added to the admin group, a SAML application logo is visible.
  4. Choose Custom SAML 2.0 application to be redirected to OpenSearch Dashboards through SSO without any additional login attempts.
    Alternatively, you can skip logging in to the access portal and point your browser directly to the OpenSearch Dashboards URL. In that case, OpenSearch Dashboards first redirects you to the access portal to log in, which redirects you back to the OpenSearch Dashboards UI after a successful login, with the same result.

Troubleshooting

Your public-facing IP address must be allow listed by the AWS WAF rule; otherwise, a 403 Forbidden error is returned. Allow list your IP CIDR range through the AWS CDK alb_waf_ip_whitelist_cidrs property as described in the installation guide and redeploy the AWS CDK application for the changes to take effect.

Clean up

When you're finished with this configuration, clean up the resources to avoid future charges.

  1. On the OpenSearch Service console, navigate to the Security configuration tab of your OpenSearch Service domain and choose Edit.
  2. Deselect Enable SAML authentication and choose Save changes.
  3. After SAML authentication is disabled, delete the opensearch-domain-saml-integration stack using cdk destroy.
  4. Optionally, if you used the provided OpenSearch Service sample AWS CDK stack (opensearch-domain), delete it using cdk destroy.

Conclusion

OpenSearch Service allows enterprise customers to use their preferred SAML 2.0 identity providers, such as IAM Identity Center, for clusters running inside private VPC subnets following AWS best practices.

In this post, we showed you how to integrate an OpenSearch Service domain inside a VPC with an existing SAML IdP for SSO access to OpenSearch Dashboards using IAM Identity Center. The provided solution manages network access to the resources using AWS WAF to restrict access to authorized network segments or specific IP addresses only.

To get started, refer to How can I access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication for a further comparison of access patterns for OpenSearch Service domains in private VPCs.


About the Authors

Mahdi Ebrahimi is a Senior Cloud Infrastructure Architect with Amazon Web Services. He excels in designing distributed, highly available software systems. Mahdi is dedicated to delivering cutting-edge solutions that empower his customers to innovate in the rapidly evolving landscape of the automotive industry.

Dmytro Protsiv is a Cloud Applications Architect with Amazon Web Services. He is passionate about helping customers solve their business challenges around application modernization.

Luca Menichetti is a Big Data Architect with Amazon Web Services. He helps customers develop performant and reusable solutions to process data at scale. Luca is passionate about managing an organisation's data architecture, enabling data analytics and machine learning. Having worked around the Hadoop ecosystem for a decade, he really enjoys tackling problems in NoSQL environments.

Krithivasan Balasubramaniyan is a Principal Consultant with Amazon Web Services. He enables global enterprise customers in their digital transformation journey and helps architect cloud native solutions.

Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search applications and solutions. Muthu is interested in the topics of networking and security, and is based out of Austin, Texas.
