Construct SAML identification federation for Amazon OpenSearch Service domains inside a VPC

Amazon OpenSearch Service is a completely managed search and analytics service powered by the Apache Lucene search library that may be operated inside a digital personal cloud (VPC). A VPC is a digital community that’s devoted to your AWS account. It’s logically remoted from different digital networks within the AWS Cloud. Inserting an OpenSearch Service area inside a VPC permits a safe communication between OpenSearch Service and different companies throughout the VPC with out the necessity for an web gateway, NAT system, or a VPN connection. All visitors stays securely throughout the AWS Cloud, offering a secure surroundings to your information. To hook up with an OpenSearch Service area working inside a non-public VPC, enterprise prospects use considered one of two obtainable choices: both combine their VPC with their enterprise community by VPN or AWS Direct Join, or make the cluster endpoint publicly accessible by a reverse proxy. Seek advice from How can I entry OpenSearch Dashboards from outdoors of a VPC utilizing Amazon Cognito authentication for an in depth analysis of the obtainable choices and the corresponding professionals and cons.

For managing entry to OpenSearch Dashboards in enterprise prospects’ environments, OpenSearch Service helps Safety Assertion Markup Language (SAML) integration with the client’s present identification suppliers (IdPs) to supply single sign-on (SSO). Though SAML integration for publicly accessible OpenSearch Dashboards works out of the field, enabling SAML for OpenSearch Dashboards inside a VPC requires cautious design with numerous configurations.

This put up outlines an end-to-end answer for integrating SAML authentication for OpenSearch Service domains working in a VPC. It gives a step-by-step deployment guideline and is accompanied by AWS Cloud Improvement Package (AWS CDK) purposes, which automate all the mandatory configurations.

Overview of answer

The next diagram describes the step-by-step authentication stream for accessing a non-public OpenSearch Service area by SSO utilizing SAML identification federation. The entry is enabled over public web by personal NGINX reverse proxy servers working on Amazon Elastic Container Service (Amazon ECS) for prime availability.

The workflow consists of the next steps:

1. The consumer navigates to the OpenSearch Dashboards URL of their browser.
2. The browser resolves the area IP tackle and sends the request.
3. AWS WAF guidelines ensure that solely enable listed IP tackle ranges are allowed.
4. Utility Load Balancer forwards the request to NGINX reverse proxy.
5. NGINX provides the mandatory headers and forwards the request to OpenSearch Dashboards.
6. OpenSearch Dashboards detects that the request will not be authenticated. It replies with a redirect to the built-in SAML IdP for authentication.
7. The consumer is redirected to the SSO login web page.
8. The IdP verifies the consumer’s identification and generates a SAML assertion token.
9. The consumer is redirected again to the OpenSearch Dashboards URL.
10. The request goes by the Steps 1–5 once more till it reaches OpenSearch. This time, OpenSearch Dashboards detects the accompanying SAML assertion and permits the request.

Within the following sections, we arrange a NGINX reverse proxy in personal subnets to offer entry to OpenSearch Dashboards for a website deployed inside VPC personal subnets. We then allow SAML authentication for OpenSearch Dashboards utilizing a SAML 2.0 software and use a customized area endpoint to entry OpenSearch Dashboards to see the SAML authentication in motion.

Conditions

Earlier than you get began, full the prerequisite steps on this part.

Set up required instruments

First, set up the AWS CDK. For extra info, confer with the AWS CDK v2 Developer Information.

Put together required AWS assets

Full the next steps to arrange your AWS assets:

1. Create an AWS account.
2. Create an Amazon Route 53 public hosted zone resembling mydomain.com for use for routing web visitors to your area. For directions, confer with Making a public hosted zone.
3. Request an AWS Certificates Supervisor (ACM) public certificates for the hosted zone. For directions, confer with Requesting a public certificates.
4. Create a VPC with private and non-private subnets.
5. Allow AWS IAM Id Heart. For directions, confer with Allow IAM Id Heart.

Put together your OpenSearch Service cluster

This put up is accompanied with a standalone AWS CDK software (opensearch-domain) that deploys a pattern OpenSearch Service area in personal VPC subnets. The deployed area is for demonstration functions solely, and is optionally available.

When you’ve got an present OpenSearch Service area in VPC that you simply need to use for SAML integration, apply the next configurations:

1. On the Cluster configuration tab, select Edit and choose Allow customized endpoint within the Customized endpoint part.
2. For Customized hostname, enter a completely certified area identify (FQDN) resembling opensearch.mydomain.com, which you need to use to entry your cluster. Word that the area identify of the supplied FQDN (for instance, mydomain.com) have to be the identical as the general public hosted zone you created earlier.
3. For AWS certificates, select the SSL certificates you created earlier.
4. Within the Abstract part, optionally allow dry run evaluation and choose Dry run or deselect it and select Save modifications.

In any other case, obtain the accompanied opensearch-domain AWS CDK software and unzip it. Then, edit the cdk.json file on the basis of the unzipped folder and configure the required parameters:

• vpc_cidr – The CIDR block wherein to create the VPC. It’s possible you’ll depart the default of 10.0.0.0/16.
• opensearch_cluster_name – The identify of the OpenSearch Service cluster. It’s possible you’ll depart the default worth of opensearch. It is going to even be used, along with the hosted_zone_name parameter, to construct the FQDN of the customized area URL.
• hosted_zone_id – The Route 53 public hosted zone ID.
• hosted_zone_name – The Route 53 public hosted zone identify (for instance, mydomain.com). The consequence FQDN with the default instance values will then be opensearch.mydomain.com.

Lastly, run the next instructions to deploy the AWS CDK software:

cd opensearch-domain

# Create a Python surroundings and set up the reuired dependencies
python3 -m venv .venv
supply .venv/bin/activate
pip set up -r requirements-dev.txt
pip set up -r necessities.txt

# Deploy the CDK software
cdk deploy

With the stipulations in place, confer with the next sections for a step-by-step information to deploy this answer.

Create a SAML 2.0 software

We use IAM Id Heart because the supply of identification for our SAML integration. The identical configuration ought to apply to different SAML 2.0-compliant IdPs. Seek the advice of your IdP documentation.

1. On the IAM Id Heart console, select Teams within the navigation pane.
2. Create a brand new group referred to as Opensearch Admin, and add customers to it.
   This would be the SAML group that receives full permissions in OpenSearch Dashboards. Be aware of the group ID.
3. Select Purposes within the navigation pane.
4. Create a brand new customized SAML 2.0 software.
5. Obtain the IAM Id Heart SAML metadata file to make use of in a later step.
6. For Utility begin URL, enter [Custom Domain URL]/_dashboards/.
   The customized area URL consists of communication protocol (https://) adopted by the FQDN, which you used to your OpenSearch Service cluster within the stipulations (for instance, https://opensearch.mydomain.com). Look underneath your OpenSearch Service cluster configurations, if doubtful.
7. For Utility ACS URL, enter [Custom Domain URL]/_dashboards/_opendistro/_security/saml/acs.
8. For Utility SAML viewers, enter [Custom Domain URL] (with none trailing slash).
   
9. Select Submit.
10. Within the Assigned customers part, choose Opensearch Admin and select Assign Customers.
11. On the Actions menu, select Edit attribute mappings.
12. Outline attribute mappings as proven within the following screenshot and select Save modifications.

Deploy the AWS CDK software

Full the next steps to deploy the AWS CDK software:

1. Obtain and unzip the opensearch-domain-saml-integration AWS CDK software.
2. Add your personal SSL key and certificates to AWS Secrets and techniques Supervisor and create two secrets and techniques referred to as Key and Crt. For instance, see the next code:

   KEY=$(cat personal.key | base64) && aws secretsmanager create-secret --name Key --secret-string $KEY
   CRT=$(cat certificates.crt | base64) && aws secretsmanager create-secret --name Crt --secret-string $CRT

   You should utilize the next command to generate a self-signed certificates. That is for testing solely; don’t use this for manufacturing environments.

   openssl req -new -newkey rsa:4096 -days 1095 -nodes -x509 -subj '/' -keyout personal.key -out certificates.crt

3. Edit the cdk.json file and set the required parameters contained in the nested config object:

• aws_region – The goal AWS Area to your deployment (for instance, eu-central-1).
• vpc_id – The ID of the VPC into which the OpenSearch Service area has been deployed.
• opensearch_cluster_security_group_id – The ID of the safety group utilized by the OpenSearch Service area or some other safety group that enables inbound connections to that area on port 80 and 443. This group ID shall be utilized by the Utility Load Balancer to ahead visitors to your OpenSearch Service area.
• hosted_zone_id – The Route 53 public hosted zone ID.
• hosted_zone – The Route 53 public hosted zone identify (for instance, mydomain.com).
• opensearch_custom_domain_name – An FQDN resembling opensearch.mydomain.com, which you need to use to entry your cluster. Word that the area identify of the supplied FQDN (mydomain.com) have to be the identical because the hosted_zone parameter.
• opensearch_custom_domain_certificate_arn – The ARN of the certificates saved in ACM.
• opensearch_domain_endpoint – The OpenSearch Service VPC area endpoint (for instance, vpc-opensearch-abc123.eu-central-1.es.amazonaws.com).
• vpc_dns_resolver – This have to be 10.0.0. in case your VPC CIDR is 10.0.0.0/16. See Amazon DNS server for additional particulars.
• alb_waf_ip_whitelist_cidrs – That is an optionally available checklist of zero or extra IP CIDR ranges that shall be robotically enable listed in AWS WAF to allow entry to the OpenSearch Service area. If not specified, after the deployment you will have to manually add related IP CIDR ranges to the AWS WAF IP set to permit entry. For instance, ["1.2.3.4/32", "5.6.7.0/24"].

4. Deploy the OpenSearch Service area SAML integration AWS CDK software:

   cd opensearch-domain-saml-integration
   
   # Create a Python surroundings and set up the required dependencies
   python3 -m venv .venv
   supply .venv/bin/activate
   pip set up -r requirements-dev.txt
   pip set up -r necessities.txt
   
   # Deploy the CDK software
   cdk deploy

Allow SAML authentication to your OpenSearch Service cluster

When the appliance deployment is full, allow SAML authentication to your cluster:

1. On the OpenSearch Service console, navigate to your area.
2. On the Safety configuration tab, select Edit.
3. Choose Allow SAML authentication.
4. Select Import from XML file and import the IAM Id Heart SAML metadata file that you simply downloaded in an earlier step.
5. For SAML grasp backend position, use the group ID you saved earlier.
6. Increase the Extra settings part and for Roles, enter the SAML 2.0 attribute identify you mapped earlier whenever you created the SAML 2.0 software in AWS Id Heart.
7. Configure the area entry coverage for SAML integration.
8. Submit modifications and look ahead to OpenSearch Service to use the configurations earlier than continuing to the following part.

Take a look at the answer

Full the next steps to see the answer in motion:

1. On the IAM Id Heart console, select Dashboard within the navigation pane.
2. Within the Settings abstract part, select the hyperlink underneath AWS entry portal URL.
3. Sign up together with your consumer identify and password (register your password if that is your first login).
   In case your account was efficiently added to the admin group, a SAML software emblem is seen.
4. Select Customized SAML 2.0 software to be redirected to the OpenSearch Service dashboards by SSO with none further login makes an attempt.
   Alternatively, you would skip logging in to the entry portal and straight level your browser to the OpenSearch Dashboards URL. In that case, OpenSearch Dashboards would first redirect you to the entry portal to log in, which might redirect you again to the OpenSearch Dashboards UI after a profitable login, leading to the identical end result as proven within the following screenshot.

Troubleshooting

Your public-facing IP have to be enable listed by the AWS WAF rule, in any other case a 403 Forbidden error shall be returned. Enable checklist your IP CIDR vary by way of the AWS CDK alb_waf_ip_whitelist_cidrs property as described within the set up information and redeploy the AWS CDK software for modifications to take impact.

Clear up

Whenever you’re completed with this configuration, clear up the assets to keep away from future expenses.

1. On the OpenSearch Service console, navigate to the Safety configuration tab of your OpenSearch Service area and select Edit.
2. Deselect Allow SAML authentication and select Save modifications.
3. After the Amazon SAML integration is disabled, delete the opensearch-domain-saml-integration stack utilizing cdk destroy.
4. Optionally, in the event you used the supplied OpenSearch Service pattern AWS CDK stack (opensearch-domain), delete it utilizing cdk destroy.

Conclusion

OpenSearch Service permits enterprise prospects to make use of their most popular federated IdPs resembling SAML utilizing IAM Id Heart for clusters working inside personal VPC subnets following AWS greatest practices.

On this put up, we confirmed you learn how to combine an OpenSearch Service area inside a VPC with an present SAML IdP for SSO entry to OpenSearch Dashboards utilizing IAM Id Heart. The supplied answer securely manages community entry to the assets utilizing AWS WAF to limit entry solely to approved community segments or particular IP addresses.

To get began, confer with How can I entry OpenSearch Dashboards from outdoors of a VPC utilizing Amazon Cognito authentication for additional comparability of OpenSearch Service area in personal VPC entry patterns.

In regards to the Authors

Mahdi Ebrahimi is a Senior Cloud Infrastructure Architect with Amazon Internet Providers. He excels in designing distributed, highly-available software program programs. Mahdi is devoted to delivering cutting-edge options that empower his prospects to innovate within the quickly evolving panorama within the automotive trade.

Dmytro Protsiv is a Cloud Purposes Architect for with Amazon Internet Providers. He’s enthusiastic about serving to prospects to resolve their enterprise challenges round software modernization.

Luca Menichetti is a Huge Information Architect with Amazon Internet Providers. He helps prospects develop performant and reusable options to course of information at scale. Luca is passioned about managing organisation’s information structure, enabling information analytics and machine studying. Having labored across the Hadoop ecosystem for a decade, he actually enjoys tackling issues in NoSQL environments.

Krithivasan Balasubramaniyan is a Principal Marketing consultant with Amazon Internet Providers. He permits world enterprise prospects of their digital transformation journey and helps architect cloud native options.

Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search purposes and options. Muthu is within the subjects of networking and safety, and relies out of Austin, Texas.