An AWS managed OpenSearch domain with SAML authentication enabled. Reference here
Always set up self-managed dashboards version 2.14.0 to disable the version check that is causing connectivity issues during B/G. Once the docker container with version 2.14.0 is running, add the following setting to the opensearch_dashboards.yml file to ensure the version check is disabled.
opensearch.ignoreVersionMismatch: true
- Create an EC2 instance within the identical VPC where the managed service OpenSearch domain is operating to run the self-managed dashboards and capture its endpoint.
- Create a new Application in your
IDPwith the self-managed dashboards endpoint which would generate a new IDP metadata - Copy the new IDP metadata of the newly created application and paste it into the IDP metadata text box found in the
Configure identity provider (IdP)section within the security configuration tab of the managed service domain in aws console - Replace the self-managed dashboards url in the security configuration file with the self-managed dashboards’ endpoint. The purpose of this is to guarantee that after the user is authenticated in IDP, the redirection occurs to the self-managed dashboards instead of the managed service dashboards.
Important
Customers do not have access to modify the security configuration file hence raise a support ticket to request a change to the self-managed URL endpoint
Refer here. By running this API call _opendistro/_security/api/securityconfig, customer can validate the kibana_url changes in security configuration file.
- Install docker and its dependencies on the EC2 instance
- Use the attched
docker-compose.ymlfile and run the self-managed opensearch dashboards - After the container is up and running, access it by using the command
docker exec -it <CONTAINER ID> bashand then modify theopensearch_dashboards.ymlfile by adding the SAML specific attributes. Once the modifications are made, restart the container usingdocker restart <CONTAINER ID>. Find the sampleopensearch_dashboards.ymlattached for reference. Additional Reference here - Post container restart you can access the self-managed OpenSearch Dashboards by hitting the EC2 endpoint with port 5601. By doing so, you can conveniently view and interact with all the saved objects in accordance with the Fine-Grained Access Control settings and SAML authentication.
Caution
If the endpoint is transitioned to self-managed dashboards and the customer intends to revert to the managed service dashboards endpoint, they must repeat the same procedure, which involves altering the kibana_url in the security configuration file back to the managed service dashboards endpoint. Until this change is made, the managed service dashboards endpoint will remain inaccessible.
Note
When using docker in EC2 instance, the self-managed OpenSearch Dashboards cannot be accessed over the internet. It is only accessible by machines within the same VPC.
- https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html
- https://opensearch.org/docs/latest/security/authentication-backends/saml/
- https://www.youtube.com/watch?v=TgnHBz4i63M
- https://www.youtube.com/watch?v=liJO_jOiIF8
- https://opster.com/guides/opensearch/opensearch-security/how-to-set-up-single-sign-on-using-saml/