Sunday, October 15, 2023

Role-based access control in Amazon OpenSearch Service via SAML integration with AWS IAM Identity Center


Amazon OpenSearch Service is a managed service that makes it easy to secure, deploy, and operate OpenSearch clusters at scale in the AWS Cloud. AWS IAM Identity Center (successor to AWS Single Sign-On) helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. To build a strong least-privilege security posture, customers also wanted fine-grained access control to manage dashboard permissions by user role. In this post, we demonstrate a step-by-step procedure to connect IAM Identity Center to OpenSearch Service via native SAML integration, and to configure role-based access control in OpenSearch Dashboards by using group attributes in IAM Identity Center. You can follow the steps in this post to achieve both authentication and authorization for OpenSearch Service based on the groups configured in IAM Identity Center.

Solution overview

Let's review how to map users and groups in IAM Identity Center to OpenSearch Service security roles. Backend roles in OpenSearch Service are used to map external identities or attributes of workgroups to pre-defined OpenSearch Service security roles.

The following diagram shows the solution architecture. Create two groups, assign a user to each group, and edit attribute mappings in IAM Identity Center. If you have integrated IAM Identity Center with your Identity Provider (IdP), you can use existing users and groups mapped to your IdP for this test. The solution uses two roles: all_access for administrators, and alerting_full_access for developers who are only allowed to manage OpenSearch Service alerts. You can set up backend role mapping in OpenSearch Dashboards by group ID. Based on the following diagram, you map the role all_access to the group Admin, and alerting_full_access to Developer. User janedoe is in the group Admin, and user johnstiles is in the group Developer.

Then you log in as each user to verify the access control by looking at the different dashboard views.

Let's get started!

Prerequisites

Complete the following prerequisite steps:

  1. Have an AWS account.
  2. Have an Amazon OpenSearch Service domain.
  3. Enable IAM Identity Center in the same Region as the OpenSearch Service domain.
  4. Test your users in IAM Identity Center (to create users, refer to Add users).

Enable SAML in Amazon OpenSearch Service and copy SAML parameters

To configure SAML in OpenSearch Service, complete the following steps:

  1. On the OpenSearch Service console, choose Domains in the navigation pane.
  2. Choose your domain.
  3. On the Security configuration tab, confirm that Fine-grained access control is enabled.
  4. On the Actions menu, choose Edit security configuration.
  5. Select Enable SAML authentication.

You can also configure SAML during domain creation if you are creating a new OpenSearch domain. For more information, refer to SAML authentication for OpenSearch Dashboards.

  6. Copy the values for Service provider entity ID and IdP-initiated SSO URL.

Create a SAML application in IAM Identity Center

To create a SAML application in IAM Identity Center, complete the following steps:

  1. On the IAM Identity Center console, choose Applications in the navigation pane.
  2. Choose Add application.
  3. Select Add custom SAML 2.0 application, then choose Next.
  4. Enter your application name for Display name.
  5. Under IAM Identity Center metadata, choose Download to download the SAML metadata file.
  6. Under Application metadata, select Manually type your metadata values.
  7. For Application ACS URL, enter the IdP-initiated SSO URL you copied earlier.
  8. For Application SAML audience, enter the service provider entity ID you copied earlier.
  9. Choose Submit.
  10. On the Actions menu, choose Edit attribute mappings.
  11. Create attributes and map the following values:
    1. Subject maps to ${user:email}; the format is emailAddress.
    2. Role maps to ${user:groups}; the format is unspecified.
  12. Choose Save changes.
  13. On the IAM Identity Center console, choose Groups in the navigation pane.
  14. Create two groups: Developer and Admin.
  15. Assign user janedoe to the group Admin.
  16. Assign user johnstiles to the group Developer.
  17. Open the Admin group and copy the group ID.

Finish SAML configuration and map the SAML primary backend role

To complete your SAML configuration and map the SAML primary backend role, complete the following steps:

  1. On the OpenSearch Service console, choose Domains in the navigation pane.
  2. Open your domain and choose Edit security configuration.
  3. Under SAML authentication for OpenSearch Dashboards/Kibana, for Import IdP metadata, choose Import from XML file.
  4. Upload the IdP metadata file you downloaded from IAM Identity Center.

The IdP entity ID will be auto-populated.

  5. Under SAML master backend role, enter the group ID of the Admin group you copied earlier.
  6. For Roles key, enter Role for the SAML assertion.

This is because we defined and mapped Role to ${user:groups} as a SAML attribute in IAM Identity Center; the Roles key must match that attribute name exactly.

  7. Choose Save changes.

Configure backend role mapping for the Developer group

You have now fully integrated IAM Identity Center with OpenSearch Service and mapped the Admin group as the primary role (all_access) in OpenSearch Service. Next, you log in to OpenSearch Dashboards as Admin and configure the mapping for the Developer group.

There are two ways to log in to OpenSearch Dashboards:

  • OpenSearch Dashboards URL – On the OpenSearch Service console, navigate to your domain and choose the Dashboards URL under General information. (For example, https://opensearch-domain-name-random-keys.us-west-2.es.amazonaws.com/_dashboards)
  • AWS access portal URL – On the IAM Identity Center console, choose Dashboard in the navigation pane and choose the access portal URL under Settings summary. (For example, https://d-1234567abc.awsapps.com/start)

Complete the following steps:

  1. Log in as the user in the Admin group (janedoe).
  2. Choose the tile for your OpenSearch Service application to be redirected to OpenSearch Dashboards.
  3. Choose the menu icon, then choose Security, Roles.
  4. Choose the alerting_full_access role and, on the Mapped users tab, choose Manage mapping.
  5. For Backend roles, enter the group ID of Developer.
  6. Choose Map to apply the change.

Now you have successfully mapped the Developer group to the alerting_full_access role in OpenSearch Service.
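To make the two mappings above concrete (the Subject/Role attribute mapping in IAM Identity Center, and the backend-role mapping by group ID in OpenSearch Dashboards), here is an added example, not code from the original post or from AWS, that parses a constructed SAML assertion and resolves its Role values to OpenSearch security roles. The group IDs and the user's email address are placeholders.

```python
# Added example (not from the original post): parse a SAML assertion the way the
# Dashboards SAML login does, using this post's mapping (Subject = ${user:email},
# Role = ${user:groups}, Roles key = "Role"), then resolve the group IDs in Role
# against the backend-role mapping configured above.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES_KEY = "Role"  # must match the "Roles key" entered in the OpenSearch Service console
# Placeholder group IDs; real ones are copied from the Groups page in IAM Identity Center.
ADMIN_GROUP_ID = "PLACEHOLDER-ADMIN-GROUP-ID"
DEVELOPER_GROUP_ID = "PLACEHOLDER-DEVELOPER-GROUP-ID"
# all_access <- Admin group (SAML master backend role), alerting_full_access <- Developer group
BACKEND_ROLE_MAPPING = {
    "all_access": {ADMIN_GROUP_ID},
    "alerting_full_access": {DEVELOPER_GROUP_ID},
}

# Constructed, minimal (unsigned) assertion for johnstiles, who is in the Developer group.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">johnstiles@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>{DEVELOPER_GROUP_ID}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text, roles_key=ROLES_KEY):
    """Return (subject, backend_roles). A user in several groups gets several
    AttributeValue elements under the Role attribute, so collect all of them."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    backend_roles = [
        value.text.strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == roles_key
        for value in attr.findall("saml:AttributeValue", NS)
        if value.text
    ]
    return subject, backend_roles


def resolve_roles(backend_roles, mapping=BACKEND_ROLE_MAPPING):
    """Security roles granted: a role is granted when any of the user's backend
    roles (group IDs) is mapped to it. Unmapped groups grant nothing."""
    return sorted(role for role, groups in mapping.items() if groups & set(backend_roles))
```

A user whose Role attribute carries only an unmapped group ID resolves to no security roles at all, which is the least-privilege default you want when a new group is added in IAM Identity Center before its mapping exists.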

Verify permissions

To verify permissions, complete the following steps:

  1. Log out of the Admin account in OpenSearch Service and log in as a Developer user.
  2. Choose the OpenSearch Service application tile to be redirected to OpenSearch Dashboards.

You can see that only alerting-related features are available in the drop-down menu. This Developer user can't see the Admin features, such as Security.

Clean up

After you test the solution, remember to delete all of the resources you created to avoid incurring future charges:

  1. Delete your Amazon OpenSearch Service domain.
  2. Delete the SAML application, users, and groups in IAM Identity Center.

Conclusion

In this post, we walked through a solution for mapping roles in Amazon OpenSearch Service to groups in IAM Identity Center by using SAML attributes, to achieve role-based access control for accessing OpenSearch Dashboards. We connected IAM Identity Center users to OpenSearch Dashboards, and also mapped predefined OpenSearch Service security roles to IAM Identity Center groups based on group attributes. This makes it easier to manage permissions without updating the mapping when new users belonging to the same workgroup need to log in to OpenSearch Dashboards. You can follow the same procedure to provide fine-grained access to workgroups based on team functions or compliance requirements.


About the Authors

Scott Chang is a Solutions Architect at AWS based in San Francisco. He has over 14 years of hands-on experience in networking and is also familiar with security and Site Reliability Engineering. He works with one of the major strategic customers in the west region to design highly scalable, innovative, and secure cloud solutions.

Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search applications and solutions. Muthu is interested in the topics of networking and security and is based out of Austin, Texas.


