Use Amazon OpenSearch Service with Kibana for Identity Federation – Auth0
September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service.
Editor’s note: This is the second of a two-part series on the APN Blog. Read Part 1.
By Najah Naaji, Solutions Architect at AWS
By Tatsuro Handa, Cloud Support Engineer at AWS
In this APN Blog series, we are looking at how to use Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) with Kibana for identity federation. This is our second post in the series, and we’ll walk you through the integration of Auth0 with OpenSearch using OpenID Connect (OIDC).
Auth0 is an AWS Competency Partner and popular Identity-as-a-Service (IDaaS) solution.
You can establish trust between an Amazon Cognito User Pool and an OIDC-compatible Identity Provider (IdP), such as Google, Salesforce, and many others. With Amazon Cognito User Pool, you can extend your company’s directory so that users of OIDC providers are able to sign in to Kibana with the same security credentials.
Here, you will use Auth0 as the IdP to integrate with Amazon Cognito to sign in to Amazon OpenSearch Service and the Kibana dashboard.
The following diagram shows the architecture we’ll build through this post.
Step 1: Create Auth0 Application
- Before starting, please create an Auth0 account if you don’t have one.
- Log in to Auth0 with your Auth0 credentials.
- In the left pane, select Applications, and then choose Create Application.
- For Name, type App.
- Select Regular Web Applications.
- Choose Create.
Your created web application will look like this:
Step 2: Set Up Amazon Cognito User Pool
Before federating Auth0 authentication with a user pool, we need to prepare both a user pool and an identity pool. This post from the AWS Database Blog shows how to set up a user pool and identity pool for Kibana on Amazon OpenSearch Service. For this example, we named the Cognito User Pool “Auth0.”
Follow these steps to create the OpenSearch domain.
Configure Cognito User Pool
Create a Cognito domain name for the hosted authentication UI that OpenSearch redirects to. The domain prefix must be unique within each Region.
Configure the Amazon Cognito Domain
- In Amazon Cognito, navigate to your Auth0 User Pool.
- In the App integration section of the navigation pane, choose Domain Name.
- For Domain prefix, type auth0. Note that we used “auth0” as an example; please use a unique domain name in that Region. The format of the domain name is https://<CognitoDomainPrefix>.auth.<region>.amazoncognito.com.
- Choose Check Availability.
- Choose Save Changes to create the domain.
Configure Identity Providers
- In the Federations section of the navigation pane, choose Identity Providers.
- Select OpenID Connect.
- Fill in the OpenID Connect fields as follows:
  - Provider name: auth0
  - Client ID: use the value from the Settings section of your application’s details page in Auth0
  - Client secret (optional): use the value from the Settings section of your application’s details page in Auth0
  - Attributes request method: POST
  - Authorize scope: openid email
- For Issuer, type your Auth0 hosting URL, which looks like this by default: https://kibana.auth0.com. Please replace “kibana” with the domain you have created in Auth0, and choose Run Discovery. Wait for the discovery to run successfully.
- Choose Create Provider.
Configure Attribute Mapping
You will need to configure attribute mapping to map Auth0-provided attributes to user pool attributes.
Go to the Attribute mapping page of your Amazon Cognito console. Notice that on the OIDC tab, email is the user’s email address returned from the IdP and sub is the user’s unique identifier.
Configure the App Client Settings
- In the App Integration section of the navigation pane, choose App Client Settings.
- For Enabled Identity Providers, select Auth0 to enable federation.
- In the OAuth 2.0 section, make the following selections:
  - For Allowed OAuth Flows, select Authorization Code Grant.
  - For Allowed OAuth Scopes, select Email and OpenID.
Add the Cognito User Pool Domain to Auth0 Application Settings
- Log into the Auth0 website with your credentials.
- Choose Applications from the left pane.
- Choose Settings for the application you configured.
- For Token Endpoint Authentication Method, choose Post.
- For Allowed Callback URLs, copy and paste the following URL, replacing <CognitoDomainPrefix> and <region> with your Amazon Cognito domain prefix and Region: https://<CognitoDomainPrefix>.auth.<region>.amazoncognito.com/oauth2/idpresponse.
- Choose Save Changes.
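The Issuer/Run Discovery step, the Authorization Code Grant and Email/OpenID settings, and the Token Endpoint Authentication Method and callback URL above all depend on what the IdP advertises in its OIDC discovery document. This added pre-flight check (example code, not from the post or from AWS/Auth0) validates those settings against a constructed sample discovery document and builds the callback URL that must be registered exactly in Auth0; the tenant name kibana and region us-east-1 are assumptions.

```python
# Added example (not from the AWS post): pre-flight checks for the OIDC values
# entered above. The discovery document is a constructed sample shaped like the
# one an Auth0 tenant publishes at <issuer>/.well-known/openid-configuration.
import json
from urllib.parse import urlparse

SAMPLE_DISCOVERY = json.dumps({                       # constructed sample document
    "issuer": "https://kibana.auth0.com/",
    "authorization_endpoint": "https://kibana.auth0.com/authorize",
    "token_endpoint": "https://kibana.auth0.com/oauth/token",
    "jwks_uri": "https://kibana.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def cognito_callback_url(domain_prefix: str, region: str) -> str:
    """Allowed Callback URL that must be registered exactly in the Auth0 application."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/idpresponse"


def check_discovery(configured_issuer: str, discovery_json: str,
                    scopes=("openid", "email")) -> list:
    """Return the problems found; an empty list means the settings on this page are supported."""
    doc = json.loads(discovery_json)
    problems = []
    # OIDC Discovery: the document's issuer must equal the URL it was fetched under.
    # Only a trailing slash is tolerated, since this page types the issuer without one.
    if doc.get("issuer", "").rstrip("/") != configured_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {configured_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key, "")
        if urlparse(url).scheme != "https":        # endpoints must exist and be TLS-protected
            problems.append(f"{key} missing or not https: {url!r}")
    # Allowed OAuth Flows = Authorization Code Grant needs the "code" response type.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    # Auth0 'Token Endpoint Authentication Method: Post' is client_secret_post;
    # the spec default when the key is absent is client_secret_basic only.
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported",
                                           ["client_secret_basic"]):
        problems.append("token endpoint does not accept client_secret_post")
    # Allowed OAuth Scopes = Email and OpenID; compared only when scopes_supported is present.
    missing = set(scopes) - set(doc.get("scopes_supported", scopes))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems
```

Against a live tenant, fetch `<issuer>/.well-known/openid-configuration` and pass its body in place of the sample; any non-empty result explains why Run Discovery or the later login would fail.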
Step 3: Confirm Access with Auth0 User
Access the Kibana endpoint of the OpenSearch cluster you created earlier. The Kibana URL can be found in the Overview tab within “My Domains” of the OpenSearch console. The first time you access the Kibana URL, you are redirected to the Cognito hosted UI endpoint, which offers the option to select the appropriate corporate ID.
Next, choose Auth0 as the corporate ID. You are redirected to the identity provider Auth0 to authenticate; log in with the username and password you created in Auth0. After login, you are redirected to the Kibana dashboard.
In this post, we provided the integration steps for Amazon OpenSearch Service and Kibana with Auth0 (OIDC) using Amazon Cognito pools for enterprise authentication.
You can also customize your login page and configure advanced security with Amazon Cognito. For more information, see the Amazon OpenSearch Service documentation.
Please check out the first post in our APN Blog series: Using Amazon OpenSearch Service with Kibana for Identity Federation – Active Directory.