AWS Architecture Blog

Building SAML federation for Amazon OpenSearch Service with Ping Identity

Amazon OpenSearch Service is an open search and log analytics service, powered by the Apache Lucene search library.

In this blog post, we provide step-by-step guidance for SP-initiated SSO by showing how to set up a trial Ping Identity account. We’ll show how to build users and groups within your organization’s directory and enable SSO in OpenSearch Dashboards.

To use this feature, you must enable fine-grained access control. Rather than authenticating through Amazon Cognito or the internal user database, SAML authentication for OpenSearch Dashboards lets you use third-party identity providers to log in.

Ping Identity is an AWS Competency Partner and the provider of the PingOne Cloud Platform, a multi-tenant Identity-as-a-Service (IDaaS) platform. Ping Identity supports both service provider (SP)-initiated and identity provider (IdP)-initiated SSO.

Overview of Ping Identity SAML authenticated solution

Figure 1 shows a sample architecture of a generic integrated solution between Ping Identity and OpenSearch Dashboards over SAML authentication.

Figure 1. SAML transactions between Amazon OpenSearch Service and Ping Identity

The sign-in flow is as follows:

  1. User opens browser window and navigates to OpenSearch Dashboards
  2. OpenSearch Service generates SAML authentication request
  3. OpenSearch Service redirects request back to browser
  4. Browser redirects to Ping Identity URL
  5. Ping Identity parses SAML request, authenticates user, and generates SAML response
  6. Ping Identity returns encoded SAML response to browser
  7. Browser sends SAML response back to OpenSearch Service Assertion Consumer Service (ACS) URL
  8. ACS verifies SAML response
  9. User logs into OpenSearch Service domain

Prerequisites

For this walkthrough, you should have the following prerequisites:

  1. An AWS account
  2. A virtual private cloud (VPC)-based OpenSearch Service domain with fine-grained access control enabled
  3. A Ping Identity account with a user and a group
  4. A browser with network connectivity to Ping Identity, the OpenSearch Service domain, and OpenSearch Dashboards

The steps in this post are structured into the following sections:

  1. Identity provider (Ping Identity) setup
  2. Prepare OpenSearch Service for SAML configuration
  3. Identity provider (Ping Identity) SAML configuration
  4. Finish OpenSearch Service for SAML configuration
  5. Validation
  6. Cleanup

Identity provider (Ping Identity) setup

Step 1: Sign up for a Ping Identity account

  • Sign up for a Ping Identity account, then click on the Sign up button to complete your account setup.
  • If you already have an account with Ping Identity, log in to your Ping Identity account.

Step 2: Create Population in Ping Identity

  • Choose Identities in the left menu and click Populations to proceed.
  • Click on the blue + button next to Populations, enter the Name as IT, choose Standard (default) from the Password Policy dropdown, then click on the Save button (see Figure 2).
Figure 2. Creating population in Ping Identity

Step 3: Create a group in Ping Identity

  • Choose Groups from the left menu and click on the blue + button next to Groups. For this example, we will create a group called opensearch for OpenSearch Dashboards access.
  • Enter Group Name = opensearch, then choose IT from Population dropdown (created in previous step).
  • Click on the Save button to complete the group creation.

Step 4: Create users in Ping Identity

  • Choose Users in left menu, then click the + Add User button.
  • Provide GIVEN NAME, FAMILY NAME, and EMAIL ADDRESS, and choose IT as the Population (created in Step 2). Choose your own USERNAME. Click on the SAVE button to create your user.
  • Add more users as needed.

Step 5: Assign role and group to users

  • Choose Identities in the left menu, then click on Users and click on the edit button for a particular user. You can also set a one-time password for a user by using Reset Password, as shown in Figure 3.
Figure 3. Assigning roles and groups to users in Ping Identity

  • Click on the Edit button, then on the + Add Role button, to assign a role to the user.
  • For this example, choose Environment Admin, as shown in Figure 4. You can choose different roles depending on your use case.
Figure 4. Assigning roles to users in Ping Identity

  • For this example, assign administrator responsibilities to our users. Click on Show Environments, and drag Administrators into the ADDED RESPONSIBILITIES section. Then click on the Add Role button.
  • Add Group to users. Go to the Groups tab, search for the opensearch group created in Step 3. Click on the + button next to opensearch to add into group memberships.

Prepare OpenSearch Service for SAML configuration

Once the OpenSearch Service domain is up and running, we can proceed with configuration.

  • Under Actions, choose Edit security configuration, as shown in Figure 5.
Figure 5. Enabling Amazon OpenSearch Service security configuration for SAML

  • Under SAML authentication for OpenSearch Dashboards/Kibana, select the Enable SAML authentication check box (Figure 6). When SAML is enabled, the console generates the URLs required for configuring SAML with your identity provider.
Figure 6. Amazon OpenSearch Service URLs for SAML configuration

We will be using the Service Provider entity ID and SP-initiated SSO URL as highlighted in Figure 6 for Ping Identity SAML configuration. We will complete the rest of the OpenSearch Service SAML configuration after the Ping Identity SAML configuration.

Ping Identity SAML configuration

Go back to PingIdentity.com, and navigate to Connections on the left menu. Then select Applications, and click on Application +.

  • For this example, we are creating an application called “opensearch”.
  • Select WEB APP as the APPLICATION TYPE, choose SAML as the CONNECTION TYPE, and click on the Configure button to proceed, as shown in Figure 7.
Figure 7. Configuring a new SAML application in Ping Identity

  • Enter the following under the Configure SAML Connection section:
    • Choose the “Manually Enter” option for Provide Application Metadata.
    • ACS URLs: https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs (SP-initiated SSO URL)
    • ENTITY ID: https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com (Service provider entity ID)
    • Then click on the Save button, as shown in Figure 8.
Figure 8. Configuring SAML connection in Ping Identity

  • Select the Attribute Mappings tab and enter the following by clicking on the edit icon on the right, followed by the +Add button. Then click on the Save button.
    • saml_subject = User ID (default option)
    • saml_group = select Group Names from the dropdown
    • saml_username = select Username from the dropdown
  • Select the Policies tab, click on the edit icon on the right, and then click on the +Add policies button.
    • Select the Single_Factor policy for the application, then click on the Add button, followed by the Save button.
  • Select the Access tab and click on the edit icon on the right.
    • Add the opensearch group to the application by clicking on +, then click on Save to complete the SAML configuration.
  • Finally, go to the Configuration tab, click on the Download Metadata button to download the Ping Identity metadata for the Amazon OpenSearch SAML configuration. Enable opensearch SAML application (Figure 9).
Figure 9. Downloading metadata in Ping Identity

OpenSearch Service SAML configuration

  • Switch back to OpenSearch Service domain:
    • Navigate to the OpenSearch Service console.
    • Click on Actions, then click on Modify Security configuration.
    • Select the Enable SAML authentication check box.
  • Under Import IdP metadata section:
    • Metadata from IdP: Import the Ping Identity identity provider metadata from the downloaded XML file, shown in Figure 10.
    • SAML master backend role: opensearch (the Ping Identity group). This is the group value that must appear under the role key of the SAML assertion for group-based SSO into Kibana.
Figure 10. Configuring Amazon OpenSearch Service SAML parameters

  • Under Optional SAML settings:
    • Leave the Subject Key as saml_subject from Ping Identity SAML application attribute name.
    • Role key should be saml_group. You can capture a sample assertion during the configuration process with a tool such as SAML-tracer, which helps you examine and troubleshoot the contents of real assertions.
    • Session time to live (mins): 60
  • Click on the Submit button to complete OpenSearch Service SAML configuration for Kibana. We have successfully completed SAML configuration and are now ready for testing.
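The same settings can be applied with the AWS CLI or SDK instead of the console. The following script is an added example, not code from the post or from Ping Identity: it reads the metadata XML downloaded from the Ping application (a constructed stand-in is embedded), checks that it carries an IdP entityID and a signing certificate, and builds the SAMLOptions payload for `aws opensearch update-domain-config --advanced-security-options`, using the walkthrough's names (master backend role opensearch, subject key saml_subject, role key saml_group, 60-minute session). The domain name and the PingOne URLs are placeholders.

```python
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the metadata file downloaded from the Ping "opensearch" application.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://auth.pingone.com/EXAMPLE-ENV-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://auth.pingone.com/EXAMPLE-ENV-ID/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_entity_id(metadata_xml: str) -> str:
    """Return the IdP entityID, refusing metadata the ACS could not use to verify responses."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    keys = root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
    # A KeyDescriptor without a "use" attribute is valid for signing as well.
    if not any(k.get("use", "signing") == "signing" for k in keys):
        raise ValueError("metadata has no signing certificate; SAML responses could not be verified")
    return root.get("entityID")


def saml_options(metadata_xml: str, backend_role: str = "opensearch", ttl_minutes: int = 60) -> dict:
    """Build the value for --advanced-security-options with the post's settings."""
    return {"SAMLOptions": {
        "Enabled": True,
        "Idp": {"MetadataContent": metadata_xml, "EntityId": idp_entity_id(metadata_xml)},
        "MasterBackendRole": backend_role,   # Ping group granted master access
        "SubjectKey": "saml_subject",        # assertion attribute holding the user ID
        "RolesKey": "saml_group",            # assertion attribute holding group names
        "SessionTimeoutMinutes": ttl_minutes,
    }}


if __name__ == "__main__":
    opts = saml_options(SAMPLE_METADATA)
    print("aws opensearch update-domain-config --domain-name <DOMAIN-NAME-PLACEHOLDER>",
          "--advanced-security-options", json.dumps(opts))
```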

Validating Access with Ping Identity Users

  • The OpenSearch Dashboards URL can be found in the Overview tab within “General Information” in the OpenSearch Service console (Figure 11). The first access to the OpenSearch Dashboards URL redirects you to the Ping Identity login screen.
Figure 11. Validating Ping Identity users access with Amazon OpenSearch Service

  • If your OpenSearch Service domain is hosted within a private VPC, you will not be able to access OpenSearch Dashboards over public internet. But you can still use SAML as long as your browser can communicate with both your OpenSearch Service cluster and your identity provider.
  • You can create a Mac or Windows EC2 instance within the same VPC and access OpenSearch Dashboards from an EC2 instance’s web browser to validate your SAML configuration. Or you can access your OpenSearch Dashboards through Site-to-Site VPN if you are trying to access it from your on-premises environment.
  • Now copy and paste the OpenSearch Dashboards URL in your browser, and enter user credentials.
  • After successful login, you will be redirected into the OpenSearch Dashboards home page. Explore our sample data and visualizations in OpenSearch Dashboards, as shown in Figure 12.
Figure 12. SAML authenticated OpenSearch Dashboards

  • You have successfully federated OpenSearch Dashboards with Ping Identity as an identity provider. You can connect OpenSearch Dashboards by using your Ping Identity credentials.
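If the login loops back to Ping or lands in Dashboards without permissions, the usual cause is a mismatch between the assertion and the domain settings (subject key, role key, master backend role, ACS URL, entity ID). The following checker is an added example, not part of the post: it takes a decoded SAML response as captured with SAML-tracer (a constructed, unsigned sample is embedded) and reports which of those settings the assertion does not satisfy. It does not validate the signature; the OpenSearch ACS does that. The domain URLs are the post's placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the domain's SAML configuration (placeholders, as in the post).
SP_ENTITY_ID = "https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com"
ACS_URL = SP_ENTITY_ID + "/_dashboards/_opendistro/_security/saml/acs"
SUBJECT_KEY, ROLES_KEY, MASTER_BACKEND_ROLE = "saml_subject", "saml_group", "opensearch"

# Constructed sample of a decoded response for a user in the opensearch group.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="saml_subject"><saml:AttributeValue>a1b2c3</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="saml_group"><saml:AttributeValue>opensearch</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="saml_username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes(response_xml: str) -> dict:
    """Map each assertion attribute Name to its list of values."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out


def check_response(response_xml: str) -> list:
    """Return the mismatches that would make the ACS reject the login or map the user to no role."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the SP-initiated SSO (ACS) URL")
    if SP_ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match the Service Provider entity ID")
    attrs = attributes(response_xml)
    if SUBJECT_KEY not in attrs:
        problems.append(f"no {SUBJECT_KEY} attribute: Subject Key will not resolve")
    if MASTER_BACKEND_ROLE not in attrs.get(ROLES_KEY, []):
        problems.append(f"{ROLES_KEY} does not carry {MASTER_BACKEND_ROLE}: user gets no backend role")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "assertion matches the domain's SAML settings")
```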

Cleaning up

After you test out this solution, remember to delete all the resources you created to avoid incurring future charges. Refer to these links:

Conclusion

In this blog post, we have demonstrated how to set up Ping Identity as an identity provider over SAML authentication for OpenSearch Dashboards access. With this solution, you now have OpenSearch Dashboards using Ping Identity as the custom identity provider for your users. This reduces the customer login process to one set of credentials and improves employee productivity.

Get started by checking the Amazon OpenSearch Service Developer Guide, which provides guidance on how to build applications using OpenSearch Service for your operational analytics.

Raghavarao Sodabathina

Raghavarao Sodabathina is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML, and Serverless Platform. He engages with customers to create innovative solutions that address customer business problems and to accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.

Jana Gnanachandran

Jana Gnanachandran is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML, and Serverless platforms. He helps AWS customers across numerous industries to design and build highly scalable, data-driven, analytical solutions to accelerate their cloud adoption. In his spare time, he enjoys playing tennis, 3D printing, and photography.