Saturday, December 14, 2024


Amazon OpenSearch Serverless is a serverless, fully managed, open-source search and analytics platform. With Amazon OpenSearch Serverless, you can run large-scale search and analytics workloads without managing the underlying infrastructure; the service handles the heavy lifting of operating petabyte-scale OpenSearch clusters. This scalability supports workloads of up to 30 terabytes of time-series data for collections, simplifying operations and reducing administrative overhead. Amazon OpenSearch Serverless provides an OpenSearch Dashboards installation with each index created.

The network configuration for an OpenSearch Serverless collection determines how the collection can be reached over the network. You can make the collection publicly accessible over the internet from anywhere, or restrict access to private connectivity through OpenSearch Serverless managed endpoints. This network access setting can be configured separately for the OpenSearch endpoint, used for data operations, and the OpenSearch Dashboards endpoint, used for visualizing and analyzing data. We use a publicly accessible OpenSearch Serverless collection for this post.

SAML lets users access multiple applications or organizations with a single set of login credentials, streamlining authentication and eliminating separate sign-ins for each application. Consolidating credentials into a single identity improves the user experience and reduces the administrative burden of credential management. SAML authentication is supported for OpenSearch Serverless: to access a serverless collection’s OpenSearch Dashboards, you can use your existing identity provider (IdP) to provide single sign-on for all relevant endpoints. OpenSearch Serverless supports IdPs that comply with the SAML 2.0 standard, including AWS IAM Identity Center, Okta, Keycloak, Active Directory Federation Services (AD FS), and Auth0. This SAML authentication mechanism is designed exclusively for accessing the OpenSearch Dashboards interface through a web browser.

This post provides a step-by-step guide to configuring SAML authentication for a public OpenSearch Dashboards endpoint, using Keycloak as the identity provider (IdP).

Solution overview

The following diagram illustrates the solution architecture for authenticating users to OpenSearch Dashboards using single sign-on (SSO) with Keycloak.

Want to achieve seamless authentication and authorization for users accessing your Amazon OpenSearch Serverless instance through Keycloak? One effective approach is to set up a SAML (Security Assertion Markup Language) federation between the two services.

To initiate this integration, first create an Identity Provider (IdP) in Keycloak. This IdP authenticates users and issues SAML assertions that your OpenSearch Serverless instance consumes. Next, configure Amazon OpenSearch Serverless to act as a Service Provider (SP) that expects incoming SAML assertions from the Keycloak IdP.

Here’s a step-by-step guide to setting up this SAML federation:

1. **Configure Keycloak**: In your Keycloak realm, go to the “Realm Settings” and enable the “SAML” protocol.
2. **Create a SAML Service Provider**: In Keycloak, navigate to “Realm Settings” > “Protocols” > “SAML” and click “Add new service provider”. Fill in the required details, such as the OpenSearch Serverless instance’s Entity ID and Single Sign-On URL.
3. **Configure Amazon OpenSearch Serverless**: In your Amazon OpenSearch Serverless dashboard, navigate to the “Security” tab and enable “SAML” authentication. Specify the Keycloak IdP’s Entity ID and Single Sign-On URL.

By following these steps, you establish a SAML federation between your Keycloak Identity Provider and your Amazon OpenSearch Serverless instance. This integration enables single sign-on (SSO) for users accessing your OpenSearch Serverless instance, streamlining authentication and authorization.

The sign-in process includes the following steps:

  1. A user accesses OpenSearch Dashboards in a web browser and selects an identity provider (IdP) from the available options.
  2. OpenSearch Serverless generates a SAML authentication request.
  3. OpenSearch Serverless redirects the request back to the user’s browser.
  4. The browser redirects the user to the selected IdP (Keycloak). Keycloak presents a customizable login page where the user enters their credentials.
  5. When authentication succeeds, Keycloak sends the SAML response to the browser.
  6. The browser relays the SAML assertion back to OpenSearch Serverless.
  7. OpenSearch Serverless verifies the SAML assertion and authenticates the user, granting access to OpenSearch Dashboards.

Prerequisites

Before you begin, make sure you meet the following requirements:

  1. An active OpenSearch Serverless collection.
  2. A running Keycloak server, deployed on premises or in a cloud environment.
  3. The following permissions, which are required to configure SAML authentication in OpenSearch Serverless:
    • aoss:CreateSecurityConfig – Create a SAML provider.
    • aoss:ListSecurityConfig – List all SAML providers in the current account.
    • aoss:GetSecurityConfig – View SAML provider information.
    • aoss:UpdateSecurityConfig – Modify a SAML provider configuration, including its XML metadata.
    • aoss:DeleteSecurityConfig – Delete a SAML provider.

You can create a new client in Keycloak by following these steps:

1. Log in to your Keycloak instance as an admin user.
2. Open the Realm dropdown menu at the top right corner of the page, then select “Clients” from the list.

Alternatively, click “Add realm” and follow the wizard to create a new realm for the client.

3. On the Clients tab, click the “Create” button to create a new client.
4. Fill in the required fields such as Name, Username, Email, First Name, Last Name, and so on.
5. You can also add other details such as phone number, address, job title, and department.

To create your Keycloak client:

Implement a custom Keycloak client by extending the AbstractClient class. This lets you define your own logic for authenticating users and obtaining their attributes.

1. Create a new Java class that extends AbstractClient. This class should implement the following methods:
– `getAttributes()`: Returns a map of user attributes, which can be used to populate user profiles or perform other operations.
– `authenticate(user)`: Authenticates the given user and returns a boolean indicating whether authentication succeeded.

2. In your client implementation, call the `execute()` method on an instance of the `ClientExecution` class for each user being authenticated.

3. For each user, perform the following steps:
– Call the `setUser(user)` method on the `ClientExecution` object.
– Run any custom logic your client needs to authenticate the user, such as making API calls or performing other operations.

4. Use the `getAttributes()` method to retrieve the attribute map for the authenticated user.

5. The `authenticate()` method should return a boolean indicating whether authentication succeeded.

6. In your Keycloak configuration file, specify the fully qualified name of your custom client class in the `client` section.

  1. Log in to the Keycloak administration console with your credentials.
  2. In the navigation pane, select
  3. Select
  4. For , select
  5. For , enter aws:opensearch:AWS_ACCOUNT_ID, where AWS_ACCOUNT_ID is your AWS account ID.
  6. Enter a name for your client.
  7. Select .
  8. Enter the Assertion Consumer Service (ACS) URL, where REGION is the AWS Region in which you created your OpenSearch Serverless collection.
  9. Complete the client creation.
  10. After the client is created, disable the setting, because OpenSearch Serverless does not support signed or encrypted requests.
  11. After you create the client and disable the client signature, export the SAML 2.0 Identity Provider (IdP) metadata by choosing the link on the page. You need this metadata to set up the SAML provider in OpenSearch Serverless.
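Before uploading the exported metadata, it is worth checking that it contains what OpenSearch Serverless needs and that the client-signature requirement from the previous step really is off. The following Python is an added example (not code from the original post or from Keycloak): it parses a constructed IdP metadata document shaped like a Keycloak realm descriptor, extracts the entity ID, HTTP-POST SSO URL and signing certificate, and flags `WantAuthnRequestsSigned="true"`, which Keycloak advertises when the client signature requirement is still enabled. The realm name, host and certificate are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like a Keycloak realm descriptor; the realm name,
# host and certificate are placeholders, not values from a real deployment.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://keycloak.example.com/realms/demo">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://keycloak.example.com/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Pull out what the SAML provider needs and list anything that would
    break the browser sign-in flow described in this post."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo"
                        "/ds:X509Data/ds:X509Certificate", NS)
    problems = []
    if sso is None:
        problems.append("no HTTP-POST SingleSignOnService binding")
    if not certs:
        problems.append("no signing certificate: assertions cannot be verified")
    # Keycloak advertises this when 'Client signature required' is enabled.
    # OpenSearch Serverless does not sign its AuthnRequests, so Keycloak would
    # then expect a signature that never arrives.
    if idp.get("WantAuthnRequestsSigned", "false").lower() == "true":
        problems.append("WantAuthnRequestsSigned=true: disable client signature")
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location") if sso is not None else None,
            "signing_certs": len(certs),
            "problems": problems}
```

Run `inspect_idp_metadata` over the real export; an empty `problems` list means the metadata is ready for the SAML provider step below.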

Create a SAML provider

After your OpenSearch Serverless collection is active, create a SAML provider. This SAML provider can be used with any collection in the same account. Complete the following steps:

  1. On the OpenSearch Service console, in the navigation pane, under , select .
  2. Select .
  3. Enter a name and description for your SAML provider.
  4. Enter the IdP metadata that you previously exported from your Keycloak instance.
  5. Optionally, under , add custom user ID and group attributes; for this post, we leave these empty.
  6. Select .

You have now configured a SAML provider for OpenSearch Serverless. Next, configure a data access policy to grant access to the collection.

Create a data access policy

After you configure your SAML provider, you must create a data access policy in OpenSearch Serverless to grant access to end users.

  1. On the OpenSearch Service console, in the navigation pane, under , select .
  2. Select
  3. Enter a name and optional description for your access policy.
  4. For , select .
  5. For , enter a name.
  6. Under , for , select
  7. For , select the provider that you created earlier.
  8. Select
  9. Enter the principal in the format user/USERNAME or group/GROUPNAME. The user name or group name must match the values configured in Keycloak.
  10. Select
  11. Select to grant permissions on resources.
  12. At the collection level, specify the collections to grant access to; at the index pattern level, specify the index patterns within those collections to refine the grant further.
    For more information about granting fine-grained access, see and .
  13. Select .
  14. You can add more rules as needed.

With this data access policy in place, users can access OpenSearch Dashboards and perform the actions the policy permits.
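As an added example (not from the original post), the following Python builds a least-privilege data access policy for SAML principals in the user/USERNAME or group/GROUPNAME form used in step 9, scoped to one named collection, and lints a policy for grants a dashboards-only audience does not need. The policy JSON layout, the saml/ACCOUNT/PROVIDER/... qualified principal form and the aoss: permission names are assumed from the OpenSearch Serverless API; the account ID, provider and collection names are constructed placeholders.

```python
import re

# aoss permissions that change data or indexes. A dashboards-only audience
# signed in through Keycloak should not receive any of them.
WRITE_PERMS = {"aoss:WriteDocument", "aoss:CreateIndex", "aoss:DeleteIndex",
               "aoss:UpdateIndex", "aoss:CreateCollectionItems",
               "aoss:DeleteCollectionItems", "aoss:UpdateCollectionItems"}
# Step 9 of the post: principals are written user/USERNAME or group/GROUPNAME
# and must match the values Keycloak sends in the assertion.
PRINCIPAL_RE = re.compile(r"^(user|group)/[A-Za-z0-9._@-]+$")


def saml_principal(account_id, provider, principal):
    """Qualify a user/... or group/... entry with the account and SAML
    provider name (assumed saml/ACCOUNT/PROVIDER/... form)."""
    if not PRINCIPAL_RE.match(principal):
        raise ValueError(f"{principal!r}: use user/NAME or group/NAME")
    return f"saml/{account_id}/{provider}/{principal}"


def read_only_policy(account_id, provider, collection, principals):
    """Grant read access to one collection and its indexes, nothing more."""
    rules = [
        {"ResourceType": "collection",
         "Resource": [f"collection/{collection}"],
         "Permission": ["aoss:DescribeCollectionItems"]},
        {"ResourceType": "index",
         "Resource": [f"index/{collection}/*"],
         "Permission": ["aoss:DescribeIndex", "aoss:ReadDocument"]},
    ]
    return [{"Rules": rules,
             "Principal": [saml_principal(account_id, provider, p)
                           for p in principals]}]


def lint_policy(policy):
    """Flag grants that exceed what viewing dashboards requires."""
    findings = []
    for statement in policy:
        for rule in statement["Rules"]:
            extra = WRITE_PERMS & set(rule["Permission"])
            if extra:
                findings.append(f"{rule['ResourceType']}: write permissions "
                                f"{sorted(extra)}")
            # 'collection/*' or 'index/*/...' spans every collection in the
            # account; the post scopes each rule to a named collection.
            if any(r.split("/")[1] == "*" for r in rule["Resource"]):
                findings.append(f"{rule['ResourceType']}: wildcard collection "
                                f"in {rule['Resource']}")
    return findings
```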

Access the OpenSearch Dashboards

To sign in to OpenSearch Dashboards, complete the following steps:

  1. On the OpenSearch Service console, in the navigation pane, select
  2. The OpenSearch login page opens in a new browser tab.
  3. Choose your Identity Provider (IdP) from the providers in the dropdown menu.

    If you are not already signed in, you are redirected to the Keycloak sign-in page.
  4. Sign in with your Single Sign-On (SSO) credentials.

After a successful login, you are redirected to OpenSearch Dashboards, where you can perform the actions permitted by your data access policy.

You have successfully federated OpenSearch Dashboards with Keycloak as the identity provider.

Cleaning up

When you are done with this solution, delete the resources you created:

  1. Delete your OpenSearch Serverless collection.
  2. Delete your data access policy.
  3. Delete the SAML provider.

Conclusion

In this post, we showed how to configure Keycloak as an identity provider (IdP) for access to an OpenSearch Serverless collection’s OpenSearch Dashboards through SAML authentication. For more details, refer to the documentation.


About the Author

is a Solutions Architect at Amazon Web Services. As a trusted advisor, he helps large enterprise customers make effective use of the AWS ecosystem by providing guidance and resolving complex issues.
