Use SAML identities for programmatic access to Amazon OpenSearch Service

Customers of Amazon OpenSearch Service can currently use Security Assertion Markup Language (SAML) to access OpenSearch Dashboards.

This post describes two methods by which programmatic users can now access OpenSearch using SAML identities. This applies to all identity providers (IdPs) that support SAML 2.0, including common ones like Active Directory Federation Services (ADFS), Okta, AWS IAM Identity Center (successor to AWS Single Sign-On), Keycloak, and others. Although we describe the methods as they pertain to OpenSearch Service and AWS Identity and Access Management (IAM), programmatic access to each of these individual providers is outside the scope of this post. Most of these providers do offer such a facility.

Single sign-on methods

When you use single sign-on (SSO), there are two different authentication methods:

  • Identity provider initiated— This is when a user or a user agent first authenticates with an IdP and obtains a SAML assertion that establishes the identity of the user. This assertion is then passed to a service provider (SP) that grants access to a protected resource.
  • Service provider initiated— Although the IdP-initiated exchange is straightforward, a more typical sign-on experience is when the protected resource is accessed directly. The SP then redirects the user to the IdP for authentication along with a SAML authentication request. The IdP responds with an authentication assertion inside a SAML response. After that, the SSO experience is the same as that of an IdP-initiated flow.

For programmatic access to OpenSearch Service, an external IdP is the IdP, and OpenSearch Service and IAM both act as SPs. To configure your IdP of choice as the SAML IdP for IAM, refer to Creating IAM SAML identity providers. To configure OpenSearch Service, refer to SAML authentication for OpenSearch Dashboards.

In the following sections, we describe two methods to access the OpenSearch Service API:

Method 1: Use AWS STS

The following figure shows the sequence of calls to access the OpenSearch Service API using AWS STS.

Let's look at each step in more detail.

Steps 1 and 2

Steps 1 and 2 vary depending on your chosen IdP. In general, IdPs provide an authentication API, a session API, or another similar API to authenticate and retrieve the SAML authentication assertion response. We use this SAML assertion in the next step.

Steps 3 and 4

Call the AssumeRoleWithSAML AWS STS API to exchange the SAML assertion for temporary credentials associated with your SAML identity. See the following code:

 # --get sends the parameters as a URL query string; --data-urlencode
 # URL-encodes the base64 assertion (it contains +, / and = characters)
 curl --location --get 'https://sts.amazonaws.com/' \
   --data-urlencode 'Version=2011-06-15' \
   --data-urlencode 'Action=AssumeRoleWithSAML' \
   --data-urlencode 'RoleArn=<ARN of the role being assumed>' \
   --data-urlencode 'PrincipalArn=<ARN of the IdP integrated with IAM>' \
   --data-urlencode 'SAMLAssertion=<Base-64 encoded SAML assertion>'

The response contains the temporary AWS STS credentials: an AccessKeyId, a SecretAccessKey, and a SessionToken.

Step 5

Use the temporary credentials from the previous step to sign all API requests to OpenSearch Service. Also ensure that the role you assumed with the AssumeRoleWithSAML call has sufficient permission to access the requisite data in OpenSearch Service. Refer to Mapping roles to users for more information about mapping this role as a backend role. As an additional step to ensure consistency, this AWS STS role and any SAML group the user belongs to can be mapped to the same role in OpenSearch Service. The following code shows a pattern for making this call:

 curl --location '<OpenSearch Service domain URL>/_search' \
   --header 'X-Amz-Security-Token: Fwo...==(truncated)' \
   --header 'X-Amz-Date: 20230327T134710Z' \
   --header 'Authorization: AWS4-HMAC-SHA256 Credential=ASI...(truncated)/20230327/us-east-1/es/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=95eb...(truncated)'
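Method 1 as a worked example in Python, added here and not part of the original post or of any AWS SDK: it builds the AssumeRoleWithSAML query string for steps 3 and 4, parses the STS XML response into the three credential fields, and produces the Signature Version 4 headers of step 5 for a GET on _search, signing the session token header so the temporary credentials are bound to the request. The STS response, the domain host name, the ARNs and the credential values are constructed placeholders; the function names are my own, and the signing steps follow the published SigV4 algorithm with service name es.

```python
"""Method 1, offline: build the STS call, parse its response, SigV4-sign a request."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"


def build_assume_role_with_saml_url(role_arn, principal_arn, saml_assertion_b64):
    """Steps 3 and 4: the STS query string, with the base64 assertion URL-encoded."""
    params = {
        "Version": "2011-06-15",
        "Action": "AssumeRoleWithSAML",
        "RoleArn": role_arn,
        "PrincipalArn": principal_arn,
        "SAMLAssertion": saml_assertion_b64,
    }
    return "https://sts.amazonaws.com/?" + urlencode(params)


def parse_sts_credentials(xml_text):
    """Pull AccessKeyId, SecretAccessKey and SessionToken out of the STS XML response."""
    root = ET.fromstring(xml_text)
    creds = root.find(f"./{STS_NS}AssumeRoleWithSAMLResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("no Credentials element in STS response")
    return {tag: creds.findtext(f"{STS_NS}{tag}")
            for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken")}


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_opensearch_request(creds, host, path, amz_date, region="us-east-1",
                            method="GET", body=""):
    """Step 5: SigV4 headers. x-amz-security-token is part of SignedHeaders, so
    the signature only verifies together with the session token it was made for."""
    service = "es"
    date_stamp = amz_date[:8]
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["SessionToken"],
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # canonical request: method, URI, (empty) query string, headers, signed header list, payload hash
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # derive the signing key from the temporary secret key
    k_date = _hmac(("AWS4" + creds["SecretAccessKey"]).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": creds["SessionToken"],
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }


# Constructed sample STS response; the values are placeholders, not real credentials.
SAMPLE_STS_RESPONSE = """<AssumeRoleWithSAMLResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithSAMLResult>
    <Credentials>
      <AccessKeyId>ASIAEXAMPLEKEYID</AccessKeyId>
      <SecretAccessKey>EXAMPLESECRETKEY</SecretAccessKey>
      <SessionToken>EXAMPLESESSIONTOKEN</SessionToken>
      <Expiration>2023-03-27T14:47:10Z</Expiration>
    </Credentials>
  </AssumeRoleWithSAMLResult>
</AssumeRoleWithSAMLResponse>"""


def example():
    """Parse the constructed STS response and sign a GET /_search (host is a placeholder)."""
    creds = parse_sts_credentials(SAMPLE_STS_RESPONSE)
    return sign_opensearch_request(creds, "search-example.us-east-1.es.amazonaws.com",
                                   "/_search", "20230327T134710Z")


if __name__ == "__main__":
    for name, value in example().items():
        print(f"{name}: {value}")
```

The returned dictionary maps one-to-one onto the three headers in the curl command above; in production the date comes from the clock at signing time, and the credentials expire at the Expiration value, so the STS exchange has to be repeated before then.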

Method 2: Use OpenSearch Dashboards' console proxy

OpenSearch Dashboards has a component called a console proxy that can proxy requests to OpenSearch. This allows OpenSearch clients to make the same API calls with the query Domain Specific Language (DSL) to this console proxy instead of calling OpenSearch directly. The console proxy forwards these calls to OpenSearch and responds back to the clients in the same format as OpenSearch.

The following figure shows the sequence of calls you can make to the console proxy to obtain programmatic access to OpenSearch Service.

Steps 1 and 2

The first two steps are similar to method 1, and they will vary depending on which IdP is chosen. Essentially, you need to get a SAML authentication assertion response from the IdP.

Steps 3 and 4

Use the SAML assertion from the previous steps and POST it to the Assertion Consumer Service (ACS) URL, _opendistro/_security/saml/acs/idpinitiated, to exchange the assertion for the security_authentication token. The following code shows the command line for these steps:

 # --include prints the response headers, so the Set-Cookie line is visible
 curl --include '<dashboards URL>/_opendistro/_security/saml/acs/idpinitiated' \
   --header 'content-type: application/x-www-form-urlencoded' \
   --data-urlencode 'SAMLResponse=<Base-64 encoded SAML assertion>' \
   --data-urlencode 'RelayState='

If you're using the OpenSearch engine, the dashboards URL is <domain URL>/_dashboards. If you're using the Elasticsearch engine, the dashboards URL is <domain URL>/_plugin/kibana. OpenSearch Dashboards processes this and responds with a redirect response with code 302 and an empty body. The response headers now also include a cookie called security_authentication, which is the token you must use in all subsequent calls.

Steps 5–8

Use the security_authentication cookie in the API calls to the console proxy to perform programmatic API calls. The following code shows a command line for these steps:

 # path and method describe the proxied OpenSearch call; the query DSL goes in the body
 curl --location '<dashboards URL>/api/console/proxy?path=_search&method=GET' \
   --header 'content-type: application/json' \
   --header 'cookie: security_authentication=Fe26.2**1...(truncated)' \
   --header 'osd-xsrf: true' \
   --data '{
     "query": {
       "match_all": {}
     }
   }'

Make sure to include a header called osd-xsrf: true for programmatic access to dashboards. The console proxy path is /api/console/proxy for Elasticsearch engine versions 6.x and 7.x and OpenSearch engine versions 1.x and 2.x.
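Method 2 as an added Python example (not from the original post and not the Dashboards code): it picks the dashboards URL for the engine, builds the form-encoded ACS POST of steps 3 and 4, extracts the security_authentication cookie from the 302 redirect and refuses any other response, and assembles the console proxy request of steps 5 to 8 with the osd-xsrf header. The 302 response, the domain URL and the cookie value are constructed placeholders; the function names are my own.

```python
"""Method 2, offline: ACS exchange, cookie extraction, console proxy request."""
from http.cookies import SimpleCookie
from urllib.parse import urlencode


def dashboards_url(domain_url, engine):
    """Base URL of OpenSearch Dashboards (OpenSearch engine) or Kibana (Elasticsearch engine)."""
    suffix = {"opensearch": "/_dashboards", "elasticsearch": "/_plugin/kibana"}[engine]
    return domain_url.rstrip("/") + suffix


def acs_post(dashboards, saml_response_b64, relay_state=""):
    """Steps 3 and 4: form-encoded POST to the IdP-initiated ACS endpoint."""
    return {
        "method": "POST",
        "url": dashboards + "/_opendistro/_security/saml/acs/idpinitiated",
        "headers": {"content-type": "application/x-www-form-urlencoded"},
        "body": urlencode({"SAMLResponse": saml_response_b64, "RelayState": relay_state}),
    }


def extract_security_token(status, headers):
    """Read the security_authentication cookie from the ACS response.
    Anything other than a 302 carrying that cookie means the assertion was
    not accepted, so fail loudly instead of sending an empty cookie onward."""
    if status != 302:
        raise RuntimeError(f"expected 302 from ACS, got {status}")
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    if "security_authentication" not in jar:
        raise RuntimeError("ACS response carried no security_authentication cookie")
    return jar["security_authentication"].value


def console_proxy_request(dashboards, token, path, method, body):
    """Steps 5 to 8: path and method of the proxied OpenSearch call go in the
    query string, the DSL goes in the body, and osd-xsrf is mandatory."""
    return {
        "method": "POST",
        "url": dashboards + "/api/console/proxy?" + urlencode({"path": path, "method": method}),
        "headers": {
            "content-type": "application/json",
            "cookie": f"security_authentication={token}",
            "osd-xsrf": "true",
        },
        "body": body,
    }


# Constructed 302 response from the ACS endpoint; the cookie value is a placeholder.
SAMPLE_ACS_STATUS = 302
SAMPLE_ACS_HEADERS = [
    ("location", "/_dashboards/app/home"),
    ("set-cookie", "security_authentication=Fe26.2**1placeholder; Secure; HttpOnly; Path=/"),
    ("content-length", "0"),
]


def example():
    """Run the flow against the constructed response (domain URL is a placeholder)."""
    dash = dashboards_url("https://search-example.us-east-1.es.amazonaws.com", "opensearch")
    token = extract_security_token(SAMPLE_ACS_STATUS, SAMPLE_ACS_HEADERS)
    return console_proxy_request(dash, token, "_search", "GET", '{"query": {"match_all": {}}}')


if __name__ == "__main__":
    req = example()
    print(req["method"], req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print(req["body"])
```

The request dictionaries are deliberately transport-neutral so the same values can be handed to any HTTP client; the status check in extract_security_token is the part most worth keeping, because a 200 from the ACS endpoint (for example an error page) would otherwise be mistaken for success.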

Similar to method 1, make sure to map the roles and groups associated with a particular SAML identity to the appropriate backend role with the requisite permissions.

Comparing these methods

You can use method 1 in any domain regardless of the engine, as long as fine-grained access control is enabled. Method 2 only works for domains with Elasticsearch engine versions greater than 6.7 and all OpenSearch engine versions.

The OpenSearch Dashboards process is generally meant for human interactions, which have a lower API call rate and volume than programmatic calls. OpenSearch can handle significantly higher API call rates and volume, so make sure not to send high-volume API calls using method 2. As a best practice for programmatic access with SAML identities, we recommend method 1 wherever possible to avoid performance bottlenecks.

Conclusion

Both of the methods outlined in this post provide a similar flow to access OpenSearch Service programmatically using SAML identities (exchanging a SAML assertion for an authentication token). AssumeRoleWithSAML is a key and relatively straightforward-to-use API that enables this access and is our recommended method. Try one of the OpenSearch Service labs and launch an OpenSearch Service domain to explore these methods. Good luck!


About the author

Muthu Pitchaimani is a Search Specialist with Amazon OpenSearch Service. He builds large-scale search applications and solutions. Muthu has an interest in the topics of networking and security, and is based out of Austin, Texas.
