Saturday, July 11, 2026

How to setup SSO

 


Yes, absolutely. You can integrate your company’s existing identity provider (IdP) with OpenSearch Dashboards to enable **Single Sign-On (SSO)** using federated login.


This is a standard enterprise practice that allows you to manage user authentication via your corporate directory (like Azure AD/Entra ID, Okta, Keycloak, or Ping Identity) while maintaining granular access control within OpenSearch.


### How it Works: The Two-Layer Security Model


To achieve this, you essentially set up two layers: **Authentication** (who the user is) and **Authorization** (what the user can do).


#### 1. Authentication: Federated SSO


OpenSearch Dashboards supports **SAML 2.0** and **OpenID Connect (OIDC)**, which are the industry standards for federated logins.


* **The Workflow:** When a user visits your OpenSearch Dashboards URL, they are redirected to your company’s login page. Once authenticated, the IdP sends a "token" or "assertion" back to OpenSearch confirming the user's identity and their group memberships.

* **Configuration:** You configure the IdP metadata in the OpenSearch Security plugin settings. This tells OpenSearch how to "trust" your company’s identity provider.


#### 2. Authorization: Backend Role Mapping


Once the user is logged in, you need to tell OpenSearch what that user is allowed to see or do. You do this through **Role Mapping**:


* **Groups as Roles:** Most IdPs allow you to pass "group" information in the SAML/OIDC assertion. For example, if your company has a group called `data-analysts` in Azure AD, that group name is sent to OpenSearch upon login.

* **Mapping:** Inside OpenSearch, you create a "Role" (e.g., `read-only-analyst`) and map it to the external `data-analysts` group. Now, any user who is part of the `data-analysts` group in your company directory automatically inherits the permissions you defined in OpenSearch.


### Implementation Steps at a Glance


1. **Prepare your IdP:** Configure an application in your company's identity portal (e.g., Okta or Azure AD) to act as an "App" for OpenSearch. You will get an XML metadata file or a configuration URL.

2. **Enable Security Plugin:** Ensure **Fine-Grained Access Control (FGAC)** is enabled on your cluster.

3. **Configure Authentication:**

* If you are using **AWS Managed OpenSearch Service**, this is usually handled in the "Security Configuration" tab of your domain in the AWS console.

* If you are running **self-managed OpenSearch**, you edit the `config.yml` within the security plugin's internal settings to point to your SAML/OIDC provider.



4. **Map Roles:** Use the OpenSearch Dashboards "Security" menu to create roles and map the "Backend Roles" (the groups from your company) to those OpenSearch roles.


### Why this is better than individual users:


* **Scalability:** You don't have to manually create accounts for every employee.

* **Security:** When an employee leaves the company and is removed from the central directory, they immediately lose access to OpenSearch.

* **Ease of Use:** Your users don't have to remember another set of credentials.


**A quick tip:** If you are using AWS OpenSearch Service, using **IAM Identity Center (formerly SSO)** or **Amazon Cognito** as an intermediary is often the path of least resistance, as it handles the "federated" part very gracefully.


Are you using a managed service (like AWS OpenSearch) or a self-hosted cluster? I can provide more specific configuration steps if you have one of those in mind!

No comments:

Post a Comment