Building SAML federation for Amazon OpenSearch Service with Okta

{"value":"[Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service/) is a fully managed open search and analytics service powered by the Apache Lucene search library. Security Assertion Markup Language (SAML)-based federation for OpenSearch Dashboards lets you use your existing identity provider (IdP) like Okta to provide single sign-on (SSO) for OpenSearch Dashboards on OpenSearch Service domains.\n\nThis post shows step-by-step guidance to enable SP-initiated single sign-on (SSO) into OpenSearch Dashboards using Okta.\n\nTo use this feature, you must enable fine-grained access control. Rather than authenticating through [Amazon Cognito](https://aws.amazon.com/cognito/) or the internal user database, SAML authentication for OpenSearch Dashboards lets you use third-party identity providers to log in to OpenSearch Dashboards. SAML authentication for OpenSearch Dashboards is only for accessing OpenSearch Dashboards through a web browser.\n\n### **Overview of Okta SAML authenticated solution**\nFigure 1 depicts a sample architecture of a generic, integrated solution between Okta and OpenSearch Dashboards over SAML authentication.\n\n\n\nFigure 1. SAML transactions between Amazon OpenSearch Service and Okta\n\nThe initial sign-in flow is as follows:\n1. User opens browser window and navigates to OpenSearch Dashboards\n2. OpenSearch Service generates SAML authentication request\n3. OpenSearch Service redirects request back to browser\n4. Browser redirects to Okta URL\n5. Okta parses SAML request, authenticates user, and generates SAML response\n6. Okta returns encoded SAML response to browser\n7. Browser sends SAML response back to OpenSearch Service Assertion Consumer Services (ACS) URL\n8. ACS verifies SAML response\n9. User logs into OpenSearch Service domain\n### **Prerequisites**\nFor this walkthrough, you should have the following prerequisites:\n\n1. An [AWS account](https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fportal.aws.amazon.com%2Fbilling%2Fsignup%2Fresume&client_id=signup)\n2. A [virtual private cloud (VPC)](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html)-based OpenSearch Service domain with fine-grained access control enabled\n3. Okta account with user and a group\n4. A browser with network connectivity to Okta, OpenSearch Service domain, and OpenSearch Dashboards.\n\nThe steps in this post are structured into the following sections:\n\n1. Identity provider (Okta) setup\n2. Prepare OpenSearch Service for SAML configuration\n3. Identity provider (Okta) SAML configuration\n4. Finish OpenSearch Service for SAML configuration\n5. Validation\n6. Cleanup\n \n### **Identity provider (Okta) setup**\n##### ***Step 1: Sign up for an Okta account***\n- Sign up for an [Okta account](https://developer.okta.com/signup/), then click on the **Sign up** button to complete your account setup.\n- If you already have an account with Okta, [login](https://developer.okta.com/login/) to your Okta account.\n##### ***Step 2: Create Groups in Okta***\n- Choose **Directory** in the left menu and click **Groups** to proceed.\n- Click on **Add Group** and enter name as opensearch. Then click on the **Save** button, see Figure 2.\n\n\n\nFigure 2. Creating a group in Okta\n\n##### ***Step 3: Create users in Okta***\n- Choose **People** in left menu under Directory section and click the **+Add** Person button.\n- Provide **First name, Last name, username** (email ID), and primary email. Then select set by admin from the **Password** dropdown, and choose first time password. Click on the **Save** button to create your user.\n- Add more users as needed.\n##### ***Step 4: Assign Groups to users*** \n- Choose **Groups** from the left menu, then click on the opensearch group created in Step 2. Click on the **Assign People** button to add **users** to the opensearch group. Next, either click on individual user under **Person & Username**, or use the **Add All** button to add all existing users to the opensearch group. Click on the **Save** button to complete adding users to your group.\n### **Prepare OpenSearch Service for SAML configuration**\nOnce OpenSearch Service domain is up and running, we can proceed with configuration.\n\n- Navigate to the [OpenSearch Service](https://console.aws.amazon.com/esv3/) console\n- Under Actions, choose** Edit security configuration **as shown in Figure 3\n\n\n\nFigure 3. Enabling Amazon OpenSearch Service security configuration for SAML\n\n- Under SAML authentication for OpenSearch Dashboards/Kibana, select the **Enable SAML authentication** check box, see Figure 4. When we enable SAML, it will create different URLs required for configuring SAML with your identity provider.\n\n\n\nFigure 4. Amazon OpenSearch Service URLs for SAML configuration\n\nWe will be using the **Service Provider entity ID** and **SP-initiated SSO URL** (highlighted in Figure 4) for Okta SAML configuration. The OpenSearch Dashboards login flow can take one of two forms:\n\n- Service provider (SP) initiated: You navigate to your OpenSearch Dashboard (for example, https://my-domain.us-east-1.es.amazonaws.com/_dashboards), which redirects you to the login screen. After you log in, the identity provider redirects you to OpenSearch Dashboards.\n- Identity provider (IdP) initiated: You navigate to your identity provider, log in, and choose OpenSearch Dashboards from an application directory.\nWe will complete the rest of the OpenSearch Service SAML configuration after the Okta SAML configuration.\n\n### **Okta SAML configuration**\n- Go back to Okta.com, and choose **Applications** from the left menu. Click on **Applications**, then click on **Create App Integration** and choose **SAML 2.0**. Click on the **Next** button to proceed, as shown in Figure 5.\n- For this example, we are creating an application called “*OpenSearch Dashboard*”.\n- Select Platform as **Web**, and select Sign on method as **SAML 2.0.** Click on the **Create** button to proceed.\n\n\n\nFigure 5. Creating a SAML app integration in Okta\n\n- Enter the **App name** as **OpenSearch**, use default options, and click on the **Next** button to proceed.\n- Enter the following under the **SAML Settings** section, as shown in Figure 6. Click on the **Next** button to proceed.\n\t **Single Sign on URL** = https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs **(SP-initiated SSO URL)**\n\t **Audience URI(SP Entity ID)** = https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com **(Service Provider entity ID)**\n\t **Default RelayState** = leave it blank\n\t **Name ID format** = Select EmailAddress from drop down\n\t **Application username** = Select **Okta username** from dropdown\n\t **Update application username on** = leave it set to default\n- Enter the following under **Attribute Statements (optional)** section.\n\t **Name** = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\n\t **Name format** = Select URI Reference from dropdown\n\t **Value = user.email**\n- Enter the following under the **Group Attribute Statements** **(optional) **section.\n\t **Name** = http://schemas.xmlsoap.org/claims/Group\n\t **Name format** = Select URI Reference from dropdown\n\t **Filter** = Select **Matches regex** from dropdown and enter value as .***open.*** to match the group created in previous steps for OpenSearch Dashboards access.\n\n\n\nFigure 6. SAML configuration in Okta\n\n- Select **I’m a software vendor. I’d like to integrate my app with Okta** under the **Help Okta Support understand how you configured this application** section.\n- Click on the **Finish** button to complete the Okta SAML application configuration.\n- Choose **Sign on** menu. Right click on the Identity Provider metadata hyperlink to download the Okta identity provider metadata as okta.xml. You will use this for the SAML configuration in OpenSearch Service, see Figure 7.\n\n\n\nFigure 7. Downloading Okta identity provider metadata for SAML configuration\n\n- Choose the **Assignments** menu and click on Assign-> Assign to Groups\n- Select the **opensearch** group, click on **Assign**, and click on the **Done** button to complete the Group assignment, as shown in Figure 8.\n\n\n\nFigure 8. Assigning groups to the app in Okta\n\n- Switch back to the OpenSearch Service domain\n- Under the **Import IdP metadata** section:\n\t **Metadata from IdP:** Import the Okta identity provider metadata from the downloaded XML file\n\t **SAML master backend** role: opensearch (Okta group). Provide the SAML backend role/group SAML assertion key for group SSO into OpenSearch Dashboard.\n- Under **Optional SAML settings:**\n\t Leave **Subject Key** blank\n\t **Role key** should be ***http://schemas.xmlsoap.org/claims/Group.*** You can view a sample assertion during the configuration process with tools like [SAML-tracer](https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/). This can help you examine and troubleshoot the contents of real assertions.\n\t **Session time to live (mins):** 60\n- Click on the **Save changes** button (Figure 9) to complete OpenSearch Service SAML configuration for OpenSearch Dashboards. We have successfully completed SAML configuration, and now we are ready for testing.\n\n\n\nFigure 9. Configuring Amazon OpenSearch Service SAML parameters\n\n### **Validating access with Okta users**\n- Access the OpenSearch Dashboards endpoint from the previously created OpenSearch Service cluster. The OpenSearch Dashboards URL can be found in General information within “My Domains” of the OpenSearch Service console, as shown in Figure 10. The first access to OpenSearch Dashboards URL redirects you to the Okta login screen.\n\n \n\nFigure 10. Validating Okta user access with Amazon OpenSearch Service\n\n- Now copy and paste the OpenSearch Dashboards URL in your browser, and enter the user credentials.\n- If your OpenSearch Service domain is hosted within a private VPC, you will not be able to access your OpenSearch Dashboard over public internet. But you can still use SAML as long as your browser can communicate with both your OpenSearch Service cluster and your identity provider.\n- You can create a Mac or Windows EC2 instance within the same VPC so that you can access Amazon OpenSearch Dashboard from EC2 instance’s web browser to validate your SAML configuration. Or you can access your OpenSearch Dashboard through Site-to-Site VPN from your on-premises environment.\n- After successful login, you will be redirected into the OpenSearch Dashboards home page. Here, you can explore our sample data and visualizations in OpenSearch Dashboards (Figure 11).\n\n- \n\nFigure 11. SAML authenticated OpenSearch Dashboards\n\n- Now, you have successfully federated OpenSearch Dashboards with Okta as an identity provider. You can connect OpenSearch Dashboards by using your Okta credentials.\n#### **Cleaning up**\nAfter you test out this solution, remember to delete all the resources you created, to avoid incurring future charges. Refer to these links:\n\n- [Deleting your OpenSearch Service domain](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgdeleting.html)\n- [Deleting your Okta account](https://support.okta.com/help/s/question/0D50Z00008G7UohSAF/how-to-delete-my-okta-account?language=en_US) (if needed)\n#### **Conclusion**\nIn this blog post, we have demonstrated how to set up Okta as an identity provider over SAML authentication for OpenSearch Dashboards access. Get started by checking the [Amazon OpenSearch Service Developer Guide](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html), which provides guidance on how to build applications using OpenSearch Service.\n##### **Raghavarao Sodabathina**\n\n\nRaghavarao Sodabathina is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML, and Serverless Platform. He engages with customers to create innovative solutions that address customer business problems and to accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.\n##### **Jana Gnanachandran**\n\n\nJana Gnanachandran is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML, and Serverless platforms. He helps AWS customers across numerous industries to design and build highly scalable, data-driven, analytical solutions to accelerate their cloud adoption. In his spare time, he enjoys playing tennis, 3D printing, and photography.\n##### **Rudy Collado**\n\n\nRudy is a Solutions Architect with Amazon Web Services based in the New York City area. He has more than 20 years of experience in the IT industry, specializing in network architecture for financial services. He enjoys using his experience to help customers build innovative, resilient, and secure AWS Cloud solutions. Outside of work, he enjoys spending time with his family and flying different types of airplanes as a private pilot.","render":"<p><a href=\"https://aws.amazon.com/opensearch-service/\" target=\"_blank\">Amazon OpenSearch Service</a> is a fully managed open search and analytics service powered by the Apache Lucene search library. Security Assertion Markup Language (SAML)-based federation for OpenSearch Dashboards lets you use your existing identity provider (IdP) like Okta to provide single sign-on (SSO) for OpenSearch Dashboards on OpenSearch Service domains.</p>\n<p>This post shows step-by-step guidance to enable SP-initiated single sign-on (SSO) into OpenSearch Dashboards using Okta.</p>\n<p>To use this feature, you must enable fine-grained access control. Rather than authenticating through <a href=\"https://aws.amazon.com/cognito/\" target=\"_blank\">Amazon Cognito</a> or the internal user database, SAML authentication for OpenSearch Dashboards lets you use third-party identity providers to log in to OpenSearch Dashboards. SAML authentication for OpenSearch Dashboards is only for accessing OpenSearch Dashboards through a web browser.</p>\n<h3><a id=\"Overview_of_Okta_SAML_authenticated_solution_6\"></a><strong>Overview of Okta SAML authenticated solution</strong></h3>\n<p>Figure 1 depicts a sample architecture of a generic, integrated solution between Okta and OpenSearch Dashboards over SAML authentication.</p>\n<p><img src=\"https://dev-media.amazoncloud.cn/80b818a74027457c82bc5de78f8941ff_image.png\" alt=\"image.png\" /></p>\n<p>Figure 1. SAML transactions between Amazon OpenSearch Service and Okta</p>\n<p>The initial sign-in flow is as follows:</p>\n<ol>\n<li>User opens browser window and navigates to OpenSearch Dashboards</li>\n<li>OpenSearch Service generates SAML authentication request</li>\n<li>OpenSearch Service redirects request back to browser</li>\n<li>Browser redirects to Okta URL</li>\n<li>Okta parses SAML request, authenticates user, and generates SAML response</li>\n<li>Okta returns encoded SAML response to browser</li>\n<li>Browser sends SAML response back to OpenSearch Service Assertion Consumer Services (ACS) URL</li>\n<li>ACS verifies SAML response</li>\n<li>User logs into OpenSearch Service domain</li>\n</ol>\n<h3><a id=\"Prerequisites_23\"></a><strong>Prerequisites</strong></h3>\n<p>For this walkthrough, you should have the following prerequisites:</p>\n<ol>\n<li>An <a href=\"https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fportal.aws.amazon.com%2Fbilling%2Fsignup%2Fresume&amp;client_id=signup\" target=\"_blank\">AWS account</a></li>\n<li>A <a href=\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html\" target=\"_blank\">virtual private cloud (VPC)</a>-based OpenSearch Service domain with fine-grained access control enabled</li>\n<li>Okta account with user and a group</li>\n<li>A browser with network connectivity to Okta, OpenSearch Service domain, and OpenSearch Dashboards.</li>\n</ol>\n<p>The steps in this post are structured into the following sections:</p>\n<ol>\n<li>Identity provider (Okta) setup</li>\n<li>Prepare OpenSearch Service for SAML configuration</li>\n<li>Identity provider (Okta) SAML configuration</li>\n<li>Finish OpenSearch Service for SAML configuration</li>\n<li>Validation</li>\n<li>Cleanup</li>\n</ol>\n<h3><a id=\"Identity_provider_Okta_setup_40\"></a><strong>Identity provider (Okta) setup</strong></h3>\n<h5><a id=\"Step_1_Sign_up_for_an_Okta_account_41\"></a><em><strong>Step 1: Sign up for an Okta account</strong></em></h5>\n<ul>\n<li>Sign up for an <a href=\"https://developer.okta.com/signup/\" target=\"_blank\">Okta account</a>, then click on the <strong>Sign up</strong> button to complete your account setup.</li>\n<li>If you already have an account with Okta, <a href=\"https://developer.okta.com/login/\" target=\"_blank\">login</a> to your Okta account.</li>\n</ul>\n<h5><a id=\"Step_2_Create_Groups_in_Okta_44\"></a><em><strong>Step 2: Create Groups in Okta</strong></em></h5>\n<ul>\n<li>Choose <strong>Directory</strong> in the left menu and click <strong>Groups</strong> to proceed.</li>\n<li>Click on <strong>Add Group</strong> and enter name as opensearch. Then click on the <strong>Save</strong> button, see Figure 2.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/203c4d6da47446239d2544603644ef6b_image.png\" alt=\"image.png\" /></p>\n<p>Figure 2. Creating a group in Okta</p>\n<h5><a id=\"Step_3_Create_users_in_Okta_52\"></a><em><strong>Step 3: Create users in Okta</strong></em></h5>\n<ul>\n<li>Choose <strong>People</strong> in left menu under Directory section and click the <strong>+Add</strong> Person button.</li>\n<li>Provide <strong>First name, Last name, username</strong> (email ID), and primary email. Then select set by admin from the <strong>Password</strong> dropdown, and choose first time password. Click on the <strong>Save</strong> button to create your user.</li>\n<li>Add more users as needed.</li>\n</ul>\n<h5><a id=\"Step_4_Assign_Groups_to_users_56\"></a><em><strong>Step 4: Assign Groups to users</strong></em></h5>\n<ul>\n<li>Choose <strong>Groups</strong> from the left menu, then click on the opensearch group created in Step 2. Click on the <strong>Assign People</strong> button to add <strong>users</strong> to the opensearch group. Next, either click on individual user under <strong>Person &amp; Username</strong>, or use the <strong>Add All</strong> button to add all existing users to the opensearch group. Click on the <strong>Save</strong> button to complete adding users to your group.</li>\n</ul>\n<h3><a id=\"Prepare_OpenSearch_Service_for_SAML_configuration_58\"></a><strong>Prepare OpenSearch Service for SAML configuration</strong></h3>\n<p>Once OpenSearch Service domain is up and running, we can proceed with configuration.</p>\n<ul>\n<li>Navigate to the <a href=\"https://console.aws.amazon.com/esv3/\" target=\"_blank\">OpenSearch Service</a> console</li>\n<li>Under Actions, choose** Edit security configuration **as shown in Figure 3</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/9e8a5110cbdd48cea39c6e57c25dc9d1_image.png\" alt=\"image.png\" /></p>\n<p>Figure 3. Enabling Amazon OpenSearch Service security configuration for SAML</p>\n<ul>\n<li>Under SAML authentication for OpenSearch Dashboards/Kibana, select the <strong>Enable SAML authentication</strong> check box, see Figure 4. When we enable SAML, it will create different URLs required for configuring SAML with your identity provider.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/e9b98b544ff541e993128173af2bf3d4_image.png\" alt=\"image.png\" /></p>\n<p>Figure 4. Amazon OpenSearch Service URLs for SAML configuration</p>\n<p>We will be using the <strong>Service Provider entity ID</strong> and <strong>SP-initiated SSO URL</strong> (highlighted in Figure 4) for Okta SAML configuration. The OpenSearch Dashboards login flow can take one of two forms:</p>\n<ul>\n<li>Service provider (SP) initiated: You navigate to your OpenSearch Dashboard (for example, https://my-domain.us-east-1.es.amazonaws.com/_dashboards), which redirects you to the login screen. After you log in, the identity provider redirects you to OpenSearch Dashboards.</li>\n<li>Identity provider (IdP) initiated: You navigate to your identity provider, log in, and choose OpenSearch Dashboards from an application directory.<br />\nWe will complete the rest of the OpenSearch Service SAML configuration after the Okta SAML configuration.</li>\n</ul>\n<h3><a id=\"Okta_SAML_configuration_80\"></a><strong>Okta SAML configuration</strong></h3>\n<ul>\n<li>Go back to Okta.com, and choose <strong>Applications</strong> from the left menu. Click on <strong>Applications</strong>, then click on <strong>Create App Integration</strong> and choose <strong>SAML 2.0</strong>. Click on the <strong>Next</strong> button to proceed, as shown in Figure 5.</li>\n<li>For this example, we are creating an application called “<em>OpenSearch Dashboard</em>”.</li>\n<li>Select Platform as <strong>Web</strong>, and select Sign on method as <strong>SAML 2.0.</strong> Click on the <strong>Create</strong> button to proceed.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/50fd74d3858e45ee9e2b0625a92c0ca4_image.png\" alt=\"image.png\" /></p>\n<p>Figure 5. Creating a SAML app integration in Okta</p>\n<ul>\n<li>Enter the <strong>App name</strong> as <strong>OpenSearch</strong>, use default options, and click on the <strong>Next</strong> button to proceed.</li>\n<li>Enter the following under the <strong>SAML Settings</strong> section, as shown in Figure 6. Click on the <strong>Next</strong> button to proceed.<br />\n<strong>Single Sign on URL</strong> = https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs <strong>(SP-initiated SSO URL)</strong><br />\n<strong>Audience URI(SP Entity ID)</strong> = https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com <strong>(Service Provider entity ID)</strong><br />\n<strong>Default RelayState</strong> = leave it blank<br />\n<strong>Name ID format</strong> = Select EmailAddress from drop down<br />\n<strong>Application username</strong> = Select <strong>Okta username</strong> from dropdown<br />\n<strong>Update application username on</strong> = leave it set to default</li>\n<li>Enter the following under <strong>Attribute Statements (optional)</strong> section.<br />\n<strong>Name</strong> = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress<br />\n<strong>Name format</strong> = Select URI Reference from dropdown<br />\n<strong>Value = user.email</strong></li>\n<li>Enter the following under the <strong>Group Attribute Statements</strong> **(optional) **section.<br />\n<strong>Name</strong> = http://schemas.xmlsoap.org/claims/Group<br />\n<strong>Name format</strong> = Select URI Reference from dropdown<br />\n<strong>Filter</strong> = Select <strong>Matches regex</strong> from dropdown and enter value as .<em><strong>open.</strong></em> to match the group created in previous steps for OpenSearch Dashboards access.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/634f7785697b4f2b9c370acfadc41b72_image.png\" alt=\"image.png\" /></p>\n<p>Figure 6. SAML configuration in Okta</p>\n<ul>\n<li>Select <strong>I’m a software vendor. I’d like to integrate my app with Okta</strong> under the <strong>Help Okta Support understand how you configured this application</strong> section.</li>\n<li>Click on the <strong>Finish</strong> button to complete the Okta SAML application configuration.</li>\n<li>Choose <strong>Sign on</strong> menu. Right click on the Identity Provider metadata hyperlink to download the Okta identity provider metadata as okta.xml. You will use this for the SAML configuration in OpenSearch Service, see Figure 7.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/90180254b3c643c3af06ca4a47e9513f_image.png\" alt=\"image.png\" /></p>\n<p>Figure 7. Downloading Okta identity provider metadata for SAML configuration</p>\n<ul>\n<li>Choose the <strong>Assignments</strong> menu and click on Assign-&gt; Assign to Groups</li>\n<li>Select the <strong>opensearch</strong> group, click on <strong>Assign</strong>, and click on the <strong>Done</strong> button to complete the Group assignment, as shown in Figure 8.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/d36dd22bbcbf4dceb17819345fa764f9_image.png\" alt=\"image.png\" /></p>\n<p>Figure 8. Assigning groups to the app in Okta</p>\n<ul>\n<li>Switch back to the OpenSearch Service domain</li>\n<li>Under the <strong>Import IdP metadata</strong> section:<br />\n<strong>Metadata from IdP:</strong> Import the Okta identity provider metadata from the downloaded XML file<br />\n<strong>SAML master backend</strong> role: opensearch (Okta group). Provide the SAML backend role/group SAML assertion key for group SSO into OpenSearch Dashboard.</li>\n<li>Under <strong>Optional SAML settings:</strong><br />\nLeave <strong>Subject Key</strong> blank<br />\n<strong>Role key</strong> should be <em><strong>http://schemas.xmlsoap.org/claims/Group.</strong></em> You can view a sample assertion during the configuration process with tools like <a href=\"https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/\" target=\"_blank\">SAML-tracer</a>. This can help you examine and troubleshoot the contents of real assertions.<br />\n<strong>Session time to live (mins):</strong> 60</li>\n<li>Click on the <strong>Save changes</strong> button (Figure 9) to complete OpenSearch Service SAML configuration for OpenSearch Dashboards. We have successfully completed SAML configuration, and now we are ready for testing.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/02480e77d2424913b82bd27fac3f2828_image.png\" alt=\"image.png\" /></p>\n<p>Figure 9. Configuring Amazon OpenSearch Service SAML parameters</p>\n<h3><a id=\"Validating_access_with_Okta_users_139\"></a><strong>Validating access with Okta users</strong></h3>\n<ul>\n<li>Access the OpenSearch Dashboards endpoint from the previously created OpenSearch Service cluster. The OpenSearch Dashboards URL can be found in General information within “My Domains” of the OpenSearch Service console, as shown in Figure 10. The first access to OpenSearch Dashboards URL redirects you to the Okta login screen.</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/52b19cb26cbf438e8dd4b2e342fcfbff_image.png\" alt=\"image.png\" /></p>\n<p>Figure 10. Validating Okta user access with Amazon OpenSearch Service</p>\n<ul>\n<li>Now copy and paste the OpenSearch Dashboards URL in your browser, and enter the user credentials.</li>\n<li>If your OpenSearch Service domain is hosted within a private VPC, you will not be able to access your OpenSearch Dashboard over public internet. But you can still use SAML as long as your browser can communicate with both your OpenSearch Service cluster and your identity provider.</li>\n<li>You can create a Mac or Windows EC2 instance within the same VPC so that you can access Amazon OpenSearch Dashboard from EC2 instance’s web browser to validate your SAML configuration. Or you can access your OpenSearch Dashboard through Site-to-Site VPN from your on-premises environment.</li>\n<li>After successful login, you will be redirected into the OpenSearch Dashboards home page. Here, you can explore our sample data and visualizations in OpenSearch Dashboards (Figure 11).</li>\n</ul>\n<p><img src=\"https://dev-media.amazoncloud.cn/74f5d97eb3584215a233316d4ebfe89a_image.png\" alt=\"image.png\" />-</p>\n<p>Figure 11. SAML authenticated OpenSearch Dashboards</p>\n<ul>\n<li>Now, you have successfully federated OpenSearch Dashboards with Okta as an identity provider. You can connect OpenSearch Dashboards by using your Okta credentials.</li>\n</ul>\n<h4><a id=\"Cleaning_up_156\"></a><strong>Cleaning up</strong></h4>\n<p>After you test out this solution, remember to delete all the resources you created, to avoid incurring future charges. Refer to these links:</p>\n<ul>\n<li><a href=\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgdeleting.html\" target=\"_blank\">Deleting your OpenSearch Service domain</a></li>\n<li><a href=\"https://support.okta.com/help/s/question/0D50Z00008G7UohSAF/how-to-delete-my-okta-account?language=en_US\" target=\"_blank\">Deleting your Okta account</a> (if needed)</li>\n</ul>\n<h4><a id=\"Conclusion_161\"></a><strong>Conclusion</strong></h4>\n<p>In this blog post, we have demonstrated how to set up Okta as an identity provider over SAML authentication for OpenSearch Dashboards access. Get started by checking the <a href=\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html\" target=\"_blank\">Amazon OpenSearch Service Developer Guide</a>, which provides guidance on how to build applications using OpenSearch Service.</p>\n<h5><a id=\"Raghavarao_Sodabathina_163\"></a><strong>Raghavarao Sodabathina</strong></h5>\n<p><img src=\"https://dev-media.amazoncloud.cn/68da2e2d87ad440b928722d4b9324e7b_image.png\" alt=\"image.png\" /></p>\n<p>Raghavarao Sodabathina is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML, and Serverless Platform. He engages with customers to create innovative solutions that address customer business problems and to accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.</p>\n<h5><a id=\"Jana_Gnanachandran_167\"></a><strong>Jana Gnanachandran</strong></h5>\n<p><img src=\"https://dev-media.amazoncloud.cn/09f01059abf5481ab798116602bbc315_image.png\" alt=\"image.png\" /></p>\n<p>Jana Gnanachandran is an Enterprise Solutions Architect at AWS, focusing on Data Analytics, AI/ML, and Serverless platforms. He helps AWS customers across numerous industries to design and build highly scalable, data-driven, analytical solutions to accelerate their cloud adoption. In his spare time, he enjoys playing tennis, 3D printing, and photography.</p>\n<h5><a id=\"Rudy_Collado_171\"></a><strong>Rudy Collado</strong></h5>\n<p><img src=\"https://dev-media.amazoncloud.cn/a279c557ee9645c183b666c924d53de5_image.png\" alt=\"image.png\" /></p>\n<p>Rudy is a Solutions Architect with Amazon Web Services based in the New York City area. He has more than 20 years of experience in the IT industry, specializing in network architecture for financial services. He enjoys using his experience to help customers build innovative, resilient, and secure AWS Cloud solutions. Outside of work, he enjoys spending time with his family and flying different types of airplanes as a private pilot.</p>\n"}