Building SAML federation for Amazon OpenSearch Service with Ping Identity

{"value":"[Amazon OpenSearch Service](https://aws.amazon.com/opensearch-service/) is an open search and log analytics service, powered by the Apache Lucene search library.\n\nIn this blog post, we provide step-by-step guidance for SP-initiated SSO by showing how to set up a trial Ping Identity account. We’ll show how to build users and groups within your organization’s directory and enable SSO in OpenSearch Dashboards.\n\nTo use this feature, you must enable fine-grained access control. Rather than authenticating through [Amazon Cognito](https://aws.amazon.com/cognito/) or the internal user database, SAML authentication for OpenSearch Dashboards lets you use third-party identity providers to log in.\n\n[Ping Identity](https://www.pingidentity.com/en.html) is an Amazon Web Services Competency Partner, and the provider of the PingOne Cloud Platform is a multi-tenant Identity-as-a-Service (IDaaS) platform. Ping Identity supports both service provider (SP)-initiated and identity provider (IdP)-initiated SSO.\n\n### **Overview of Ping Identity SAML authenticated solution**\nFigure 1 shows a sample architecture of a generic integrated solution between Ping Identity and OpenSearch Dashboards over SAML authentication.\n\n\n\nFigure 1. SAML transactions between [Amazon OpenSearch Service](https://aws.amazon.com/cn/opensearch-service/?trk=cndc-detail) and Ping Identity\n\nThe sign-in flow is as follows:\n1. User opens browser window and navigates to OpenSearch Dashboards\n2. OpenSearch Service generates SAML authentication request\n3. OpenSearch Service redirects request back to browser\n4. Browser redirects to Ping Identity URL\n5. Ping Identity parses SAML request, authenticates user, and generates SAML response\n6. Ping Identity returns encoded SAML response to browser\n7. Browser sends SAML response back to OpenSearch Service Assertion Consumer Service (ACS) URL\n8. ACS verifies SAML response\n9. User logs into OpenSearch Service domain\n#### **Prerequisites**\nFor this walkthrough, you should have the following prerequisites:\n\n1. An [Amazon Web Services account](https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fportal.aws.amazon.com%2Fbilling%2Fsignup%2Fresume&client_id=signup)\n2. A [virtual private cloud (VPC)](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html)-based OpenSearch Service domain with fine-grained access control enabled\n3. Ping Identity account with user and a group\n4. A browser with network connectivity to Ping Identity, OpenSearch Service domain, and OpenSearch Dashboards.\nThe steps in this post are structured into the following sections:\n\n1. Identity provider (Ping Identity) setup\n2. Prepare OpenSearch Service for SAML configuration\n3. Identity provider (Ping Identity) SAML configuration\n4. Finish OpenSearch Service for SAML configuration\n5. Validation\n6. Cleanup\n#### **Identity provider (Ping Identity) setup**\n##### ***Step 1: Sign up for a Ping Identity account***\n- Sign up for a [Ping Identity account](https://www.pingidentity.com/en/try-ping.html), then click on the **Sign up** button to complete your account setup.\nIf you already have an account with Ping Identity, [login](https://www.pingidentity.com/en/account/sign-on.html) to your Ping Identity account.\n##### ***Step 2: Create [Population](http://c/Users/jangna/Downloads/%E2%88%9Ahttps:/docs.pingidentity.com/bundle/pingone/page/lku1564020489392.html) in Ping Identity***\n- Choose **Identities** in the left menu and click **Populations** to proceed.\n- Click on the blue **+** button next to **Populations**, enter the **Name** as **IT**, choose **Standard (default)** from the **Password Policy** dropdown, then click on the **Save** button (see Figure 2).\n\n\n\nFigure 2. Creating population in Ping Identity\n\n##### ***Step 3: Create a group in Ping Identity***\n- Choose Groups from the left menu and click on the blue **+** button next to **Groups.** For this example, we will create a group called opensearch for OpenSearch Dashboards access.\n- Enter **Group Name** = opensearch, then choose **IT** from **Population** dropdown (created in previous step).\n- Click on the **Save** button to complete the group creation.\n##### ***Step 4: Create users in Ping Identity***\n- Choose **Users** in left menu, then click the **+ Add User** button.\n- Provide **GIVEN NAME, FAMILY NAME, EMAIL ADDRESS,** and choose Population as **IT**, (created in Step 1). Choose your own **USERNAME**. Click on the **SAVE** button to create your user.\n- Add more users as needed.\n##### ***Step 5: Assign role and group to users***\n- Click on **Identities/users** in the left menu, and click on **Users**. Then click on the edit button for a particular user. You can also set up a one time password for a user by using Reset Password as shown in Figure 3.\n\n\n\nFigure 3. Assigning roles and groups to users in Ping Identity\n\n- Click on the **Edit** button, click on **+ Add Role** button, and click on the edit button to assign a role to the user.\n- For this example, choose Environment Admin, as shown in Figure 4. You can choose different roles depending on your use case.\n\n\n\nFigure 4. Assigning roles to users in Ping Identity\n\n- For this example, assign administrator responsibilities for our users. Click *on Show Environments*, and drag Administrators into the ADDED RESPONSIBILITES section. Then click on the **Add Role **button.\n- Add Group to users. Go to the **Groups** tab, search for the opensearch group created in Step 3. Click on the + button next to opensearch to add into group memberships.\n### **Prepare OpenSearch Service for SAML configuration**\nOnce the OpenSearch Service domain is up and running, we can proceed with configuration.\n\n- Under Actions, choose **Edit security configuration**, as shown in Figure 5.\n\n\n\nFigure 5. Enabling [Amazon OpenSearch Service](https://aws.amazon.com/cn/opensearch-service/?trk=cndc-detail) security configuration for SAML\n\n- Under SAML authentication for OpenSearch Dashboards/Kibana, select **Enable SAML authentication** check box (Figure 6). When we enable SAML, it will create different URLs required for configuring SAML with your identity provider.\n\n\n\nFigure 6. [Amazon OpenSearch Service](https://aws.amazon.com/cn/opensearch-service/?trk=cndc-detail) URLs for SAML configuration\n\nWe will be using the **Service Provider entity ID** and **SP-initiated SSO URL** as highlighted in Figure 6 for Ping Identity SAML configuration. We will complete the rest of the OpenSearch Service SAML configuration after the Ping Identity SAML configuration.\n\n### **Ping Identity SAML configuration**\nGo back to PingIdentity.com, and navigate to **Connections** on the left menu. Then select **Applications**, and click on **Application +**.\n\n- For this example, we are creating an application called “*opensearch*”\n- Select **WEB APP** as **APPLICATION TYPE** and **CHOOSE CONNECTION TYPE** as SAML, and click on **Configure** button to proceed as shown in Figure 7.\n\n\n\nFigure 7. Configuring a new SAML application in Ping Identity\n\n- Enter the following under the **Configure SAML Connection** section\n\tChoose the “Manually Enter” option for **Provide Application Metadata**\n\t**ACS URLs** https://vpc-XXXXX-XXXXX-west-2.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs **(SP-initiated SSO URL)**\n**ENTITY ID**: https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com **(Service provider entity ID)**\nThen click on the **Save** button as shown in Figure 8\n\n\n\nFigure 8. Configuring SAML connection in Ping Identity\n\n- Select the **Attribute Mappings** tab and enter the following by clicking on the edit icon on the right, followed by the **+Add** button. Then click on Save button.\n**saml_subject** = **user ID** (default option)\n**saml_group** = select **Group Names** from the dropdown\n**saml_username** = select **Username** from the drop down\n- Select the **Policies** tab and click on edit icon on the right and then, click on **+Add policies** button\nSelect **Single_Factor** policy to the application, then click on the **Add** button, followed by **Save** button.\n- Select the **Access** tab and click on edit icon on the right\nadd the opensearch group to the application by clicking on **+**, then click on **Save** to complete SAML configuration.\n- Finally, go to the **Configuration** tab, click on the **Download Metadata** button to download the Ping Identity metadata for the Amazon OpenSearch SAML configuration. Enable opensearch SAML application (Figure 9).\n\n\n\nFigure 9. Downloading metadata in Ping Identity\n\n### **OpenSearch Service SAML configuration**\n- Switch back to OpenSearch Service domain:\nNavigate to the OpenSearch Service console.\nClick on **Actions**, then click on **Modify Security configuration.**\nSelect the Enable SAML authentication check box.\n- Under **Import IdP metadata** section:\n**Metadata from IdP**: Import the Ping Identity identity provider metadata from the downloaded XML file, shown in Figure 10.\n**SAML master backend role: opensearch** (Ping Identity group). Provide SAML backend role/group SAML assertion key for group SSO into Kibana.\n\n\n\nFigure 10. Configuring [Amazon OpenSearch Service](https://aws.amazon.com/cn/opensearch-service/?trk=cndc-detail) SAML parameters\n\n- Under **Optional SAML settings:**\nLeave the **Subject Key** as saml_subject from Ping Identity SAML application attribute name.\n**Role key** should be saml_group. You can view a sample assertion during the configuration process by tools like SAML-tracer. This can help you examine and troubleshoot the contents of real assertions.\n**Session time to live (mins)**: 60\n- Click on the Submit button to complete OpenSearch Service SAML configuration for Kibana. We have successfully completed SAML configuration and are now ready for testing.\n### **Validating Access with Ping Identity Users**\n- The OpenSearch Dashboards URL can be found in the Overview tab within “General Information” in the OpenSearch Service console (Figure 11). The first access to the OpenSearch Dashboards URL redirects you to the Ping Identity login screen.\n\n\n\nFigure 11. Validating Ping Identity users access with [Amazon OpenSearch Service](https://aws.amazon.com/cn/opensearch-service/?trk=cndc-detail)\n\n- If your OpenSearch Service domain is hosted within a private VPC, you will not be able to access OpenSearch Dashboards over public internet. But you can still use SAML as long as your browser can communicate with both your OpenSearch Service cluster and your identity provider.\n- You can create a Mac or Windows EC2 instance within the same VPC and access OpenSearch Dashboards from an EC2 instance’s web browser to validate your SAML configuration. Or you can access your OpenSearch Dashboards through Site-to-Site VPN if you are trying to access it from your on-premises environment.\n- Now copy and paste the OpenSearch Dashboards URL in your browser, and enter user credentials.\n- After successful login, you will be redirected into the OpenSearch Dashboards home page. Explore our sample data and visualizations in OpenSearch Dashboards, as shown in Figure 12.\n\n\n\nFigure 12. SAML authenticated OpenSearch Dashboards\n\n- You have successfully federated OpenSearch Dashboards with Ping Identity as an identity provider. You can connect OpenSearch Dashboards by using your Ping Identity credentials.\n#### **Cleaning up**\nAfter you test out this solution, remember to delete all the resources you created to avoid incurring future charges. Refer to these links:\n\n- [Deleting your OpenSearch Service domain](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgdeleting.html)\n- Reach out to Ping Identity to delete your account (If needed)\n#### **Conclusion**\nIn this blog post, we have demonstrated how to set up Ping Identity as an identity provider over SAML authentication for OpenSearch Dashboards access. With this solution, you now have an OpenSearch Dashboard that uses Ping Identity as the custom identity provider for your users. This reduces the customer login process to one set of credentials and improves employee productivity.\n\nGet started by checking the [Amazon OpenSearch Service Developer Guide](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/what-is-amazon-elasticsearch-service.html), which provides guidance on how to build applications using OpenSearch Service for your operational analytics.\n\n##### **Raghavarao Sodabathina**\n\n\nRaghavarao Sodabathina is an Enterprise Solutions Architect at Amazon Web Services, focusing on Data Analytics, AI/ML, and Serverless Platform. He engages with customers to create innovative solutions that address customer business problems and to accelerate the adoption of Amazon Web Services services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.\n##### **Jana Gnanachandran**\n\n\nJana Gnanachandran is an Enterprise Solutions Architect at Amazon Web Services, focusing on Data Analytics, AI/ML, and Serverless platforms. He helps Amazon Web Services customers across numerous industries to design and build highly scalable, data-driven, analytical solutions to accelerate their cloud adoption. In his spare time, he enjoys playing tennis, 3D printing, and photography.","render":"<p><a href=\\"https://aws.amazon.com/opensearch-service/\\" target=\\"_blank\\">Amazon OpenSearch Service</a> is an open search and log analytics service, powered by the Apache Lucene search library.</p>\\n<p>In this blog post, we provide step-by-step guidance for SP-initiated SSO by showing how to set up a trial Ping Identity account. We’ll show how to build users and groups within your organization’s directory and enable SSO in OpenSearch Dashboards.</p>\n<p>To use this feature, you must enable fine-grained access control. Rather than authenticating through <a href=\\"https://aws.amazon.com/cognito/\\" target=\\"_blank\\">Amazon Cognito</a> or the internal user database, SAML authentication for OpenSearch Dashboards lets you use third-party identity providers to log in.</p>\\n<p><a href=\\"https://www.pingidentity.com/en.html\\" target=\\"_blank\\">Ping Identity</a> is an Amazon Web Services Competency Partner, and the provider of the PingOne Cloud Platform is a multi-tenant Identity-as-a-Service (IDaaS) platform. Ping Identity supports both service provider (SP)-initiated and identity provider (IdP)-initiated SSO.</p>\\n<h3><a id=\\"Overview_of_Ping_Identity_SAML_authenticated_solution_8\\"></a><strong>Overview of Ping Identity SAML authenticated solution</strong></h3>\\n<p>Figure 1 shows a sample architecture of a generic integrated solution between Ping Identity and OpenSearch Dashboards over SAML authentication.</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/5e66ee14b51442b6819676ac192fa5a7_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 1. SAML transactions between Amazon OpenSearch Service and Ping Identity</p>\n<p>The sign-in flow is as follows:</p>\n<ol>\\n<li>User opens browser window and navigates to OpenSearch Dashboards</li>\n<li>OpenSearch Service generates SAML authentication request</li>\n<li>OpenSearch Service redirects request back to browser</li>\n<li>Browser redirects to Ping Identity URL</li>\n<li>Ping Identity parses SAML request, authenticates user, and generates SAML response</li>\n<li>Ping Identity returns encoded SAML response to browser</li>\n<li>Browser sends SAML response back to OpenSearch Service Assertion Consumer Service (ACS) URL</li>\n<li>ACS verifies SAML response</li>\n<li>User logs into OpenSearch Service domain</li>\n</ol>\\n<h4><a id=\\"Prerequisites_25\\"></a><strong>Prerequisites</strong></h4>\\n<p>For this walkthrough, you should have the following prerequisites:</p>\n<ol>\\n<li>\\n<p>An <a href=\\"https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fportal.aws.amazon.com%2Fbilling%2Fsignup%2Fresume&amp;client_id=signup\\" target=\\"_blank\\">Amazon Web Services account</a></p>\\n</li>\n<li>\\n<p>A <a href=\\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html\\" target=\\"_blank\\">virtual private cloud (VPC)</a>-based OpenSearch Service domain with fine-grained access control enabled</p>\\n</li>\n<li>\\n<p>Ping Identity account with user and a group</p>\n</li>\\n<li>\\n<p>A browser with network connectivity to Ping Identity, OpenSearch Service domain, and OpenSearch Dashboards.<br />\\nThe steps in this post are structured into the following sections:</p>\n</li>\\n<li>\\n<p>Identity provider (Ping Identity) setup</p>\n</li>\\n<li>\\n<p>Prepare OpenSearch Service for SAML configuration</p>\n</li>\\n<li>\\n<p>Identity provider (Ping Identity) SAML configuration</p>\n</li>\\n<li>\\n<p>Finish OpenSearch Service for SAML configuration</p>\n</li>\\n<li>\\n<p>Validation</p>\n</li>\\n<li>\\n<p>Cleanup</p>\n</li>\\n</ol>\n<h4><a id=\\"Identity_provider_Ping_Identity_setup_40\\"></a><strong>Identity provider (Ping Identity) setup</strong></h4>\\n<h5><a id=\\"Step_1_Sign_up_for_a_Ping_Identity_account_41\\"></a><em><strong>Step 1: Sign up for a Ping Identity account</strong></em></h5>\n<ul>\\n<li>Sign up for a <a href=\\"https://www.pingidentity.com/en/try-ping.html\\" target=\\"_blank\\">Ping Identity account</a>, then click on the <strong>Sign up</strong> button to complete your account setup.<br />\\nIf you already have an account with Ping Identity, <a href=\\"https://www.pingidentity.com/en/account/sign-on.html\\" target=\\"_blank\\">login</a> to your Ping Identity account.</li>\\n</ul>\n<h5><a id=\\"Step_2_Create_PopulationhttpcUsersjangnaDownloadsE2889Ahttpsdocspingidentitycombundlepingonepagelku1564020489392html_in_Ping_Identity_44\\"></a><em><strong>Step 2: Create <a href=\\"http://c/Users/jangna/Downloads/%E2%88%9Ahttps:/docs.pingidentity.com/bundle/pingone/page/lku1564020489392.html\\" target=\\"_blank\\">Population</a> in Ping Identity</strong></em></h5>\\n<ul>\\n<li>Choose <strong>Identities</strong> in the left menu and click <strong>Populations</strong> to proceed.</li>\\n<li>Click on the blue <strong>+</strong> button next to <strong>Populations</strong>, enter the <strong>Name</strong> as <strong>IT</strong>, choose <strong>Standard (default)</strong> from the <strong>Password Policy</strong> dropdown, then click on the <strong>Save</strong> button (see Figure 2).</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/1ea2f1babc664acabf40bc9c4e52656d_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 2. Creating population in Ping Identity</p>\n<h5><a id=\\"Step_3_Create_a_group_in_Ping_Identity_52\\"></a><em><strong>Step 3: Create a group in Ping Identity</strong></em></h5>\n<ul>\\n<li>Choose Groups from the left menu and click on the blue <strong>+</strong> button next to <strong>Groups.</strong> For this example, we will create a group called opensearch for OpenSearch Dashboards access.</li>\\n<li>Enter <strong>Group Name</strong> = opensearch, then choose <strong>IT</strong> from <strong>Population</strong> dropdown (created in previous step).</li>\\n<li>Click on the <strong>Save</strong> button to complete the group creation.</li>\\n</ul>\n<h5><a id=\\"Step_4_Create_users_in_Ping_Identity_56\\"></a><em><strong>Step 4: Create users in Ping Identity</strong></em></h5>\n<ul>\\n<li>Choose <strong>Users</strong> in left menu, then click the <strong>+ Add User</strong> button.</li>\\n<li>Provide <strong>GIVEN NAME, FAMILY NAME, EMAIL ADDRESS,</strong> and choose Population as <strong>IT</strong>, (created in Step 1). Choose your own <strong>USERNAME</strong>. Click on the <strong>SAVE</strong> button to create your user.</li>\\n<li>Add more users as needed.</li>\n</ul>\\n<h5><a id=\\"Step_5_Assign_role_and_group_to_users_60\\"></a><em><strong>Step 5: Assign role and group to users</strong></em></h5>\n<ul>\\n<li>Click on <strong>Identities/users</strong> in the left menu, and click on <strong>Users</strong>. Then click on the edit button for a particular user. You can also set up a one time password for a user by using Reset Password as shown in Figure 3.</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/c38ec273007c4411ac6e8175a57671b4_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 3. Assigning roles and groups to users in Ping Identity</p>\n<ul>\\n<li>Click on the <strong>Edit</strong> button, click on <strong>+ Add Role</strong> button, and click on the edit button to assign a role to the user.</li>\\n<li>For this example, choose Environment Admin, as shown in Figure 4. You can choose different roles depending on your use case.</li>\n</ul>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/93c5b6c69c414607ba9d3ca28bea2a71_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 4. Assigning roles to users in Ping Identity</p>\n<ul>\\n<li>For this example, assign administrator responsibilities for our users. Click <em>on Show Environments</em>, and drag Administrators into the ADDED RESPONSIBILITES section. Then click on the **Add Role **button.</li>\\n<li>Add Group to users. Go to the <strong>Groups</strong> tab, search for the opensearch group created in Step 3. Click on the + button next to opensearch to add into group memberships.</li>\\n</ul>\n<h3><a id=\\"Prepare_OpenSearch_Service_for_SAML_configuration_76\\"></a><strong>Prepare OpenSearch Service for SAML configuration</strong></h3>\\n<p>Once the OpenSearch Service domain is up and running, we can proceed with configuration.</p>\n<ul>\\n<li>Under Actions, choose <strong>Edit security configuration</strong>, as shown in Figure 5.</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/375d6536f94e46d9b413fdfee29526f2_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 5. Enabling Amazon OpenSearch Service security configuration for SAML</p>\n<ul>\\n<li>Under SAML authentication for OpenSearch Dashboards/Kibana, select <strong>Enable SAML authentication</strong> check box (Figure 6). When we enable SAML, it will create different URLs required for configuring SAML with your identity provider.</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/f9461c7cd18445cba0fcf18fd10008e9_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 6. Amazon OpenSearch Service URLs for SAML configuration</p>\n<p>We will be using the <strong>Service Provider entity ID</strong> and <strong>SP-initiated SSO URL</strong> as highlighted in Figure 6 for Ping Identity SAML configuration. We will complete the rest of the OpenSearch Service SAML configuration after the Ping Identity SAML configuration.</p>\\n<h3><a id=\\"Ping_Identity_SAML_configuration_93\\"></a><strong>Ping Identity SAML configuration</strong></h3>\\n<p>Go back to PingIdentity.com, and navigate to <strong>Connections</strong> on the left menu. Then select <strong>Applications</strong>, and click on <strong>Application +</strong>.</p>\\n<ul>\\n<li>For this example, we are creating an application called “<em>opensearch</em>”</li>\\n<li>Select <strong>WEB APP</strong> as <strong>APPLICATION TYPE</strong> and <strong>CHOOSE CONNECTION TYPE</strong> as SAML, and click on <strong>Configure</strong> button to proceed as shown in Figure 7.</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/5fe2368c8f274564bcf71944db9ff970_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 7. Configuring a new SAML application in Ping Identity</p>\n<ul>\\n<li>Enter the following under the <strong>Configure SAML Connection</strong> section<br />\\nChoose the “Manually Enter” option for <strong>Provide Application Metadata</strong><br />\\n<strong>ACS URLs</strong> https://vpc-XXXXX-XXXXX-west-2.es.amazonaws.com/_dashboards/_opendistro/_security/saml/acs <strong>(SP-initiated SSO URL)</strong><br />\\n<strong>ENTITY ID</strong>: https://vpc-XXXXX-XXXXX.us-west-2.es.amazonaws.com <strong>(Service provider entity ID)</strong><br />\\nThen click on the <strong>Save</strong> button as shown in Figure 8</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/07c768577b614e818401b1a1701f8c7c_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 8. Configuring SAML connection in Ping Identity</p>\n<ul>\\n<li>Select the <strong>Attribute Mappings</strong> tab and enter the following by clicking on the edit icon on the right, followed by the <strong>+Add</strong> button. Then click on Save button.<br />\\n<strong>saml_subject</strong> = <strong>user ID</strong> (default option)<br />\\n<strong>saml_group</strong> = select <strong>Group Names</strong> from the dropdown<br />\\n<strong>saml_username</strong> = select <strong>Username</strong> from the drop down</li>\\n<li>Select the <strong>Policies</strong> tab and click on edit icon on the right and then, click on <strong>+Add policies</strong> button<br />\\nSelect <strong>Single_Factor</strong> policy to the application, then click on the <strong>Add</strong> button, followed by <strong>Save</strong> button.</li>\\n<li>Select the <strong>Access</strong> tab and click on edit icon on the right<br />\\nadd the opensearch group to the application by clicking on <strong>+</strong>, then click on <strong>Save</strong> to complete SAML configuration.</li>\\n<li>Finally, go to the <strong>Configuration</strong> tab, click on the <strong>Download Metadata</strong> button to download the Ping Identity metadata for the Amazon OpenSearch SAML configuration. Enable opensearch SAML application (Figure 9).</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/65ae24c8a0a64da297266d37b02a20a2_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 9. Downloading metadata in Ping Identity</p>\n<h3><a id=\\"OpenSearch_Service_SAML_configuration_127\\"></a><strong>OpenSearch Service SAML configuration</strong></h3>\\n<ul>\\n<li>Switch back to OpenSearch Service domain:<br />\\nNavigate to the OpenSearch Service console.<br />\\nClick on <strong>Actions</strong>, then click on <strong>Modify Security configuration.</strong><br />\\nSelect the Enable SAML authentication check box.</li>\n<li>Under <strong>Import IdP metadata</strong> section:<br />\\n<strong>Metadata from IdP</strong>: Import the Ping Identity identity provider metadata from the downloaded XML file, shown in Figure 10.<br />\\n<strong>SAML master backend role: opensearch</strong> (Ping Identity group). Provide SAML backend role/group SAML assertion key for group SSO into Kibana.</li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/ba0ad71d8ccc4460994951e782e82581_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 10. Configuring Amazon OpenSearch Service SAML parameters</p>\n<ul>\\n<li>Under <strong>Optional SAML settings:</strong><br />\\nLeave the <strong>Subject Key</strong> as saml_subject from Ping Identity SAML application attribute name.<br />\\n<strong>Role key</strong> should be saml_group. You can view a sample assertion during the configuration process by tools like SAML-tracer. This can help you examine and troubleshoot the contents of real assertions.<br />\\n<strong>Session time to live (mins)</strong>: 60</li>\\n<li>Click on the Submit button to complete OpenSearch Service SAML configuration for Kibana. We have successfully completed SAML configuration and are now ready for testing.</li>\n</ul>\\n<h3><a id=\\"Validating_Access_with_Ping_Identity_Users_145\\"></a><strong>Validating Access with Ping Identity Users</strong></h3>\\n<ul>\\n<li>The OpenSearch Dashboards URL can be found in the Overview tab within “General Information” in the OpenSearch Service console (Figure 11). The first access to the OpenSearch Dashboards URL redirects you to the Ping Identity login screen.</li>\n</ul>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/825013e49c7441f783ef33824bd2e65f_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 11. Validating Ping Identity users access with Amazon OpenSearch Service</p>\n<ul>\\n<li>If your OpenSearch Service domain is hosted within a private VPC, you will not be able to access OpenSearch Dashboards over public internet. But you can still use SAML as long as your browser can communicate with both your OpenSearch Service cluster and your identity provider.</li>\n<li>You can create a Mac or Windows EC2 instance within the same VPC and access OpenSearch Dashboards from an EC2 instance’s web browser to validate your SAML configuration. Or you can access your OpenSearch Dashboards through Site-to-Site VPN if you are trying to access it from your on-premises environment.</li>\n<li>Now copy and paste the OpenSearch Dashboards URL in your browser, and enter user credentials.</li>\n<li>After successful login, you will be redirected into the OpenSearch Dashboards home page. Explore our sample data and visualizations in OpenSearch Dashboards, as shown in Figure 12.</li>\n</ul>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/af669acca7404c35a046370a60cd2900_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 12. SAML authenticated OpenSearch Dashboards</p>\n<ul>\\n<li>You have successfully federated OpenSearch Dashboards with Ping Identity as an identity provider. You can connect OpenSearch Dashboards by using your Ping Identity credentials.</li>\n</ul>\\n<h4><a id=\\"Cleaning_up_162\\"></a><strong>Cleaning up</strong></h4>\\n<p>After you test out this solution, remember to delete all the resources you created to avoid incurring future charges. Refer to these links:</p>\n<ul>\\n<li><a href=\\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgdeleting.html\\" target=\\"_blank\\">Deleting your OpenSearch Service domain</a></li>\\n<li>Reach out to Ping Identity to delete your account (If needed)</li>\n</ul>\\n<h4><a id=\\"Conclusion_167\\"></a><strong>Conclusion</strong></h4>\\n<p>In this blog post, we have demonstrated how to set up Ping Identity as an identity provider over SAML authentication for OpenSearch Dashboards access. With this solution, you now have an OpenSearch Dashboard that uses Ping Identity as the custom identity provider for your users. This reduces the customer login process to one set of credentials and improves employee productivity.</p>\n<p>Get started by checking the <a href=\\"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/what-is-amazon-elasticsearch-service.html\\" target=\\"_blank\\">Amazon OpenSearch Service Developer Guide</a>, which provides guidance on how to build applications using OpenSearch Service for your operational analytics.</p>\\n<h5><a id=\\"Raghavarao_Sodabathina_172\\"></a><strong>Raghavarao Sodabathina</strong></h5>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/6158e2c9983a4853a5ae308d7e534a64_image.png\\" alt=\\"image.png\\" /></p>\n<p>Raghavarao Sodabathina is an Enterprise Solutions Architect at Amazon Web Services, focusing on Data Analytics, AI/ML, and Serverless Platform. He engages with customers to create innovative solutions that address customer business problems and to accelerate the adoption of Amazon Web Services services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.</p>\n<h5><a id=\\"Jana_Gnanachandran_176\\"></a><strong>Jana Gnanachandran</strong></h5>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/df7f8d2a1e324bba97e16ece5a322453_image.png\\" alt=\\"image.png\\" /></p>\n<p>Jana Gnanachandran is an Enterprise Solutions Architect at Amazon Web Services, focusing on Data Analytics, AI/ML, and Serverless platforms. He helps Amazon Web Services customers across numerous industries to design and build highly scalable, data-driven, analytical solutions to accelerate their cloud adoption. In his spare time, he enjoys playing tennis, 3D printing, and photography.</p>\n"}