07 Dec '23

Implementing SAML federation for Amazon OpenSearch Service with KeyCloak

Written by Alexey Vidanov

Welcome back to our series on implementing SAML Federation for Amazon OpenSearch Service. In our previous post, we explored setting up SAML Federation using OneLogin. Today, we’ll focus on another popular identity provider - Keycloak.

Keycloak is an open-source Identity and Access Management solution, ideal for modern applications and services. We’ll guide you through integrating Keycloak with Amazon OpenSearch Service to implement SAML Federation.

If you’re new to SAML Federation or Amazon OpenSearch Service, consider reading our previous post on Implementing SAML Federation with OneLogin first. It covers the basics and provides a step-by-step setup guide.

Prerequisites

Before we begin, there are a few prerequisites you need to have in place to follow along with this guide:

  1. Amazon OpenSearch Service Cluster: You should have an Amazon OpenSearch Service cluster set up and running with Fine Grained Access Control enabled. If you’re not sure how to do this, Amazon provides a comprehensive guide to get you started.
  2. Keycloak Instance: You’ll need a running instance of Keycloak. This could be a local development setup or a production instance, depending on your needs. If you don’t have Keycloak set up yet, you can follow the official Keycloak getting started guide.
  3. Familiarity with SAML: This guide assumes you have a basic understanding of SAML (Security Assertion Markup Language) and its role in authentication and authorization. If you’re new to SAML, you might find our previous post helpful.
  4. Access to AWS Management Console: You’ll need access to the AWS Management Console with the necessary permissions to manage Amazon OpenSearch Service.

Once you have these prerequisites in place, you’re ready to start implementing SAML Federation for Amazon OpenSearch Service with Keycloak!

Keycloak-Specific Instructions

Let’s start setting up SAML Federation with Keycloak

  1. Set Up a Keycloak Realm: Create a new realm in Keycloak for your application. image-20231129190516970

  2. Create a Keycloak Client: In your realm, create a new client for Amazon OpenSearch Service. Choose “SAML” as the client protocol. image-20231129190628712

    Make sure to select “SAML” as the client protocol. Use the endpoint URL for the Client ID.

    A Keycloak client configuration screen for managing SAML settings.

    Set the “Sign Documents” options to “On” on the same screen in the “Signature and Encryption”: image-20231129191523291

  3. Configure the Keycloak Client: Adjust General Settings, turn on “Include AuthnStatement” and set “Sign Documents” to “On”. image-20231129192029491

  4. Configure client scopes. This will be used for the roles mapping from KeyCloak to Opensearch. By configuring the new mapper select there Role List

    keycloak2

  5. Export Keycloak Metadata: This will be used to configure SAML options in Amazon OpenSearch Service.

    image-20231129192546988

  6. Configure Amazon OpenSearch Service: Log into the AWS Management Console and navigate to your OpenSearch Service domain.

    Amazon OpenSearch Service In the “Security” configuration, select “SAML” as the authentication type and upload the Keycloak metadata file you exported in the previous step.

    aws_console1

  7. Set up roles and mapping users

    In the OpenSearch Dashboard, you can utilize existing roles or create new ones by navigating to the ‘Security’ section in the Management area.

    2023-12-07_14-32-13

    For learning purposes, we will add a user with the ‘all_access’ role in Keycloak. First, however, we need to map this role in the OpenSearch Dashboards. Go to ‘Roles’ and click on ‘all_access’.

    image-20231207143413070

    Next, add the ‘all_access’ role to the backend roles mapping.

    image-20231207143702408

    Now, return to the Keycloak Realm and create a Realm Role named ‘all_access’. Finally, create an user for the OpenSearch Dashboards and assign the role.

    image-20231207165342853

  8. Test the Integration: Log into OpenSearch Dashboards with Keycloak credentials to ensure proper setup.

Remember, these are high-level instructions and you may need to adjust them based on your specific Keycloak and AWS configurations. Always refer to the official Keycloak and AWS documentation for the most accurate and detailed information.

Conclusion

Congratulations on successfully integrating Keycloak with Amazon OpenSearch Service for enhanced security and streamlined user management. This Single Sign-On (SSO) setup is extendable across AWS services.

For practical implementations, leverage Infrastructure as Code (IaC) tools like Terraform and AWS CloudFormation for efficient OpenSearch Service management. It’s crucial to focus on security, availability, and cost efficiency.

Our tecRacer team offers expertise in deploying and managing OpenSearch Service infrastructure, ensuring robust security and scalability. We also provide integration support with various identity providers.

Contact us for a consultation to optimize your Amazon OpenSearch Service deployment, ensuring a secure and efficient user experience.

References

For more information on the topics covered in this post, you may find the following resources helpful:

Alexey

Similar Posts You Might Enjoy

04 Dec '23

Enhancing German Search in Amazon OpenSearch Service

Amazon OpenSearch Service, utilizing the robust OpenSearch framework, excels in search and analytics due to its remarkable speed and efficiency. Despite its strengths, the service’s default configurations might not be fully tailored to address the distinct linguistic challenges encountered in specific languages. Take German, for example, known for its compound words like “Lebensversicherungsgesellschaft” (life insurance company). Standard tokenization in search technologies treats these compounds as single units, leading to less optimal search results. For improved accuracy, it’s important to index the components of these compounds separately – “Leben” (life), “Versicherung” (insurance), and “Gesellschaft” (company). This approach ensures more precise and effective search outcomes, particularly in languages like German with many compound words. - by Alexey Vidanov

08 Mar '24

Find It Fast: Streamline Phone Number Searches with OpenSearch.

This guide empowers you to optimize OpenSearch for lightning-fast and accurate phone number searches. Frustration-free experiences are key for your customers, and by leveraging edge ngrams and custom analyzers, you can empower OpenSearch to efficiently handle even large datasets. - by Alexey Vidanov

08 Dec '23

🇩🇪 Verbesserung der deutschen Suche im Amazon OpenSearch Service

Der Amazon OpenSearch Service, der auf dem robusten OpenSearch-Framework basiert, zeichnet sich durch seine bemerkenswerte Geschwindigkeit und Effizienz in Such- und Analysefunktionen aus. Trotz seiner Stärken sind die Standardkonfigurationen des Dienstes möglicherweise nicht vollständig darauf ausgelegt, die spezifischen sprachlichen Herausforderungen bestimmter Sprachen zu bewältigen. - by Alexey Vidanov