© 2025 Yandex.Cloud LLC
Authenticating a Yandex Managed Service for OpenSearch cluster in OpenSearch Dashboards using Keycloak

Written by
Yandex Cloud
Updated at November 26, 2024
  • Getting started
  • Configure an identity provider
  • Set up SSO for the cluster
  • Configure roles for SSO
  • Test SSO

You can use Keycloak to authenticate users working with OpenSearch Dashboards in a Managed Service for OpenSearch cluster.

To set up authentication:

  1. Configure an identity provider.
  2. Set up SSO for the cluster.
  3. Configure roles for SSO.
  4. Test SSO.

Note

This tutorial was tested for OpenSearch 2.8 and Keycloak 24.0 clusters.

Getting started

  1. Make sure you can access OpenSearch Dashboards using the admin user credentials.

    In this tutorial, we will use the following URL to access the OpenSearch Dashboards web interface:

    https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/
    
  2. Make sure you can use Keycloak:

    • Check that you can access Keycloak.

    • Check that you can access the realm you need.

    • Check that you have the required permissions within this realm to manage:

      • Roles.
      • Users and groups.
      • Clients (in Keycloak, these are applications used for authentication).

    This tutorial assumes that:

    • Keycloak is managed using a super administrator account that can perform any operation in any realm.

    • All operations are performed in the master realm.

    • Keycloak is accessible at:

      http://keycloak.example.com:8080
      
    • The Keycloak admin console is accessible at:

      http://keycloak.example.com:8080/admin/
      

Configure an identity provider

  1. Connect to the Keycloak management console and select the master realm.

  2. Create a client:

    1. In the left-hand panel, select Clients. Click Create client.

    2. In the Client type field, select SAML.

    3. In the Client ID field, specify the client ID.

      This ID must match the URL used to connect to OpenSearch Dashboards:

      https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/
      
    4. Click Next.

    5. Specify the ACS URL in these fields:

      • Home URL
      • Valid redirect URIs
      • IDP Initiated SSO Relay State

      The ACS URL must be in the following format:

      https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/_opendistro/_security/saml/acs
      
    6. Click Save.

  3. Make sure the client is enabled: the toggle in the top-right corner must be set to Enabled.

  4. On the Settings tab, configure the client parameters as follows:

    • SAML Capabilities:

      • Name ID format: email.
      • Force name ID format: Make sure to enable this option.
      • Force POST binding: Make sure to enable this option.
      • Include AuthnStatement: Make sure to enable this option.
    • Signature and Encryption:

      • Sign documents: Make sure to enable this option.
      • Sign assertions: Make sure to enable this option.
      • Signature algorithm: RSA_SHA256.
      • SAML signature key name: CERT_SUBJECT.
      • Canonicalization method: EXCLUSIVE.
  5. Click Save.

  6. On the Keys tab, disable the requirement for client message signing.

    To do this, disable Client signature required.

  7. On the Client scopes tab, configure role mapping for the client:

    1. Click the client's dedicated scope. Its name is the URL used to connect to OpenSearch Dashboards followed by the -dedicated suffix.

    2. On the Mappers tab, click Configure a new mapper. Select the Role list mapper from the list.

    3. Specify the following mapper settings:

      • Name: Any mapper name, e.g., OpenSearch Mapper.
      • Role attribute name: roles.
      • SAML Attribute NameFormat: Basic.
      • Single Role Attribute: Make sure to enable this option.
    4. Click Save.

Set up SSO for the cluster

  1. Get the metadata for the previously created client:

    1. Connect to the Keycloak management console and select the master realm.

    2. In the left-hand panel, select Clients.

    3. Click the client whose ID is the URL used to connect to OpenSearch Dashboards.

    4. In the top-right corner, expand the Action menu and select Download adapter config.

    5. Select the Mod Auth Mellon Files format and click Download.

      This will download an archive.

    6. Extract the idp-metadata.xml file from the archive. This file contains all required metadata.

  2. Set up SSO for the cluster.

    Tip

    Below are the steps for the management console; however, you may use other available Yandex Cloud interfaces.

    To set up a Keycloak authentication source:

    1. In the management console, go to the folder page and select Managed Service for OpenSearch.

    2. Click the cluster name and open the Authentication sources tab.

    3. Click Settings.

    4. Specify the required values for these settings:

      • idp_entity_id: Provider ID.

        For Keycloak, this ID matches the URL referring to the master realm:

        http://keycloak.example.com:8080/realms/master
        
      • idp_metadata_file: Select and upload the metadata file extracted from the archive.

      • sp_entity_id: Service provider ID.

        Use the same ID you specified when configuring the Keycloak client in the Client ID field:

        https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/
        
      • kibana_url: URL to connect to OpenSearch Dashboards.

      • roles_key: Attribute that stores a list of roles.

        Specify the same attribute you configured for the Keycloak mapper: roles.

      • subject_key: Leave the field empty.

      • Session timeout: Leave the 0 value.

      • Enable: Make sure to enable this option.

    5. Click Save.

  3. Wait for the cluster status to change to Running. It may take a few minutes to apply settings.

Configure roles for SSO

  1. Configure Keycloak so that its users get the appropriate roles:

    1. Connect to the Keycloak management console and select the master realm.

    2. Create a role:

      1. In the left-hand panel, select Realm roles. Click Create role.

      2. In the Role name field, enter a role name.

        In the steps below, we will use kc_demo_role as the role name.

      3. Click Save.

    3. Create and configure a user:

      1. In the left-hand panel, select Users. Click Add user.

      2. Specify user credentials:

        • Username: Account name.

          In the steps below, we will use kc_demo_user as the account name.

        • Email: Email address.

          In the steps below, we will use kc_demo_user@example.com as the email address.

        • Email verified: Make sure to enable this setting.

          Note

          For the sake of simplicity, this tutorial assumes that this setting is enabled to skip email verification at first login.

      3. Click Create.

      4. In the Credentials tab, click Set password and enter a password.

        Also, disable Temporary.

        Note

        For the sake of simplicity, this tutorial assumes that this setting is disabled to avoid password change at first login.

    4. Create and configure a group:

      1. In the left-hand panel, select Groups and click Create group.

      2. Enter a group name and click Create.

        In the steps below, we will use kc_demo_group as the group name.

      3. Click the group name to open its properties.

      4. In the Members tab, click Add member, select kc_demo_user, and click Add.

      5. In the Role mapping tab, click Assign role, enable Filter by realm roles, select kc_demo_role from the role list, and click Assign.

  2. Map OpenSearch cluster roles to Keycloak roles. This will enable you to access a cluster using SSO.

    To map roles:

    1. Connect to OpenSearch Dashboards as the admin user.

    2. In the left-hand menu, select OpenSearch Plugins → Security.

    3. In the left-hand panel, select Roles.

    4. Configure role mapping:

      1. Click the role name.

        The next steps assume that you select the kibana_user role.

      2. Go to the Mapped users tab.

      3. Click Manage mapping.

      4. Under Backend roles, enter the name of the Keycloak role to map to the OpenSearch role and click Map.

        The next steps assume that you select the kc_demo_role role.

Keycloak users added to kc_demo_group will now get the kc_demo_role role.

Upon successful authentication with OpenSearch Dashboards, the user with the kc_demo_role role will get the kibana_user role in OpenSearch.
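The chain described in this section is: Keycloak puts the user's realm roles into the single SAML attribute named roles (the mapper configured earlier), OpenSearch reads that attribute because roles_key is set to roles, and every OpenSearch role whose Backend roles list contains one of those values is granted. The script below is an added example, not code from the tutorial, Keycloak or OpenSearch. It builds a constructed, unsigned assertion shaped like the one the tutorial's client issues (NameID format email, one roles attribute in Basic name format with one AttributeValue per role) and applies a mapping equivalent to the Mapped users step; kc_demo_user, kc_demo_role and kibana_user are the tutorial's names, kc_other_role is a constructed extra role.

```python
"""Backend-role mapping as OpenSearch applies it to a Keycloak SAML assertion.

Added example, not code from the Yandex Cloud tutorial, Keycloak or OpenSearch.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# OpenSearch role -> Keycloak roles, as entered under Mapped users / Backend roles.
ROLE_MAPPING = {"kibana_user": ["kc_demo_role"]}


def build_assertion(email, roles):
    """Constructed, unsigned, trimmed assertion with a single 'roles' attribute."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    attrs = (f'<saml:AttributeStatement><saml:Attribute Name="roles" NameFormat="{BASIC}">'
             f"{values}</saml:Attribute></saml:AttributeStatement>") if roles else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_demo" Version="2.0">'
            f'<saml:Subject><saml:NameID Format="{EMAIL_FMT}">{email}</saml:NameID></saml:Subject>'
            f'<saml:AuthnStatement AuthnInstant="2024-11-26T00:00:00Z"/>'
            f"{attrs}</saml:Assertion>")


def extract_identity(assertion_xml, roles_key="roles"):
    """Return (subject, backend_roles): NameID is the subject, roles_key supplies the roles."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject/saml:NameID", NS).text.strip()
    backend_roles = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == roles_key:  # one attribute, several values (Single Role Attribute)
            backend_roles += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return subject, backend_roles


def map_roles(backend_roles, mapping=ROLE_MAPPING):
    """OpenSearch roles granted to a user carrying the given backend roles."""
    return sorted(os_role for os_role, backends in mapping.items()
                  if set(backends) & set(backend_roles))


if __name__ == "__main__":
    for roles in (["kc_demo_role", "kc_other_role"], ["kc_other_role"]):
        subject, backend = extract_identity(build_assertion("kc_demo_user@example.com", roles))
        print(subject, backend, "->", map_roles(backend) or "no OpenSearch roles")
```

A user whose group carries only kc_other_role authenticates successfully at Keycloak but ends up with no OpenSearch role, which is the case to check when someone can log in yet sees an empty Dashboards: compare the roles attribute in the assertion with the Backend roles list rather than the Keycloak login itself.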

Test SSO

  1. Open your browser in guest or private browsing mode.

    For this, you must use a computer with access to Keycloak.

  2. Connect to OpenSearch Dashboards.

    On the login page, click Log in with single sign-on rather than entering your username and password.

    If you have set up everything correctly, the browser will redirect you to the authentication page in Keycloak.

  3. Enter the kc_demo_user credentials and click Sign in.

    After successful authentication, Keycloak will redirect you to the ACS URL, and from there you will be redirected to the OpenSearch Dashboards home page.

  4. Make sure the user has the kibana_user role in OpenSearch.

    To do this, click the user avatar in the top-right corner and select View roles and identities. This will show you the roles assigned to the user.

  5. Make sure you can perform all actions the kibana_user role permits.
