Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Creating a SAML app in Yandex Identity Hub for integration with Managed Service for OpenSearch

Written by
Updated at November 12, 2025

Note

This feature is at the Preview stage.

OpenSearch is a highly scalable open-source system of search and analysis tools. OpenSearch comes with the OpenSearch Dashboards data visualization UI. Yandex Managed Service for OpenSearch is an OpenSearch cluster management service for the Yandex Cloud infrastructure. Managed Service for OpenSearch supports SAML authentication for secure single sign-on for users across your organization.

To authenticate your organization's users to Managed Service for OpenSearch via SAML SSO, create a SAML app in Identity Hub and configure it appropriately both in Identity Hub and OpenSearch.

SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.

Getting started

Make sure you can access OpenSearch Dashboards using the admin user credentials. For information on how to create and configure an OpenSearch cluster, see Creating an OpenSearch cluster.

In this tutorial, we will use the following URL to access the OpenSearch Dashboards web interface:

https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/

For the users of your organization to be able to access Managed Service for OpenSearch:

  1. Create an app.
  2. Set up the integration.
  3. Make sure the application works correctly.

Create an app

  1. Log in to Yandex Identity Hub.
  2. In the left-hand panel, select Apps.
  3. In the top-right corner, click Create application and in the window that opens:
    1. Select the SAML (Security Assertion Markup Language) single sign-on method.
    2. In the Name field, specify a name for your new app: opensearch-app.
    3. Optionally, in the Description field, enter a description for the new app.
    4. Optionally, add labels:
      1. Click Add label.
      2. Enter a label in key: value format.
      3. Press Enter.
    5. Click Create application.

Set up the integration

To configure Managed Service for OpenSearch integration with the SAML app you created in Identity Hub, complete the configuration both on the OpenSearch cluster side and in Identity Hub.

  1. Get the metadata for the new app:

    1. Log in to Yandex Identity Hub.
    2. In the left-hand panel, select Apps and select the new SAML app.
    3. On the Overview tab, under Identity provider (IdP) configuration, copy the Issuer / IdP EntityID value you have to set on the OpenSearch cluster side.
    4. On the Overview tab, under Identity provider (IdP) configuration, click Download metadata file.

    The downloaded XML file contains the required metadata and a certificate used for SAML response signature verification.

  2. Set up SSO for the OpenSearch cluster.

    Tip

    Below are the steps for the management console; however you may use other available Yandex Cloud interfaces.

    To set up a Identity Hub authentication source:

    1. In the management console, go to the folder dashboard and select Managed Service for OpenSearch.

    2. Click the cluster name and select the Authentication sources tab.

    3. Click Settings.

    4. Specify the required values for these settings:

      • idp_entity_id: Provider ID. Enter the previously saved Issuer / IdP EntityID value.

      • idp_metadata_file: Select and upload the previously downloaded metadata file.

      • sp_entity_id: Service provider ID.

        This ID must match the URL used to connect to OpenSearch Dashboards:

        https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/

      • kibana_url: URL to connect to OpenSearch Dashboards.

      • roles_key: Attribute that stores a list of roles. Set it to groups.

      • subject_key: Leave the field empty.

      • Session timeout: Leave the 0 value.

      • Enable: Make sure to enable this option.

    5. Click Save. Wait for the cluster status to change to Running. It may take a few minutes to apply settings.

  3. Configure role mapping in OpenSearch.

    To ensure that Identity Hub user groups are mapped to OpenSearch roles during authentication:

    1. Connect to OpenSearch Dashboards as the admin user.
    2. In the left-hand menu, select OpenSearch PluginsSecurity.
    3. In the left-hand panel, select Roles.
    4. Configure role mapping:
      1. Click the role name. In this guide, it is kibana_user.
      2. Go to the Mapped users tab.
      3. Click Manage mapping.
      4. Under Backend roles, enter the name of the Identity Hub user group a role will be mapped to in OpenSearch, e.g., opensearch-users.
      5. Click Map.

    Now your organization's users added to the opensearch-users group will be getting the kibana_user role upon successful authentication in OpenSearch Dashboards.

Set up the SAML application in Yandex Identity Hub

Set up service provider endpoints

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Apps and then, the SAML app.

  3. At the top right, click Edit and in the window that opens:

    1. In the **SP EntityID ** field, enter the URL for connection to OpenSearch Dashboards.
    2. In the ACS URL field, specify the ACS URL.

    The ACS URL must be in the following format:

    https://c-cat0adul1fj0********.rw.mdb.yandexcloud.net/_opendistro/_security/saml/acs
    1. Click Save.

Add a user groups attribute

OpenSearch users have to get one of the basic roles upon login. For this to work, the Identity Hub authentication source must provide in its SAML response a list of user groups that will have roles mapped in OpenSearch. Proceed as follows:

  1. In the top-right corner, click Add group attribute and in the window that opens.
  2. In the Attribute name field, leave groups.
  3. In the Transmitted groups field, select Assigned groups only.
  4. Click Add.

For more information about configuring attributes, see Configure user and group attributes.

Add users

For your organization's users to be able to authenticate in OpenSearch Dashboards with the Identity Hub SAML app, you need to explicitly add these users and user groups to the SAML app.

Note

Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.

  1. If you have configured role mapping in Managed Service for OpenSearch, create the groups as needed:

    1. Log in to Yandex Identity Hub.
    2. In the left-hand panel, select Groups.
    3. In the top-right corner of the page, click Create group.
    4. Enter a name, e.g., opensearch-users. The group name must exactly match the user group name specified when mapping to the OpenSearch role.
    5. Click Create group.
    6. Add users to the group:
      1. Navigate to the Members tab.
      2. Click Add member.
      3. In the window that opens, select the required users.
      4. Click Save.

  2. Add users to the application:

    1. Log in to Yandex Identity Hub.
    2. In the left-hand panel, select Apps and select the required app.
    3. Navigate to the Users and groups tab.
    4. Click Add users.
    5. In the window that opens, select the required user or user group.
    6. Click Add.

Make sure your application works correctly

To make sure both your SAML app and Managed Service for OpenSearch integration work correctly, authenticate to OpenSearch Dashboards as one of the users you added to the app. Proceed as follows:

  1. In your browser, navigate to the address of your OpenSearch Dashboards instance.
  2. If logged in to OpenSearch Dashboards, log out.
  3. On the OpenSearch Dashboards authentication page, click Log in with single sign-on.
  4. On the Yandex Cloud authentication page, enter your email address and user password. The user must be a member of a group added to the app.
  5. Make sure you are logged in to OpenSearch Dashboards.
  6. If you have configured role mapping:
    1. Click the user icon in OpenSearch Dashboards.
    2. Go to View roles and identities.
    3. Make sure the Roles section displays the kibana_user role and the Backend roles section displays the opensearch-users role.
Previous
Yandex 360
Next
Managed Service for GitLab