Creating a SAML app in Yandex Identity Hub for integration with OpenSearch
Note
This feature is at the Preview stage.
OpenSearch is a highly scalable open-source system of search and analysis tools. OpenSearch comes with the OpenSearch Dashboards data visualization UI.
To authenticate your organization's users to OpenSearch via SAML SSO, create a SAML app in Identity Hub and configure it appropriately both in Identity Hub and in OpenSearch.
SAML apps can be managed by users with the organization-manager.samlApplications.admin role or higher.
For the users of your organization to be able to access OpenSearch:
Create an app
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the top-right corner, click Create application and in the window that opens:
-
Select the SAML (Security Assertion Markup Language) single sign-on method.
-
In the Name field, specify a name for your new app:
opensearch-app. -
Optionally, in the Description field, enter a description for the new app.
-
Optionally, add labels:
- Click Add label.
- Enter a label in
key: valueformat. - Press Enter.
-
Click Create application.
-
Set up the integration
To configure OpenSearch integration with the SAML app you created in Identity Hub, complete the configuration both on the OpenSearch cluster side and in Identity Hub.
-
Get the metadata for the new app:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and select the new SAML app.
- On the Overview tab, under Identity provider (IdP) configuration, copy the
Issuer / IdP EntityIDvalue you have to set on the OpenSearch cluster side. - On the Overview tab, under Identity provider (IdP) configuration, click Download metadata file.
The downloaded XML file contains the required metadata and a certificate used for SAML response signature verification.
-
Set up SAML authentication for your OpenSearch cluster.
To do this, edit the
config.ymlandroles_mapping.ymlconfiguration files for OpenSearch Security Plugin in the default/etc/opensearch/opensearch-security/directory, and theopensearch_dashboards.ymlfile for OpenSearch Dashboards in the default/etc/opensearch-dashboards/directory.-
Place the previously downloaded
idp-metadata.xmlfile in the OpenSearch Security Plugin directory, e.g.,/etc/opensearch/opensearch-security/saml/. -
Make sure the OpenSearch user, usually
opensearch, has read access to this file.sudo chown opensearch:opensearch /etc/opensearch/opensearch-security/saml/idp-metadata.xml sudo chmod 644 /etc/opensearch/opensearch-security/saml/idp-metadata.xml -
Generate an
exchange_keyto sign JSON web tokens (JWTs).Tip
The JWT key must be a string generated with the HMAC256 algorithm. You can use online generators or command-line tools that produce cryptographically secure strings with support for this algorithm.
-
Add a new SAML authentication domain named
yandex_saml_auth_domainto theauthcsection of theconfig.ymlfile and configure it as shown below.authc: # ... (keep the current basic_internal_auth for the service user) ... # SAML authentication domain for Yandex Identity Hub yandex_saml_auth_domain: order: 1 # What we recommend: 1 or 2 http_enabled: true transport_enabled: false http_authenticator: type: saml challenge: true config: # --- IdP settings (Yandex Identity Hub) --- idp: # Path to the uploaded XML metadata file metadata_file: "/etc/opensearch/opensearch-security/saml/idp-metadata.xml" # --- SP settings (OpenSearch) --- sp: # This parameter must match the SP EntityID specified in Yandex Identity Hub entity_id: "opensearch-saml-sso" # Your Dashboards URL kibana_url: "https://<your-dashboards-url>/" # Key to sign JWTs exchange_key: "5efe29a39306bed6bd4f67af06d54d813ff8b05692ef480204c917602ffdd9a9" # --- Configuring access groups --- # Name of the SAML response attribute containing groups roles_key: "groups" # ...Tip
In the latest OpenSearch Security Plugin versions, you can use the
metadata_urlparameter to load the metadata file directly from Yandex Identity Hub. If your version supports it, you do not need to upload the metadata file to the server. To set it up, simply replacemetadata_filewithmetadata_urlinconfig.yml.# ... # --- IdP settings (Yandex Identity Hub) --- idp: # XML metadata file URL metadata_url: "https://auth.yandex.cloud/saml/metadata/ek0vbjom..." # ... -
To map Yandex Identity Hub user groups to internal OpenSearch roles during SAML authentication, edit the
roles_mapping.ymlfile for OpenSearch Security Plugin. Add the required groups from Identity Hub to thebackend_rolessection of the relevant OpenSearch roles, as shown below.# ... # The opensearch-users group from Yandex Identity Hub # maps to the all_access role in OpenSearch all_access: reserved: false backend_roles: - "admin" - "opensearch-users" # group created in Identity Hub description: "Allow full access for opensearch-users group from Identity Hub" # ...Tip
You can alternatively map roles through the OpenSearch Dashboards web UI.
Mapping roles through the OpenSearch Dashboards web UI
- Log in to OpenSearch Dashboards using the
admincredentials. - In the left-hand menu, navigate to Management → Security.
- In the left-hand panel, select Roles.
- Configure role mapping:
- Click the name of the role you need, e.g.,
all_access. - Go to the Mapped users tab.
- Click Manage mapping.
- In the Backend roles field, specify the Identity Hub user group to map with the OpenSearch role, e.g.,
opensearch-users. - Click Map.
- Click the name of the role you need, e.g.,
- Log in to OpenSearch Dashboards using the
-
After making changes to the
config.ymlandroles_mapping.ymlfiles, apply the new configuration to your OpenSearch cluster by running thesecurityadmin.shscript.# Make sure to provide the correct paths to the certificates and keys # and run securityadmin.sh with administrator privileges. sudo "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" \ -cd "/etc/opensearch/opensearch-security" \ -icl \ -key "<path_to_your_key>" \ -cert "<path_to_your_certificate>" \ -cacert "<path_to_root_CA_certificate>" \ -nhnv -
Edit the
opensearch_dashboards.ymlconfiguration file for OpenSearchDashboards as follows:# ... # Enable multi-factor authentication opensearch_security.auth.multiple_auth_enabled: true # Provide the available authentication types # (keep basic authentication for the service user) opensearch_security.auth.type: [basicauth, saml] # ... -
Restart the OpenSearch services.
sudo systemctl restart opensearch sudo systemctl restart opensearch-dashboards
-
Set up the SAML application in Yandex Identity Hub
Set up service provider endpoints
- Log in to Yandex Identity Hub.
- In the left-hand panel, click Apps and select your SAML app.
- At the top right, click Edit and in the window that opens:
- In the **SP EntityID ** field, specify
opensearch-saml-sso. - In the ACS URL field, enter this address:
https://<your-dashboards-url>/_opendistro/_security/saml/acs. - Click Save.
- In the **SP EntityID ** field, specify
Add a user groups attribute
To set up automatic user-to-role mapping upon OpenSearch login, add the user group attribute. Proceed as follows:
- In the top-right corner, click Add group attribute and in the window that opens.
- In the Attribute name field, leave
groups. - In the Transmitted groups field, select
Assigned groups only. - Click Add.
For more information about configuring attributes, see Configure user and group attributes.
Add users
For your organization's users to be able to authenticate in OpenSearch Dashboards with the Identity Hub SAML app, you need to explicitly add these users and groups to that app.
Note
Users and groups added to a SAML application can be managed by a user with the organization-manager.samlApplications.userAdmin role or higher.
-
Once you set up role mapping in OpenSearch, create the relevant groups:
Cloud Center UI- Log in to Yandex Identity Hub.
- In the left-hand panel, select Groups.
- In the top-right corner of the page, click Create group.
- Enter the group name, e.g.,
opensearch-users. Make sure it matches the group name mapped to the role in OpenSearch. - Click Create group.
- Add users to the group:
- Navigate to the Members tab.
- Click Add member.
- In the window that opens, select the users.
- Click Save.
-
Add users to the application:
Cloud Center UI- Log in to Yandex Identity Hub.
- In the left-hand panel, click Apps and select your app.
- Navigate to the Users and groups tab.
- Click Add users.
- In the window that opens, select the user or user group.
- Click Add.
Make sure your application works correctly
To make sure both your SAML app and its integration with OpenSearch work correctly, authenticate to OpenSearch Dashboards as one of the users you added to the app. Proceed as follows:
- In your browser, navigate to the address of your OpenSearch Dashboards instance.
- If logged in to OpenSearch Dashboards, log out.
- On the OpenSearch Dashboards authentication page, click Log in with single sign-on.
- On the Yandex Cloud authentication page, enter your email address and user password. The user must be a member of a group added to the app.
- Make sure you are logged in to OpenSearch Dashboards.
- If you have configured role mapping:
- Click the user icon in OpenSearch Dashboards.
- Go to View roles and identities.
- Make sure the Roles section displays the
all_accessrole and the Backend roles section displays theopensearch-usersrole.