I would like to configure single sign-on for Kibana with Azure Active Directory as the identity provider, using the embedded SAML authentication method that OpenSearch provides.

However, the OpenSearch cluster is running in private subnets and is not publicly available. It seems not to be possible, because the cluster's endpoint resolves to private IPs:

$ dig +short vpc-<cluster-id>.<region>.es.amazonaws.com
10.0.52.81
10.0.52.13
10.0.52.41

While experimenting, I noticed that the private cluster in the VPC also has a DNS name with a "search-" prefix, which resolves to public IPs:

$ dig +short search-<cluster-id>.<region>.es.amazonaws.com
54.a.b.227
13.c.d.158
13.e.f.17

The documentation does not say explicitly that the SAML authentication method is unavailable when a cluster resides in a private subnet.

Has anyone faced such a challenge?

Patrick
antonbormotov

1 Answer

SAML doesn't require direct communication between the identity provider and the service provider, which is an excellent benefit of using it for SSO. That means that even with your ElasticSearch/OpenSearch application hosted within a private VPC you can still use SAML as long as your browser can communicate with both your ElasticSearch cluster and your identity provider. Essentially, your browser acts as the go-between between your identity provider and your service provider.

Okta has a nice description of how this works here: https://developer.okta.com/docs/concepts/saml/#planning-for-saml

The upshot of this is that, again, your identity provider and service provider require no connectivity between each other, so there are no special considerations for using SAML within a private subnet as opposed to a public one.

Patrick
  • I am not familiar with Okta; we use an Azure Enterprise Application where the Reply URL (Assertion Consumer Service URL) needs to be set. The OpenSearch cluster needs to receive the SAML assertion from the identity provider. It makes sense and is written in the [documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html#saml-overview) as well: `Regardless of which authentication type you use, the goal is to log in through your identity provider and receive a SAML assertion that contains your username (required) and any backend roles (optional, but recommended)` – antonbormotov Nov 11 '21 at 03:03
  • Okta and AzureAD both use the SAML standard, and that SAML "dance" of the browser acting as a go-between between the application and the identity provider. I used Okta's diagram because it was handy, but here is the same documentation from Azure: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/auth-saml . That "Assertion Consumer Service URL" is provided to the browser as where it should redirect to once it's received the authenticated payload. – Patrick Nov 11 '21 at 03:41
  • Thanks a lot @Patrick, I misunderstood how the SAML standard works. I managed to configure it and access Kibana/Dashboards (in VPC) using my Azure AD account. – antonbormotov Nov 18 '21 at 17:09
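As an added example (not code from the question, the answer, OpenSearch or Azure AD), here is a Python model of the SP-initiated flow the answer describes: the service provider builds an AuthnRequest and redirects the browser to the IdP, the IdP hands the browser a signed assertion in an auto-submitting form, and the browser POSTs that form to the Assertion Consumer Service URL on the private endpoint. Every connection is recorded so the script can show that only the browser ever connects anywhere. The hostnames, tenant ID, ACS path, signing key and user are constructed stand-ins, and an HMAC replaces the XML signature so the script runs offline; a real SP verifies an XML-DSig with the IdP's certificate.

```python
"""Simulated SP-initiated SAML browser SSO: SP (OpenSearch Dashboards on a private IP),
IdP (Azure AD, public) and the browser, which reaches both. SP and IdP never connect."""
import base64, hashlib, hmac, json, secrets, time, zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoints (constructed): a private vpc- Dashboards host and an Azure AD
# tenant with a placeholder tenant ID. The HMAC key stands in for the IdP signing cert.
SP_ENTITY_ID = "https://vpc-example.eu-west-1.es.amazonaws.com"
SP_ACS_URL = SP_ENTITY_ID + "/_dashboards/_opendistro/_security/saml/acs"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
IDP_SSO_URL = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"

connections = []  # (client, server hostname) for every connection opened in the flow

def _connect(client, url):
    connections.append((client, urlsplit(url).hostname))

def _sign(assertion):
    """Stand-in for XML-DSig: HMAC over a canonical serialization of the assertion."""
    msg = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, msg, hashlib.sha256).hexdigest()

class ServiceProvider:
    """The private OpenSearch Dashboards side: issues AuthnRequests, consumes assertions."""
    def __init__(self):
        self.pending = set()  # IDs of AuthnRequests issued and not yet answered

    def start_login(self):
        """Step 1 (HTTP-Redirect binding): deflated, base64 AuthnRequest in the IdP URL."""
        req_id = "_" + secrets.token_hex(16)
        self.pending.add(req_id)
        authn_request = {"ID": req_id, "Issuer": SP_ENTITY_ID,
                         "AssertionConsumerServiceURL": SP_ACS_URL}
        deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, as the binding specifies
        raw = deflater.compress(json.dumps(authn_request).encode()) + deflater.flush()
        return IDP_SSO_URL + "?" + urlencode(
            {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": "/app/home"})

    def consume_assertion(self, saml_response_b64):
        """Step 3: verify the assertion the browser POSTed to the ACS URL; return (user, roles)."""
        resp = json.loads(base64.b64decode(saml_response_b64))
        assertion = resp["assertion"]
        if not hmac.compare_digest(_sign(assertion), resp["signature"]):
            raise ValueError("bad signature")
        if assertion["Issuer"] != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
        if assertion["Audience"] != SP_ENTITY_ID or assertion["Recipient"] != SP_ACS_URL:
            raise ValueError("assertion not intended for this SP")
        if assertion["InResponseTo"] not in self.pending:
            raise ValueError("unsolicited or replayed assertion")
        if time.time() > assertion["NotOnOrAfter"]:
            raise ValueError("assertion expired")
        self.pending.discard(assertion["InResponseTo"])  # one-time use
        return assertion["subject"], assertion["roles"]

class IdentityProvider:
    """The public IdP: authenticates the user and hands the browser a signed assertion."""
    def handle_sso(self, redirect_url, username, roles):
        """Step 2 (HTTP-POST binding): return the auto-submitting form the browser will POST."""
        query = parse_qs(urlsplit(redirect_url).query)
        authn_request = json.loads(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
        # The user would authenticate to the IdP here; username/roles are taken as given.
        assertion = {"Issuer": IDP_ENTITY_ID, "Audience": authn_request["Issuer"],
                     "Recipient": authn_request["AssertionConsumerServiceURL"],
                     "InResponseTo": authn_request["ID"], "NotOnOrAfter": time.time() + 300,
                     "subject": username, "roles": list(roles)}
        response = {"assertion": assertion, "signature": _sign(assertion)}
        return {"action": assertion["Recipient"], "RelayState": query["RelayState"][0],
                "SAMLResponse": base64.b64encode(json.dumps(response).encode()).decode()}

def browser_sso_flow(sp, idp, username="alice@example.com", roles=("kibana_user",)):
    """Plays the browser's part end to end; returns (subject, roles, relay_state)."""
    connections.clear()
    _connect("browser", SP_ACS_URL)      # user opens Dashboards and is redirected to the IdP
    redirect_url = sp.start_login()
    _connect("browser", redirect_url)    # browser follows the redirect to the public IdP
    form = idp.handle_sso(redirect_url, username, roles)
    _connect("browser", form["action"])  # browser auto-submits the form to the private ACS URL
    subject, granted = sp.consume_assertion(form["SAMLResponse"])
    return subject, granted, form["RelayState"]

def parties_that_connected():
    """Which parties opened connections during the last flow (expected: only the browser)."""
    return sorted({client for client, _ in connections})

def rejection_reason(sp, saml_response_b64):
    """The SP's rejection message for a SAMLResponse, or None if it was accepted."""
    try:
        sp.consume_assertion(saml_response_b64)
    except ValueError as err:
        return str(err)
    return None

def tamper_roles(saml_response_b64, new_roles):
    """Simulate the browser editing the roles claim in transit without re-signing."""
    resp = json.loads(base64.b64decode(saml_response_b64))
    resp["assertion"]["roles"] = list(new_roles)
    return base64.b64encode(json.dumps(resp).encode()).decode()
```

Running `browser_sso_flow(ServiceProvider(), IdentityProvider())` yields the user and roles from the assertion, and `parties_that_connected()` returns only `["browser"]`: the Reply URL registered at the IdP can be the private vpc- hostname, because the browser, not the IdP, is what connects to it. The `tamper_roles` and replay checks show why the SP must verify the signature and the `InResponseTo` ID before trusting the backend roles carried in the assertion.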