Configuring SAML authentication
Security Assertion Markup Language (SAML) is used for exchanging authentication and authorization data between two parties. With SAML, you can implement a single sign-on (SSO) system that lets users switch between applications without re-authenticating.
When SAML and SSO are used, a Managed Service for OpenSearch cluster gets information from an identity provider (IdP).
For more information about SAML and SSO, see the OASIS documentation.
Managed Service for OpenSearch works with any SAML 2.0 compatible identity provider.
To set up SAML authentication:
- Configure an identity provider.
- Set up a Managed Service for OpenSearch cluster to use this IdP for SSO.
- Configure cluster roles for SSO users on the IdP side.
Configure an identity provider
- Create an application on the IdP side.
- Specify the Assertion Consumer Service (ACS) URL. Use the URL with a special cluster FQDN:
  https://c-<OpenSearch cluster ID>.rw.mdb.nemax.nebius.cloud/api/security/saml/callback
  The cluster ID can be requested with a list of clusters in the folder.
  Example:
  https://c-e4ut2....rw.mdb.nemax.nebius.cloud/api/security/saml/callback
- Specify the SP Entity ID (Audience URI). Use the URL with a special cluster FQDN:
  https://c-<cluster ID>.rw.mdb.nemax.nebius.cloud
  Example:
  https://c-e4ut2....rw.mdb.nemax.nebius.cloud
- Specify the Name ID Format: Persistent.
- Using the data provided by the IdP:
  - Copy the information about the Identity Provider Issuer.
  - Save the provider's metadata file in XML format.
  You will need it to set up SSO for your cluster.
Set up SSO for the cluster
Warning
Incorrect settings may cause the cluster to fail.
- In the management console, go to the folder page and select Managed Service for OpenSearch.
- Click the name of the desired cluster and open the Authorization sources tab.
- Click Settings.
- Specify the parameters of the external authorization source:
  - idp_entity_id: Information about the Identity Provider Issuer obtained when configuring the IdP.
  - idp_metadata_file: The provider's metadata file in XML format obtained when configuring the IdP.
  - sp_entity_id: The application-defined SP Entity ID (Audience URI). Make sure it is the same as the ID specified when configuring the IdP.
  - kibana_url: The URL with a special cluster FQDN. Same as the sp_entity_id.
  - roles_key: The SAML response parameter that stores the roles. If omitted, no roles are used.
  - subject_key: The SAML response parameter that stores the subject. If omitted, the NameID parameter is used.
  - Enable: Shows whether to activate the authorization source after creating it.
- Click Save.
Note
For more information about SAML attributes, see the OpenSearch documentation.
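Because the page warns that incorrect settings may cause the cluster to fail, here is an added pre-flight check (example code, not part of this page or the Nebius service) that reads the IdP metadata file and the values you intend to enter, and reports mismatches before anything is saved. The sample metadata, the host `idp.example.test`, the cluster ID used in testing and the `acs_url` key (the value entered on the IdP side) are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Cluster FQDN shape from this page; the cluster ID part is a placeholder pattern.
SP_ENTITY_RE = re.compile(r"^https://c-[a-z0-9]+\.rw\.mdb\.nemax\.nebius\.cloud$")
ACS_SUFFIX = "/api/security/saml/callback"

# Constructed sample IdP metadata; idp.example.test is not a real provider.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_sso_settings(metadata_xml: str, settings: dict) -> list:
    """Compare the console settings (and the ACS URL entered on the IdP side)
    against the IdP metadata; returns a list of problems, empty when consistent."""
    problems = []
    root = ET.fromstring(metadata_xml)
    # The Identity Provider Issuer is the entityID attribute of the metadata root.
    issuer = root.get("entityID")
    if settings.get("idp_entity_id") != issuer:
        problems.append(f"idp_entity_id {settings.get('idp_entity_id')!r} != metadata entityID {issuer!r}")
    idp = root.find(f"{{{SAML_MD}}}IDPSSODescriptor")
    if idp is None:
        problems.append("metadata has no IDPSSODescriptor")
    else:
        # IdPs may omit NameIDFormat; only complain when formats are listed and Persistent is missing.
        formats = [e.text for e in idp.findall(f"{{{SAML_MD}}}NameIDFormat")]
        if formats and PERSISTENT not in formats:
            problems.append("IdP does not advertise the Persistent Name ID format")
    sp = settings.get("sp_entity_id", "")
    if not SP_ENTITY_RE.match(sp):
        problems.append(f"sp_entity_id {sp!r} is not of the form https://c-<cluster ID>.rw.mdb.nemax.nebius.cloud")
    if settings.get("kibana_url") != sp:
        problems.append("kibana_url must be the same as sp_entity_id")
    if settings.get("acs_url") != sp + ACS_SUFFIX:
        problems.append(f"ACS URL on the IdP should be {sp + ACS_SUFFIX!r}")
    return problems
```

Run it with the real metadata file contents and your planned values before clicking Save; a missing dot in the FQDN, for instance, is reported three times because kibana_url and the ACS URL are derived from sp_entity_id.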
Configure roles for SSO
To access the cluster via SSO, associate the cluster roles with the SSO users on the IdP side. To do this:
- Map the roles of the OpenSearch users on the IdP side to the roles in the cluster. Perform this operation as an admin user in one of the following ways:
  - Using OpenSearch Dashboards.
  - Using the OpenSearch API.
- On the IdP side, create a user that meets the role mappings defined in OpenSearch.
- Grant this user access to the previously created application.
To log in to OpenSearch using the new user's credentials, go to the OpenSearch Dashboards page.