Integrating Amazon OpenSearch with AWS SSO for Secure Authentication

Amazon OpenSearch is a powerful search and analytics engine used across organizations for log analytics, monitoring, and full text search use cases. While internal users and static credentials are sufficient for test environments, enterprise grade security requires centralized identity and access management.

Managing access securely is crucial for any enterprise grade search setup. With AWS SSO integration using SAML, teams can log in to OpenSearch Dashboards using their existing AWS credentials without managing extra passwords. Here’s a clean, step-by-step way to make that happen.

This guide explains, integrating AWS IAM Identity Center (formerly AWS SSO) with OpenSearch using SAML 2.0 authentication. This enables users to log in to OpenSearch Dashboards using corporate credentials managed through a centralized directory.

Prerequisites

• An active Amazon OpenSearch domain with Dashboards enabled
• A custom domain name (Ex: search.example.com) is configured for Dashboards access (recommended)
• Access to AWS IAM Identity Center (SSO) with permission to create and manage applications
• Admin level access to the OpenSearch domain and AWS SSO

Step 1: Enable Fine Grained Access Contro

1. Go to the Amazon OpenSearch Service console
2. Select your OpenSearch domain
3. In the Security configuration section, click Edit
4. Enable:
   • Fine grained access control
   • Set a master user (Ex: admin) for internal access
   • Or we can use the IAM user ARN to set the master user
5. Save changes and wait for the configuration to apply (this can take several minutes)

Step 2: Enable SAML Authentication in OpenSearch

Once the fine grained access control is enabled, we can follow the steps below to set up SAML authentication.

1. In the domain’s Security configuration section, scroll to SAML authentication
2. Enable the SAML authentication checkbox
3. Note the following:
   • SP initiated SSO URL
   • Service Provider Entity ID

These values will be used while configuring the IAM Identity Center application.

Step 3: Create a SAML Application in IAM Identity Center

1. Go to the IAM Identity Center console
2. Navigate to Applications and click Add application
3. Choose the option: I have an application, then select SAML 2.0
4. Fill in the following fields:
   • Display name: Ex: OpenSearch Dashboards
   • Provide description
   • Download the XML file from “IAM Identity Center SAML metadata file”
   • Set the session durations: Ex: 1 hour
   • Application start URL: your custom Dashboards URL (Ex: https://search.example.com/_dashboards)
     1. This provides the option to go to the dashboard directly from the AWS SSO access portal’s application tab.
   • ACS URL: Fill in the value “SP-initiated SSO URL” which is copied from Step 2
   • SAML Audience: Fill in the value “Service Provider Entity ID” which is copied from Step 2
5. Save the application

Step 4: Configure Attribute Mappings

1. Inside the created SAML application, click Actions → Edit attribute mappings
2. Add the following mappings:
   • Subject → ${user:email} → unspecified
   • groups → ${user:groups} → unspecified
3. Save the configuration

Step 5: Assign Users or Groups

1. In the SAML application, go to Assigned users and groups
2. Choose Assign users or groups
3. Search username or email or the group name
4. Select the identities you want to add to OpenSearch
5. Save

Step 6: Import SAML Metadata into OpenSearch

1. In IAM Identity Center, download the SAML metadata XML file for the application

2. Go to your OpenSearch domain’s Security configuration section

3. In the SAML authentication section, click Import from XML

4. Set the following fields:

   • Roles key: groups (second attribute name from sso app attribute mapping Step 4)
   • Subject key: Keep it blank
   • Session timeout: Ex: 60 minutes

5. Save changes and wait for the domain to update

   By default, Subject Key uses the NameId element from SAML assertion for username (email), If SAML assertion is passing email in the different name other than NameID then we have to set the Subject Key accordingly

   Roles Key will get mapped to backend roles in opensearch roles and permissions, which is typically a groupID or a group name from AWS IAM users

Step 7: Test Login via SSO

1. Navigate to your OpenSearch Dashboards using the custom domain
   Example: https://search.example.com/_dashboards
2. You should be redirected to the AWS SSO login page
3. After authenticating, you’ll be redirected back to Dashboards
4. You should see OpenSearch Dashboards with the assigned permissions

Alternatively, users can also log in through the AWS SSO portal and launch OpenSearch from the Applications tab.

Common Troubleshooting Tip

Issue: You are redirected to a blank screen or login fails.
Possible Cause: You used the OpenSearch VPC endpoint URL instead of a custom domain when using the browser based access.

Resolution: Always use the custom domain URL when using SAML, as VPC endpoints do not support browser based SAML authentication redirects.

If we are accessing programmatically from the lambda or any other compute service both VPC and custom domain will work.

Conclusion

By integrating Amazon OpenSearch with AWS SSO using SAML, organizations can have centralized identity management and fine grained access control without managing internal users and passwords. This setup is essential for production environments that require compliance, auditability, and ease of user access across teams.