The recently added SAML support for AWS Elastic Search solution:
https://aws.amazon.com/about-aws/whats-new/2020/10/amazon-elasticsearch-service-adds-native-saml-authentication-kibana/
Lists in its documentation that backend roles are supported:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html
In Okta, for example, you might have a user, jdoe, who belongs to the group admins. If you add jdoe to the SAML master username field, only that user receives full permissions. If you add admins to the SAML master backend role field, any user who belongs to the admins group receives full permissions.
If you want to use backend roles (recommended), specify an attribute from the assertion in the Role key field, such as role or group. This is another situation in which tools like SAML-tracer can help.
But some users have problems finalizing the configuration once they are done with the AWS Console.
The answer lies beyond the AWS Console and must be completed within the Elastic Search cluster with the Master User that you created either within the cluster as an Internal User, via an IAM role or by using the Master User field in the SAML configuration section of the Modify Authentication Wizard in the AWS console for Elastic Search.
You must:
Create a Backend role that matches your SAML attribute value
Create a Mapping between the new backend role and an actual Elastic Search Role
After you're done configuring your IdP by creating a custom Attribute/Claim like roles or groups and after you've configure SAML authentication integration in the Elastic search cluster.
1.-Log into Kibana using your master user
2.-Go to OpenDistro -> Security -> Roles -> The Role you want to grant access to, i.e. readall
3.-Go to the Mapped Users tab under the role screen
4.-On the Backend Roles field type the VALUE of the Azure Claim you created by following these steps: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management
For reference the claim value is: user.assignedroles.
The claim key is whatever you configure your Azure Enterprise application as.
You'll have a key value pair of "Your chosen Claim Name": user.assignedroles
5.-Save the Mapping in Kibana
Using the Azure IdP log into Kibana using users with different Azure Claim assigned to them. The Open Distro Security plugin will parse the SAML token attribute find the field for user.assignedroles and map that as a Kibana Backend Role to the actual Elastic Search roles.
Related
Requirement
I am working on a client project where we need to setup our AWS managed OpenSearch dashboard (Kibana). As per the requirement, we should use keycloak for SAML configurations. Also need to use LDAP as user federation.
Current Setup
AWS OpenSearch setup is completed and able to login with the master user credentials.
Integration of Keycloak with OpenSearch dashboard is done. I am able to login to the OpenSearch dashboard using keycloak local user by adding it in the all_access group in Dashboard (kibana).
LDAP integration with Keycloak is also completed. I can sync all LDAP users within Keycloak and able to login with individual LDAP users when adding them in the all_access group in Dashboard (Kibana).
Issue/Open tasks
How can I add the entire keycloak group to the OpenSearch Dashboard so I do not have to add individual users. I tried adding the group name in the dashboard under backend role section but it does not work. Also tried a few mappings (not sure if they were correct) but got no luck. Every time it gives "missing role-contact your administrator"
Same issue with LDAP groups as well, I can sync all LDAP groups within my Keycloak but not sure how to map them with OpenSearch Dashboard to login.
Ultimate Goal
Create two groups, one as admin and other as limitedaccess so that users who are part of admin group can login with the assigned permissions and users in limitedaccess group can login with their permissions.
I do not want to add individual users in the Dashboard rather they should be able to login directly based on role/group mapping.
The issue is resolved.
Following are the things I did, which may be useful for others looking for similar setup.
Created two groups in my Keycloak. "admin" and "limited".
Created two roles "admin_role" and "limited_role".
Made the limited group as default group and the limited_role as default role so the new users will directly get the limited permissions.
Next, which i was missing all the time (and thanks to other stack overflow answers) was to enable the Single Role mapping. For this, Go to Client scope role_list --> mappers --> role list --> enable "Single Role attribute"
Added the "Role" keyword in OpenSearch in the role key section (under additional settings in AWS OpenSearch SAML configs.). Also mentioned a generic user in the SAML master user section (generic user which I created in Keycloak) so that I can gain admin privileges to add backend roles in OpenSearch Dashboard.
Finally, logged in to my OpenSearch with this generic user. Go to the security --> Roles --> Manage mapping --> backend roles --> added my admin_role to the all_access and limited_role to the read roles.
Now I am able to login with all the users who are part of the respective groups in Keycloak.
I've encountered following error message when I'm trying to integrate AWS Cognito and AWS ElasticSearch with AD. I've setup AD and cognito integration but after login with AD-User in AD Console, I've encountered following message. But when I've created user in AWS Cognito and login with its authentication, it was working. Please let me what I've missed to configure it. Thanks.
• Check whether the user pool id and app client id from user pool configurations are correctly configured in federated identities page. Also, check whether correct template is selected for authentication to Active Directory purposes, i.e., ‘Allow access for one or more AWS accounts or IAM users’ is selected.
• Please ensure that the Amazon Elasticsearch domain has sufficient access to the authorized AD users and groups through the access control policy. Also, check the IAM roles with the exact same name as AD groups are authorized or permitted for authentication with Active Directory or not.
• If using ADFS for federated identities with Microsoft Active Directory, check the replying party SAML 2.0 SSO service URL in ADFS configuration. Also, check the claim rules in ADFS and the issuance policy in ADFS. On the AWS side in elastic search console, check the roles key configuration under optional SAML settings.
Please find the below links for more information: -
https://aws.amazon.com/blogs/security/configure-saml-single-sign-on-for-kibana-with-ad-fs-on-amazon-elasticsearch-service/
Sorry! Something went wrong during authentication between Kibana and Amazon Cognito
I created an Elastic Search cluster on AWS and I need to configure access control. I have an Amplify app that has a custom Lambda which will verify the incoming request based on user and cross check in Cognito if that user exists. Then only fetch documents from ES cluster that match a specific field name for this specific user. I saw there is configuration available when launching ES cluster in management console like Amazon Cognito authentication. Is that what I need, or do I need Custom access policy or JSON defined access policy? I dont want public access to ES.
I am setting up our telephony system in AWS and we're utilizing AWS Single Sign On for our primary SAML authentication. This has worked fine for normal cli and console access but has kind of been a struggle for implementing Amazon Connect through the SSO Cloud Applications configuration.
Background
I have done a proof of concept with a single Amazon Connect instance and was able to federate login with a number of different permissions sets to simulate admin, developer, and user access for the single instance. This worked fine until I started adding additional instances and each time any user permission set tries to login to Amazon Connect they get Session Expired on the Connect screen.
Our setup is as follows:
Root account contains AWS SSO Directory
Dev Account has 1 Connect instance in the east
QA Account has 2 Connect instances total in east and west
Prod account has 2 Connect instances total in east and west
A lot of the documentation I've been reading seems it assumes the Amazon Connect instances are in the same account as the Amazon SSO service. Additionally the documentation mentions creating additional IAM Identity Providers for each Amazon Connect instance's SAML Metadata file, and a role associated that allows the SSO user to access that instance. I see where this would work in a single account, but I don't understand how to adopt the access role and implement it as a permissions policy in AWS SSO for the user group thats logging into the instance.
I've configured everything as close as possible to the Amazon Connect SAML Setup Guide, and I'm working on troubleshooting the permissions policy stuff to configure access, I'm just at a loss.
If anyone has previous Amazon SSO experience, or has done something similar with Amazon Connect that would be greatly appreciated. I just want to be able to validate whether this is feasible in the current iteration of Amazon SSO (granted its a newer service), or we need to architect and integrate a 3rd party SSO for Amazon Connect.
Thanks!
We recently have this kind of setup and requirements and still in the testing phase but so far, it is working as expected.
In the Amazon Connect SAML Guide that you linked, there's a lacking piece of information in there with regards to the Attributes Mapping (Step 10)
Change From:
Field: https://aws.amazon.com/SAML/Attributes/Role
Value:
arn:aws:iam::<12-digit-account_id>:saml-provider/,arn:aws:iam::<12-digit-account_id>:role/
To This:
Field: https://aws.amazon.com/SAML/Attributes/Role
Value:
arn:aws:iam::ACCOUNT-ID:saml-provider/IDP_PROVIDER_NAME,arn:aws:iam::ACCOUNT-ID:role/ROLE_NAME
Sample Value:
arn:aws:iam::123456301789:saml-provider/AWSSSO_DevelopmentConnect,arn:aws:iam::123456301789:role/AmazonConnect_Development_Role
The Setup:
Root AWS
Configured with AWS SSO
In AWS SSO page, you can have 1 or more Amazon Connect Applications here
AmazonConnect-Development
AmazonConnect-QAEast
AmazonConnect-QAWest
Dev AWS:
You have setup Amazon Connect
AmazonConnect-Development as the Instance Name (Record the ARN)
Create a new Identity Provider (for ex: AWSSSO_DevelopmentConnect)
Create a Policy (to be attached in the Role)
Create a Role (for ex: AmazonConnect_Development_Role)
See more here for the content of Policy
In Root AWS, configure your AmazonConnect-Development application to have the Attribute Mapping pattern same with my above example value.
You also specify the Relay State URL for you want the users to be redirected to a specific Amazon Connecct application.
xxx AWS:
Same steps will be applied as the above
Key Points:
For each AWS Account:
You will need to Create Identity Provider, name it with a pattern
Create a Policy to be attached in the Role
Create a Role and Choose SAML 2.0 Federation
Checked: Allow programmatic and AWS Management Console access
Link the Identity Provider with the Role
For the Applications that you configure in the AWS SSO page, make sure the additional Attribute Mappings have the correct value
I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using with Microsoft Exchange hosted email.
If your existing identity provider supports SAML2 Federation, you can set it up to login to the AWS Management Console.
For more details refer Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Else you can implement a custom Federation Broker to return an URL to the user, after they authenticate with their corporate credentials.
For more details refer Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).