Tags: amazon-web-services, saml, amazon-elasticsearch, opensearch-dashboards

Enable SAML authentication for Dashboards of private AWS OpenSearch cluster running in VPC


I would like to configure single sign-on for Kibana with Azure Active Directory as the identity provider and the embedded SAML authentication method that OpenSearch provides.

However, the OpenSearch cluster is running in private subnets and is not publicly available. It seems not to be possible, because the cluster's endpoint resolves to private IPs:

$ dig +short vpc-<cluster-id>.<region>.es.amazonaws.com
10.0.52.81
10.0.52.13
10.0.52.41

While experimenting, I noticed that a private cluster in a VPC also has a DNS name with the "search-" prefix that resolves to public IPs:

$ dig +short search-<cluster-id>.<region>.es.amazonaws.com
54.a.b.227
13.c.d.158
13.e.f.17

The documentation does not say explicitly that the SAML authentication method is not available when a cluster resides in a private subnet.

Has anyone faced such a challenge?


Solution

  • SAML doesn't require direct communication between the identity provider and the service provider, which is an excellent benefit of using it for SSO. That means that even with your Elasticsearch/OpenSearch application hosted within a private VPC you can still use SAML as long as your browser can communicate with both your Elasticsearch cluster and your identity provider. Essentially, your browser acts as the go-between between your identity provider and your service provider.

    Okta has a nice description of how this works here: https://developer.okta.com/docs/concepts/saml/#planning-for-saml

    The upshot of this is that, again, your identity provider and service provider require no connectivity between each other, so there are no special considerations for using SAML within a private subnet as opposed to a public one.
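    The browser-relayed exchange the answer describes, as an added example that is not part of the original post or of OpenSearch: a minimal Python model of the SP-initiated SAML flow in which the browser is the only party that contacts both the IdP and the private Dashboards endpoint. Host names, the ACS path and the user are constructed placeholders, and the messages are unsigned stand-ins for real SAML XML.

```python
import base64, re, uuid, zlib
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder endpoints, not real hosts; the ACS path only stands in
# for wherever the service provider (Dashboards) receives the SAML response.
SP_ACS = "https://vpc-EXAMPLE.eu-west-1.es.amazonaws.com/_dashboards/saml/acs"
IDP_SSO = "https://login.microsoftonline.com/EXAMPLE-TENANT/saml2"

def attr(xml, name):
    """Pull one attribute out of these deliberately minimal SAML messages."""
    return re.search(rf'{name}="([^"]+)"', xml).group(1)

def sp_build_redirect(pending):
    """SP: issue an AuthnRequest encoded for the HTTP-Redirect binding."""
    req_id = "_" + uuid.uuid4().hex
    pending.add(req_id)
    xml = f'<AuthnRequest ID="{req_id}" AssertionConsumerServiceURL="{SP_ACS}"/>'
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return f"{IDP_SSO}?SAMLRequest={quote(base64.b64encode(deflated).decode())}"

def idp_handle_redirect(url, user="alice@example.com"):
    """IdP: decode the request and return (ACS URL, form) for the browser to POST.
    The IdP only reads the ACS URL out of the message; it never connects to it."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    request = zlib.decompress(base64.b64decode(b64), -15).decode()
    response = (f'<Response InResponseTo="{attr(request, "ID")}">'
                f'<NameID Value="{user}"/></Response>')
    form = {"SAMLResponse": base64.b64encode(response.encode()).decode()}
    return attr(request, "AssertionConsumerServiceURL"), form

def sp_handle_acs(form, pending):
    """SP: accept a POSTed response only if it answers a request this SP issued."""
    response = base64.b64decode(form["SAMLResponse"]).decode()
    req_id = attr(response, "InResponseTo")
    if req_id not in pending:
        raise ValueError("unsolicited or replayed SAML response")
    pending.discard(req_id)
    return attr(response, "Value")

def run_login():
    """Drive the flow as the browser would; hops = hosts the browser contacts."""
    pending, hops = set(), []
    redirect_url = sp_build_redirect(pending)  # SP answers the browser with a 302
    hops.append(urlparse(redirect_url).netloc)  # browser follows it to the IdP
    acs_url, form = idp_handle_redirect(redirect_url)
    hops.append(urlparse(acs_url).netloc)  # browser POSTs the form to the SP in the VPC
    return {"user": sp_handle_acs(form, pending), "browser_hosts": hops}
```

    Neither `sp_build_redirect`, `idp_handle_redirect` nor `sp_handle_acs` opens a connection of its own; only the browser's two hops touch the network, which is why the private endpoint needs to be reachable from the user's browser but not from the IdP.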