AWS SSO/AWS Opensearch SAML integration
I have an implementation of AWS OpenSearch that I can access using a master password/user combination.
Our AWS implementation uses AWS SSO to access accounts via the console. I have configured a custom SAML 2.0 application in AWS SSO and enabled SAML in OpenSearch.
- Service provider entity ID (OS) copied and mapped to Application ACS URL (AWS SSO)
- IdP-initiated SSO URL (OS) copied and mapped to Application SAML audience (SSO)
- AWS SSO SAML metadata file downloaded (SSO) and imported as IdP metadata (OS).
Attribute mapping is as below
I have assigned myself as a user (SSO) and used the same email as SAML master username (OS).
I am getting the following error when I click on the custom web application icon in AWS
{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}
What is incorrectly configured in this set up?
The correct configuration would be:
Application ACS URL: either the IdP-initiated SSO URL[1] or SP-initiated SSO URL[2]
Application SAML audience: the Service provider entity ID
Using [1] you would need to access the user portal of the SSO and the OpenSearch application will be there. Using [2] you can access the dashboard URL directly.
Also, you might find useful to map an SSO Group to an OpenSearch role (as opposed to a single user). To do that, add a new attribute mapping on the SSO Application.
"User attribute in the application" -> Groups
"Maps to this string value or user attribute in AWS SSO" -> "${user:groups}"
Then you will need to edit your OpenSearch SAML configuration and add: In "Roles key - optional" Specify the attribute of SAML to "Groups"
After that, copy the ID of the Group, log in to your opensearch dashboard (with a master user) and map this ID to a Role as a "backend role".
- How to pass multi value query string parameter to lambda on api gateway?
- AWS Cognito - User pool xxxx does not exist
- AWS: Problem accessing metadata tags from within EC2
- How to restrict AWS Cognito users from taking certain actions?
- Is the object URL in s3 only for public access?
- Allocate configuration for the cluster in ECS, where each instance receives a unique value
- Lambda authorizer response using async/await in Node.js
- What is the difference between using a load balancer and a NAT Gateway on AWS?
- How to properly replace resource in Terraform
- AWS InvalidSignatureException, Signature expired when running from docker container
- Signature expired: is now earlier than error : InvalidSignatureException
- SQL Error [1114] [HY000]: The table '/rdsdbdata/tmp/#sql161_17a011_a' is full
- How to Automate Redshift Cluster Start/Stop for night time?
- ActiveRecord::StatementInvalid: PG::InsufficientPrivilege: ERROR: permission denied for relation schema_migrations
- Moving RedShift Query to Sub Query Causes Problem
- AWS S3 filter by tags. search by tags
- How do I set the name of the default profile in AWS CLI?
- AWS CodeCommit with git-remote-codecommit
- What languages are Amazon's AWS Management Console written?
- How can I use multible terraform tf files in one jenkins script?
- I can't delete my VPC
- 1 subdomain doesn't support HSTS
- Missing NVMe SSD in AWS Kubernetes
- How to resolve the 'Application Error: A Server-Side Exception Has Occurred' while deploying a Next.js website on Amplify?
- How do I run the config command on aws elasticache (redis)
- AWS Elastic Beanstalk + Laravel, Nginx Configuration
- rsyslogd using 100% CPU Utilization on all RHEL EC2 Instances
- How to upload local files to S3 quickly?
- How to update lambda@edge ARN in cloudfront distribution using CLI
- How to pass API Gateway authorizer context to a HTTP integration