Izek Chen
2 min readOct 22, 2021

OKTA integration with VPC-based Amazon Opensearch through Nginx

Amazon Opensearch setup

Enable SAML authentication

  • fill in IdP metadata
  • fill in IdP entity ID : you can find it from the okta metadata
  • SAML master username: izekchen@gmail.com < ensure the username also exist in the okta application user assignment
  • SAML master backend role: create a policy with ES permission and attach to a role, policy example as below
"Version": "2012-10-17",
"Statement": [
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "es:*",
"Resource": "*"

Nginx Setup

You can choose any distribution of linux and have nginx installed
And the nginx need to be able to access your opensearch or within the same VPC. You will need the nginx in between to communicate and get the auth done

Generate self-signed certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt


server {
listen 443 ssl;
server_name $HOST;
rewrite ^/$ https://$HOST/_plugin/kibana redirect;

ssl_certificate /etc/nginx/cert.crt;
ssl_certificate_key /etc/nginx/cert.key;

ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

location ^~ /_plugin/kibana {
# Forward requests to Kibana
proxy_pass https://vpc-test-domain-xxxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana;

# Handle redirects to Amazon ES
proxy_redirect https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$HOST;

# Update cookie domain and path
proxy_cookie_domain https://vpc-test-domain-xxxxxxxx.us-east-1.es.amazonaws.com $HOST;
proxy_cookie_path / /_plugin/kibana/;

proxy_set_header Accept-Encoding "";
sub_filter_types *;
sub_filter https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com $HOST;
sub_filter_once off;

proxy_buffering off;
# Response buffer settings
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

location ~ \/(log|sign|error|fav|forgot|change|confirm) {

# Forward requests to ES
proxy_pass https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com;

# Handle redirects to Kibana
proxy_redirect https://vpc-test-domain-xxxxxxxxx.us-east-1.es.amazonaws.com https://$HOST;

# Handle redirects to Amazon ES
proxy_redirect https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$HOST;

# Update cookie domain
proxy_cookie_domain vpc-test-domain-xxxxxxxxx.us-east-1.es.amazonaws.com $HOST;

After the steps above, you can start the nginx service

systemctl start nginx

Setup Route53 Record

Create a DNS record and point to the EC2

Setup OKTA IDP configuration

Single Sign On URL: using the URL that point to your EC2
Recipient and Destination URL: using the Kibana URL that start with vpc
Audience Restriction: using the ES url with be careful that you cannot have a slash(“/”) at the end

  • Single Sign On URL - https://<PROXY_HOST>/_plugin/kibana/_opendistro/_security/saml/acs
  • Recipient URL - https://<ES_ENDPOINT>/_plugin/kibana/_opendistro/_security/saml/acs
  • Destination URL - https://<ES_ENDPOINT>/_plugin/kibana/_opendistro/_security/saml/acs
  • Audience Restriction - https://<ES_ENDPOINT>
Single Sign On URL
Recipient URL
Destination URL
Audience Restriction
https://vpc-test-domain-xxxxxxxxxxx.us-east-1.es.amazonaws.com <-----------注意最後不能有slash("/")