Okta integration with VPC-based Amazon OpenSearch through Nginx
Amazon OpenSearch setup
Enable SAML authentication
- Fill in the IdP metadata (the metadata XML you download from the Okta application).
- Fill in the IdP entity ID: you can find it in the Okta metadata (the entityID attribute of the EntityDescriptor).
- SAML master username: izekchen@gmail.com. Make sure the same user is also assigned to the Okta application, otherwise the login succeeds at Okta but the user has no permissions in OpenSearch.
- SAML master backend role: create an IAM policy with the OpenSearch (es:) permissions and attach it to a role. The example policy below grants es:* on every resource, which is convenient for a first test but should be scoped down to the specific domain for anything beyond that.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "*"
        }
    ]
}
Nginx Setup
You can use any Linux distribution with nginx installed.
The nginx host must be able to reach your OpenSearch domain, which for a VPC domain means it sits in the same VPC (or has a route to it). Because the domain endpoint is not reachable from the Internet, nginx sits in between as a reverse proxy so that the browser can complete the SAML login flow against the domain.
Generate a self-signed certificate (a certificate issued by a CA your users trust is preferable; the self-signed one will produce browser warnings)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
nginx.conf
Replace vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com with your own VPC domain endpoint; every occurrence must be the identical string, otherwise the redirect, cookie and sub_filter rewrites silently stop matching. Note that the nginx variable is the lowercase $host (an uppercase $HOST is not defined and makes nginx refuse the configuration).
server {
    listen 443 ssl;
    server_name $host;
    rewrite ^/$ https://$host/_plugin/kibana redirect;

    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are kept here as in the original; restrict to TLSv1.2 TLSv1.3 where your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location ^~ /_plugin/kibana {
        # Forward requests to Kibana
        proxy_pass https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana;
        # Handle redirects to Amazon ES
        proxy_redirect https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$host;
        # Update cookie domain and path (cookie domains carry no scheme, so no https:// here)
        proxy_cookie_domain vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com $host;
        proxy_cookie_path / /_plugin/kibana/;
        # Disable compression so sub_filter can rewrite the response body
        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        sub_filter https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com $host;
        sub_filter_once off;
        proxy_buffering off;
        # Response buffer settings
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    location ~ \/(log|sign|error|fav|forgot|change|confirm) {
        # Forward requests to ES
        proxy_pass https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com;
        # Handle redirects to Kibana / Amazon ES
        proxy_redirect https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com https://$host;
        # Update cookie domain
        proxy_cookie_domain vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com $host;
    }
}
After the steps above, start the nginx service (check the configuration first so a typo in nginx.conf does not leave the proxy down):
systemctl start nginx
Setup Route53 Record
Create a DNS record that points to the EC2 instance running nginx. This hostname is the <PROXY_HOST> used in the Okta configuration below and must match the certificate nginx serves.
Setup Okta IdP configuration
Single Sign On URL: the URL that points to your EC2 proxy host (the only one of the four that uses the proxy hostname, because it is what the browser is redirected to).
Recipient and Destination URL: the Kibana ACS URL on the domain endpoint that starts with vpc (OpenSearch validates these against its own endpoint, not the proxy).
Audience Restriction: the domain endpoint URL; be careful that it must not end with a slash ("/"), otherwise the audience check on the assertion fails.
Single Sign On URL
- https://<PROXY_HOST>/_plugin/kibana/_opendistro/_security/saml/acs
Recipient URL
- https://<ES_ENDPOINT>/_plugin/kibana/_opendistro/_security/saml/acs
Destination URL
- https://<ES_ENDPOINT>/_plugin/kibana/_opendistro/_security/saml/acs
Audience Restriction
- https://<ES_ENDPOINT>
Filled-in example:
Single Sign On URL
https://kibana.mydomain.com/_plugin/kibana/_opendistro/_security/saml/acs
Recipient URL
https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Destination URL
https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Audience Restriction
https://vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com <----------- note: there must not be a trailing slash ("/")
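The two places where this setup most often goes wrong are the OpenSearch side (copying the wrong entity ID out of the Okta metadata) and the Okta side (mixing up which of the four URLs uses the proxy host versus the domain endpoint, or leaving a trailing slash on the audience). The script below is an added example, not code from the original post or from AWS/Okta. It parses a constructed, Okta-shaped IdP metadata document to pull out the entityID and SSO URL that the OpenSearch SAML settings ask for, then derives the four Okta application URLs from a proxy host and a domain endpoint and checks them for exactly the mistakes called out above. The metadata values, hostnames and the function names are all assumptions made for the example.

```python
"""Helpers for checking the Okta <-> OpenSearch SAML configuration.

Added example; not part of the original post. Uses only the standard library.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Assertion Consumer Service path of the OpenSearch Dashboards / Kibana security plugin
ACS_PATH = "/_plugin/kibana/_opendistro/_security/saml/acs"

# Constructed sample IdP metadata in the shape Okta publishes (all values are fake).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk0000000000example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exk0000000000example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entity ID and the SSO URLs (keyed by binding) from SAML metadata.

    The entity ID is the value to paste into the OpenSearch 'IdP entity ID' field.
    """
    root = ET.fromstring(xml_text)
    entity_id = root.attrib.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID attribute")
    sso = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        sso[svc.attrib["Binding"]] = svc.attrib["Location"]
    if not sso:
        raise ValueError("metadata has no SingleSignOnService element")
    return {"entity_id": entity_id, "sso": sso}


def build_sp_urls(proxy_host: str, es_endpoint: str) -> dict:
    """Derive the four Okta application URLs from the proxy host and the VPC domain endpoint.

    Only the Single Sign On URL uses the proxy; the rest use the domain endpoint,
    and the audience is the bare endpoint without a trailing slash.
    """
    es_endpoint = es_endpoint.strip("/")  # a trailing slash would break the audience check
    return {
        "single_sign_on_url": f"https://{proxy_host}{ACS_PATH}",
        "recipient_url": f"https://{es_endpoint}{ACS_PATH}",
        "destination_url": f"https://{es_endpoint}{ACS_PATH}",
        "audience": f"https://{es_endpoint}",
    }


def check_sp_urls(urls: dict, proxy_host: str, es_endpoint: str) -> list:
    """Return a list of problems found in an Okta application URL set (empty when correct)."""
    expected_host = {
        "single_sign_on_url": proxy_host,
        "recipient_url": es_endpoint,
        "destination_url": es_endpoint,
        "audience": es_endpoint,
    }
    problems = []
    for name, url in urls.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{name}: scheme must be https")
        if parsed.hostname != expected_host[name]:
            problems.append(f"{name}: host {parsed.hostname!r} should be {expected_host[name]!r}")
        if name == "audience":
            if url.endswith("/"):
                problems.append("audience: must not end with a slash")
        elif parsed.path != ACS_PATH:
            problems.append(f"{name}: path must be {ACS_PATH}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entity ID:", meta["entity_id"])
    print("IdP SSO URL:  ", meta["sso"][REDIRECT_BINDING])
    urls = build_sp_urls("kibana.mydomain.com",
                         "vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com")
    for k, v in urls.items():
        print(f"{k:20s} {v}")
    print("problems:", check_sp_urls(urls, "kibana.mydomain.com",
                                     "vpc-test-domain-xxxxxxxxxx.us-east-1.es.amazonaws.com"))
```

Run it against the metadata XML downloaded from the Okta application instead of the constructed sample to get the entity ID for the OpenSearch side; feed the proxy hostname and domain endpoint to build_sp_urls to get the values for the Okta side, and run check_sp_urls over what is actually configured in Okta to catch a trailing slash or a Recipient/Destination that was accidentally set to the proxy host.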