vivek

Reputation: 307

Authenticate AWS Opensearch dashboard using LDAP via keycloak

Requirement

I am working on a client project where we need to set up our AWS managed OpenSearch dashboard (Kibana). As per the requirement, we should use Keycloak for the SAML configuration. We also need to use LDAP as user federation.

Current Setup

  1. AWS OpenSearch setup is completed and I am able to log in with the master user credentials.
  2. Integration of Keycloak with the OpenSearch dashboard is done. I am able to log in to the OpenSearch dashboard using a Keycloak local user by adding it to the all_access group in the Dashboard (Kibana).
  3. LDAP integration with Keycloak is also completed. I can sync all LDAP users within Keycloak and am able to log in with individual LDAP users when adding them to the all_access group in the Dashboard (Kibana).

Issue/Open tasks

  1. How can I add the entire Keycloak group to the OpenSearch Dashboard so I do not have to add individual users? I tried adding the group name in the dashboard under the backend role section but it does not work. I also tried a few mappings (not sure if they were correct) but had no luck. Every time it gives "missing role - contact your administrator".

  2. Same issue with LDAP groups as well: I can sync all LDAP groups within my Keycloak but am not sure how to map them to the OpenSearch Dashboard for login.

Ultimate Goal

  1. Create two groups, one as admin and the other as limitedaccess, so that users who are part of the admin group can log in with the assigned permissions and users in the limitedaccess group can log in with their permissions.
  2. I do not want to add individual users in the Dashboard; rather, they should be able to log in directly based on role/group mapping.

Upvotes: 1

Views: 2623

Answers (1)

vivek

Reputation: 307

The issue is resolved.

Following are the things I did, which may be useful for others looking for a similar setup.

  • Created two groups in my Keycloak: "admin" and "limited".
  • Created two roles: "admin_role" and "limited_role".
  • Made the limited group the default group and limited_role the default role so that new users directly get the limited permissions.
  • Next, which I was missing all the time (and thanks to other Stack Overflow answers), was to enable the Single Role mapping. For this, go to Client scope role_list --> mappers --> role list --> enable "Single Role attribute".
  • Added the "Role" keyword in OpenSearch in the role key section (under additional settings in the AWS OpenSearch SAML configs). Also mentioned a generic user in the SAML master user section (a generic user which I created in Keycloak) so that I can gain admin privileges to add backend roles in the OpenSearch Dashboard.
  • Finally, logged in to my OpenSearch with this generic user, went to Security --> Roles --> Manage mapping --> backend roles, and added my admin_role to all_access and limited_role to the read roles.

Now I am able to log in with all the users who are part of the respective groups in Keycloak.

Upvotes: 1
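As an added illustration (not part of the answer above), the following Python script shows what the answer's mapping chain does with an incoming assertion: it reads the attribute named by the OpenSearch role key ("Role") from a constructed, unsigned SAML assertion shaped like Keycloak's output, and resolves each value through the backend-role mapping from the answer. The `read` role name standing in for the answer's "read roles", the `build_assertion` helper and the sample roles are assumptions; signature validation is out of scope, so treat this as inspection of an already verified assertion.

```python
"""Resolve which OpenSearch roles a Keycloak SAML assertion would grant."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES_KEY = "Role"  # the "role key" set in the AWS OpenSearch SAML additional settings

# Backend role -> OpenSearch role, as mapped in Security > Roles > Manage mapping.
# "read" is used here as the name of the answer's "read roles" (assumption).
BACKEND_ROLE_MAPPING = {"admin_role": {"all_access"}, "limited_role": {"read"}}


def build_assertion(subject, roles, single_attribute=True):
    """Constructed test assertion (no signature). single_attribute=True mirrors the
    Keycloak "Single Role attribute" mapper: one Attribute carrying one value per role.
    False mirrors the default layout: one Attribute element per role."""
    vals = [f"<saml2:AttributeValue>{escape(r)}</saml2:AttributeValue>" for r in roles]
    if single_attribute:
        attrs = f'<saml2:Attribute Name="{ROLES_KEY}">{"".join(vals)}</saml2:Attribute>'
    else:
        attrs = "".join(f'<saml2:Attribute Name="{ROLES_KEY}">{v}</saml2:Attribute>' for v in vals)
    return (f'<saml2:Assertion xmlns:saml2="{SAML_NS["saml2"]}">'
            f"<saml2:Subject><saml2:NameID>{escape(subject)}</saml2:NameID></saml2:Subject>"
            f"<saml2:AttributeStatement>{attrs}</saml2:AttributeStatement></saml2:Assertion>")


def extract_backend_roles(assertion_xml, roles_key=ROLES_KEY):
    """Collect every value of the roles_key attribute, whichever layout the IdP used.
    A role key that does not match the attribute name yields no roles at all."""
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        if attr.get("Name") == roles_key:
            roles += [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", SAML_NS) if v.text]
    return roles


def resolve_opensearch_roles(backend_roles):
    """Return (granted OpenSearch roles, backend roles with no mapping). An empty
    granted list is the state behind the dashboard's "missing role" error."""
    granted, unmapped = set(), []
    for r in backend_roles:
        granted.update(BACKEND_ROLE_MAPPING.get(r, ()))
        if r not in BACKEND_ROLE_MAPPING:
            unmapped.append(r)
    return sorted(granted), unmapped


if __name__ == "__main__":
    # Keycloak typically emits its default realm roles (e.g. offline_access) in the same attribute.
    xml = build_assertion("alice", ["limited_role", "offline_access"])
    print(resolve_opensearch_roles(extract_backend_roles(xml)))  # (['read'], ['offline_access'])
```

A user whose assertion carries only unmapped Keycloak roles resolves to an empty list, which is the "missing role" case; a wrong role key resolves to nothing even when the mapping is correct.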
