AWS SSO/AWS OpenSearch SAML integration

I have an implementation of AWS OpenSearch that I can access using a master password/user combination.

Our AWS implementation uses AWS SSO to access accounts via the console. I have configured a custom SAML 2.0 application in AWS SSO and enabled SAML in OpenSearch.

  • Service provider entity ID (OS) copied and mapped to Application ACS URL (AWS SSO)
  • IdP-initiated SSO URL (OS) copied and mapped to Application SAML audience (SSO)
  • AWS SSO SAML metadata file downloaded (SSO) and imported as IdP metadata (OS).

Attribute mapping is as below:

[Screenshot: Attribute Mapping]

I have assigned myself as a user (SSO) and used the same email as SAML master username (OS).

I am getting the following error when I click on the custom web application icon in AWS:

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

What is incorrectly configured in this set up?



Solution 1:[1]

The correct configuration would be:

Application ACS URL: either the IdP-initiated SSO URL[1] or SP-initiated SSO URL[2]

Application SAML audience: the Service provider entity ID

Using [1] you would need to access the user portal of the SSO and the OpenSearch application will be there. Using [2] you can access the dashboard URL directly.

Also, you might find it useful to map an SSO Group to an OpenSearch role (as opposed to a single user). To do that, add a new attribute mapping on the SSO Application.

"User attribute in the application" -> Groups
"Maps to this string value or user attribute in AWS SSO" -> "${user:groups}"

Then you will need to edit your OpenSearch SAML configuration and add, in "Roles key - optional", the SAML attribute "Groups".

After that, copy the ID of the Group, log in to your OpenSearch dashboard (with a master user) and map this ID to a Role as a "backend role".

Solution 2:[2]

I had the same problem; I figured out that my AD metadata was wrong. Verify that you used the correct metadata XML file.
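To check both points raised in the answers before touching the consoles (Solution 1's ACS URL/audience mapping, Solution 2's wrong metadata file), here is an added example that is not part of either answer. It parses an IdP metadata XML to confirm it really is IdP metadata with a signing certificate, and compares the AWS SSO application fields against the OpenSearch SAML settings; all hostnames, the metadata document and the certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the downloaded AWS SSO metadata; hosts and cert are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.test/saml/assertion/EXAMPLE">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://sso.example.test/saml/assertion/EXAMPLE"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract what OpenSearch needs; raise if the file is not IdP metadata (Solution 2's case)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata: no IDPSSODescriptor (SP metadata by mistake?)")
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_urls": [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)],
            "has_signing_cert": any((c.text or "").strip() for c in certs)}

def check_mapping(os_cfg, sso_app):
    """Compare AWS SSO application fields with OpenSearch SAML settings; [] means Solution 1's mapping."""
    findings = []
    valid_acs = {os_cfg["idp_initiated_sso_url"], os_cfg["sp_initiated_sso_url"]}
    if sso_app["acs_url"] == os_cfg["sp_entity_id"] and sso_app["audience"] in valid_acs:
        findings.append("ACS URL and SAML audience are swapped")  # the question's setup
    else:
        if sso_app["audience"] != os_cfg["sp_entity_id"]:
            findings.append("SAML audience must be the Service provider entity ID")
        if sso_app["acs_url"] not in valid_acs:
            findings.append("ACS URL must be the IdP-initiated or SP-initiated SSO URL")
    if sso_app.get("groups_attribute") and sso_app["groups_attribute"] != os_cfg.get("roles_key"):
        findings.append("OpenSearch 'Roles key' must name the SSO Groups attribute")
    return findings

# Constructed OpenSearch-side values and the two AWS SSO application configurations.
OS_CFG = {"sp_entity_id": "https://search.example.test",
          "idp_initiated_sso_url": "https://search.example.test/_dashboards/_opendistro/_security/saml/acs/idpinitiated",
          "sp_initiated_sso_url": "https://search.example.test/_dashboards/_opendistro/_security/saml/acs",
          "roles_key": "Groups"}
SWAPPED_APP = {"acs_url": OS_CFG["sp_entity_id"], "audience": OS_CFG["idp_initiated_sso_url"]}
CORRECT_APP = {"acs_url": OS_CFG["sp_initiated_sso_url"], "audience": OS_CFG["sp_entity_id"],
               "groups_attribute": "Groups"}
```

Run `check_mapping(OS_CFG, SWAPPED_APP)` to see the question's misconfiguration reported, and `parse_idp_metadata` on the real downloaded file to confirm it carries an IDPSSODescriptor and a signing certificate.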

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Raphael
Solution 2 yhn