OpenSearch UI supports multiple authentication methods. The right choice depends on your team size, existing identity setup, and how users will access the application.
# Choose Your Auth Method

## Comparison table
| Criteria | IAM Authentication | IAM Identity Center (IDC) | SAML Federation (via IAM) |
|---|---|---|---|
| Best for | Programmatic access, CLI users, single-account setups | SSO for teams, multi-user orgs, existing identity providers | Orgs already using SAML IdPs (Okta, Azure AD) without IDC |
| Login experience | SigV4 presigned URL or federated console | SSO portal with username/password | Federated console login via IdP |
| Setup complexity | Low — IAM policy only | Medium — IDC instance + IAM role + trust policy | Medium-High — IdP config + IAM role + trust policy |
| Prerequisites | IAM role with permissions | IDC instance + IAM role with permission and trust policies | SAML IdP configured + IAM role with SAML trust |
| Multi-user support | Manual — each user needs IAM credentials or role assumption | Built-in — users managed in IDC or synced from IdP | Via IdP — users managed in your SAML provider |
| MFA support | Via IAM MFA settings | Built-in via IDC or upstream IdP | Via your SAML IdP |
## When to use each method

### IAM authentication

Choose IAM auth when:
- You're a solo developer or small team
- You need programmatic or CLI access to the application
- You want the simplest possible setup
- You're building automation that generates presigned URLs
Prerequisites:
- AWS account with base IAM permissions
- At least one OpenSearch domain or serverless collection in your region
- AWS CLI configured with credentials
### IAM Identity Center (IDC)

Choose IDC when:
- Your organization uses SSO (Okta, Azure AD, etc.)
- You have multiple users who need access
- You want a browser-based login experience without presigned URLs
- You're already using IDC for other AWS services
Prerequisites:
- AWS account with base + IDC IAM permissions
- IAM Identity Center enabled in your account or organization
- IAM role with the required permission policy AND trust policy for sso.amazonaws.com
- At least one OpenSearch domain or serverless collection in your region
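The IDC prerequisite above is an IAM role whose trust policy names sso.amazonaws.com. A common misconfiguration is a trust policy that also admits a wildcard or an unrelated principal. The following is an added example (not code from the page, the OpenSearch UI project, or AWS) of a small checker for that: it assumes sts:AssumeRole is the only action the trust should grant and that the role should trust no principal other than sso.amazonaws.com; both sample policies are constructed.

```python
import json

# The page states the IDC path needs a trust policy for this service principal.
EXPECTED_SERVICE = "sso.amazonaws.com"
# Assumption: sts:AssumeRole is the only action the trust should grant; widen
# this set if your setup guide lists additional sts:* actions.
ALLOWED_ACTIONS = {"sts:AssumeRole"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_service: str = EXPECTED_SERVICE,
                       allowed_actions: set = ALLOWED_ACTIONS) -> list:
    """Return findings for a role trust policy; an empty list means only the
    expected service principal can assume the role, with allowed actions."""
    findings = []
    trusted = False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not flagged here
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: malformed Principal {principal!r}")
            continue
        for kind, who in principal.items():
            for name in _as_list(who):
                if kind == "Service" and name == expected_service:
                    trusted = True
                elif name == "*":
                    findings.append(f"statement {i}: wildcard {kind} principal")
                else:
                    findings.append(f"statement {i}: unexpected principal {kind}={name}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                findings.append(f"statement {i}: unexpected action {action}")
    if not trusted:
        findings.append(f"no Allow statement trusts {expected_service}")
    return findings


# Constructed sample: the expected shape for the IDC path.
GOOD_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "sso.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")

# Constructed sample: over-broad trust that also lets any AWS account assume the role.
LOOSE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "sso.amazonaws.com"},
   "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}""")
```

Run `check_trust_policy` against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) before completing the IDC setup; any finding means the role trusts more than the page's prerequisite requires.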
### SAML federation (via IAM or IDC)

Choose SAML when:
- You use a SAML identity provider like Okta or Azure AD
- You want users to log in through your existing IdP portal
There are two paths for SAML integration:
- Okta → IDC → OpenSearch UI (recommended) — Your IdP syncs users into IDC, which handles the OpenSearch UI integration
- Okta → SAML IAM Federation → OpenSearch UI (alternative) — Your IdP federates directly into an IAM role
OpenSearch UI is a standalone AWS resource, not a feature inside an OpenSearch domain. Direct SAML integration (like OpenSearch Dashboards SAML) is not supported. You must go through IAM or IDC.
## Decision flowchart

Ask yourself these questions:

1. Do you need SSO with an identity provider?
   - No → Use IAM auth
   - Yes → Continue to question 2
2. Is IAM Identity Center enabled in your account?
   - Yes → Use IDC auth
   - No, but you can enable it → Enable IDC, then use IDC auth
   - No, and you can't enable it → Use SAML via IAM federation
## Next steps
- Review the IAM policies reference for the full list of permissions
- Follow the setup guide for your chosen method
- After setup, each guide includes verification steps to confirm everything works