SAML with Other IdPs

This guide covers how to set up SAML federation with identity providers other than Okta — including Microsoft Entra ID (Azure AD), Ping Identity, OneLogin, and any SAML 2.0-compliant IdP. The core concepts are the same regardless of your IdP; only the IdP-side configuration steps differ.

If you're using Okta, see the dedicated SAML with Okta guide instead.

How SAML works with OpenSearch UI

OpenSearch UI doesn't support direct SAML integration the way OpenSearch Dashboards does. Instead, SAML federation goes through one of two AWS intermediaries:

Path	Flow	Best for
IdP → IDC → OpenSearch UI	Your IdP authenticates users, IDC manages the AWS integration	Teams that can enable IAM Identity Center
IdP → SAML IAM Federation → OpenSearch UI	Your IdP authenticates users, STS issues temporary credentials	Teams that can't use IDC

Recommendation: Use the IDC path whenever possible. It provides a better SSO experience, supports SCIM user provisioning, and enables per-user access control.

Path 1: IdP → IDC → OpenSearch UI (recommended)

This path uses your IdP as an external identity source for IAM Identity Center. IDC handles the OpenSearch UI integration.

Generic setup steps

These steps apply to any SAML IdP. The IdP-specific configuration is noted where it differs.

Step 1: Configure your IdP as an external identity source in IDC

Open the IAM Identity Center console
Go to Settings → Identity source → Actions → Change identity source
Choose External identity provider
Download the IDC SAML metadata (you'll upload this to your IdP)
Note the ACS URL and Entity ID from the metadata — you'll need these in your IdP

Step 2: Create the SAML application in your IdP

Create a new SAML 2.0 application in your IdP with these settings:

Setting	Value
Single sign-on URL (ACS URL)	From the IDC metadata downloaded in Step 1
Audience URI / Entity ID	From the IDC metadata downloaded in Step 1
Name ID format	`EmailAddress` (recommended)

Step 3: Upload IdP metadata to IDC

Download the SAML metadata XML from your IdP
In the IDC console, upload the metadata file to complete the identity source change

Step 4: Enable SCIM provisioning (recommended)

SCIM automatically syncs users and groups from your IdP to IDC:

In IDC Settings → Provisioning, enable automatic provisioning
Copy the SCIM endpoint URL and access token
Configure SCIM in your IdP using the endpoint and token

Step 5: Set up the OpenSearch UI application

Follow the IDC Auth Setup guide starting from Step B (creating the IAM role).

Step 6: Assign users in IDC

In IDC, go to Applications → your OpenSearch UI application
Assign the synced users or groups

Microsoft Entra ID (Azure AD) specifics

Creating the SAML app in Entra ID

In the Azure portal , go to Microsoft Entra ID → Enterprise applications → New application
Choose Create your own application
Select Integrate any other application you don't find in the gallery (Non-gallery)
Name it (e.g., "OpenSearch UI SSO") and choose Create
Go to Single sign-on → SAML
In Basic SAML Configuration:
- Identifier (Entity ID): Paste the Entity ID from IDC metadata
- Reply URL (ACS URL): Paste the ACS URL from IDC metadata
Download the Federation Metadata XML — upload this to IDC

SCIM provisioning with Entra ID

In the enterprise application, go to Provisioning → Get started
Set Provisioning Mode to Automatic
Under Admin Credentials:
- Tenant URL: Paste the SCIM endpoint from IDC
- Secret Token: Paste the SCIM access token from IDC
Choose Test Connection to verify, then Save
Under Mappings, configure attribute mappings for users and groups
Set Provisioning Status to On

Entra ID attribute mapping

Entra ID attribute	Maps to	Purpose
`user.userprincipalname`	Name ID	User identifier
`user.givenname`	First Name	Display name
`user.surname`	Last Name	Display name
`user.mail`	Email	Contact

Ping Identity specifics

Creating the SAML app in PingOne

In the PingOne admin console , go to Connections → Applications → Add Application
Choose SAML Application
Enter a name (e.g., "OpenSearch UI SSO")
Under SAML Configuration, choose Import Metadata and upload the IDC metadata file
Alternatively, manually configure:
- ACS URL: From IDC metadata
- Entity ID: From IDC metadata
- Name ID Format: EmailAddress
Save and download the PingOne metadata XML — upload this to IDC

SCIM provisioning with PingOne

In the application settings, go to Provisioning
Enable outbound provisioning
Configure the SCIM connection:
- SCIM URL: Paste the SCIM endpoint from IDC
- Authentication: Bearer token — paste the SCIM access token
Map user attributes and enable provisioning

OneLogin specifics

Creating the SAML app in OneLogin

In the OneLogin admin portal , go to Applications → Add App
Search for "SAML Custom Connector (Advanced)" and select it
Name it (e.g., "OpenSearch UI SSO") and Save
Go to the Configuration tab:
- ACS (Consumer) URL: From IDC metadata
- Audience (Entity ID): From IDC metadata
- SAML nameID format: Email
Go to the SSO tab and download the Issuer URL metadata — upload this to IDC

SCIM provisioning with OneLogin

In the application, go to Provisioning
Enable provisioning
Configure the SCIM connection with the IDC endpoint and token
Map attributes and save

Path 2: IdP → SAML IAM Federation → OpenSearch UI

Use this path if you can't enable IAM Identity Center. Your IdP federates directly into an IAM role via AWS STS.

Step 1: Create the SAML application in your IdP

Configure a SAML 2.0 application with these AWS-specific settings:

Setting	Value
Single sign-on URL	`https://signin.aws.amazon.com/saml`
Audience URI / Entity ID	`urn:amazon:webservices`
Name ID format	`EmailAddress`

Step 2: Configure SAML attribute statements

Add these attribute statements in your IdP's SAML configuration:

Attribute name	Value	Purpose
`https://aws.amazon.com/SAML/Attributes/RoleSessionName`	User's email or username	Identifies the user in AWS CloudTrail logs
`https://aws.amazon.com/SAML/Attributes/Role`	`<IAM_ROLE_ARN>,<SAML_PROVIDER_ARN>` (comma-separated)	Specifies which IAM role to assume

Example Role attribute value:

arn:aws:iam::123456789012:role/OpenSearchUIRole,arn:aws:iam::123456789012:saml-provider/MyIdP

Step 3: Create the SAML identity provider in IAM

Download the metadata XML from your IdP, then create the provider:

aws iam create-saml-provider \
  --saml-metadata-document file://idp-metadata.xml \
  --name MyIdPSAMLProvider

Step 4: Create the IAM role with SAML trust

aws iam create-role \
  --role-name OpenSearchUI-SAML-Role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:saml-provider/MyIdPSAMLProvider"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }]
  }'

Step 5: Attach the OpenSearch UI permission policy

aws iam put-role-policy \
  --role-name OpenSearchUI-SAML-Role \
  --policy-name OpenSearchAppAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": "opensearch:ApplicationAccessAll",
      "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
    }]
  }'

Step 6: Access OpenSearch UI

Users access OpenSearch UI through the AWS federated console:

User clicks the app tile in the IdP portal
IdP sends a SAML assertion to AWS
User lands in the AWS Console with the federated role
User navigates to OpenSearch Service → OpenSearch UI → their application

Fine-grained access control with SAML

You can implement per-group access control by mapping IdP groups to different IAM roles. This works with both Path 1 (IDC) and Path 2 (SAML IAM federation).

Approach: Multiple IAM roles

Create separate IAM roles with different permissions for different groups:

IdP group	IAM role	Permissions
`opensearch-admins`	`OpenSearchUI-Admin-Role`	Full access to all applications and data sources
`opensearch-analysts`	`OpenSearchUI-Analyst-Role`	Read-only access to specific applications
`opensearch-viewers`	`OpenSearchUI-Viewer-Role`	Access to specific applications, no admin features

In your IdP, configure the SAML Role attribute to map each group to its corresponding IAM role.

Domain-level fine-grained access control

For more granular control at the index level, configure SAML-based fine-grained access control on your OpenSearch domains:

In your IdP, add custom SAML attributes:
- A subject key attribute (e.g., UserName → user's email) for authentication
- A roles key attribute (e.g., groups → user's group memberships) for authorization
On the OpenSearch domain, enable IAM Federation and configure the subject key and roles key:

aws opensearch update-domain-config \
  --domain-name <DOMAIN_NAME> \
  --advanced-security-options '{
    "Enabled": true,
    "IAMFederationOptions": {
      "Enabled": true,
      "SubjectKey": "UserName",
      "RolesKey": "groups"
    }
  }'

Map IdP groups to OpenSearch security roles using backend roles mapping.

Common issues across all IdPs

Issue	Cause	Resolution
SAML assertion errors after IdP login	Attribute mapping mismatch	Verify that `RoleSessionName` and `Role` attributes match the expected format exactly
"Access denied" after successful federation	IAM role missing `opensearch:ApplicationAccessAll`	Add the permission policy to the federated role
Users land on AWS Console instead of OpenSearch UI	Default Relay State not configured	Set the Relay State in your IdP to the OpenSearch UI redirect URL
SCIM sync not working	Wrong endpoint or expired token	Verify the SCIM endpoint URL and regenerate the access token in IDC
Users synced but can't access the app	Users not assigned to the IDC application	Assign users/groups in IDC → Applications → your app
Multiple IdP groups but all users get same permissions	All groups mapped to the same IAM role	Create separate IAM roles for each group and update the SAML Role attribute mapping
IdP metadata expired	SAML certificates have a limited validity period	Download fresh metadata from your IdP and update the IAM SAML provider or IDC identity source

IdP-specific documentation links

Identity provider	SAML setup docs	SCIM provisioning docs
Microsoft Entra ID (Azure AD)	Azure AD SAML SSO	Azure AD SCIM provisioning
Ping Identity	PingOne SAML	PingOne SCIM
OneLogin	OneLogin SAML	OneLogin SCIM

SAML with Okta — Dedicated Okta integration guide
IDC Auth Setup — Full IDC setup walkthrough
IAM Auth Setup — IAM-only authentication
IAM Policies Reference — Complete permissions reference
AWS docs: SAML federation with OpenSearch UI
AWS docs: Connect to an external identity provider (IDC)