Malay Hazarika
Jun 5, 2025
|5 minutes Read
OpenSearch includes a robust security plugin that provides encryption, authentication and authorization. This article guides you through connecting OpenSearch to an OIDC provider such as Keycloak. By the end, you'll have a secure authentication system that centralizes user management.
We have been building a full stack observability platform, as a truly open source and efficient alternative to the ELK stack, with OpenSearch at its core. Having SSO integrated with the system makes it more cohesive and easier for teams to use and manage.
Integrating OpenSearch with OIDC brings several key benefits:
Before we start, ensure you have:
Create a new client in Keycloak with client ID opensearch, with the following URLs:
https://opensearch.apps.yourcompany.com/
https://opensearch.apps.yourcompany.com/
https://opensearch.apps.yourcompany.com/*
Note that these are the URLs for your OpenSearch Dashboards instance.
Create a client scope named opensearch_roles with a mapper of type "User Client Role" configured as follows:
Client ID: opensearch
Multivalued: true
Token Claim Name: roles
Claim JSON Type: String
Add to ID token: true
Add to access token: true
Add to userinfo: true
Go to the opensearch client, "Client Scopes" tab, and add the opensearch_roles scope to the client.
Remove the default roles scope if it exists, as it will conflict with our custom scope.
Go to the opensearch client, "Credentials" tab, and create a new client secret.
With Keycloak ready, configure OpenSearch. The <opensearch-install-dir>/config/opensearch-security/config.yaml file would be:
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn
          challenge: false
        authentication_backend:
          type: noop
      openid_auth_domain:
        description: "Authenticate via OpenID Connect"
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://keycloak.apps.yourcompany.com/realms/yourcompany/.well-known/openid-configuration
        authentication_backend:
          type: noop
    authz: {}
Note: openid_connect_url should point to your OIDC provider's discovery document. In Keycloak this is found in the realm settings under "OpenID Endpoint Configuration".
Once the changes are made, apply them by running the securityadmin tool. If you are using the OpenSearch operator in Kubernetes (which we strongly recommend), you don't need to do this, as the operator takes care of it.
Next, configure OpenSearch Dashboards. In opensearch_dashboards.yml, set:
opensearch.ssl.verificationMode: none
opensearch_security.auth.type: openid
opensearch_security.openid.base_redirect_url: https://opensearch.apps.yourcompany.com/
opensearch_security.openid.client_id: opensearch
opensearch_security.openid.client_secret: sjwVyYqeaEXVaaZlssBIwNeNDdgGsoqy
opensearch_security.openid.connect_url: https://keycloak.apps.yourcompany.com/realms/yourcompany/.well-known/openid-configuration
opensearch_security.openid.scope: basic email opensearch_roles
server.name: opensearch-dashboards
Note:
Replace the value of opensearch_security.openid.client_secret with the secret you created in Keycloak.
opensearch_security.openid.scope includes the custom scope we created earlier (opensearch_roles).
opensearch.ssl.verificationMode: none turns off certificate verification between Dashboards and OpenSearch; keep it only while testing and use full with a trusted CA in production.
Once the previous steps are done, you can no longer access OpenSearch Dashboards with the default admin user. You need to map the admin role to a user in Keycloak. For that:
Go to the opensearch client, "Roles" tab.
Create a client role with the same name as the OpenSearch role (admin) and assign it to the user.
Once these configurations are applied, you can test the integration as follows:
Open OpenSearch Dashboards (https://opensearch.apps.yourcompany.com/) and sign in through Keycloak with the user you assigned the admin role to.
You now have a working OIDC integration with OpenSearch. You can create more roles in OpenSearch Security from OpenSearch Dashboards and map them to users in Keycloak, similar to how we did for the admin role.
If you encounter issues:
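A useful first check is to decode the token Keycloak issued and confirm it carries the claims the config.yaml above looks up: subject_key preferred_username and roles_key roles. The script below is an added example, not code from the original post; the tokens in it are constructed and unsigned for offline use, and it deliberately does not verify signatures (OpenSearch does that against the JWKS published at openid_connect_url).

```python
import base64
import json

# Claim names from the openid_auth_domain config on this page.
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload claims. No signature check here: OpenSearch
    validates the signature against the provider's JWKS, this is only a look."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def opensearch_identity(claims: dict) -> tuple:
    """Derive (subject, backend_roles) as the openid authenticator would:
    subject from SUBJECT_KEY, backend roles from the top-level ROLES_KEY claim."""
    if SUBJECT_KEY not in claims:
        raise ValueError(f"token has no '{SUBJECT_KEY}' claim")
    roles = claims.get(ROLES_KEY, [])
    if isinstance(roles, str):  # mapper created without Multivalued yields a string
        roles = [roles]
    return claims[SUBJECT_KEY], sorted(roles)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none token for offline testing only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: shape Keycloak produces once opensearch_roles is in the scope.
# The resource_access block is what the default roles scope emits; it is not read here.
GOOD_TOKEN = make_unsigned_token({
    "preferred_username": "alice",
    "roles": ["admin"],
    "resource_access": {"opensearch": {"roles": ["admin"]}},
})
# Constructed sample: opensearch_roles was not requested, so no top-level roles claim.
NO_ROLES_TOKEN = make_unsigned_token({"preferred_username": "bob"})

if __name__ == "__main__":
    print(opensearch_identity(decode_payload(GOOD_TOKEN)))      # ('alice', ['admin'])
    print(opensearch_identity(decode_payload(NO_ROLES_TOKEN)))  # ('bob', [])
```

A user whose token decodes like NO_ROLES_TOKEN will authenticate but land with no backend roles, which is the usual cause of a permissions error right after login.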
Integrating OpenSearch with OIDC enhances security and simplifies user management. This setup demonstrates how open source solutions can provide enterprise-grade security without enterprise-grade price tags. Good luck on your journey!
Cheers!