How can I use AD saml for auth into kibana from terraform

HI All

We have a logging stack that makes use of Amazon Opensearch in AWS. We have recently been tasked with moving the Opensearch service to a new vpc which requires a whole new cluster being setup. We are moving away from using Amazon cognito as a means of authenticating users into opensearch kibana. We are moving towards using azure AD saml.

We have to this point replaced the cognito config we have in terraform with the AD saml config we required on a parallel cluster . The domain gets created successfully but we have no idea how to use azure AD saml to auth into kibana from terraform to setup various roles and policies for our users, we previously used cognito to assume a role that had admin access in kibana.

we have setup the domain saml options as below and that works:

Any advice to achieving this would be highly appreciated.

Hi @zubair.bhamjee ,

I want to make sure I am breaking down your question correctly. Is the problem you are having about how to make Terraform authenticate using SAML using Azure AD/EntraID?

Are you able to authenticate with Kibana using SAML without Terraform (e.g. login as a regular user)?

HI Jonathan

Yes, your understanding is correct.
We spun up the new cluster in AWS.
We created the enterprise application in azure portal, added the saml config and meta data file to the cluster security settings.
We can login to Kibana without using terraform using the admin users we setup on the cluster.


Thanks for the response and helping me understand what’s happening. Apologies for asking a lot of questions but I obviously lack context to your set up.

When you were using Cognito, did Terraform connect to Kibana using a Cognito user? A static user? Or API key? Looking over the provider info, it seems like static users and API keys are the supported ways to authenticate (but it has been several years since I used ELK):

The link you provided in the original message appears to be HOW to configure SAML, which sounds like it worked since you can log into Kibana using your EntraID users.

Apologies if I am not connecting all the pieces properly.

it used a cognito user that assumed a admin backend role that was used to setup the required policies and roles within kibana. It was easy enough to integrate this way as cognito was already an AWS service.

Thanks for the info on the providers, ill have a look into that to try and get my timeout issues on terraform resloved