aws-cdk-lib 2.91.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

aws_cdk/aws_mwaa/__init__.py

@@ -160,7 +160,7 @@ class CfnEnvironment(
         :param id: Construct identifier for this resource (unique in its scope).
         :param name: The name of your Amazon MWAA environment.
         :param airflow_configuration_options: A list of key-value pairs containing the Airflow configuration options for your environment. For example, ``core.default_timezone: utc`` . To learn more, see `Apache Airflow configuration options <https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-env-variables.html>`_ .
-        :param airflow_version: The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version. *Allowed Values* : ``2.0.2`` | ``1.10.12`` | ``2.2.2`` | ``2.4.3`` | ``2.5.1`` (latest)
+        :param airflow_version: The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version. If you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect. *Allowed Values* : ``2.0.2`` | ``1.10.12`` | ``2.2.2`` | ``2.4.3`` | ``2.5.1`` | ``2.6.3`` (latest)
         :param dag_s3_path: The relative path to the DAGs folder on your Amazon S3 bucket. For example, ``dags`` . To learn more, see `Adding or updating DAGs <https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-dag-folder.html>`_ .
         :param environment_class: The environment class type. Valid values: ``mw1.small`` , ``mw1.medium`` , ``mw1.large`` . To learn more, see `Amazon MWAA environment class <https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html>`_ .
         :param execution_role_arn: The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, ``arn:aws:iam::123456789:role/my-execution-role`` . To learn more, see `Amazon MWAA Execution role <https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html>`_ .
@@ -177,7 +177,7 @@ class CfnEnvironment(
         :param source_bucket_arn: The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, ``arn:aws:s3:::my-airflow-bucket-unique-name`` . To learn more, see `Create an Amazon S3 bucket for Amazon MWAA <https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-s3-bucket.html>`_ .
         :param startup_script_s3_object_version: The version of the startup shell script in your Amazon S3 bucket. You must specify the `version ID <https://docs.aws.amazon.com/AmazonS3/latest/userguide/versioning-workflows.html>`_ that Amazon S3 assigns to the file every time you update the script. Version IDs are Unicode, UTF-8 encoded, URL-ready, opaque strings that are no more than 1,024 bytes long. The following is an example: ``3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo`` For more information, see `Using a startup script <https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html>`_ .
         :param startup_script_s3_path: The relative path to the startup shell script in your Amazon S3 bucket. For example, ``s3://mwaa-environment/startup.sh`` . Amazon MWAA runs the script as your environment starts, and before running the Apache Airflow process. You can use this script to install dependencies, modify Apache Airflow configuration options, and set environment variables. For more information, see `Using a startup script <https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html>`_ .
-        :param tags: The key-value tag pairs associated to your environment. For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
+        :param tags: The key-value tag pairs associated to your environment. For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ . If you specify new tags for an existing environment, the update requires service interruption before taking effect.
         :param webserver_access_mode: The Apache Airflow *Web server* access mode. To learn more, see `Apache Airflow access modes <https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-networking.html>`_ . Valid values: ``PRIVATE_ONLY`` or ``PUBLIC_ONLY`` .
         :param weekly_maintenance_window_start: The day and time of the week to start weekly maintenance updates of your environment in the following format: ``DAY:HH:MM`` . For example: ``TUE:03:30`` . You can specify a start time in 30 minute increments only. Supported input includes the following: - MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\d|2[0-3]):(00|30)
         '''
@@ -598,7 +598,10 @@ class CfnEnvironment(
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Any:
-        '''The key-value tag pairs associated to your environment.'''
+        '''The key-value tag pairs associated to your environment.
+
+        For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
+        '''
         return typing.cast(typing.Any, jsii.get(self, "tagsRaw"))
 
     @tags_raw.setter
@@ -1022,7 +1025,7 @@ class CfnEnvironmentProps:
 
         :param name: The name of your Amazon MWAA environment.
         :param airflow_configuration_options: A list of key-value pairs containing the Airflow configuration options for your environment. For example, ``core.default_timezone: utc`` . To learn more, see `Apache Airflow configuration options <https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-env-variables.html>`_ .
-        :param airflow_version: The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version. *Allowed Values* : ``2.0.2`` | ``1.10.12`` | ``2.2.2`` | ``2.4.3`` | ``2.5.1`` (latest)
+        :param airflow_version: The version of Apache Airflow to use for the environment. If no value is specified, defaults to the latest version. If you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect. *Allowed Values* : ``2.0.2`` | ``1.10.12`` | ``2.2.2`` | ``2.4.3`` | ``2.5.1`` | ``2.6.3`` (latest)
         :param dag_s3_path: The relative path to the DAGs folder on your Amazon S3 bucket. For example, ``dags`` . To learn more, see `Adding or updating DAGs <https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-dag-folder.html>`_ .
         :param environment_class: The environment class type. Valid values: ``mw1.small`` , ``mw1.medium`` , ``mw1.large`` . To learn more, see `Amazon MWAA environment class <https://docs.aws.amazon.com/mwaa/latest/userguide/environment-class.html>`_ .
         :param execution_role_arn: The Amazon Resource Name (ARN) of the execution role in IAM that allows MWAA to access AWS resources in your environment. For example, ``arn:aws:iam::123456789:role/my-execution-role`` . To learn more, see `Amazon MWAA Execution role <https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html>`_ .
@@ -1039,7 +1042,7 @@ class CfnEnvironmentProps:
         :param source_bucket_arn: The Amazon Resource Name (ARN) of the Amazon S3 bucket where your DAG code and supporting files are stored. For example, ``arn:aws:s3:::my-airflow-bucket-unique-name`` . To learn more, see `Create an Amazon S3 bucket for Amazon MWAA <https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-s3-bucket.html>`_ .
         :param startup_script_s3_object_version: The version of the startup shell script in your Amazon S3 bucket. You must specify the `version ID <https://docs.aws.amazon.com/AmazonS3/latest/userguide/versioning-workflows.html>`_ that Amazon S3 assigns to the file every time you update the script. Version IDs are Unicode, UTF-8 encoded, URL-ready, opaque strings that are no more than 1,024 bytes long. The following is an example: ``3sL4kqtJlcpXroDTDmJ+rmSpXd3dIbrHY+MTRCxf3vjVBH40Nr8X8gdRQBpUMLUo`` For more information, see `Using a startup script <https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html>`_ .
         :param startup_script_s3_path: The relative path to the startup shell script in your Amazon S3 bucket. For example, ``s3://mwaa-environment/startup.sh`` . Amazon MWAA runs the script as your environment starts, and before running the Apache Airflow process. You can use this script to install dependencies, modify Apache Airflow configuration options, and set environment variables. For more information, see `Using a startup script <https://docs.aws.amazon.com/mwaa/latest/userguide/using-startup-script.html>`_ .
-        :param tags: The key-value tag pairs associated to your environment. For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
+        :param tags: The key-value tag pairs associated to your environment. For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ . If you specify new tags for an existing environment, the update requires service interruption before taking effect.
         :param webserver_access_mode: The Apache Airflow *Web server* access mode. To learn more, see `Apache Airflow access modes <https://docs.aws.amazon.com/mwaa/latest/userguide/configuring-networking.html>`_ . Valid values: ``PRIVATE_ONLY`` or ``PUBLIC_ONLY`` .
         :param weekly_maintenance_window_start: The day and time of the week to start weekly maintenance updates of your environment in the following format: ``DAY:HH:MM`` . For example: ``TUE:03:30`` . You can specify a start time in 30 minute increments only. Supported input includes the following: - MON|TUE|WED|THU|FRI|SAT|SUN:([01]\\d|2[0-3]):(00|30)
 
@@ -1208,7 +1211,9 @@ class CfnEnvironmentProps:
 
         If no value is specified, defaults to the latest version.
 
-        *Allowed Values* : ``2.0.2`` | ``1.10.12`` | ``2.2.2`` | ``2.4.3`` | ``2.5.1`` (latest)
+        If you specify a newer version number for an existing environment, the version update requires some service interruption before taking effect.
+
+        *Allowed Values* : ``2.0.2`` | ``1.10.12`` | ``2.2.2`` | ``2.4.3`` | ``2.5.1`` | ``2.6.3`` (latest)
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-mwaa-environment.html#cfn-mwaa-environment-airflowversion
         '''
@@ -1394,9 +1399,9 @@ class CfnEnvironmentProps:
 
     @builtins.property
     def tags(self) -> typing.Any:
-        '''The key-value tag pairs associated to your environment.
+        '''The key-value tag pairs associated to your environment. For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
 
-        For example, ``"Environment": "Staging"`` . To learn more, see `Tagging <https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html>`_ .
+        If you specify new tags for an existing environment, the update requires service interruption before taking effect.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-mwaa-environment.html#cfn-mwaa-environment-tags
         '''

aws_cdk/aws_neptune/__init__.py

@@ -270,9 +270,12 @@ class CfnDBCluster(
     @builtins.property
     @jsii.member(jsii_name="attrPort")
     def attr_port(self) -> builtins.str:
-        '''The port number on which the DB cluster accepts connections.
+        '''The port number on which the DB instances in the DB cluster accept connections.
 
-        For example: ``8182`` .
+        If not specified, the default port used is ``8182`` .
+        .. epigraph::
+
+           This property will soon be deprecated. Please update existing templates to use the new ``DBPort`` property that has the same functionality.
 
         :cloudformationAttribute: Port
         '''

aws_cdk/aws_omics/__init__.py

@@ -1249,7 +1249,7 @@ class CfnRunGroup(
         :param id: Construct identifier for this resource (unique in its scope).
         :param max_cpus: The group's maximum CPU count setting.
         :param max_duration: The group's maximum duration setting in minutes.
-        :param max_gpus: 
+        :param max_gpus: The maximum GPUs that can be used by a run group.
         :param max_runs: The group's maximum concurrent run setting.
         :param name: The group's name.
         :param tags: Tags for the group.
@@ -1366,6 +1366,7 @@ class CfnRunGroup(
     @builtins.property
     @jsii.member(jsii_name="maxGpus")
     def max_gpus(self) -> typing.Optional[jsii.Number]:
+        '''The maximum GPUs that can be used by a run group.'''
         return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "maxGpus"))
 
     @max_gpus.setter
@@ -1445,7 +1446,7 @@ class CfnRunGroupProps:
 
         :param max_cpus: The group's maximum CPU count setting.
         :param max_duration: The group's maximum duration setting in minutes.
-        :param max_gpus: 
+        :param max_gpus: The maximum GPUs that can be used by a run group.
         :param max_runs: The group's maximum concurrent run setting.
         :param name: The group's name.
         :param tags: Tags for the group.
@@ -1512,7 +1513,8 @@ class CfnRunGroupProps:
 
     @builtins.property
     def max_gpus(self) -> typing.Optional[jsii.Number]:
-        '''
+        '''The maximum GPUs that can be used by a run group.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-omics-rungroup.html#cfn-omics-rungroup-maxgpus
         '''
         result = self._values.get("max_gpus")

aws_cdk/aws_opensearchservice/__init__.py

@@ -199,6 +199,32 @@ domain = Domain(self, "Domain",
 master_user_password = domain.master_user_password
 ```
 
+## SAML authentication
+
+You can enable SAML authentication to use your existing identity provider
+to offer single sign-on (SSO) for dashboards on Amazon OpenSearch Service domains
+running OpenSearch or Elasticsearch 6.7 or later.
+To use SAML authentication, fine-grained access control must be enabled.
+
+```python
+domain = Domain(self, "Domain",
+    version=EngineVersion.OPENSEARCH_1_0,
+    enforce_https=True,
+    node_to_node_encryption=True,
+    encryption_at_rest=EncryptionAtRestOptions(
+        enabled=True
+    ),
+    fine_grained_access_control=AdvancedSecurityOptions(
+        master_user_name="master-user",
+        saml_authentication_enabled=True,
+        saml_authentication_options=SAMLOptionsProperty(
+            idp_entity_id="entity-id",
+            idp_metadata_content="metadata-content-with-quotes-escaped"
+        )
+    )
+)
+```
+
 ## Using unsigned basic auth
 
 For convenience, the domain can be configured to allow unsigned HTTP requests
@@ -486,6 +512,8 @@ from ..aws_route53 import IHostedZone as _IHostedZone_9a6907ad
         "master_user_arn": "masterUserArn",
         "master_user_name": "masterUserName",
         "master_user_password": "masterUserPassword",
+        "saml_authentication_enabled": "samlAuthenticationEnabled",
+        "saml_authentication_options": "samlAuthenticationOptions",
     },
 )
 class AdvancedSecurityOptions:
@@ -495,12 +523,16 @@ class AdvancedSecurityOptions:
         master_user_arn: typing.Optional[builtins.str] = None,
         master_user_name: typing.Optional[builtins.str] = None,
         master_user_password: typing.Optional[_SecretValue_3dd0ddae] = None,
+        saml_authentication_enabled: typing.Optional[builtins.bool] = None,
+        saml_authentication_options: typing.Optional[typing.Union["SAMLOptionsProperty", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''Specifies options for fine-grained access control.
 
         :param master_user_arn: ARN for the master user. Only specify this or masterUserName, but not both. Default: - fine-grained access control is disabled
         :param master_user_name: Username for the master user. Only specify this or masterUserArn, but not both. Default: - fine-grained access control is disabled
         :param master_user_password: Password for the master user. You can use ``SecretValue.unsafePlainText`` to specify a password in plain text or use ``secretsmanager.Secret.fromSecretAttributes`` to reference a secret in Secrets Manager. Default: - A Secrets Manager generated password
+        :param saml_authentication_enabled: True to enable SAML authentication for a domain. Default: - SAML authentication is disabled. Enabled if ``samlAuthenticationOptions`` is set.
+        :param saml_authentication_options: Container for information about the SAML configuration for OpenSearch Dashboards. If set, ``samlAuthenticationEnabled`` will be enabled. Default: - no SAML authentication options
 
         :exampleMetadata: infused
 
@@ -514,21 +546,24 @@ class AdvancedSecurityOptions:
                     enabled=True
                 ),
                 fine_grained_access_control=AdvancedSecurityOptions(
-                    master_user_name="master-user"
-                ),
-                logging=LoggingOptions(
-                    audit_log_enabled=True,
-                    slow_search_log_enabled=True,
-                    app_log_enabled=True,
-                    slow_index_log_enabled=True
+                    master_user_name="master-user",
+                    saml_authentication_enabled=True,
+                    saml_authentication_options=SAMLOptionsProperty(
+                        idp_entity_id="entity-id",
+                        idp_metadata_content="metadata-content-with-quotes-escaped"
+                    )
                 )
             )
         '''
+        if isinstance(saml_authentication_options, dict):
+            saml_authentication_options = SAMLOptionsProperty(**saml_authentication_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__c1e95392d4761126042f2d6d6160889a80c269d2f13c21476fe92febdb7f04e3)
             check_type(argname="argument master_user_arn", value=master_user_arn, expected_type=type_hints["master_user_arn"])
             check_type(argname="argument master_user_name", value=master_user_name, expected_type=type_hints["master_user_name"])
             check_type(argname="argument master_user_password", value=master_user_password, expected_type=type_hints["master_user_password"])
+            check_type(argname="argument saml_authentication_enabled", value=saml_authentication_enabled, expected_type=type_hints["saml_authentication_enabled"])
+            check_type(argname="argument saml_authentication_options", value=saml_authentication_options, expected_type=type_hints["saml_authentication_options"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if master_user_arn is not None:
             self._values["master_user_arn"] = master_user_arn
@@ -536,6 +571,10 @@ class AdvancedSecurityOptions:
             self._values["master_user_name"] = master_user_name
         if master_user_password is not None:
             self._values["master_user_password"] = master_user_password
+        if saml_authentication_enabled is not None:
+            self._values["saml_authentication_enabled"] = saml_authentication_enabled
+        if saml_authentication_options is not None:
+            self._values["saml_authentication_options"] = saml_authentication_options
 
     @builtins.property
     def master_user_arn(self) -> typing.Optional[builtins.str]:
@@ -572,6 +611,28 @@ class AdvancedSecurityOptions:
         result = self._values.get("master_user_password")
         return typing.cast(typing.Optional[_SecretValue_3dd0ddae], result)
 
+    @builtins.property
+    def saml_authentication_enabled(self) -> typing.Optional[builtins.bool]:
+        '''True to enable SAML authentication for a domain.
+
+        :default: - SAML authentication is disabled. Enabled if ``samlAuthenticationOptions`` is set.
+
+        :see: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html
+        '''
+        result = self._values.get("saml_authentication_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def saml_authentication_options(self) -> typing.Optional["SAMLOptionsProperty"]:
+        '''Container for information about the SAML configuration for OpenSearch Dashboards.
+
+        If set, ``samlAuthenticationEnabled`` will be enabled.
+
+        :default: - no SAML authentication options
+        '''
+        result = self._values.get("saml_authentication_options")
+        return typing.cast(typing.Optional["SAMLOptionsProperty"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4772,13 +4833,12 @@ class EncryptionAtRestOptions:
                     enabled=True
                 ),
                 fine_grained_access_control=AdvancedSecurityOptions(
-                    master_user_name="master-user"
-                ),
-                logging=LoggingOptions(
-                    audit_log_enabled=True,
-                    slow_search_log_enabled=True,
-                    app_log_enabled=True,
-                    slow_index_log_enabled=True
+                    master_user_name="master-user",
+                    saml_authentication_enabled=True,
+                    saml_authentication_options=SAMLOptionsProperty(
+                        idp_entity_id="entity-id",
+                        idp_metadata_content="metadata-content-with-quotes-escaped"
+                    )
                 )
             )
         '''
@@ -6619,6 +6679,163 @@ class LoggingOptions:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_opensearchservice.SAMLOptionsProperty",
+    jsii_struct_bases=[],
+    name_mapping={
+        "idp_entity_id": "idpEntityId",
+        "idp_metadata_content": "idpMetadataContent",
+        "master_backend_role": "masterBackendRole",
+        "master_user_name": "masterUserName",
+        "roles_key": "rolesKey",
+        "session_timeout_minutes": "sessionTimeoutMinutes",
+        "subject_key": "subjectKey",
+    },
+)
+class SAMLOptionsProperty:
+    def __init__(
+        self,
+        *,
+        idp_entity_id: builtins.str,
+        idp_metadata_content: builtins.str,
+        master_backend_role: typing.Optional[builtins.str] = None,
+        master_user_name: typing.Optional[builtins.str] = None,
+        roles_key: typing.Optional[builtins.str] = None,
+        session_timeout_minutes: typing.Optional[jsii.Number] = None,
+        subject_key: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Container for information about the SAML configuration for OpenSearch Dashboards.
+
+        :param idp_entity_id: The unique entity ID of the application in the SAML identity provider.
+        :param idp_metadata_content: The metadata of the SAML application, in XML format.
+        :param master_backend_role: The backend role that the SAML master user is mapped to. Any users with this backend role receives full permission in OpenSearch Dashboards/Kibana. To use a SAML master backend role, configure the ``rolesKey`` property. Default: - The master user is not mapped to a backend role
+        :param master_user_name: The SAML master username, which is stored in the domain's internal user database. This SAML user receives full permission in OpenSearch Dashboards/Kibana. Creating a new master username does not delete any existing master usernames. Default: - No master user name is configured
+        :param roles_key: Element of the SAML assertion to use for backend roles. Default: - roles
+        :param session_timeout_minutes: The duration, in minutes, after which a user session becomes inactive. Default: - 60
+        :param subject_key: Element of the SAML assertion to use for the user name. Default: - NameID element of the SAML assertion fot the user name
+
+        :exampleMetadata: infused
+
+        Example::
+
+            domain = Domain(self, "Domain",
+                version=EngineVersion.OPENSEARCH_1_0,
+                enforce_https=True,
+                node_to_node_encryption=True,
+                encryption_at_rest=EncryptionAtRestOptions(
+                    enabled=True
+                ),
+                fine_grained_access_control=AdvancedSecurityOptions(
+                    master_user_name="master-user",
+                    saml_authentication_enabled=True,
+                    saml_authentication_options=SAMLOptionsProperty(
+                        idp_entity_id="entity-id",
+                        idp_metadata_content="metadata-content-with-quotes-escaped"
+                    )
+                )
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__3971b3c73627d57587c667b1ede64fbba4de4fd4a086af959dc2d0f812f8e36b)
+            check_type(argname="argument idp_entity_id", value=idp_entity_id, expected_type=type_hints["idp_entity_id"])
+            check_type(argname="argument idp_metadata_content", value=idp_metadata_content, expected_type=type_hints["idp_metadata_content"])
+            check_type(argname="argument master_backend_role", value=master_backend_role, expected_type=type_hints["master_backend_role"])
+            check_type(argname="argument master_user_name", value=master_user_name, expected_type=type_hints["master_user_name"])
+            check_type(argname="argument roles_key", value=roles_key, expected_type=type_hints["roles_key"])
+            check_type(argname="argument session_timeout_minutes", value=session_timeout_minutes, expected_type=type_hints["session_timeout_minutes"])
+            check_type(argname="argument subject_key", value=subject_key, expected_type=type_hints["subject_key"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "idp_entity_id": idp_entity_id,
+            "idp_metadata_content": idp_metadata_content,
+        }
+        if master_backend_role is not None:
+            self._values["master_backend_role"] = master_backend_role
+        if master_user_name is not None:
+            self._values["master_user_name"] = master_user_name
+        if roles_key is not None:
+            self._values["roles_key"] = roles_key
+        if session_timeout_minutes is not None:
+            self._values["session_timeout_minutes"] = session_timeout_minutes
+        if subject_key is not None:
+            self._values["subject_key"] = subject_key
+
+    @builtins.property
+    def idp_entity_id(self) -> builtins.str:
+        '''The unique entity ID of the application in the SAML identity provider.'''
+        result = self._values.get("idp_entity_id")
+        assert result is not None, "Required property 'idp_entity_id' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def idp_metadata_content(self) -> builtins.str:
+        '''The metadata of the SAML application, in XML format.'''
+        result = self._values.get("idp_metadata_content")
+        assert result is not None, "Required property 'idp_metadata_content' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def master_backend_role(self) -> typing.Optional[builtins.str]:
+        '''The backend role that the SAML master user is mapped to.
+
+        Any users with this backend role receives full permission in OpenSearch Dashboards/Kibana.
+        To use a SAML master backend role, configure the ``rolesKey`` property.
+
+        :default: - The master user is not mapped to a backend role
+        '''
+        result = self._values.get("master_backend_role")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def master_user_name(self) -> typing.Optional[builtins.str]:
+        '''The SAML master username, which is stored in the domain's internal user database.
+
+        This SAML user receives full permission in OpenSearch Dashboards/Kibana.
+        Creating a new master username does not delete any existing master usernames.
+
+        :default: - No master user name is configured
+        '''
+        result = self._values.get("master_user_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def roles_key(self) -> typing.Optional[builtins.str]:
+        '''Element of the SAML assertion to use for backend roles.
+
+        :default: - roles
+        '''
+        result = self._values.get("roles_key")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def session_timeout_minutes(self) -> typing.Optional[jsii.Number]:
+        '''The duration, in minutes, after which a user session becomes inactive.
+
+        :default: - 60
+        '''
+        result = self._values.get("session_timeout_minutes")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def subject_key(self) -> typing.Optional[builtins.str]:
+        '''Element of the SAML assertion to use for the user name.
+
+        :default: - NameID element of the SAML assertion fot the user name
+        '''
+        result = self._values.get("subject_key")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "SAMLOptionsProperty(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_opensearchservice.TLSSecurityPolicy")
 class TLSSecurityPolicy(enum.Enum):
     '''The minimum TLS version required for traffic to the domain.'''
@@ -7823,6 +8040,7 @@ __all__ = [
     "EngineVersion",
     "IDomain",
     "LoggingOptions",
+    "SAMLOptionsProperty",
     "TLSSecurityPolicy",
     "WindowStartTime",
     "ZoneAwarenessConfig",
@@ -7835,6 +8053,8 @@ def _typecheckingstub__c1e95392d4761126042f2d6d6160889a80c269d2f13c21476fe92febd
     master_user_arn: typing.Optional[builtins.str] = None,
     master_user_name: typing.Optional[builtins.str] = None,
     master_user_password: typing.Optional[_SecretValue_3dd0ddae] = None,
+    saml_authentication_enabled: typing.Optional[builtins.bool] = None,
+    saml_authentication_options: typing.Optional[typing.Union[SAMLOptionsProperty, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -8378,6 +8598,19 @@ def _typecheckingstub__6f2efbcf1fc757504a748851740a44deb59ed98ee9c1d8c213d60960f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__3971b3c73627d57587c667b1ede64fbba4de4fd4a086af959dc2d0f812f8e36b(
+    *,
+    idp_entity_id: builtins.str,
+    idp_metadata_content: builtins.str,
+    master_backend_role: typing.Optional[builtins.str] = None,
+    master_user_name: typing.Optional[builtins.str] = None,
+    roles_key: typing.Optional[builtins.str] = None,
+    session_timeout_minutes: typing.Optional[jsii.Number] = None,
+    subject_key: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6aa10c95f5a58e650c77a0c42630f2fa77e6475974ad59138caebb586e5fad2c(
     *,
     hours: jsii.Number,