Configuring Single Sign-On (SAML) for Amazon Web Services

Identacor offers ease of access and secure authentication, serving as a single sign-on (SSO) provider to over 2500 cloud and software as a service (SaaS) applications using open standard data formats. Amazon Web Services supports the Security Assertion Markup Language (SAML) based single sign-on (SSO) protocol. With Identacor, configuring SSO/SAML authentication for Amazon Web Services (AWS) is just a snap! The following steps will guide you through the process to set up and allow single sign-on (SSO) for Amazon Web Services:

Step 01: Download SAML Metadata

  1. Log in to your Identacor subdomain as Administrator and navigate to Applications > Application Catalog > Amazon AWS Application. Click Add.

  2. Amazon AWS requires an XML file with information generated in your Identacor instance. You can download this file by navigating to the Getting Started tab and clicking on the SAML 2.0 Metadata link. Save this file locally.

Step 02: Configure Amazon Web Services

  1. Go to your Amazon Web Services Console and select IAM (Secure AWS Access Control).

  2. Choose Identity Providers and create a new SAML provider.

  3. Upload the SAML 2.0 metadata XML file you saved in Step 1 and create the provider.

  4. Click Close to finish creating the SAML Provider and move on to the next step.

Step 03: Creating an IAM Role for WebSSO in AWS

The IAM role establishes trust with the identity provider and defines the permissions granted to the federated user. Therefore, the next step is to create an IAM role for SSO in AWS.

  1. In the left navigation, click Roles and select Create Role. In the new pop-up window, enter a Role Name and click Continue.

  2. For the role type, choose Role for Identity Provider Access and click Select to grant Web Single Sign-On (SSO) access to SAML identity providers.

  3. Select your SAML Provider created in Step 2 and click Continue.

  4. Verify Role Trust

  5. Set permissions to define what access the new role grants.

    Select Administrator Access to provide full access to AWS services and resources.

    Select Power User Access to provide full access to AWS services and resources, but without management of users and groups.

    Select Read Only Access to provide read-only access to AWS services and resources.

  6. Verify your permissions draft and click Continue.

  7. Click Create Role to complete the process. Repeat Step 3 to create more roles.

Step 04: Setting Up Identacor

  1. In the SSO Tab, select the attribute that represents the Amazon AWS Username. In most cases this should be set to the email address.

  2. Under the SSO Tab, set the Role Session Attribute to Email Address. This automatically creates the custom RoleSessionName attribute https://aws.amazon.com/SAML/Attributes/RoleSessionName

  3. Add the IDP ARN and Role ARN values. You obtained the IDP ARN and Role ARN values when you created the SAML Provider and Roles in the AWS IAM Console in the earlier steps. This automatically creates the custom Role attribute https://aws.amazon.com/SAML/Attributes/Role
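As an added example (not part of the Identacor documentation or any AWS code), the following Python parses the RoleSessionName and Role attributes from a SAML assertion and checks that every Role value has the role-ARN,provider-ARN form AWS expects, with both ARNs in the same account. The assertion, the provider name and the account id 123456789012 are constructed placeholders.

```python
# Added example (not Identacor's or AWS's code): parse the AWS SAML attributes
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample assertion; 123456789012 is a placeholder account id.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/Identacor</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def aws_attributes(assertion_xml):
    """Map attribute Name -> list of values found in the AttributeStatement."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return attrs

def parse_role_value(value):
    """Split 'role-arn,provider-arn' (either order); None if malformed or cross-account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return None
    role = next((p for p in parts if ROLE_ARN.match(p)), None)
    provider = next((p for p in parts if PROVIDER_ARN.match(p)), None)
    if role is None or provider is None:
        return None
    if ROLE_ARN.match(role).group(1) != PROVIDER_ARN.match(provider).group(1):
        return None  # role and provider must live in the same AWS account
    return role, provider

def validate(assertion_xml):
    """Return (session_name, [(role_arn, provider_arn), ...]) or raise ValueError.
    Signature checking is the service provider's (AWS's) job and is not done here."""
    attrs = aws_attributes(assertion_xml)
    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        raise ValueError("exactly one RoleSessionName is required")
    roles = [parse_role_value(v) for v in attrs.get(ROLE_ATTR, [])]
    if not roles or None in roles:
        raise ValueError("every Role value must be 'role-arn,provider-arn'")
    return session[0], roles
```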

Step 05: Assign Users and Groups

  1. After the account administrator completes the single sign-on configuration, navigate to the Users and Groups tab to assign access to the application.

Step 06: Sign In Now!

  1. After the above setup tasks are complete, you can test single sign-on by clicking the portal link on your Application Portal page. You can also initiate single sign-on from your web browser, or embed the direct Single Sign-On link on a company portal site. Users are issued temporary AWS security credentials that last up to 1 hour.