Setting up SSO with Amazon Web Services

The EmpowerID SSO framework allows you to create an SSO connection with Role passing for Amazon Web Services (AWS).

This topic demonstrates how to create an SSO application in EmpowerID for SSO with Role Passing for AWS and is divided into the following activities:

As a prerequisite to setting up EmpowerID for SSO with AWS, you must have an AWS account.

To create the AWS SAML Connection

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to the find protected application resource page by expanding Applications and clicking Manage Applications.
  2. From the Actions pane of the find protected application resource page, click the Create SAML Connection link.
  3. This opens a blank Connection Details form. This form provides all the fields needed to create the SAML connection.

  4. Select Service Provider as the SAML Connection Type.
  5. Underneath Service Provider Details do the following:
    1. Select Default SSO Connection Settings from the SAML Application Template drop-down.
    2. Type https://signin.aws.amazon.com/saml in the Assertion Consumer URL field.
    3. Leave the Send RelayState to Provider and RelayState fields empty.
    4. The Service Provider Details section of the form should look like the below image.

  6. In the Connection Details section of the form, do the following:
    1. Type a name, display name and description for the SSO connection in the Name, Display Name, and Description fields, respectively.
    2. Select HTTPPost from the SAML Submission Method drop-down.
    3. Select Persistent from the Name Identifier Format drop-down.
    4. Leave the Issuer field as is.
    5. In the User Entered URL field, replace <ServiceProviderName> with the name of the connection you are creating.
    6. Leave the Tile Image URL field as is.
    7. The Connection Details section of the form should look like the below image.

  7. Under Single Logout Configuration, verify that HTTPArtifact is selected as the Logout SAML Protocol.
  8. Under Account Information, either select Create a New Account Directory (recommended) or select an existing account directory from the Select existing Account Directory drop-down. Creating a new account directory for the SSO connection is advantageous in that doing so creates a one-to-one correlation between the account store and the connection, as well as any applications that use the SSO connection. In our example, we are creating a new account directory.
  9. Select the signing certificate used in your EmpowerID deployment from the Signing Certificate drop-down. Leave the other certificate fields empty.
  10. Click the Advanced Configuration tab.
  11. Under SAML User Configuration, verify that User ID in Subject Name Identifier is selected.
  12. Under Signing and Encryption, verify that the Assertion Encryption Method value is set to XmlEncAES256Url.
  13. Click the Subject Confirmations tab.
  14. Click the Add New (+) button and in the Details pane that appears, do the following:
    1. Type AWSSubjectConfirmation in the Name field.
    2. Select Transient from the Name Identifier drop-down.
    3. Select Bearer from the Subject Confirmation drop-down.
    4. Type https://signin.aws.amazon.com/saml in the Recipient field.
    5. Click Save.
    6. You should see the Added flag update from 0 to 1.

  15. Click the Audiences tab.
  16. Click the Add New (+) button and in the Details pane that appears, do the following:
    1. Type AWS Audience in the Name field.
    2. Type https://signin.aws.amazon.com/saml in the Recipient field.
    3. Click Save.
    4. You should see the Added flag update from 0 to 1.

  17. Click the Attributes tab. From this tab, you will create a SAML attribute statement with three SAML attributes.
  18. Click Create a New SAML Attribute Statement and then click Create a SAML Attribute.
  19. In the SAML Attribute pane that appears, do the following:
    1. Type https://aws.amazon.com/SAML/Attributes/Role in the Name field.
    2. Type AWS Groups in the Display Name field.
    3. Type {Group} in the Attribute Value field.
    4. Select AWS from the Format drop-down.
    5. Click Save.
  20. To add the second attribute to the statement, click the Add New (+) button and in the Details pane that appears, do the following:
    1. Type https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Name field.
    2. Type RoleSessionName in the Display Name field.
    3. Select Mapped Attribute.
    4. Type {PersonPrincipal.Email} in the Attribute Value field.
    5. Select Unspecified from the Format drop-down.
    6. Click Save.
  21. To add the third attribute to the statement, click the Add New (+) button again and in the Details pane that appears, do the following:
    1. Type AWS Management Roles in the Name field.
    2. Type AWS Management Roles in the Display Name field.
    3. Type {ManagementRole} in the Attribute Value field.
    4. Select AWS from the Format drop-down.
    5. Click Save.
  22. Click Save to create the SSO Connection. After the connection is created, you need to export the EmpowerID metadata file for it. This file will be used later when setting up AWS for your SSO application.
  23. After EmpowerID creates the connection, navigate to SSO Connection Manager by expanding Admin > SSO Connection and clicking SAML.
  24. In SSO Connection Manager, search for the SSO connection you just created.
  25. Click the Display Name link.
  26. This directs you to the View One page for the connection.

  27. Click the Export EmpowerID Metadata button.
  28. This opens a new browser tab with the EmpowerID metadata in XML format.

  29. Copy the XML and save it as an XML file. You will upload this file to AWS later.
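The subject confirmation, audience and attribute settings above determine whether AWS accepts the assertion: the Recipient and Audience must match the Assertion Consumer URL exactly, and each Role value must be a role ARN and a SAML provider ARN separated by a comma. The following is an added example, not EmpowerID's or AWS's own code, that builds a constructed, unsigned assertion in that shape and checks it the way AWS will; the account ID, role name and provider name are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# The value the procedure enters as Assertion Consumer URL, Recipient and Audience
AWS_ACS = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

def build_assertion(recipient, audience, roles, session_name):
    """Constructed minimal assertion in the shape the connection above emits (no signature)."""
    role_values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Subject><saml:NameID>x</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">
  <saml:SubjectConfirmationData Recipient="{recipient}"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTR}">{role_values}</saml:Attribute>
  <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>{session_name}</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def check_aws_assertion(xml_text):
    """Return the list of problems AWS would reject the assertion for; empty means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    sc = root.find(".//saml:SubjectConfirmation", NS)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if sc is None or sc.get("Method") != BEARER:
        problems.append("subject confirmation is not bearer")
    if scd is None or scd.get("Recipient") != AWS_ACS:
        problems.append("Recipient does not match the AWS ACS URL")
    if AWS_ACS not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not name the AWS ACS URL")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("Role attribute missing")
    for value in roles:  # each value must be "<role ARN>,<saml-provider ARN>"
        parts = value.split(",")
        if (len(parts) != 2 or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]
                or not all(p.startswith("arn:aws:iam::") for p in parts)):
            problems.append("malformed Role value: " + value)
    if not any(attrs.get(SESSION_ATTR, [])):
        problems.append("RoleSessionName attribute missing or empty")
    return problems

# Constructed sample value: the account ID, role name and provider name are placeholders
GOOD_ROLE = "arn:aws:iam::123456789012:role/EmpowerIDAdmin,arn:aws:iam::123456789012:saml-provider/EmpowerID"
```

A Recipient typed as https://sigin.aws.amazon.com/saml (one letter off from the ACS URL) is reported as a mismatch, which is the failure you would otherwise only see as a generic sign-in error on the AWS side.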

The next step is to create the AWS application, adding to it the SSO connection you just created.

To Create the AWS application in EmpowerID

  1. From the Navigation Sidebar, navigate to the find protected application resource page by expanding Applications and clicking Manage Applications.
  2. From the Actions pane of the find protected application resource page, click the Create Application link.
  3. This opens a blank Application Details form. This form provides all the fields needed to create the AWS application.

  4. Select the General tab of the page.
  5. Type a name, display name and description for the AWS application in the Name, Display Name and Description fields, respectively.
  6. Optionally, replace the value in the Icon field with the path to the Amazon Web Services application image. The new value should be ~/Common/Images/AppLogos/amazon-webservices.png.
  7. Specify whether to allow users to request access to the application by selecting or deselecting Allow Access Requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
  8. Specify whether to allow users to request an account in the application by selecting or deselecting Allow Request Account. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
  9. Specify whether to give users the ability to claim an account they have in the application by selecting or deselecting Allow Claim Account. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
  10. Deselect Requires Account for SSO.
  11. Deselect Login Is Email Address.
  12. Specify whether you are the owner of the application by selecting or deselecting Make me the Application Owner. Application owners have the ability to manage the application and approve or deny access requests.
  13. Leave Configure Advanced Claim and Request Account Options deselected, unless you have custom pages and workflows configured in EmpowerID for processing access requests. If you have these, then select the option and provide the appropriate advanced configuration information.
  14. At this point, the General tab of the form should look similar to the below image.

  15. Click the Single Sign-On tab.
  16. Select SAML from the Single Sign-On Connection Type drop-down.
  17. Type the name of the AWS SAML connection you created above in the SAML Connection field and then click the tile for the connection to select it.
  18. Click the Users tab. You should see the account directory you selected for the AWS SSO connection listed in the Select existing Account Directory field.
  19. Click the Add to cart button located at the bottom of the page.
  20. Click the Cart icon located at the top of the page, type a comment in the Justification field and then click Submit.
  21. The next step is to set up AWS for your application.

To set up AWS for your application

  1. From your Web browser, log in to your AWS console as an administrator.
  2. From the AWS console, select Identity & Access Management.
  3. Click the Identity Providers navigational link and then click Create Provider.
  4. Select SAML from the Provider Type drop-down.
  5. Type a name in the Provider Name field.
  6. To the right of Metadata Document, click Choose File and upload the EmpowerID Metadata XML file you exported and saved when you created the SSO Connection earlier.
  7. Click Next Step.
  8. Verify the provider information and then click Create.
  9. AWS creates the SAML provider and displays a message stating that you must create an IAM role using the provider's trust policy.

  10. Click the Do this now link.