Use this guide to enable Multi-Factor Authentication and Single Sign-on (SSO) access via SAML to AWS.
Three configuration steps are involved in the integration process:
Create a SecureAuth IdP realm for the AWS SAML integration, and generate the SAML metadata file used by AWS to validate assertions from SecureAuth IdP (SecureAuth IdP Configuration Steps Part 1).
Configure AWS to use SecureAuth IdP as a SAML Identity Provider, and create a Role that can access the AWS account via SSO (AWS Configuration Steps).
Input values from the AWS Role into the SecureAuth IdP realm to configure the SAML provider (SecureAuth IdP Configuration Steps Part 2).
Definitions / Descriptions
IdP Init (Identity Provider Initiated): The Identity Provider is used to initiate the login process by providing a SAML assertion.
IAM Role: A set of permissions that grant a user or service access to AWS resources. The permissions are attached to the role itself, not to an IAM user or group. At run time, applications or AWS services (e.g. Amazon EC2) can programmatically assume a role; when a role is assumed, AWS returns temporary security credentials that the user or application uses to make programmatic requests to AWS. Because no long-term security credentials need to be shared, a separate IAM user does not have to be created for each entity that needs access to a resource.
ARN: Amazon Resource Names that uniquely identify AWS resources for IAM policies, tags, and API calls.
AWS Configuration Steps
2. Click the Identity & Access Management link in the Security & Identity section
3. Select Identity Providers in the left pane and then click Create Provider at the top of the target pane
4. Select SAML from the Provider Type dropdown
5. Set the Provider Name, which cannot be changed once the Identity Provider profile is created in AWS
6. Click Choose File and select the MetaData.xml file downloaded from the SecureAuth IdP Web Admin (step 11)
7. Click Next Step
8. Review configured settings and click Create
9. Details about the SAML Identity Provider appear after the provider is successfully created
Role Creation is required for this integration. Any role (e.g. Admin or User role) can be utilized based on AWS preferences, but the created role must be applied to all end-users accessing the SecureAuth IdP realm.
As a best practice, SecureAuth recommends creating a SecureAuth IdP realm for each distinct AWS Role (e.g. SecureAuth IdP realm 1 for Admins; SecureAuth IdP realm 2 for Users). There are other options available; however, this method would require the least amount of configuration.
If utilizing only one Role (e.g. Admins), then only one SecureAuth IdP realm is required for AWS access.
For multiple Roles, and therefore multiple realms, the SecureAuth IdP Configuration Steps Part 1 and Part 2 must be repeated for each new realm; the Part 2 configuration for the second realm uses the different ARN values generated by completing the following steps for the second Role.
10. Select Roles in the left pane and then click Create New Role at the top of the target pane
Role Name and Type
11. Set the Role Name and click Next Step
12. Select Role for Identity Provider Access and click Select to Grant Web Single Sign-on (Web SSO) access to SAML providers
13. Click Next Step
14. Select the newly-created SAML provider (steps 2 - 9) from the dropdown and click Next Step
15. Verify the Role's trust relationship and click Next Step
Attach Policy and Review
16. Select one or more policies to attach to the Role and click Next Step
17. Review information assigned to the Role, make any necessary edits, and then click Create Role
Note that the Role ARN and the Trusted Entities SAML Provider ARN appear on the Review page. These two ARN values are stored either on the Active Directory server or as a Global Auxiliary ID (as shown in SecureAuth IdP Configuration Steps Part 2), separated by a comma (e.g. arn:aws:iam::591083713422:role/Admin,arn:aws:iam::591083713422:saml-provider/SecureAuthTest). This information can be viewed at any time on the Trust Relationships tab of the Roles Summary page for the configured entity.
Roles Summary Screen Example
SecureAuth IdP Configuration Steps Part 2
1. In the Global Aux Fields section, set Global Aux ID 1 to the Role ARN and Trusted Entities SAML Provider ARN values (e.g. arn:aws:iam::591083713422:role/Admin,arn:aws:iam::591083713422:saml-provider/SecureAuthTest)
This is a suggested configuration rather than storing the values in the enterprise directory
If storing the values in the directory, then the attribute used to contain the values (e.g. description, postalAddress, etc.) must be mapped to a SecureAuth IdP Profile Property (e.g. Aux ID 1)
Click Save once the configurations are completed and before leaving the Data page to avoid losing changes
2. In the SAML Attributes / WS Federation section, set the Name for Attribute 1 to https://aws.amazon.com/SAML/Attributes/Role
3. Select Global Aux ID 1 from the Value dropdown
If storing the ARN values in the directory instead of employing the Global Aux ID, then select the SecureAuth IdP Profile Property mapped to the attribute containing the ARN values
4. Set the Name for Attribute 2 to https://aws.amazon.com/SAML/Attributes/RoleSessionName
5. Select Authenticated User ID from the Value dropdown
This value appears in the upper right area of the AWS Management Console once the user is logged in
Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes
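The two pieces of configuration above that most often go wrong are the Role ARN / SAML Provider ARN pair stored in Global Aux ID 1 (or the directory attribute) and the role's trust relationship verified in step 15 of the AWS steps. The following Python script is an added example, not part of this guide or of SecureAuth's product: it validates the comma-separated ARN pair, confirms that a role trust policy in the shape the AWS console generates for a SAML identity provider admits that provider via sts:AssumeRoleWithSAML, and renders the two SAML attributes configured in Part 2 as an AttributeStatement. The ARN values are the guide's own example values; the trust policy, the session name and the helper names are constructed for this example.

```python
import json
import re
from xml.sax.saxutils import escape

# Constructed sample input: the ARN pair quoted in the guide (Global Aux ID 1).
# The account ID and names are the guide's example values, not a live account.
ROLE_ATTR_VALUE = (
    "arn:aws:iam::591083713422:role/Admin,"
    "arn:aws:iam::591083713422:saml-provider/SecureAuthTest"
)

# Constructed sample trust policy in the shape the AWS console generates for a
# "Role for Identity Provider Access" (the one reviewed in step 15).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::591083713422:saml-provider/SecureAuthTest"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# IAM ARNs carry an empty region field, hence the double colon before the
# 12-digit account ID. Commas are excluded from the role name here so that
# the comma-separated pair stays unambiguous.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# AWS constraint on RoleSessionName: 2 to 64 characters from this set.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def parse_role_attribute(value):
    """Split and validate "<role ARN>,<SAML provider ARN>" from Global Aux ID 1.

    Returns (role_arn, provider_arn) or raises ValueError describing the defect,
    so a misconfigured realm is caught before an end user sees an AWS error.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly two comma-separated ARNs")
    role_arn, provider_arn = parts
    role_match = ROLE_ARN_RE.match(role_arn)
    provider_match = PROVIDER_ARN_RE.match(provider_arn)
    if not role_match:
        raise ValueError(f"malformed role ARN: {role_arn}")
    if not provider_match:
        raise ValueError(f"malformed SAML provider ARN: {provider_arn}")
    if role_match.group(1) != provider_match.group(1):
        raise ValueError("role and SAML provider belong to different AWS accounts")
    return role_arn, provider_arn


def role_attribute_error(value):
    """Return None if value is a valid Role attribute, else the error message."""
    try:
        parse_role_attribute(value)
    except ValueError as exc:
        return str(exc)
    return None


def trust_policy_allows(provider_arn, trust_policy_json):
    """True if some Allow statement lets provider_arn assume the role via SAML.

    Checks the three things step 15 shows: a Federated principal equal to the
    provider ARN, the sts:AssumeRoleWithSAML action, and the SAML:aud condition
    pinned to the AWS sign-in endpoint.
    """
    policy = json.loads(trust_policy_json)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithSAML" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", [])
        federated = [federated] if isinstance(federated, str) else federated
        if provider_arn not in federated:
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud == AWS_SAML_AUDIENCE:
            return True
    return False


def build_attribute_statement(role_attr_value, session_name):
    """Render the Part 2 attributes (Role, RoleSessionName) as SAML 2.0 XML."""
    role_arn, provider_arn = parse_role_attribute(role_attr_value)
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"RoleSessionName rejected by AWS constraints: {session_name!r}")
    attrs = {
        "https://aws.amazon.com/SAML/Attributes/Role": f"{role_arn},{provider_arn}",
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": session_name,
    }
    lines = ['<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">']
    for name, value in attrs.items():
        lines.append(f'  <saml:Attribute Name="{escape(name, {chr(34): "&quot;"})}">')
        lines.append(f"    <saml:AttributeValue>{escape(value)}</saml:AttributeValue>")
        lines.append("  </saml:Attribute>")
    lines.append("</saml:AttributeStatement>")
    return "\n".join(lines)


if __name__ == "__main__":
    role_arn, provider_arn = parse_role_attribute(ROLE_ATTR_VALUE)
    print("trust policy admits provider:", trust_policy_allows(provider_arn, SAMPLE_TRUST_POLICY))
    print(build_attribute_statement(ROLE_ATTR_VALUE, "jdoe"))
    # A single colon after "iam" (a common copy error) is rejected before it reaches AWS:
    print(role_attribute_error("arn:aws:iam:591083713422:role/Admin," + provider_arn))
```

Run it as-is to see the rendered AttributeStatement for the guide's example ARNs; to check a real realm, paste the Global Aux ID 1 value into ROLE_ATTR_VALUE and the role's trust policy JSON from the Trust Relationships tab into SAMPLE_TRUST_POLICY. A False from trust_policy_allows means AWS will refuse the assertion even though the attribute value is well-formed, which is the usual cause of an "invalid role" error after SSO.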