This document contains specific information for SecureAuth IdP version 7.x. If using a different version of SecureAuth IdP, refer to the 8.x, 9.0.x, or 9.1 - 9.2 space accordingly.

Introduction

Use this guide to enable 2-Factor Authentication and Single Sign-on (SSO) access via SAML to AWS.

Three configuration steps are involved in the integration process:

  1. Create a SecureAuth IdP realm for the AWS SAML integration, and generate the SAML metadata file used by AWS to validate assertions from SecureAuth IdP (SecureAuth IdP Configuration Steps Part 1)
  2. Configure AWS to use SecureAuth IdP as a SAML Identity Provider, and create a Role that can access the AWS account via SSO (AWS Configuration Steps)
  3. Input values from the AWS Role into the SecureAuth IdP realm to configure the SAML provider (SecureAuth IdP Configuration Steps Part 2)

Definitions / Descriptions

  • IdP Init (Identity Provider Initiated): the login starts at the Identity Provider, which authenticates the user, builds the SAML assertion and posts it to the service provider (here, AWS) without a prior authentication request from the service provider.
  • IAM Role: A set of permissions that grant a user or service access to AWS resources, which are attached to this role, but not to the IAM user or group. At run time, applications or AWS services (e.g. Amazon EC2) can programmatically assume a role; and when a role is assumed, AWS returns temporary security credentials that the user or application can use to make programmatic requests to AWS. Since long-term security credentials are not required to be shared, separate IAM users do not need to be created for each entity that needs access to a resource.
  • ARN: Amazon Resource Names that uniquely identify AWS resources for IAM policies, tags, and API calls.
Prerequisites

1. Have an AWS account established

Create an account here

2. Have SecureAuth IdP 7.4+

3. Create a New Realm in the SecureAuth IdP Web Admin for the AWS integration

4. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • User Interface – the description of the realm must be defined
  • Data Store – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access this application must be defined
  • Registration Methods – the SSO Authentication method that will be used to access this page, as well as the realm's SMTP configuration, must be defined  

SecureAuth IdP Configuration Steps Part 1
Post Authentication


1. In the Post Authentication section, select SAML 2.0 (IdP Initiated) Assertion from the Authenticated User Redirect dropdown

2. The Redirect To field is auto-populated with a fixed, non-editable path (Authorized/SAML20IdPInit.aspx), which is appended to the domain name and realm number shown in the address bar

User ID Mapping


3. Select Authenticated User ID from the User ID Mapping dropdown

4. Select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent from the Name ID Format dropdown

SAML Assertion / WS Federation


5. Set the SAML Consumer URL to https://signin.aws.amazon.com/saml

6. Set WSFed / SAML Issuer to a Unique Name that will be shared with AWS

The WSFed/SAML Issuer must match exactly (including case) on the SecureAuth IdP side and the AWS side: AWS takes the expected issuer from the entityID in the uploaded metadata file and rejects assertions whose Issuer element differs

7. Set SAML Recipient to https://signin.aws.amazon.com/saml

8. Set SAML Audience to https://signin.aws.amazon.com/saml

9. Select True from the Sign SAML Assertion dropdown

10. Leave the Signing Cert Serial Number as the default value, unless there is a third-party certificate being used for the SAML assertion

If using a third-party certificate, click Select Certificate and choose the appropriate certificate

11. Provide the Domain name (Public Server Address) and click Download to save a copy of the realm's Metadata File

Be sure to note the download location of MetaData.xml; this file is used in the AWS Configuration Steps

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Additional SecureAuth IdP configuration steps are required after completing the AWS Configuration Steps (see below)
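Before uploading MetaData.xml in the AWS steps, it is worth confirming what the file actually tells AWS: the entityID (which must equal the WSFed / SAML Issuer set in step 6) and the signing certificate AWS will use to validate assertions. The following Python script is an added example, not part of this guide or of SecureAuth's product. The embedded metadata is a constructed stand-in in the standard SAML 2.0 metadata shape; the entityID SecureAuthAWS, the host idp.example.com, the realm path and the certificate body are assumed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the downloaded MetaData.xml, in the standard SAML 2.0
# metadata shape. The entityID "SecureAuthAWS", the host idp.example.com, the realm
# path and the certificate body are assumed placeholders, not SecureAuth's real output.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="SecureAuthAWS">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/SecureAuth1/Authorized/SAML20IdPInit.aspx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 of the DER certificate bytes, colon-separated, for comparison with the step 10 certificate."""
    der = base64.b64decode("".join(b64_der.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_idp_metadata(xml_data) -> dict:
    """Extract the fields AWS relies on: entityID, signing cert(s), NameID formats, SSO endpoints."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is service-provider metadata, not IdP metadata")
    signing = [
        cert_fingerprint(cert.text)
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"   # a KeyDescriptor without 'use' serves both roles
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    if not signing:
        raise ValueError("no signing certificate: AWS could not validate signed assertions")
    return {
        "entity_id": root.get("entityID"),
        "signing_fingerprints": signing,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
    }


def issuer_matches(metadata: dict, configured_issuer: str) -> bool:
    """Exact, case-sensitive comparison: the Issuer in each assertion must equal the metadata entityID."""
    return metadata["entity_id"] == configured_issuer


if __name__ == "__main__":
    md = load_idp_metadata(SAMPLE_METADATA)
    print("entityID:", md["entity_id"])
    print("signing cert SHA-256:", md["signing_fingerprints"][0])
    print("issuer matches 'SecureAuthAWS'?", issuer_matches(md, "SecureAuthAWS"))
    print("issuer matches 'secureauthaws'?", issuer_matches(md, "secureauthaws"))
```

To check a real download, call load_idp_metadata(open("MetaData.xml", "rb").read()) and compare entity_id with the value entered in step 6 and the fingerprint with the certificate selected in step 10; a mismatch in either means AWS will reject every assertion the realm sends.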

AWS Configuration Steps
Create SAML Provider


1. Log into the AWS Management Console at https://console.aws.amazon.com

2. Click the Identity & Access Management link in the Security & Identity section

3. Select Identity Providers in the left pane and then click Create Provider at the top of the target pane

Configure Provider


4. Select SAML from the Provider Type dropdown

5. Set the Provider Name, which cannot be changed once the Identity Provider profile is created in AWS

6. Click Choose File and select the MetaData.xml file downloaded from the SecureAuth IdP Web Admin (step 11)

7. Click Next Step

Verify


8. Review configured settings and click Create


9. Details about the SAML Identity Provider appear after the provider is successfully created

Create Role

Role Creation is required for this integration. Any role (e.g. Admin or User role) can be utilized based on AWS preferences, but the created role must be applied to all end-users accessing the SecureAuth IdP realm.

As a best practice, SecureAuth recommends creating a SecureAuth IdP realm for each distinct AWS Role (e.g. SecureAuth IdP realm A for Admins; SecureAuth IdP realm B for Users). There are other options available; however, this method would require the least amount of configuration.

If utilizing only one Role (e.g. Admins), then only one SecureAuth IdP realm is required for AWS access.

For multiple Roles, and therefore multiple realms, the SecureAuth IdP Configuration Steps Part 1 and Part 2 would be required for the new realm, but the Part 2 configuration steps would include different ARN Values generated by completing the following steps for the second Role.


10. Select Roles in the left pane and then click Create New Role at the top of the target pane

Role Name and Type

11. Set the Role Name and click Next Step

12. Select Role for Identity Provider Access, and click Select next to Grant Web Single Sign-On (Web SSO) access to SAML providers

13. Click Next Step

Establish Trust

14. Select the newly-created SAML provider (steps 2 - 9) from the dropdown and click Next Step

15. Verify the Role's trust relationship and click Next Step

Attach Policy and Review

16. Select one or more policies to attach to the Role and click Next Step

17. Review information assigned to the Role, make any necessary edits, and then click Create Role

Note that the Role ARN and the Trusted Entities SAML Provider ARN both appear on the Review page. These two values are stored either in the enterprise directory (e.g. Active Directory) or in a Global Auxiliary ID (as shown in SecureAuth IdP Configuration Steps Part 2), as a single comma-separated string with the Role ARN first and no spaces (e.g. arn:aws:iam::591083713422:role/Admin,arn:aws:iam::591083713422:saml-provider/SecureAuthTest). Both ARNs have an empty region field, so there is a double colon before the account ID; a value with only a single colon is malformed and will not be accepted by AWS. The values can be viewed at any time on the Trust Relationships tab of the Role Summary page for the configured entity; the trust policy shown there should name only the SAML provider created above as the Federated principal, allow only sts:AssumeRoleWithSAML, and restrict SAML:aud to https://signin.aws.amazon.com/saml.

Roles Summary Screen Example

SecureAuth IdP Configuration Steps Part 2
Data Store


1. In the Global Aux Fields section, set Global Aux ID 1 to the Role ARN and the Trusted Entities SAML Provider ARN, comma-separated with the Role ARN first and no spaces (e.g. arn:aws:iam::591083713422:role/Admin,arn:aws:iam::591083713422:saml-provider/SecureAuthTest)

This is a suggested configuration rather than storing the values in the enterprise directory

If storing the values in the directory, then the attribute used to contain the values (e.g. description, postalAddress, etc.) must be mapped to a SecureAuth IdP Profile Property (e.g. Aux ID 1)

Click Save once the configurations are completed and before leaving the Data Store page to avoid losing changes

Post Authentication


2. In the SAML Attributes / WS Federation section, set the Name for Attribute 2 to https://aws.amazon.com/SAML/Attributes/Role

3. Select Global Aux ID 1 from the Value dropdown

If storing the ARN values in the directory instead of employing the Global Aux ID, then select the SecureAuth IdP Profile Property mapped to the attribute containing the ARN values

4. Set the Name for Attribute 3 to https://aws.amazon.com/SAML/Attributes/RoleSessionName

5. Select Authenticated User ID from the Value dropdown

This value is shown in the upper right area of the AWS Management Console once the user is logged in, and it is recorded in CloudTrail as part of the assumed-role session identity, so it should uniquely identify the user. AWS requires it to be 2 to 64 characters drawn from letters, digits and the characters + = , . @ - _

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes
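The Role value from the Create Role notes and the two attributes configured above are the parts of this integration that fail silently when mistyped, so it pays to check them offline before a user tries to log in. The following Python script is an added example, not part of this guide or of SecureAuth's product. It uses the account ID, role name and provider name from the guide's own examples; the trust policy it builds is the shape the Role for Identity Provider Access wizard writes, the RoleSessionName rule is the AssumeRoleWithSAML constraint, and the session name jsmith@example.com is an assumed placeholder.

```python
import json
import re
import xml.etree.ElementTree as ET

# Account ID, role name and provider name are the ones used in the guide's examples.
ACCOUNT_ID = "591083713422"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Admin"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/SecureAuthTest"
GLOBAL_AUX_ID_1 = f"{ROLE_ARN},{PROVIDER_ARN}"   # the value configured in Part 2 step 1

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# IAM ARNs have an empty region field, hence the double colon before the account ID.
# Commas are excluded from names here because the Role attribute is split on them.
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([A-Za-z0-9+=.@_/-]+)$")
# AssumeRoleWithSAML constraint on RoleSessionName: 2-64 characters from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def parse_iam_arn(arn: str):
    """Return (account, resource_type, name) or raise on a malformed ARN."""
    m = IAM_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"malformed IAM ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)


def validate_role_value(value: str):
    """Check a '<role-arn>,<provider-arn>' string as stored in Global Aux ID 1 or the directory."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("expected exactly 'role-arn,provider-arn'")
    role_arn, provider_arn = parts
    if role_arn != role_arn.strip() or provider_arn != provider_arn.strip():
        raise ValueError("no whitespace is allowed around the comma")
    role_acct, role_type, _ = parse_iam_arn(role_arn)
    prov_acct, prov_type, _ = parse_iam_arn(provider_arn)
    if (role_type, prov_type) != ("role", "saml-provider"):
        raise ValueError("order is role ARN first, then SAML provider ARN")
    if role_acct != prov_acct:
        raise ValueError("role and SAML provider must belong to the same account")
    return role_arn, provider_arn


def is_valid_role_value(value: str) -> bool:
    try:
        validate_role_value(value)
        return True
    except ValueError:
        return False


def expected_trust_policy_json(provider_arn: str) -> str:
    """Trust relationship the 'Role for Identity Provider Access' wizard writes in step 15."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }
    return json.dumps(policy, indent=2)


def trust_policy_ok(policy_json: str, provider_arn: str) -> bool:
    """True only if an Allow statement trusts exactly this provider for sts:AssumeRoleWithSAML
    and pins SAML:aud to the AWS sign-in endpoint; a wildcard principal or a missing
    audience condition fails the check."""
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        principal = principal.get("Federated") if isinstance(principal, dict) else principal
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in actions
                and principal == provider_arn and aud == AWS_SAML_AUDIENCE):
            return True
    return False


def build_attribute_statement(role_value: str, session_name: str) -> str:
    """Render the AttributeStatement that Attributes 2 and 3 produce in the assertion."""
    role_arn, provider_arn = validate_role_value(role_value)
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"RoleSessionName {session_name!r} violates the 2-64 char [\\w+=,.@-] rule")
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, text in ((ROLE_ATTR, f"{role_arn},{provider_arn}"), (SESSION_ATTR, session_name)):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = text
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    print(build_attribute_statement(GLOBAL_AUX_ID_1, "jsmith@example.com"))   # assumed session name
    print(expected_trust_policy_json(PROVIDER_ARN))
    # A single colon after 'iam' (a common copy error) is caught before it reaches AWS.
    print(is_valid_role_value(f"arn:aws:iam:{ACCOUNT_ID}:role/Admin,{PROVIDER_ARN}"))
```

Paste the role's actual trust policy from the Trust Relationships tab into trust_policy_ok to confirm it trusts only the provider created in the AWS steps; the check deliberately fails a Federated principal of "*" or a policy without the SAML:aud condition, since either would let an assertion for some other audience or provider assume the role.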