These steps will guide you through setting up single-role single sign-on for Amazon Web Services (AWS).
If you are trying to configure OneLogin SAML SSO to support multiple AWS roles or multiple AWS accounts, see Configuring SAML for Amazon Web Services (AWS) with Multiple Accounts and Multiple Roles.
In some cases, a field macro or custom user field can be used. However, using a custom user field requires a OneLogin unlimited account. Please contact your OneLogin support team for further information or see Custom User Fields.
Starting in OneLogin
In the OneLogin dashboard, do the following:
- Go to Apps > Add Apps.
- Search for Amazon Web Services (AWS), the SAML 2.0 connector, and select it.
You may edit the Display Name if desired.
- Click Save.
- Select the SSO tab.
- Copy down the Issuer URL.
- Visit this URL in a different browser window to download the metadata XML document. You will need this in the next section.
Configuring Amazon Web Services as the Service Provider
In your Amazon Web Services Management Console do the following:
- Select IAM.
- On the subsequent page, select Identity Providers.
- Select Create SAML Provider.
- A new pop-up will appear; these steps walk you through adding OneLogin as a trusted identity provider to your Amazon Web Services tenant/management console.
- Provide a name for the Identity Provider (such as OneLogin).
- Upload the metadata XML document you downloaded in step 5 of the Starting in OneLogin section above.
- For the provider, select OneLogin.
- Select Roles from the list.
- Click Create New Role at the top.
- Provide a friendly name for your role.
- For "Role Type", click Role For Identity Provider Access.
- Select Grant Web Single Sign-On (Web SSO) access to SAML Providers.
- Choose the SAML Provider you created in the previous steps.
- Decide how you want to condition access to this role. We provide a wide variety of SAML attributes you can match against.
Note: At least one condition *must* be present. WebSSO defaults to using the SAML:aud condition and it cannot be changed to another :aud value.
- Review the policy that was created.
- Choose the access policy (i.e., permissions) federated users will inherit when using this role.
- Review your settings.
We will now copy the appropriate value into the corresponding custom attribute field in OneLogin. This value is built from the ARN identifiers generated by AWS for the Role and for the SAML Provider.
The format of the field value is "roleARN,SAML Provider ARN": both ARNs, with the Role ARN first, separated by a comma. You can find each ARN by selecting the item in the AWS interface and reading the details that display below it.
The value we would use in the macro field is:
- the two ARN values with a comma separating them.
Back in the OneLogin admin dashboard, do the following:
- Go to the Parameters tab and ensure that Credentials are Configured by Admin.
The default OneLogin mappings are as follows:
- Amazon Username -> Email
- Role -> No default (Role will be a custom field or OneLogin macro configured later)
- RoleSessionName -> Email
RoleSessionName and Amazon Username are used to identify the username displayed in the AWS interface and the user identifier while the session is active. The default OneLogin value is Email, but if your users have email addresses longer than 32 characters, we recommend using userPrincipalName or the AD username instead.
This value must be between 2 and 32 characters long, can contain only alphanumeric characters, underscores, and the characters +=,.@-, and cannot contain spaces.
- Click Save.
- Go back to Apps > Company Apps > Amazon Web Services > Parameters.
- Select the Role field.
- Choose -Macro-, and then enter your AWS Role ARN value pairing.
- Click Save.
This will associate the configured Amazon Username and RoleSessionName with the ARN role value pairing.
Note: This creates a single app in OneLogin for that specific role, and SSO from that app lands in that Role in AWS. This means that for each role you sign into in AWS, you will have to create a separate OneLogin app that maps to that ARN role value pairing.
- Click Save.
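As an added preflight check, which is not part of OneLogin's documentation or either product's code, the following Python snippet validates the two values this page asks you to type by hand: the Role macro (role ARN, a comma, then SAML provider ARN) and the RoleSessionName length and character rules. The ARN patterns are assumed general IAM ARN shapes, and every sample value is constructed.

```python
import re

# Constructed sample values: the account id and names are placeholders, not real.
ROLE_ARN = "arn:aws:iam::123456789012:role/OneLoginFederatedUser"
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/OneLogin"
MACRO_VALUE = f"{ROLE_ARN},{PROVIDER_ARN}"

# Assumed IAM role and SAML-provider ARN shapes (12-digit account id captured).
_ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
_PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# RoleSessionName rule from this page: 2-32 chars, alphanumerics plus +=,.@-, no spaces.
_SESSION_RE = re.compile(r"^[A-Za-z0-9+=,.@-]{2,32}$")


def check_role_macro(value: str) -> list[str]:
    """Return the problems found in a 'roleARN,providerARN' macro value (empty if OK)."""
    problems = []
    parts = value.split(",")
    if len(parts) != 2:
        return [f"expected exactly one comma separating two ARNs, got {len(parts) - 1}"]
    role, provider = (p.strip() for p in parts)
    role_m = _ROLE_RE.match(role)
    prov_m = _PROVIDER_RE.match(provider)
    if not role_m:
        problems.append(f"first value is not an IAM role ARN: {role!r}")
    if not prov_m:
        problems.append(f"second value is not a SAML provider ARN: {provider!r}")
    # Single-account setup: the role and the provider should live in the same account.
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        problems.append("role and SAML provider belong to different AWS accounts")
    if " " in value:
        problems.append("value contains whitespace; AWS will not match the role")
    return problems


def check_session_name(name: str) -> list[str]:
    """Return the problems found in a RoleSessionName candidate such as an email."""
    problems = []
    if not 2 <= len(name) <= 32:
        problems.append(f"length {len(name)} is outside 2-32 characters")
    if not _SESSION_RE.match(name):
        problems.append("contains characters outside A-Za-z0-9 and +=,.@- (or a space)")
    return problems


if __name__ == "__main__":
    print("macro:", check_role_macro(MACRO_VALUE) or "OK")
    print("session name:", check_session_name("jane.doe@example.com") or "OK")
```

Run it against the value you intend to paste into the -Macro- field and the attribute you mapped to RoleSessionName; an empty list means the value passes both of this page's stated rules.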
With the configuration complete, OneLogin and Amazon Web Services should be connected through SAML!