Amazon web services (AWS) can be configured for SSO using WSO2 Identity Cloud by adding it as an application. After the configuration is done, you can simply access the AWS application from the applications list in the User Portal of WSO2 Identity Cloud. This triggers an authentication request to the Identity Cloud using the SAML protocol. The Identity Cloud sends an authentication response, and you are able to log in to AWS. The following diagram illustrates this process:
Figure: Accessing a AWS application using Identity Cloud
Before you begin, download the metadata XML file that allows you to set the identity cloud configuration details in any third-party application without having to key them in.
- Log in to WSO2 Identity Cloud.
Click the menu icon on the top, left corner of the screen and click Applications:
Alternatively, click Overview on the menu bar and click View Applications.
- Click DOWNLOAD IDP METADATA to download the IDP metadata file. (This file gets downloaded to a local folder.)
Let's get started!
Setting up AWS for SSO
Go to https://aws.amazon.com and click Sign in to the Console.
- Sign in to AWS Console using a valid AWS account.
- In the AWS Services page, under Security, Identity & Compliance, click IAM.
- In the left navigation panel, click Identity providers.
- Click Create Provider.
- Create an identity provider by selecting the provider type as SAML, entering a Provider Name, uploading IDP metadata xml file, and clicking Next Step.
- Verify the Provider information and click Create.
Once the Identity Provider is created, you see the following screen with the message that the SAML provider is created and the created provider is listed with Type of protocol and Creation Time.
- Now, you need to configure a role for SSO. In the left navigation panel, click Roles.
- Click Create new role.
- In Select role type screen, select Role for identity provider access option and select Grant Web Single Sign-On (WebSSO) access to SAML providers by clicking Select button.
- In Establish Trust page, select the SAML provider that you have creating the role for (i.e. wso2_identity_cloud) and click Next Step.
- In Verify Role Trust page, verify the Policy Document, and Next Step.
- In Attach Policy page, select AdministratorAccess policy and click Next Step.
- In Set role name and review page, provide a valid role name and click Create Role.
Once the role is created, you can see it is listed with it's name, description and creation time.
- The next step is to configure an on-premise user store for AWS. Since AWS needs a special claim to help them decide the permissions of the signing in user, the following changes should be done in the <
ON_PREMISE_AGENT_HOME>/conf/claim-config.xmlfile. This file is created when you download the agent.
AWS LDAP Settings
It is required at the AWS end to have an LDAP attribute set for the users.
The value of the attribute should be <AWS_SSO_ROLE_ARN>,<AWS_SSO_IDP_ARN>
Configuring WSO2 Identity Cloud for SSO with AWS
- Log in to WSO2 Identity Cloud.
Click the menu icon on the top, left corner of the screen.
- Click Applications from the Admin Portal to navigate to the Application list.
- Click ADD APPLICATION to add a AWS application.
- Select AWS icon.
- Provide an application name and click Add.
- In Store Configuration, provide a Display name, and click Save.
The added AWS app is displayed in Identity Cloud/Applications page.
- Once the application is added, it is listed in User Portal. Click Go to User Portal at the top right corner of the page.
- Click the added AWS App.
Now you can access the AWS home page without having to sign in because you configured SSO between AWS and WSO2 Identity Cloud.