Amazon Web Services (AWS) supports single sign-on (SSO) that is initiated by the identity provider. AWS can be integrated with the WSO2 Identity Cloud as described in this topic to provide SSO for users of this application.
- Log in to the Identity Cloud.
- Click Download IDP metadata to download the metadata XML.
- Go to https://aws.amazon.com and sign in to the AWS Management Console using a valid AWS account.
- On the AWS services page, under Security, Identity & Compliance, click IAM.
- In the left navigation panel, click Identity providers.
- Create an identity provider by selecting SAML as the provider type, entering a provider name, and uploading the IdP metadata XML file you downloaded.
- Now, you need to configure a role for SSO. In the left navigation panel, click Roles.
- Enter a unique role name and click Next Step at the bottom of the page.
- On the Select Role Type page, select Role for Identity Provider Access, then select Grant Web Single Sign-on (WebSSO) access to SAML providers.
- On the Establish Trust page, select the provider that you are creating the role for (i.e. wso2_identity_cloud) and click Next Step.
- On the Verify Role Trust page, click Next Step at the bottom of the page.
- On the Attach Policy page, select the AdministratorAccess policy and click Next Step.
- Review the role details and click Create Role at the bottom of the page.
Once you have created the role, you must complete the SAML trust by configuring Identity Cloud with information about AWS and the role(s) that you want your federated users to use. This is referred to as configuring the relying party trust between Identity Cloud and AWS.
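As an added check that is not part of the original guide, the script below verifies the two things the steps above rely on: that the role's trust policy only allows sts:AssumeRoleWithSAML from the wso2_identity_cloud provider with the AWS sign-in audience, and that a SAML assertion carries the Role and RoleSessionName attributes AWS reads to pick the federated role. The account id, role name and the sample policy and assertion are constructed placeholders, not values from the guide.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed placeholders: the account id, provider name and role name are assumptions.
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/wso2_identity_cloud"
AWS_AUD = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed trust policy in the shape AWS generates for a WebSSO SAML role.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": AWS_AUD}}}]})

# Constructed, unsigned, minimal assertion carrying the two attributes AWS requires.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}"><saml:AttributeStatement>
<saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>arn:aws:iam::{ACCOUNT}:role/wso2_sso_admin,{PROVIDER_ARN}</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def check_trust_policy(policy_json, provider_arn):
    # Returns the problems found; an empty list means the trust looks right.
    problems = []
    for s in json.loads(policy_json).get("Statement", []):
        if s.get("Action") != "sts:AssumeRoleWithSAML" or s.get("Effect") != "Allow":
            continue
        if s.get("Principal", {}).get("Federated") != provider_arn:
            problems.append("federated principal is not the expected SAML provider")
        if s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud") != AWS_AUD:
            problems.append("SAML:aud condition missing or wrong")
    return problems

def check_assertion_attributes(assertion_xml, account, provider_arn):
    # Collects every saml:Attribute into {name: [values]} and checks the AWS ones.
    root = ET.fromstring(assertion_xml)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    problems = [f"{n.rsplit('/', 1)[1]} attribute missing"
                for n in (ROLE_ATTR, SESSION_ATTR) if not attrs.get(n)]
    role_re = re.compile(rf"arn:aws:iam::{account}:role/[\w+=.@-]+")
    for value in attrs.get(ROLE_ATTR) or []:
        parts = value.split(",")  # AWS expects "role ARN,provider ARN" (either order)
        if len(parts) != 2 or provider_arn not in parts or not any(map(role_re.fullmatch, parts)):
            problems.append(f"bad Role value: {value}")
    return problems
```

Run the two checks against the real trust policy (from the IAM role's Trust relationships tab) and a captured assertion to confirm that a role can only be assumed through the provider you created and that each user's Role value names a role in your own account.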
- The next step is to configure an on-premises user store for AWS. Since AWS needs a special claim to decide the permissions of the user who is signing in, the following changes must be made