Amazon Web Services (AWS) supports single sign-on (SSO) initiated by the identity provider (IdP-initiated SSO). AWS can be integrated with the WSO2 Identity Cloud as described in this topic to provide SSO for users of this application.
- Log in to the Identity Cloud.
- Click the menu bar in the top left corner and click Applications. Alternatively, click Overview on the menu bar and click View Applications.
- Click Download IDP Metadata to download the IdP metadata file. The file is saved to a local folder; you upload it to AWS in a later step to register the Identity Cloud as a SAML provider.
- Go to https://aws.amazon.com and sign in to the AWS Management Console with a valid AWS account.
- In the AWS Services page, under Security, Identity & Compliance, click IAM.
- In the left navigation panel, click Identity providers.
- Create an identity provider by selecting SAML as the provider type, entering a Provider Name (for example, wso2_identity_cloud, which is referenced in the role steps below), and uploading the IdP metadata XML file you downloaded.
- Next, configure a role for SSO. In the left navigation panel, click Roles.
- Enter a unique Role Name and click Next Step at the bottom of the page.
- In Select Role Type page, select Role for Identity Provider Access and select Grant Web Single Sign-on (WebSSO) access to SAML providers.
- In Establishing Trust page, select the SAML provider that you are creating the role for (for example, wso2_identity_cloud) and click Next Step.
- In Verify Role Trust page, click Next Step at the bottom of the page.
- In Attach Policy page, select the AdministratorAccess policy and click Next Step. AdministratorAccess is used here only to demonstrate the integration; for any real deployment, attach a policy scoped to the permissions your federated users actually need, since every user mapped to this role receives its full permission set.
- Review role details and click Create Role at the bottom of the page.
Once the role is created, complete the SAML trust by configuring the Identity Cloud with information about AWS and the role(s) that your federated users should assume. This is referred to as configuring the relying party trust between the Identity Cloud and AWS.
The next step is to configure an on-premise user store for AWS. AWS decides the permissions of a signing-in user from a dedicated SAML attribute in the assertion (the role attribute, https://aws.amazon.com/SAML/Attributes/Role), so the claim mapping for that attribute must be added in ON_PREMISE_AGENT_HOME/conf/claim-config.xml. This file is created when you download the agent.
AWS LDAP Settings
Each user who will sign in to AWS must have an LDAP attribute set in the user store that carries the role to be assumed; this is the attribute mapped to the AWS role claim above.
The value of the attribute is the ARN of the IAM role created above and the ARN of the SAML identity provider, separated by a comma, in this order: <AWS_SSO_ROLE_ARN>,<AWS_SSO_IDP_ARN>. Both ARNs must belong to the same AWS account, and the IdP ARN is that of the SAML provider you created (for example, wso2_identity_cloud); AWS rejects the assertion if the order is swapped or either ARN is malformed.
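The role ARN / IdP ARN pair stored in the LDAP attribute, and the trust policy AWS generates for the role at the Verify Role Trust step, are easy to get subtly wrong (swapped order, a typo in the account id, a provider from another account). The following Python helpers build and validate both. They are an added example, not part of the WSO2 Identity Cloud documentation or the on-premise agent; the account id 123456789012, role name WSO2-AWS-SSO and provider name wso2_identity_cloud are assumed placeholders, while the attribute names and the audience URL are the fixed values AWS expects in a SAML assertion.

```python
"""Build and validate the AWS SAML role attribute and IAM role trust policy.

Added example; the account id, role name and provider name used below are
assumed placeholders, not values from the documentation.
"""
import json
import re

# Attribute names AWS expects in the SAML assertion, and the audience the
# role trust policy pins the assertion to (fixed AWS values).
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# IAM ARN for a role (optionally with a path) or a SAML provider.
# Commas are excluded from the name so the <ROLE_ARN>,<IDP_ARN> pair stays unambiguous.
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):"
    r"(?P<rtype>role|saml-provider)/(?P<name>[\w+=.@/-]+)$"
)


def role_attribute_value(account_id: str, role_name: str, provider_name: str) -> str:
    """Value to store in the user's LDAP attribute: <ROLE_ARN>,<IDP_ARN>."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def parse_role_attribute_value(value: str) -> tuple:
    """Validate a <ROLE_ARN>,<IDP_ARN> pair and return (role_arn, provider_arn).

    Raises ValueError for the mistakes that make AWS reject the assertion:
    wrong element count, malformed ARNs, swapped order, or a role and a SAML
    provider from different accounts (they must live in the same account).
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly two comma-separated ARNs")
    role_arn, provider_arn = parts
    role = _ARN_RE.match(role_arn)
    provider = _ARN_RE.match(provider_arn)
    if not role or role["rtype"] != "role":
        raise ValueError(f"first element is not a role ARN: {role_arn!r}")
    if not provider or provider["rtype"] != "saml-provider":
        raise ValueError(f"second element is not a saml-provider ARN: {provider_arn!r}")
    if role["account"] != provider["account"]:
        raise ValueError("role and SAML provider must be in the same AWS account")
    return role_arn, provider_arn


def role_trust_policy(provider_arn: str) -> dict:
    """Trust policy of the kind AWS shows at the Verify Role Trust step.

    Only the named SAML provider may call AssumeRoleWithSAML, and the
    SAML:aud condition restricts it to assertions addressed to AWS sign-in.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def saml_attributes(ldap_value: str, username: str) -> dict:
    """The two attribute statements the IdP must emit for this user."""
    role_arn, provider_arn = parse_role_attribute_value(ldap_value)
    return {
        AWS_ROLE_ATTR: f"{role_arn},{provider_arn}",
        AWS_SESSION_NAME_ATTR: username,
    }


if __name__ == "__main__":
    # Assumed placeholder values (not from the documentation).
    value = role_attribute_value("123456789012", "WSO2-AWS-SSO", "wso2_identity_cloud")
    print("LDAP attribute value:", value)
    print(json.dumps(saml_attributes(value, "alice"), indent=2))
    print(json.dumps(role_trust_policy(parse_role_attribute_value(value)[1]), indent=2))
    # Constructed bad values: one ARN only, swapped order, account mismatch.
    for bad in [
        "arn:aws:iam::123456789012:role/WSO2-AWS-SSO",
        "arn:aws:iam::123456789012:saml-provider/wso2_identity_cloud,"
        "arn:aws:iam::123456789012:role/WSO2-AWS-SSO",
        "arn:aws:iam::123456789012:role/WSO2-AWS-SSO,"
        "arn:aws:iam::210987654321:saml-provider/wso2_identity_cloud",
    ]:
        try:
            parse_role_attribute_value(bad)
        except ValueError as err:
            print("rejected:", err)
```

Running the script prints the attribute value to store for the user, the two SAML attribute statements the IdP must emit, the trust policy the role should carry, and the reason each constructed bad value is rejected. Several roles can be offered to one user by emitting multiple values of the Role attribute, each a well-formed pair.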
- In the Identity Cloud, click Add Application, provide a Display Name, and click Update.
- The application will be added to the Identity Cloud.
- Click the Settings menu in the top right corner of the page and click User Portal.
- Click the added AWS App.
- You are redirected to the AWS Management Console and signed in as the federated role without having to authenticate to AWS explicitly. This demonstrates SSO to AWS through the Identity Cloud.