Amazon Web Services (AWS) supports single sign-on (SSO) that is initiated by the identity provider. This topic explains how to integrate AWS with WSO2 Identity Cloud to provide SSO for users of this application.
You configure AWS for SSO with WSO2 Identity Cloud by adding it as an application. Once the configuration is done, you can access the AWS application from the applications list in the User Portal of WSO2 Identity Cloud. This triggers a SAML authentication request to the Identity Cloud; the Identity Cloud returns an authentication response and you are logged in to AWS. The following diagram illustrates this process:
Figure: Accessing an AWS application using Identity Cloud
The following diagram illustrates the authentication flow to an AWS application once this configuration is done with the WSO2 Identity Cloud.
Before you begin, download the metadata XML file that allows you to set the identity cloud configuration details in any third-party application without having to key them in.
- Log in to WSO2 Identity Cloud.
- Click the menu icon in the top left corner of the screen and click Applications. Alternatively, click Overview on the menu bar and click View Applications.
- Click DOWNLOAD IDP METADATA to download the IdP metadata file. (This file is downloaded to a local folder.)
Let's get started!
Setting up AWS for SSO
- Sign in to AWS (https://aws.amazon.com) using a valid AWS account and go to the Management Console.
- On the AWS Services page, under Security, Identity & Compliance, click IAM.
- In the left navigation panel, click Identity providers.
- Create an identity provider by selecting SAML as the provider type, entering a Provider Name and uploading the IdP metadata XML file you downloaded earlier.
- Now you need to configure a role for SSO. In the left navigation panel, click Roles.
- Enter a unique Role Name and click Next Step at the bottom of the page.
- On the Select Role Type page, select Role for Identity Provider Access and then select Grant Web Single Sign-on (WebSSO) access to SAML providers.
- On the Establishing Trust page, select the SAML provider that you are creating the role for (i.e. wso2_identity_cloud) and click Next Step.
- On the Verify Role Trust page, click Next Step at the bottom of the page.
- On the Attach Policy page, select the AdministratorAccess policy and click Next Step.
- Review the role details and click Create Role at the bottom of the page.
Once you have created the role, you must complete the SAML trust by configuring Identity Cloud with information about AWS and the role(s) that you want your federated users to use. This is referred to as configuring relying party trust between Identity Cloud and AWS.
- The next step is to configure an on-premise user store for AWS. Since AWS needs a special claim to decide the permissions of the user who is signing in, the following changes should be made in ON_PREMISE_AGENT_HOME/conf/claim-config.xml. This file is created when you download the agent.
AWS LDAP Settings
AWS requires each federated user to have an LDAP attribute set in the on-premise user store.
The value of the attribute must be <AWS_SSO_ROLE_ARN>,<AWS_SSO_IDP_ARN>, that is, the ARN of the SSO role created above, a comma, and the ARN of the SAML identity provider created above.
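As an added example (not part of the WSO2 documentation), the following Python validates an attribute value of that form before it is written to a user's LDAP entry: it checks that the first ARN is an IAM role and the second an IAM SAML provider, rejects a pair whose two ARNs belong to different AWS accounts, and rejects duplicate pairs. The account IDs and role name are constructed sample values; the IAM ARN formats and the same-account rule are AWS facts that this page does not state.

```python
"""Validate the AWS SSO role attribute ("<role_arn>,<provider_arn>") for a user.

Checking the value at provisioning time catches a malformed or cross-account pair
before the user sees a failed SAML login at AWS.
"""
import re
from typing import List, NamedTuple

# IAM ARN grammar for the two resource types allowed in the attribute.
# Commas are excluded from the role name because the comma delimits the two ARNs.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")


class RolePair(NamedTuple):
    account_id: str
    role_name: str
    provider_name: str


def parse_role_pair(value: str) -> RolePair:
    """Parse one attribute value; raise ValueError with the reason on rejection."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected exactly one comma between the two ARNs: {value!r}")
    role_arn, provider_arn = (p.strip() for p in parts)
    role_m = ROLE_ARN_RE.match(role_arn)
    if not role_m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    if not prov_m:
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn!r}")
    # AWS only trusts a SAML provider from the same account as the role, so a
    # mismatch can never work and usually means a copy/paste from another account.
    if role_m.group(1) != prov_m.group(1):
        raise ValueError("role and SAML provider ARNs belong to different accounts")
    return RolePair(role_m.group(1), role_m.group(2), prov_m.group(2))


def validate_role_attribute(values: List[str]) -> List[RolePair]:
    """Validate every value a user carries (AWS allows several); no duplicates."""
    pairs = [parse_role_pair(v) for v in values]
    if len(set(pairs)) != len(pairs):
        raise ValueError("duplicate role/provider pairs in attribute")
    return pairs


def check_value(value: str) -> str:
    """Return "ok" or the rejection reason, for a provisioning report."""
    try:
        parse_role_pair(value)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample values (account IDs and role name are not real).
SAMPLE_OK = ("arn:aws:iam::123456789012:role/wso2-sso-admin,"
             "arn:aws:iam::123456789012:saml-provider/wso2_identity_cloud")
SAMPLE_CROSS_ACCOUNT = ("arn:aws:iam::123456789012:role/wso2-sso-admin,"
                        "arn:aws:iam::210987654321:saml-provider/wso2_identity_cloud")
```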
To integrate WSO2 Identity Cloud with AWS:
- In the Identity Cloud, click Add Application, provide a Display name and click Update.
- The application is added to the Identity Cloud.
- Click the Settings menu at the top right corner of the page and click User Portal.
- Click the AWS application you added.
- You are directed to the AWS home page without having to sign in explicitly. This demonstrates SSO to AWS using Identity Cloud.