
If your organization uses Amazon Web Services (AWS), you can configure EmpowerID for Single Sign-On (SSO) with Role Passing for AWS. The EmpowerID SSO framework lets you create a SAML SSO connection to AWS that passes the user's roles along with the sign-on.

This topic demonstrates how to create an SSO application in EmpowerID for SSO with Role Passing for AWS and is divided into the following activities:

  • Creating the AWS SAML Connection in EmpowerID
  • Creating the AWS SSO Application in EmpowerID
  • Setting up AWS for your SSO Application


Info

As a prerequisite to setting up EmpowerID for SSO with AWS, you must have an AWS account.

To create the AWS SAML Connection

  1. From the navigation sidebar, expand Applications and click Manage Applications.
  2. From the Actions pane, click the Create SAML Connection link.

    This opens a blank Connection Details form. This form provides all the fields needed to create the SAML connection.





  3. Select Service Provider as the SAML Connection Type.
  4. Underneath Service Provider Details do the following:
    1. Select Default SSO Connection Settings from the SAML Application Template drop-down.
    2. Type https://signin.aws.amazon.com/saml in the Assertion Consumer URL field.
    3. Leave the Send RelayState to Provider and RelayState fields empty.

    The Service Provider Details section of the form should look like the below image.




  5. In the Connection Details section of the form, do the following:
    1. Type a name, display name and description for the SSO connection in the Name, Display Name, and Description fields, respectively.
    2. Select HTTPPost from the SAML Submission Method drop-down.
    3. Select Persistent from the Name Identifier Format drop-down.
    4. Leave the Issuer field as is.
    5. In the User Entered URL field, replace <ServiceProviderName> with the name of the connection you are creating.
    6. Leave the Tile Image URL field as is.

    The Connection Details section of the form should look like the below image.




  6. Under Single Logout Configuration, verify that HTTPArtifact is selected as the Logout SAML Protocol.




  7. Under Account Information, select either Create a New Account Directory (recommended) or select an existing account directory from the Select existing Account Directory drop-down. Creating a new account directory for the SSO connection is advantageous in that doing so creates a one-to-one correlation between the account store and the connection, as well as any applications that use the SSO connection. In our example, we are creating a new account directory.




  8. Select the signing certificate used in your EmpowerID deployment from the Signing Certificate drop-down. Leave the other certificate fields empty.




  9. Click the Advanced Configuration tab.
  10. Under SAML User Configuration, verify that User ID in Subject Name Identifier is selected.




  11. Under Signing and Encryption, verify that the Assertion Encryption Method value is set to XmlEncAES256Url.




  12. Click the Subject Confirmations tab.
  13. Click the Add New (+) button and in the Details pane that appears, do the following:
    1. Type AWSSubjectConfirmation in the Name field.
    2. Select Transient from the Name Identifier drop-down.
    3. Select Bearer from the Subject Confirmation drop-down.
    4. Type https://signin.aws.amazon.com/saml in the Recipient field.
    5. Click Save.

  14. Click the Audiences tab.
  15. Click the Add New (+) button and in the Details pane that appears, do the following:
    1. Type AWS Audience in the Name field.
    2. Type https://signin.aws.amazon.com/saml in the Recipient field.
    3. Click Save.
  16. Click the Attributes tab. From this tab, you will create a SAML attribute statement with three SAML attributes.
  17. Click Create a New SAML Attribute Statement and then click Create a SAML Attribute.
  18. In the SAML Attribute pane that appears, do the following:
    1. Type https://aws.amazon.com/SAML/Attributes/Role in the Name field.
    2. Type AWS Groups in the Display Name field.
    3. Type {Group} in the Attribute Value field.
    4. Select AWS from the Format drop-down.
    5. Click Save.
  19. To add the second attribute to the statement, click the Add New (+) button and in the Details pane that appears, do the following:
    1. Type https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Name field.
    2. Type RoleSessionName in the Display Name field.
    3. Select Mapped Attribute.
    4. Type {PersonPrincipal.Email} in the Attribute Value field.
    5. Select Unspecified from the Format drop-down.
    6. Click Save.
  20. To add the third attribute to the statement, click the Add New (+) button again and in the Details pane that appears, do the following:
    1. Type AWS Management Roles in the Name field.
    2. Type AWS Management Roles in the Display Name field.
    3. Type {ManagementRole} in the Attribute Value field.
    4. Select AWS from the Format drop-down.
    5. Click Save.
  21. Click Save to create the SSO Connection. After the connection is created, you need to export the EmpowerID metadata file for it. This file will be used later when setting up AWS for your SSO application.
  22. After EmpowerID creates the connection, navigate to SSO Connection Manager by expanding Admin > SSO Connection and clicking SAML.
  23. In SSO Connection Manager, search for the SSO connection you just created.
  24. Click the Display Name link. This directs you to the View One page for the connection.
  25. Click the Export EmpowerID Metadata button.

    This opens a new browser tab with the EmpowerID metadata in XML format.




  26. Copy the XML and save it as an XML file. You will upload this file to AWS later.
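A way to verify what the connection configured above should emit, as an added example that is not EmpowerID's or AWS's code: it parses a constructed SAML assertion and checks the Recipient, Audience, Role attribute pair and RoleSessionName that AWS role passing depends on. The account id 123456789012 and the provider name EmpowerID are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# AWS requires each Role value to be "<role ARN>,<saml-provider ARN>" from the same account.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w+=.@-]+$")

# Constructed sample assertion (not a real capture): the {Group} value "Admins" rendered in
# AWS format and {PersonPrincipal.Email} as the session name; 123456789012 is a placeholder.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://signin.aws.amazon.com/saml"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/Admins,arn:aws:iam::123456789012:saml-provider/EmpowerID</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def attr_values(root, name):
    """Text of every AttributeValue under the SAML attribute called name."""
    return [v.text or "" for v in
            root.findall(f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)]

def check_aws_assertion(xml_text):
    """Return a list of problems; empty means the assertion carries what AWS role passing needs.
    Run this only on an assertion whose XML signature has already been verified."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_SAML_ENDPOINT:
        problems.append("SubjectConfirmationData Recipient is not the AWS SAML endpoint")
    if AWS_SAML_ENDPOINT not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("no Audience matching the AWS SAML endpoint")
    roles = attr_values(root, ROLE_ATTR)
    if not roles:
        problems.append("Role attribute missing: AWS cannot pick a role to assume")
    for value in roles:
        role, _, provider = value.partition(",")
        r, p = ROLE_ARN.match(role), PROVIDER_ARN.match(provider)
        if not (r and p) or r.group(1) != p.group(1):
            problems.append(f"malformed Role value: {value}")
    session = attr_values(root, SESSION_ATTR)
    if len(session) != 1 or not session[0].strip():
        problems.append("RoleSessionName must carry exactly one non-empty value")
    return problems
```

A typo in the Recipient or Audience value (such as sigin for signin) shows up as two findings, which is the kind of mistake the form above makes easy.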

The next step is to create the AWS application, adding to it the SSO connection you just created.

To create the AWS application in EmpowerID

...