Setting up SSO with Amazon Web Services

If your organization is using Amazon Web Services (AWS), you can configure EmpowerID for Single Sign-On (SSO) with Role Passing for AWS. The EmpowerID SSO framework allows you to create an SSO connection with Role passing for Amazon Web Services (AWS).

This topic demonstrates how to create an SSO application in EmpowerID for SSO with Role Passing for AWS and is divided into the following activities:

Creating the AWS SAML Connection in EmpowerID
Creating the AWS SSO Application in EmpowerID
Setting up AWS for your SSO Application

As a prerequisite to setting up EmpowerID for SSO with AWS, you must have an AWS account.

To create the AWS SAML Connection

From the navigation sidebar, expand Applications and click Manage Applications.
From the Actions pane, click the Create SAML Connection link.

This opens a blank Connection Details form. This form provides all the fields needed to create the SAML connection.
Select Service Provider as the SAML Connection Type.
Underneath Service Provider Details do the following:
1. Select Default SSO Connection Settings from the SAML Application Template drop-down.
2. Type https://signin.aws.amazon.com/saml in the Assertion Consumer URL field.
3. Leave the Send RelayState to Provider and RelayState fields empty.
The Service Provider Details section of the form should look like the below image.
In the Connection Details section of the form, do the following:
1. Type a name, display name and description for the SSO connection in the Name, Display Name, and Description fields, respectively.
2. Select HTTPPost from the SAML Submission Method drop-down.
3. Select Persistent from the Name Identifier Format drop-down
4. Leave the Issuer field as is.
5. In the User Entered URL field, replace <ServiceProviderName> with the name of the connection you are creating.
6. Leave the Tile Image URL field as is.
The Connection Details section of the form should look like the below image.
Under Single Logout Configuration, verify that HTTPArtifact is selected as the Logout SAML Protocol.
Under Account Information, select either Create a New Account Directory (recommended) or select an existing account directory from the Select existing Account Directory drop-down. Creating a new account directory for the SSO connection is advantageous in that doing so creates a one-to-one correlation between the account store and the connection, as well as any applications that use the SSO connection. In our example, we are creating a new account directory.
Select the signing certificate used in your EmpowerID deployment from the Signing Certificate drop-down. Leave the other certificate fields empty.
Click the Advanced Configuration tab.
Under SAML User Configuration, verify that User ID in Subject Name Identifier is selected.
Under Signing and Encryption, verify that the Assertion Encryption Method value is set to XmlEncAES256Url.
Click the Subject Confirmations tab.
Click the Add New (+) button and in the Details pane that appears, do the following:
1. Type AWSSubjectConfirmation in the Name field.
2. Select Transient from the Name Identifier drop-down.
3. Select Bearer from the Subject Confirmation drop-down.
4. Type https://sigin.aws.amazon.com/saml in the Recipient field.
5. Click Save.
Click the Audiences tab.
Click the Add New (+) button and in the Details pane that appears, do the following:
1. Type AWS Audience in the Name field.
2. Type https://sigin.aws.amazon.com/saml in the Recipient field.
3. Click Save.
Click the Attributes tab. From this tab, you will create a SAML attribute statement with three SAML attributes.
Click Create a New SAML Attribute Statement and then click Create a SAML Attribute.
In the SAML Attribute pane that appears, do the following:
1. ype https://aws.amazon.com/SAML/AttributeRole in the Name field.
2. Type AWS Groups in the Display Name field.
3. Type {Group} in the Attribute Value field.
4. Select AWS from the Format drop-down.
5. Click Save.
To add the second attribute to the statement, click the Add New (+) button and in the Details pane that appears, do the following:
1. Type https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Name field.
2. Type RoleSessionName in the Display Name field.
3. Select Mapped Attribute.
4. Type {PersonPrincipal.Email} in the Attribute Value field.
5. Select Unspecified from the Format drop-down.
6. Click Save.
To add the third attribute to the statement, click the Add New (+) button again and in the Details pane that appears, do the following:
1. Type AWS Management Roles in the Name field.
2. Type AWS Management Roles in the Display Name field.
3. Type {ManagementRole} in the Attribute Value field.
4. Select AWS from the Format drop-down.
5. Click Save.
Click Save to create the SSO Connection. After the connection is created, you need to export the EmpowerID metadata file for it. This file will be used later when setting up AWS for your SSO application.
After EmpowerID creates the connection, navigate to SSO Connection Manager by expanding Admin > SSO Connection and clicking SAML.
In SSO Connection Manager, search for the SSO connection you just created.
Click the Display Name link. This directs you to the View One page for the connection.
Click the Export EmpowerID Metadata button.

This opens a new browser tab with the EmpowerID metadata in XML format.
Copy the XML and save it as an XML file. You will upload this file to AWS later.

The next step is to create the AWS application, adding to it the SSO connection you just created.

To create the AWS application in EmpowerID

From the Navigation Sidebar, expand Applications and clicking Manage Applications.
From the Actions pane of the find protected application resource page, click the Create Application link.

This opens the Application Details form, which contains various tabs and fields for creating the application.
From the General tab of the Application Details form, do the following:
1. Enter a name for the AWS application in the Name field.
2. Enter a display name and description for the application in the Display Name and Description fields, respectively.
3. In the Icon field, type ~Images/AppLogos/amazon-webservices.png. This is the path to the AWS image provided by EmpowerID. Users with access to the application will see this image for the AWS application in the EmpowerID Web interface.
4. Select or deselect Allow Access Requests to specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
5. Select or deselect Allow Claim Account to specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
6. Select or deselect Allow Request Account to specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
7. Deselect Login Is Email Address.
8. Select or deselect Make me the Application Owner to specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
9. Configure Advanced Claim and Request Account Options - Select this option and then provide the appropriate advanced configuration information if you have custom pages and workflows configured in EmpowerID for processing access requests as well as for managing any accounts linked to the application's (internal to EmpowerID) account directory.
Click the Single Sign-On tab and do the following:
1. Select SAML from the Single Sign-On Connection Type drop-down.
2. Type the name of the AWS SAML connection you created above in the SAML Connection field and then click the tile for the connection to select it.
Click the Users tab. You should see the account directory you selected for the AWS SSO connection listed in the Select existing Account Directory field.
Click the Add to cart button located at the bottom of the page.
Click the Cart icon located at the top of the page, type a comment in the Justification field and then click Submit.

The next step is to set up AWS for your application.

To set up AWS for your application

From your Web browser log in to your AWS console as an administrator.
From the AWS console, select Identity & Access Management.
Click the Identity Providers navigational link and then click Create Provider.
Select SAML from the Provider Type drop-down.
Type a name in the Provider Name field.
To the right of Metadata Document, click Choose File and upload the EmpowerID Metadata XML file you exported and saved when you created the SSO Connection earlier.
Click Next Step.
Verify the provider information and then click Create.
Click the Do this now link.