Amazon Web Services
If your organization uses Amazon Web Services (AWS), you can configure EmpowerID for Single Sign-On (SSO) with role passing for AWS. The EmpowerID SSO framework lets you create a SAML connection to AWS whose assertion carries the AWS roles the user may assume.
This topic demonstrates how to create an SSO application in EmpowerID for SSO with Role Passing for AWS and is divided into the following activities:
Creating the AWS SAML Connection in EmpowerID
Creating the AWS SSO Application in EmpowerID
Setting up AWS for your SSO Application
Create a SAML Connection for AWS in EmpowerID
On the navbar, expand Single Sign-On > SSO Connections and click SAML.
Click the Add New Connection button.
In the General tab of the Connection Details form that appears, enter the following information:
SAML Connection Type — Service Provider
SAML Application Template — Default SSO Connection Settings
Name — Name of the connection
Display Name — Display name of the connection
Name Identifier Format — Persistent
Issuer — EmpowerID
Initiating URL — /WebIdPForms/Login/<Service Provider Name> (Replace <Service Provider Name> with the name you gave to the connection)
Tile Image URL — ~Images/AppLogos/amazon-webservices.png
Description — Description of the connection
Scroll to the Assertion Consumer URL / Circle of Trust pane and click the Add New button.
Enter the following information in the Details dialog that appears:
Assertion Consumer URL — Enter https://signin.aws.amazon.com/saml
Priority — Enter 1.
SAML Submission Method — Select HTTPPost.
Click Save to close the dialog.
Scroll to the Account Information section and do one of the following:
Create New Account Directory — Select this option if you are not inventorying AWS in EmpowerID. This creates a special type of account store internal to EmpowerID known as a “Tracking-Only account store.” EmpowerID uses this type of account store to control and track access to applications that are not inventoried by the system.
Select existing Account Directory — If you are currently inventorying AWS, select the AWS account directory.
Under Certificates, do the following:
Enable Response Signature — Leave selected
Signing Certificate — Select the certificate used to sign SAML assertions for your environment.
Select the Advanced Configuration tab and verify the following information:
SAML User Configuration Section — User ID in Subject Name Identifier should be enabled (checked)
Encryption Options Section — Assertion Encryption Method value should be XmlEncAES256Url
Select the Subject Confirmations tab and click the Add New button.
Enter the following information in the Details pane and then click Save.
Name — AWSSubjectConfirmation
Name Identifier Format — Transient
Subject Confirmation Method — Bearer
Recipient — https://signin.aws.amazon.com/saml
Select the Audiences tab and click the Add New button.
Enter the following information in the Details pane and then click Save.
Name — AWS Audience
Audience URL — https://signin.aws.amazon.com/saml
Select the Attributes tab. From this tab, you will create a SAML attribute statement with three SAML attributes.
Click Create a New SAML Attribute Statement and then click the Add New button.
Click Create a SAML Attribute and enter the following information.
Name — https://aws.amazon.com/SAML/Attributes/Role
Display Name — AWS Groups
Attribute Value — AWS Groups for Person
Format — AWS
Click Save.
Click the Add New (+) button again and then click Create a SAML Attribute.
Enter the following information for the second SAML attribute:
Name — https://aws.amazon.com/SAML/Attributes/RoleSessionName
Display Name — RoleSessionName
Mapped Attribute — Select this option
Attribute Value — PersonPrincipal.Email
Format — Unspecified
Click Save.
Click the Add New (+) button again and then click Create a SAML Attribute.
Enter the following information for the third SAML attribute.
Name — AWS Management Roles
Display Name — AWS Management Roles
Attribute Value — Management Roles for Person
Format — AWS
Click Save.
Click Save on the main page to create the AWS SAML Connection. After the connection is created, you need to export the EmpowerID metadata file for it. This file will be used later when setting up AWS for your SSO application.
After EmpowerID creates the connection, click the Find Connections breadcrumb.
Search for the SAML connection you just created and click the Display Name link for it to go to the View page for the connection.
On the View page, click the Export EmpowerID Metadata button.
Copy the XML and save it as an XML file. You will upload this file to AWS later.
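Before moving on, it is worth confirming that the assertion EmpowerID produces for this connection carries exactly what the AWS SAML endpoint requires: the Audience and Recipient configured above, a bearer subject confirmation, a Role attribute whose values pair a role ARN with a SAML provider ARN from the same account (the form AWS expects for role passing), and a single RoleSessionName. The following Python script is an added example, not EmpowerID or AWS code. The assertion it parses is constructed for illustration (the account ID 123456789012, the role name EmpowerID-Admins and the provider name EmpowerID are placeholders); in practice you would feed it an assertion captured from a SAML trace of a test login. It checks assertion contents only; signature validation, which AWS also performs, is a separate step.

```python
"""Check that a SAML assertion carries what the AWS sign-in endpoint expects.

Added example, not EmpowerID or AWS code. The assertion below is constructed
for illustration; the account ID, role name and provider name are placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values taken from the connection configuration above
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# AWS expects each Role value as "<role ARN>,<saml-provider ARN>" from one account,
# and a RoleSessionName of 2-64 characters drawn from the STS character set.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample assertion (signature omitted; verify that separately)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>EmpowerID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tid-1</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://signin.aws.amazon.com/saml"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/EmpowerID-Admins,arn:aws:iam::123456789012:saml-provider/EmpowerID</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _role_pair_findings(value: str) -> list:
    """Validate one Role attribute value; the two ARNs are accepted in either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return [f"Role value is not a 'role ARN,provider ARN' pair: {value!r}"]
    role = next((ROLE_ARN.match(p) for p in parts if ROLE_ARN.match(p)), None)
    prov = next((PROVIDER_ARN.match(p) for p in parts if PROVIDER_ARN.match(p)), None)
    if role is None or prov is None:
        return [f"Role value lacks a valid role ARN or saml-provider ARN: {value!r}"]
    if role.group(1) != prov.group(1):
        return [f"role and provider ARNs are in different accounts: {value!r}"]
    return []


def check_assertion(xml_text: str) -> list:
    """Return findings; an empty list means the assertion matches the AWS requirements."""
    findings = []
    root = ET.fromstring(xml_text)

    # Audience must name the AWS sign-in endpoint, matching the Audiences tab above
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_SAML_ENDPOINT not in audiences:
        findings.append(f"Audience is not {AWS_SAML_ENDPOINT}: {audiences}")

    # Bearer confirmation with Recipient set as on the Subject Confirmations tab above
    sc = root.find(".//saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        findings.append("SubjectConfirmation Method is not bearer")
    else:
        data = sc.find("saml:SubjectConfirmationData", NS)
        recipient = data.get("Recipient") if data is not None else None
        if recipient != AWS_SAML_ENDPOINT:
            findings.append(f"SubjectConfirmationData Recipient is not {AWS_SAML_ENDPOINT}: {recipient!r}")

    # Collect the attribute statement by attribute Name
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]

    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        findings.append(f"missing attribute {ROLE_ATTR} (AWS cannot offer any role)")
    for value in roles:
        findings.extend(_role_pair_findings(value))

    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not SESSION_NAME.match(session[0]):
        findings.append(f"{SESSION_ATTR} must be exactly one value of 2-64 allowed characters: {session}")
    return findings


if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION) or ["OK: assertion matches the AWS SAML requirements"]:
        print(line)
```

If the Role attribute is missing or its values do not pair a role ARN with a provider ARN from the same account, AWS shows no role to assume even though the signature and audience are valid, so these are the first things to check when role passing fails after the connection is saved.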
The next step is to create an application for AWS in EmpowerID and add the SAML connection you just created to it.
Create an application for AWS in EmpowerID
On the navbar, expand Single Sign-On and click Applications.
Click Create Application.
Enter the following information in the General tab of the Application Details form that appears:
| Field | Value |
|---|---|
| Name | Name of the application. This value must be one word. |
| Description | Description of the application |
| Create a Tracking Only Account Store | Select this option if you are not inventorying AWS in EmpowerID. Tracking-Only account stores are special types of account stores internal to EmpowerID used to control and track access to applications not inventoried by EmpowerID. When a user claims an “SSO” account, EmpowerID creates a user account for the user in the tracking-only account store and joins it to their EmpowerID Person. Each tracking-only account store has a one-to-one relationship with a specific application that is established at the time the application is created in EmpowerID. |
| Select Existing Account Store (Directory) | If you are inventorying AWS, select the account store you created for AWS. |
| Creation Location | Search for and select the desired location. |
| Publish in IT Shop | When this option is selected, the application appears in the IT Shop to users eligible for the application. Eligible users can request or claim an account in the application when Allow Claim Account and Allow Request Account are enabled. |
| Allow Claim Account | Specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs. |
| Login Is Email Address (Receive OTP to Claim) | Specify whether the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID. |
| Allow Request Account | Specify whether to allow users to request an account in the application. When this option is selected and Publish in IT Shop is selected, users can request an account in the application. |
| Make Me the Owner | Select if you are the owner of the application. Owners can approve or reject access requests. |
| Icon | ~Images/AppLogos/amazon-webservices.png |
Click Add to Cart.
Click the Cart icon, enter a reason for creating the application and then click Submit.
Configure AWS for your application
From your web browser, log in to your AWS console as an administrator.
From the AWS console, select Identity & Access Management.
Click the Identity Providers navigational link and then click Create Provider.
Select SAML from the Provider Type drop-down.
Type a name in the Provider Name field.
To the right of Metadata Document, click Choose File and upload the EmpowerID Metadata XML file you exported and saved when you created the SSO Connection earlier.
Click Next Step.
Verify the provider information and then click Create.
Click the Do this now link.