You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Amazon Web Services

If your organization uses Amazon Web Services (AWS), you can configure EmpowerID for Single Sign-On (SSO) with Role Passing for AWS. The EmpowerID SSO framework lets you create an SSO connection to AWS that passes the user's roles in the SAML assertion.

This topic shows how to create an SSO application in EmpowerID for SSO with Role Passing for AWS. It is divided into the following activities:

  • Creating the AWS SAML Connection in EmpowerID

  • Creating the AWS SSO Application in EmpowerID

  • Setting up AWS for your SSO Application

Create a SAML Connection for AWS in EmpowerID

  1. On the navbar, expand Single Sign-On > SSO Connections and click SAML.

  2. Click the Add New Connection button.


  3. In the General tab of the Connection Details form that appears, enter the following information:

    • SAML Connection Type — Service Provider

    • SAML Application Template — Default SSO Connection Settings

    • Name — Name of the connection

    • Display Name — Display name of the connection

    • Name Identifier Format — Persistent

    • Issuer — EmpowerID

    • Initiating URL — /WebIdPForms/Login/<Service Provider Name> (Replace <Service Provider Name> with the name you gave to the connection.)

    • Tile Image URL — ~Images/AppLogos/amazon-webservices.png

    • Description — Description of the connection

  4. Scroll to the Assertion Consumer URL / Circle of Trust pane and click the Add New button.

  5. Enter the following information in the Details dialog that appears:

    • Assertion Consumer URL — Enter https://signin.aws.amazon.com/saml

    • Priority — Enter 1.

    • SAML Submission Method — Select HTTPPost.

  6. Click Save to close the dialog.

  7. Scroll to the Account Information section and do one of the following:

    • Create New Account Directory — Select this option if you are not inventorying AWS in EmpowerID. This creates a special type of account store internal to EmpowerID known as a “Tracking-Only account store.” Account stores of this type are used by EmpowerID to control and track access to applications not inventoried by the system.

    • Select existing Account Directory — If you are currently inventorying AWS, select the AWS account directory.

  8. Under Certificates, do the following:

    • Enable Response Signature — Leave selected

    • Signing Certificate — Select the certificate used to sign SAML assertions for your environment.

  9. Select the Advanced Configuration tab and verify the following information:

    • In the SAML User Configuration section, User ID in Subject Name Identifier should be enabled (checked).

    • In the Encryption Options section, the Assertion Encryption Method value should be XmlEncAES256Url.

  10. Select the Subject Confirmations tab and click the Add New button.


  11. Enter the following information in the Details pane and then click Save.

    • Name — AWSSubjectConfirmation

    • Name Identifier Format — Transient

    • Subject Confirmation Method — Bearer

    • Recipient — https://signin.aws.amazon.com/saml

  12. Select the Audiences tab and click the Add New button.

  13. Enter the following information in the Details pane and then click Save.

    • Name — AWS Audience

    • Audience URL — https://signin.aws.amazon.com/saml

  14. Select the Attributes tab. From this tab, you will create a SAML attribute statement with three SAML attributes.

  15. Click Create a New SAML Attribute Statement and then click the Add New button.


  16. Click Create a SAML Attribute and enter the following information.

    • Name — https://aws.amazon.com/SAML/Attributes/Role

    • Display Name — AWS Groups

    • Attribute Value — AWS Groups for Person

    • Format — AWS

  17. Click Save.

  18. Click the Add New (+) button again and then click Create a SAML Attribute.

  19. Enter the following information for the second SAML attribute:

    • Name — https://aws.amazon.com/SAML/Attributes/RoleSessionName

    • Display Name — RoleSessionName

    • Mapped Attribute — Select this option

    • Attribute Value — PersonPrincipal.Email

    • Format — Unspecified

  20. Click Save.

  21. Click the Add New (+) button again and then click Create a SAML Attribute.

  22. Enter the following information for the third SAML attribute.

    • Name — AWS Management Roles

    • Display Name — AWS Management Roles

    • Attribute Value — Management Roles for Person

    • Format — AWS

  23. Click Save.

  24. Click Save on the main page to create the AWS SAML Connection. After the connection is created, you need to export the EmpowerID metadata file for it. This file is used later when setting up AWS for your SSO application.

  25. After EmpowerID creates the connection, click the Find Connections breadcrumb.


  26. Search for the SAML connection you just created and click the Display Name link for it to go to the View page for the connection.


  27. On the View page, click the Export EmpowerID Metadata button.


  28. Copy the XML and save it as an XML file. You will upload this file to AWS later.
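The three attributes configured in steps 16 through 22 end up in the SAML assertion that EmpowerID posts to https://signin.aws.amazon.com/saml, and AWS performs the role pass only when each Role value has the form role-ARN,provider-ARN and a RoleSessionName is present. The Python below is an added example, not EmpowerID or AWS code: it parses a constructed assertion and reports anything that would make AWS refuse the sign-in (wrong audience or recipient, missing RoleSessionName, malformed Role value); the account id, role name and provider name are placeholders, and the check additionally requires both ARNs to name the same account.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ACS = "https://signin.aws.amazon.com/saml"  # audience, recipient and ACS URL in one
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# A Role value is "<role ARN>,<SAML provider ARN>"; the account id is capture group 1
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample (not captured from any system); account, role and provider are placeholders
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://signin.aws.amazon.com/saml"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/EmpowerID</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_aws_assertion(xml_text):
    """Return the list of problems found; an empty list means the assertion fits the AWS profile."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext(".//saml:Audience", namespaces=NS) != AWS_ACS:
        problems.append("Audience is not the AWS sign-in endpoint")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_ACS:
        problems.append("Recipient is not the AWS sign-in endpoint")
    # Attribute name -> list of its values (an attribute may carry several Role values)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if not attrs.get(SESSION_ATTR):
        problems.append("RoleSessionName attribute missing")
    roles = attrs.get(ROLE_ATTR)
    if not roles:
        problems.append("Role attribute missing: AWS has no role to assume")
    for value in roles or []:
        parts = value.split(",")
        role = ROLE_ARN.match(parts[0]) if len(parts) == 2 else None
        prov = PROVIDER_ARN.match(parts[1]) if len(parts) == 2 else None
        if not (role and prov and role.group(1) == prov.group(1)):
            problems.append("Role value is not role-arn,provider-arn in one account: " + value)
    return problems
```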

The next step is to create an application for AWS in EmpowerID and add to it the SAML connection you just created.

Create an application for AWS in EmpowerID

  1. On the navbar, expand Single Sign-On and click Applications.

  2. Click Create Application.


  3. In the General tab of the Application Details form that appears, enter the following information:

    • Name — Name of the application. This value must be one word.

    • Description — Description of the application

    • Create a Tracking Only Account Store — Select this option if you are not inventorying AWS in EmpowerID. Tracking-Only account stores are special types of account stores internal to EmpowerID used to control and track access to applications not inventoried by EmpowerID. When a user claims an “SSO” account, EmpowerID creates a user account for the user in the tracking-only account store and joins it to their EmpowerID Person. Each tracking-only account store has a one-to-one relationship with a specific application that is established at the time the application is created in EmpowerID.

    • Select Existing Account Store (Directory) — If you are inventorying AWS, select the account store you created for AWS.

    • Creation Location — Search for and select the desired location.

    • Publish in IT Shop — When this option is selected, the application appears in the IT Shop to users eligible for the application. Eligible users can request or claim an account in the application when Allow Claim Account and Allow Request Account are enabled.

    • Allow Claim Account — Specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.

    • Login Is Email Address (Receive OTP to Claim) — Specify whether the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID.

    • Allow Request Account — Specify whether to allow users to request an account in the application. When this option is selected and Publish in IT Shop is selected, users can request an account in the application.

    • Make Me the Owner — Select this option if you are the owner of the application. Owners can approve or reject access requests.

    • Icon — ~Images/AppLogos/amazon-webservices.png

  4. Click Add to Cart.

  5. Click the Cart icon, enter a reason for creating the application and then click Submit.

Configure AWS for your application

  1. From your web browser, log in to the AWS console as an administrator.

  2. From the AWS console, select Identity & Access Management.

  3. Click the Identity Providers navigational link and then click Create Provider.

  4. Select SAML from the Provider Type drop-down.

  5. Type a name in the Provider Name field.

  6. To the right of Metadata Document, click Choose File and upload the EmpowerID Metadata XML file you exported and saved when you created the SSO Connection earlier.

  7. Click Next Step.

  8. Verify the provider information and then click Create.

  9. Click the Do this now link.
