Hands-on: connect this in-house system to AWS as a SAML 2.0 identity provider (IdP), so that its users can federate into AWS without IAM users or long-lived keys.

  1. Create a SAML identity provider in AWS.
    • Go to the IAM console.
    • In the navigation pane, choose Identity providers, and then choose Add provider.
    • Choose SAML.
    • Type a name for the identity provider.
    • For Metadata document, choose Choose file, and then specify the SAML metadata document that you downloaded from your in-house system.
    • (Optional) For Add tags, you can add key-value pairs to help you identify and organize your IdPs.
    • Choose Add provider.
  2. Create an IAM role for SAML 2.0 federation.
    • Go to the IAM console.
    • In the navigation pane, choose Roles, and then choose Create role.
    • Choose SAML 2.0 federation.
    • For Select a SAML provider, choose the provider that you created in step 1.
    • Under the access to be allowed, choose Allow programmatic and AWS Management Console access if users should sign in to the console (which is what step 4 tests); choose Allow programmatic access only for a role that is assumed purely through the AWS API or AWS CLI.
    • Choose Next.
    • Attach the permissions policies that grant federated users the access they need to AWS resources; keep these to least privilege, since every user the IdP maps to this role receives them.
    • Choose Next.
    • Type a name for the role, and then choose Create role.
  3. Configure your in-house system to send SAML assertions to AWS.
    • Follow the instructions provided by your in-house system vendor.
  4. Test your SAML configuration.
    • Try to log in to the AWS Management Console using the SAML integration.

To implement the steps above using the AWS CLI, you need the AWS CLI installed and configured with credentials that are allowed to call iam:CreateSAMLProvider, iam:CreateRole and iam:AttachRolePolicy.

1. Create a SAML identity provider in AWS.

aws iam create-saml-provider --name my-idp --saml-metadata-document file://saml-metadata.xml

Here is an example of a SAML metadata XML file:

2. Create an IAM role for SAML 2.0 federation.

aws iam create-role --role-name my-saml-role --assume-role-policy-document file://assume-role-policy.json

The assume-role-policy.json file is the role's trust policy. It should contain the following JSON, with the Federated principal set to the ARN of the provider created in step 1 (the page's example account ID 123456789012 and provider name my-idp are used here):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/my-idp"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

The Federated principal must be the SAML provider's ARN, not the AWS sign-in URL: IAM only honours assertions whose signature verifies against that provider's certificate. The SAML:aud condition restricts the role to assertions addressed to the AWS sign-in endpoint; the issuer can be pinned further with a saml:iss condition. This trust policy only decides who may assume the role; the permissions the role grants are attached separately, for example with aws iam attach-role-policy.


The SAML metadata XML file you downloaded from the in-house system contains the following information:

  • Entity ID: The entity ID is the unique identifier of the SAML identity provider. It is a URI that the IdP also places in the Issuer element of every assertion it signs, so it is what a saml:iss condition in the trust policy compares against; it is an identifier, not the URL users are redirected to. In this example, the entity ID is https://my-idp.example.com/saml.
  • Public key certificate: The public key certificate is used to verify the SAML assertions that are sent to AWS. The SAML assertion is a digitally signed XML document that contains information about the user who is authenticating. AWS uses the certificate to verify the signature on the assertion and so ensure that it was issued by this IdP and has not been tampered with. When the IdP rotates its signing key, the provider in IAM must be updated with the new metadata, or assertions will be rejected.
  • Binding: The Binding attribute on each SingleSignOnService element states how that endpoint accepts requests; the two common bindings are HTTP POST and HTTP Redirect. Assertions themselves reach AWS by an HTTP POST to https://signin.aws.amazon.com/saml. In this example, the binding is HTTP POST.
  • Single sign-on service location: The single sign-on service location is the URL on the SAML identity provider where users authenticate and from which the signed assertion is posted to AWS. In this example, the single sign-on service location is https://my-idp.example.com/saml/sso.
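
The following Python script is an added example, not code from the original post or from AWS. It parses a constructed metadata document carrying the values listed above (entity ID https://my-idp.example.com/saml, a placeholder certificate body instead of a real base64 DER certificate, and the SSO endpoint https://my-idp.example.com/saml/sso) and applies the checks worth running before handing the file to create-saml-provider: the document must describe an IdP, carry at least one signing certificate, and expose its SSO endpoint over HTTPS. The check function and its messages are this example's own design.

```python
"""Inspect an IdP's SAML metadata before uploading it with create-saml-provider.
Added example; the metadata below is constructed and its certificate body is a placeholder."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the entity ID, bindings and SSO location described in the text.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://my-idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64-DER-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my-idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://my-idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entity ID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    signing_certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if cert:
            signing_certs.append("".join(cert.split()))  # drop the base64 line wrapping
    sso = [(s.get("Binding"), s.get("Location"))
           for s in idp.iterfind("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": signing_certs, "sso": sso}


def check_idp_metadata(info):
    """Return the problems a reviewer should fix before trusting this IdP in IAM."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID (the value AWS sees as the assertion Issuer)")
    if not info["signing_certs"]:
        problems.append("no signing certificate: AWS could not verify assertion signatures")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso"]:
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint is not https: {location}")
        if binding not in (HTTP_POST, HTTP_REDIRECT):
            problems.append(f"unexpected SSO binding: {binding}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"]:
        print("SSO:", binding.rsplit(":", 1)[-1], location)
    print("problems:", check_idp_metadata(info) or "none")
```

Run it against the real file with parse_idp_metadata(open("saml-metadata.xml").read()); an empty problem list means the document has everything IAM needs, and the entity ID it prints is the value to pin in a saml:iss condition if you add one.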

Here is a more detailed explanation of the SAML authentication process. Note that console federation with IAM is IdP-initiated: the flow starts at the identity provider, and AWS does not redirect users to it.

  1. The user opens the in-house identity provider's portal and authenticates there with their in-house credentials.
  2. The SAML identity provider generates a SAML assertion for the user. For AWS it contains the Role and RoleSessionName attributes, names urn:amazon:webservices as the audience, and is signed with the private key matching the certificate in the IdP's metadata.
  3. The user's browser posts the SAML response to https://signin.aws.amazon.com/saml (HTTP POST binding).
  4. AWS verifies the signature on the assertion using the certificate of the SAML identity provider registered in IAM, and checks the audience and validity window.
  5. AWS calls sts:AssumeRoleWithSAML for the role the user selected, evaluating the role's trust policy against the assertion.
  6. AWS issues temporary security credentials for that role and signs the user into the AWS Management Console; the permissions policies attached to the role decide which resources the user can then access.

3. Configure your in-house system to send SAML assertions to AWS.

Follow the instructions provided by your in-house system vendor. Whatever the vendor's tooling looks like, AWS expects the following from the IdP: the assertion consumer service (ACS) URL is https://signin.aws.amazon.com/saml, the audience is urn:amazon:webservices, the assertion is signed with the key whose certificate is in the metadata you uploaded, and it carries two attributes: https://aws.amazon.com/SAML/Attributes/Role, whose value pairs a role ARN with the provider ARN (for this page's example, arn:aws:iam::123456789012:role/my-saml-role,arn:aws:iam::123456789012:saml-provider/my-idp), and https://aws.amazon.com/SAML/Attributes/RoleSessionName, which becomes the session name recorded in CloudTrail. An optional https://aws.amazon.com/SAML/Attributes/SessionDuration attribute can set the session length in seconds, within the role's maximum.

Example of SAML assertion

4. Test your SAML configuration.

aws sts assume-role-with-saml --role-arn arn:aws:iam::123456789012:role/my-saml-role --principal-arn arn:aws:iam::123456789012:saml-provider/my-idp --saml-assertion file://saml-assertion.xml

The value passed with --saml-assertion is the base64-encoded SAML response produced by the IdP (the same SAMLResponse form field a browser would post to https://signin.aws.amazon.com/saml), so the file must hold the base64 encoding rather than the raw XML. The call is unsigned, so it needs no existing AWS credentials. If the command is successful, it returns temporary security credentials for the role (access key ID, secret access key, session token and their expiry) that you can export for use with other AWS CLI commands.
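
The following Python script is an added example, not code from the original post or from AWS, covering the assertion from step 3 and the call from step 4. It embeds a constructed, unsigned SAML response with the Role and RoleSessionName attributes for this page's example role and provider, parses it, applies the checks a client should make before sending it to STS (issuer, audience, validity window, presence of the two attributes), and builds the exact RoleArn, PrincipalArn and SAMLAssertion parameters that assume-role-with-saml (or boto3's assume_role_with_saml) takes. The function names, the sample timestamps and the check messages are this example's own.

```python
"""Derive sts:AssumeRoleWithSAML parameters from the SAML Response an IdP posts to
https://signin.aws.amazon.com/saml.  Added example; the response below is constructed."""
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample.  A real response carries a ds:Signature that AWS verifies
# against the provider's certificate; that verification is AWS's job, not the client's.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>https://my-idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://my-idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/my-saml-role,arn:aws:iam::123456789012:saml-provider/my-idp</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z (None stays None)."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_saml_response(b64):
    """Return the fields AWS cares about from a base64-encoded SAML Response."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    roles, session_name = [], None
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            for v in values:
                parts = [p.strip() for p in v.split(",")]
                # Pick the pair members by ARN type rather than by position.
                role = [p for p in parts if ":role/" in p]
                provider = [p for p in parts if ":saml-provider/" in p]
                if len(parts) != 2 or not role or not provider:
                    raise ValueError(f"malformed Role attribute value: {v!r}")
                roles.append((role[0], provider[0]))
        elif attr.get("Name") == SESSION_ATTR:
            session_name = values[0]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "roles": roles,
        "session_name": session_name,
    }


def check_response(parsed, now_iso, expected_issuer):
    """List the reasons a response should not be sent to STS (empty list means OK)."""
    now = _ts(now_iso)
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append("unexpected issuer")
    if parsed["audience"] != AWS_AUDIENCE:
        problems.append("audience is not urn:amazon:webservices")
    if parsed["not_before"] is not None and now < parsed["not_before"]:
        problems.append("assertion not yet valid")
    if parsed["not_on_or_after"] is None or now >= parsed["not_on_or_after"]:
        problems.append("assertion expired or has no NotOnOrAfter")
    if not parsed["roles"]:
        problems.append("no Role attribute")
    if not parsed["session_name"]:
        problems.append("no RoleSessionName attribute")
    return problems


def assume_role_params(b64, role_arn, now_iso, expected_issuer):
    """Build the parameters for assume-role-with-saml / boto3 sts.assume_role_with_saml."""
    parsed = parse_saml_response(b64)
    problems = check_response(parsed, now_iso, expected_issuer)
    if problems:
        raise ValueError("; ".join(problems))
    providers = dict(parsed["roles"])  # role ARN -> provider ARN offered by the IdP
    if role_arn not in providers:
        raise ValueError(f"{role_arn} is not offered by this assertion")
    return {"RoleArn": role_arn, "PrincipalArn": providers[role_arn], "SAMLAssertion": b64}


if __name__ == "__main__":
    params = assume_role_params(SAMPLE_RESPONSE_B64, "arn:aws:iam::123456789012:role/my-saml-role",
                                "2024-01-01T00:01:00Z", "https://my-idp.example.com/saml")
    print(params["RoleArn"], "via", params["PrincipalArn"])
    # With a real, signed response: boto3.client("sts").assume_role_with_saml(**params)
```

The client-side checks do not replace AWS's signature verification; they catch the common misconfigurations (wrong audience, stale assertion, missing attributes) with a clear message before STS returns a generic InvalidIdentityToken error, and the SAMLAssertion value is passed through untouched because STS must see exactly the bytes the IdP signed.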

Once you have completed these steps, your users will be able to log in to the AWS Management Console using their in-house system credentials.

Additional notes:

  • You can use the same SAML identity provider for multiple roles; the IdP offers a user a choice of roles by putting several role-ARN,provider-ARN pairs in the Role attribute.
  • You can use the same IAM role for multiple SAML identity providers by listing each provider's ARN in the Federated principal of the role's trust policy.
  • The AWS CLI (or API) creates the SAML identity provider and the IAM role on the AWS side; the IdP side of the integration (ACS URL, audience and attributes) is configured in the in-house system with its own tools.
