Setting Up Single Sign-On (SSO) Between AWS SSO and a SAML Service Provider

Introduction

Welcome to our AWS Certified Solutions Architect Professional tutorial series. In this tutorial, we walk through setting up Single Sign-On (SSO) between AWS Single Sign-On (AWS SSO, since renamed AWS IAM Identity Center) and a sample SAML (Security Assertion Markup Language) 2.0 service provider. With SSO a user authenticates once, at the identity provider, and is then admitted to each connected application without a separate login; AWS SSO centralizes that user and access management in one place. If you’re interested in SSO and SAML federation, this tutorial is for you!

Before we dive into the hands-on section, consider subscribing to our channel for more tutorials related to SSO and identity management.

Prerequisites:

  • An AWS account with permissions to administer AWS SSO. AWS SSO requires AWS Organizations and is enabled from the organization’s management account.
  • Access to the AWS Management Console.
  • Familiarity with SAML 2.0 and SSO concepts (identity provider, service provider, assertion, Entity ID, Assertion Consumer Service).

Step 1: Enabling AWS Single Sign-On

  1. Log in to your AWS Management Console.
  2. Navigate to AWS Single Sign-On (AWS SSO). If it’s your first time using AWS SSO, you need to enable the service; the console prompts you to enable AWS Organizations first if the account is not already in one. Follow the on-screen instructions to do so.

Step 2: Choose Identity Source

  • AWS SSO lets you choose the identity source, which is where user identities are stored and authenticated. For this example, we keep the default, the identity store built into AWS SSO. In production you would more often connect an existing directory (Active Directory) or an external SAML identity provider, and you should enable MFA for users who sign in against the built-in store, since those accounts become the front door to every application you federate.

Step 3: Create a Test User

  1. Go to the “Users” section in AWS SSO.
  2. Add a new user, e.g., “test_user1.”
  3. Choose to generate a one-time password for this user (rather than emailing an invitation) so you can copy it in the next step.
  4. Provide a valid email address and other user details.

Step 4: Test User Login

  1. Copy the temporary password and user portal URL.
  2. Open a new tab and navigate to the user portal URL.
  3. Enter the username (test_user1) and temporary password.
  4. Re-enter the temporary password when prompted.
  5. Set a new password as instructed.
  6. You should now be logged into the AWS SSO dashboard.

Step 5: Adding a SAML Application

  1. In the AWS SSO dashboard, go to the “Applications” tab. At this point, no applications are configured.
  2. Click “Add a new application.”
  3. Select “Custom SAML 2.0 application.”
  4. Name the application, e.g., “RC Test SAML.”

Step 6: Configure the SAML Application

  • In this step, we configure the SAML application using the metadata published by the sample SAML service provider (RSA’s test SP in this case). SAML federation is a two-way exchange: the SP needs the identity provider’s metadata (issuer, sign-in URL and signing certificate) and AWS SSO needs the SP’s.
  1. Open a new tab and search for “RSA SAML test” on Google.
  2. Follow the test SP’s instructions to obtain its metadata. The critical elements are the “Entity ID” (also called the audience; AWS SSO places it in the assertion’s AudienceRestriction) and the “Assertion Consumer Service (ACS) URL,” the endpoint to which AWS SSO posts the signed assertion. Check that the ACS URL uses HTTPS.
  3. Go back to the AWS SSO application configuration and enter the Entity ID and ACS URL in the application settings. On the same page, download the AWS SSO SAML metadata file and, if the test SP asks for it, upload it or paste its values so the SP can verify the assertion signature.
  4. Save the changes.
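Step 6 is the place where values get mistyped. The following script is an added example, not part of the original tutorial and not RSA’s or AWS’s code: it pulls the Entity ID and ACS URL out of a SAML 2.0 SP metadata document and flags settings you would not want to accept. The metadata it parses is constructed inline, and its entity ID, ACS URL and NameIDFormat are hypothetical placeholders, not the values the RSA test SP publishes.

```python
"""Extract the SP-side settings AWS SSO asks for (Entity ID, ACS URL) from
SAML 2.0 service-provider metadata, and sanity-check them before they are
pasted into the custom SAML 2.0 application configuration."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata. The entity ID, ACS URL and NameIDFormat are
# hypothetical placeholders, not the values published by the RSA test SP.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the fields the AWS SSO application form needs.

    For metadata fetched from an untrusted URL, parse with defusedxml rather
    than the stdlib parser; the input here is a constructed sample.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata describes no SPSSODescriptor (not an SP)")

    # AWS SSO delivers the assertion with the HTTP-POST binding, so pick the
    # POST endpoint, preferring the one the SP marks as default.
    post_endpoints = [
        acs for acs in sp.findall("md:AssertionConsumerService", NS)
        if acs.get("Binding") == HTTP_POST
    ]
    if not post_endpoints:
        raise ValueError("SP publishes no HTTP-POST AssertionConsumerService")
    default = next((a for a in post_endpoints if a.get("isDefault") == "true"),
                   post_endpoints[0])

    fmt = sp.find("md:NameIDFormat", NS)
    return {
        "entity_id": entity_id,
        "acs_url": default.get("Location"),
        "name_id_format": fmt.text.strip() if fmt is not None and fmt.text else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def check_sp_settings(settings: dict) -> list:
    """Flag settings a reviewer would not accept for a production SP."""
    problems = []
    if not settings["acs_url"].startswith("https://"):
        problems.append("ACS URL is not HTTPS: the assertion would travel in the clear")
    if not settings["want_assertions_signed"]:
        problems.append("SP does not require signed assertions, so a forged one would be accepted")
    if settings["name_id_format"] is None:
        problems.append("SP declares no NameIDFormat; choose the Subject format explicitly in AWS SSO")
    return problems


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    for problem in check_sp_settings(parsed):
        print("WARNING:", problem)
```

The Entity ID and ACS URL it prints are the two values to paste into the AWS SSO application settings; the NameIDFormat tells you which Subject format to pick in the attribute mapping of the next step.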

Step 7: Attribute Mapping

  • Attribute mapping defines which user attributes AWS SSO places in the SAML assertion, and under which names the application sees them.
  1. In the AWS SSO dashboard, open the application’s “Attribute mappings” tab.
  2. Map the SAML “Subject” to the AWS SSO value ${user:subject} (the “user.subject” attribute) and choose a format the SP accepts. The Subject becomes the NameID the application uses to identify the user, so it must be a stable, unique value.
  3. Optionally, add more attributes such as given name, last name and email, using the attribute names the application expects and the AWS SSO values ${user:givenName}, ${user:familyName} and ${user:email}. Send only what the application needs; every extra attribute is personal data handed to a third party.

Step 8: Assign Users to the Application

  1. In the “Assign users” section, assign the “test_user1” to the “RC Test SAML” application.

Step 9: Test the SAML Application

  1. Open a new tab with the application link AWS SSO shows for the SAML application. This is an IdP-initiated flow: sign-in starts at AWS SSO, which posts the signed assertion to the SP’s ACS URL.
  2. You’ll be redirected to the AWS SSO login page. Sign in with the test user’s credentials.
  3. Once authenticated, you’ll be redirected to the SAML application’s ACS URL, and the test SP should show a successful login together with the assertion it received. If the SP rejects the assertion, the usual causes are an Entity ID that does not match the audience, a wrong ACS URL, or a signing certificate the SP does not trust.

Step 10: Additional Attribute Testing

  1. To test additional attributes, go back to the AWS SSO dashboard.
  2. Modify the attribute mappings to include more attributes (e.g., “given name,” “last name,” and “email”).
  3. Repeat the login process with the SAML application and check, in the SP’s display of the received assertion, that each mapped attribute arrives under the name you configured and with the expected value.
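To check the outcome of Steps 7 through 10 without relying on the test SP’s display, the following script is an added example (not part of the original tutorial, and not AWS’s or RSA’s code) that decodes a base64 SAMLResponse such as the one posted to the ACS URL and verifies that the issuer, audience, recipient, validity window, NameID and mapped attributes are what the SP expects. The response it parses is constructed inline and unsigned; the issuer, SP Entity ID, ACS URL and attribute names (email, firstName, lastName) are hypothetical. It only inspects the assertion: XML signature verification against the certificate in the AWS SSO metadata is the SP’s job and is not done here.

```python
"""Decode the SAMLResponse an IdP posts to the SP and check that the mapped
attributes arrived. Inspection only: this does not verify the XML signature."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers; take the real ones from the AWS SSO application
# page (issuer) and from the SP metadata (audience, ACS URL).
IDP_ISSUER = "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEINSTANCEID"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"

# Constructed, unsigned response for test_user1 with the mappings
# email=${user:email}, firstName=${user:givenName}, lastName=${user:familyName}.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test_user1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z" Recipient="{SP_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:55:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>test_user1@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_saml_response(b64: str) -> dict:
    """Pull the fields worth checking out of a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted, or an error response)")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = assertion.find("saml:Conditions", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "recipient": conf.get("Recipient") if conf is not None else None,
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": parse_saml_time(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": parse_saml_time(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "attributes": attrs,
    }


def check_saml_response(resp, expected_issuer, expected_audience, expected_acs, required_attrs, now):
    """Return the list of reasons an SP should reject this assertion (empty when it is acceptable)."""
    problems = []
    if resp["status"] != SUCCESS:
        problems.append(f"status is {resp['status']}")
    if resp["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: {resp['issuer']}")
    if expected_audience not in resp["audiences"]:
        problems.append(f"audience mismatch: SP Entity ID not in {resp['audiences']}")
    if resp["recipient"] != expected_acs:
        problems.append(f"recipient mismatch: {resp['recipient']}")
    if resp["not_before"] is not None and now < resp["not_before"]:
        problems.append("assertion not yet valid")
    if resp["not_on_or_after"] is not None and now >= resp["not_on_or_after"]:
        problems.append("assertion expired")
    if not resp["name_id"]:
        problems.append("empty NameID (check the Subject mapping)")
    for name in required_attrs:
        if not resp["attributes"].get(name):
            problems.append(f"mapped attribute {name!r} missing from assertion")
    return problems


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_SAML_RESPONSE_B64)
    print("NameID:", parsed["name_id"], "attributes:", parsed["attributes"])
    print(check_saml_response(parsed, IDP_ISSUER, SP_ENTITY_ID, SP_ACS_URL,
                              ["email", "firstName", "lastName"], parse_saml_time("2024-01-15T10:00:00Z")))
```

To use it against a real login, capture the SAMLResponse form field from the browser’s developer tools on the POST to the ACS URL and pass it to parse_saml_response; an attribute that shows up in the list of problems is one whose mapping name in AWS SSO does not match what the application expects.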

Conclusion

You’ve successfully set up Single Sign-On (SSO) between AWS SSO and a sample SAML service provider, so users reach the application after a single login at AWS SSO. You’ve also seen how to configure a custom SAML application, exchange metadata with the service provider, map attributes into the assertion, and assign users to the application. Feel free to adapt this tutorial to other SAML-enabled applications or to an external identity source. Thank you for watching, and leave your comments or questions.
