
Configure AWS Console SAML Application for SSO

AuthAnvil Single Sign On

  1. Log into the AuthAnvil Manager at https://(Your Domain)/AuthAnvil/Manager/
  2. Select Single Sign on.
  3. Select Roles
  4. Select Add a new role
  5. Select Save Changes
  6. Select the Users for the Role.
  7. Select Save Changes
  8. Select Single Sign On.
  9. Select Applications.
  10. Select Add new Application
  11. Select Add an Application from the catalog.
  12. Select AWS Console
  13. Enable the application
  14. Add the previously created role to the application.
  15. Select Save Changes
  16. From Single Sign  On, select AWS Console again.
  17. Select Protocol Configuration 
    Copy the "Federation Metadata Endpoint"
  18. In the newly opened window, choose Save As and name the file FederationMetadata.xml.
  19. Save the file somewhere on the hard drive, as it will be required later.
  20. Select Attribute Maps > Edit the attribute name "AWSRole" to be the same name as the role you added above.
    Select {User.Email} with the outgoing claim of "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  21. Enable Extended Properties > Add the attribute "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" (the NameID format URN is case-sensitive)
  22. Select Update Map & then Save Changes
AWS Console configuration

 

  1. Sign into Amazon Web Services.
  2. Select Identity & Access Management (it may show up as IAM)
  3. On the subsequent page, select Identity Providers.
  4. Select “Create SAML Provider”
  5. Provider type of “SAML”
  6. Give the new provider a name such as AuthAnvil
  7. Upload the FederationMetadata.xml file saved earlier, select “Next Step” and click the “Create” button.
  8. Select Roles from the list.
  9. Click Create New Role at the top.
  10. Provide a friendly name for your role.  (This should be the same name as the Role added in 2FA)
  11. For "Role Type" click Role For Identity Provider Access
  12. Select Grant Web Single Sign-On (Web SSO) access to SAML Providers.
  13. Choose your SAML Provider created in the previous step where you created a SAML provider.
  14. No conditions are required, so click Next Step.
  15. Verify the information shown and click Next Step
  16. Choose the access policy (i.e., permissions) federated users will inherit when using this role.
    AdministratorAccess and IAMFullAccess should be enough (you may need to search for IAM Full Access in the search field); note that both grant full administrative rights, so choose the narrowest policy your federated users actually need.
  17. Review the policy that was created.
  18. Review your settings, click “Create Role” to complete the process.
  19. Select the new Role again to access the extended information screen.
  20. Copy the role “arn” value into notepad and add a comma at the end of it.
  21. Scroll down the screen and copy the “Trusted Entities” arn value; paste it into notepad directly after the role arn value.
  22. The end result will look similar to this:
    arn:aws:iam::996226589224:role/AWSRole,arn:aws:iam::996226589224:saml-provider/AuthAnvil
  23. The two ARN values, separated by a comma, will be required once we go back into 2FA.
  24. Select “Create New Users” and ensure that the “Generate an access key for each user” box is not selected.

  25. The user names should be the Email addresses of existing users in 2FA.
Linking Amazon Web Services to AuthAnvil

  1. Log back into 2FA > Single Sign On > Users
  2. Double click on the first user that will have access to the Amazon Web Services console and scroll to the bottom of the screen to the User Attribute area.
  3. Add new Attribute:
    Name = Role Name that exists in Amazon Web Services.
    Attribute Value = the two ARN values
  4. Select “Save”
  5. Go to SSO > Test “AWS Console”

 

Troubleshooting

The most common issues relate to the following configuration Areas:

  • Role Name not the same in Amazon Web Services and in the AuthAnvil Manager.
  • User Email address mismatch.
  • Metadata Mismatch.
  • AuthAnvil Single Sign On user does not have the Attribute added.
  • The {User.Email} attribute for the “claims/name” does not have the extended properties of persistent added.
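The following checker is an added example (not part of the article or of AuthAnvil) that tests a captured SAML assertion against the points above: persistent NameID, an email in the claims/name attribute, and a well-formed "role-arn,provider-arn" pair in the same account. It assumes the AWSRole map is emitted under AWS's attribute name https://aws.amazon.com/SAML/Attributes/Role; the sample assertions are constructed, with signature and conditions left out.

```python
import re
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"  # assumed target of the AWSRole map
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def check_aws_assertion(xml_text):
    """Return a list of findings; an empty list means the assertion matches the setup above."""
    root = ET.fromstring(xml_text)
    findings = []
    nameid = root.find(".//saml:Subject/saml:NameID", SAML)
    if nameid is None or nameid.get("Format") != PERSISTENT:
        findings.append("NameID is missing or not in persistent format")
    # Collect every attribute as name -> list of values
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", SAML)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML)}
    name = (attrs.get(NAME_CLAIM) or [""])[0]
    if "@" not in name:
        findings.append("claims/name is not an email address: %r" % name)
    if not attrs.get(AWS_ROLE):
        findings.append("AWS Role attribute missing (user has no role attribute)")
    for value in attrs.get(AWS_ROLE, []):
        parts = [p.strip() for p in value.split(",")]
        role = ROLE_ARN.match(parts[0]) if parts else None
        prov = PROVIDER_ARN.match(parts[1]) if len(parts) == 2 else None
        if len(parts) != 2 or not role or not prov:
            findings.append("Role value is not 'role-arn,provider-arn': %r" % value)
        elif role.group(1) != prov.group(1):  # account ids must agree
            findings.append("role and provider are in different accounts: %r" % value)
    return findings


# Constructed sample assertion using the ARN pair from the article
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::996226589224:role/AWSRole,arn:aws:iam::996226589224:saml-provider/AuthAnvil</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with two of the troubleshooting mistakes introduced (constructed)
BAD = GOOD.replace(PERSISTENT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified") \
          .replace("role/AWSRole,", "role/AWSRole ")

if __name__ == "__main__":
    print(check_aws_assertion(GOOD), check_aws_assertion(BAD))
```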

 

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.

 
