Follow the steps below to set up a single role, single sign-on for Amazon Web Services (AWS).
If you are trying to configure OneLogin SAML SSO to support multiple AWS roles or multiple AWS accounts, see Configure SAML for Amazon Web Services (AWS) with Multiple Accounts and Multiple Roles.
In some cases, you can use a field macro or a custom user field. However, using a custom user field requires a OneLogin unlimited account. Please contact your OneLogin support team for further information, or see Custom User Fields.
Set Up OneLogin
In the OneLogin dashboard, do the following:
- Go to Apps > Add Apps.
- Search for Amazon Web Services (AWS) Single Role (CN) and select it. You may edit the Display Name if desired.
- Click Save.
- Select the SSO tab.
- In the Issuer URL field, copy the URL.
- Visit this URL in a different browser window and download the metadata XML document. You will need it in the next step.
Configure Amazon Web Services for Service Provider
1. In your Amazon Web Services Management Console, search for and select IAM.
2. On the next page, select Identity Providers.
3. Select Create Provider.
4. Select SAML in the Provider Type dropdown. In the Provider Name field, enter OneLogin or the name of your choice.
5. Upload the metadata XML document you downloaded in step 5 of the Set Up OneLogin section above and click Next. Verify that the Provider Name contains the value you entered and that Type is SAML. Click Create.
6. After you see the success message, navigate to Roles in the left-hand navigation, or simply click the Do this now text in the success message.
7. Select Create Role.
8. Select SAML 2.0 federation as the trusted entity type.
9. From the dropdown, select your newly created SAML provider name, and select the radio button labeled Allow programmatic and AWS Management Console access.
10. Add optional conditional access to this role. We provide a wide variety of SAML attributes you can match against.
11. Click Next: Permissions and attach one or more permissions policies to your new role. In addition to preconfigured policies to choose from, AWS provides an open JSON file where you can edit permissions at will.
12. Name your role, add an optional description, and review for accuracy. To finish, click Create Role. You can also click Previous to go back and correct any information.
13. Once your role is created, select it to view the summary. Find both the Role ARN (1) and the Trusted entities ARN (2) identifiers, highlighted below. The Role ARN is the first value listed, and the Trusted entities ARN is located within the Trust relationships tab.
Save this pairing for a later field in OneLogin.
1. Back in the OneLogin admin dashboard, in the Amazon Web Services app, go to the Parameters tab and ensure that the radio button for Configured by admin is selected.
Note: OneLogin mappings for Amazon Username and RoleSessionName are used for logging purposes. The values set for both fields must be between 2 and 32 characters long, may contain only alphanumeric characters, underscores, and the characters +=,.@-, and cannot contain spaces. Most implementations set both of these values to Email, but if your users have email addresses longer than 32 characters, we recommend using userPrincipalName or AD username.
2. Select the Role field. From the dropdown, select Macro, and in the field that appears, enter the merged pairing of ARN fields from Step 14 above. Click Save.
This will associate the configured Amazon Username and RoleSessionName with the ARN role value pairing.
Note: This action creates a single app for that specific role in OneLogin and will SSO into that Role in AWS. This means that for each role you are signing into in AWS, you will have to create a separate app in OneLogin that maps to every ARN role value pairing.
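The two values configured on the Parameters tab are easy to get subtly wrong: a RoleSessionName outside the 2-32 character set is rejected at sign-in, and a Role macro whose role ARN and provider ARN come from different accounts will never match the trust policy. The following added example (not OneLogin's or AWS's code) checks both before they are pasted into OneLogin; it assumes the comma-separated "role ARN,provider ARN" form that the AWS Role SAML attribute uses, and the 12-digit account ID and aws/aws-cn/aws-us-gov partitions of IAM ARNs. The ARNs below are constructed samples.

```python
import re

# Constraint from the note above: 2-32 chars, alphanumerics, underscore, and + = , . @ -
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9_+=,.@-]{2,32}$")

# Assumed IAM ARN shapes: 12-digit account ID, optional aws-cn / aws-us-gov partition
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::(\d{12}):saml-provider/[\w._-]+$")


def valid_session_name(value: str) -> bool:
    """True if value satisfies the RoleSessionName / Amazon Username constraints."""
    return bool(SESSION_NAME_RE.match(value))


def choose_session_name(email: str, fallback: str) -> str:
    """Prefer Email, as most deployments do; fall back (e.g. to UPN or AD username)
    when the email is too long or contains a disallowed character."""
    if valid_session_name(email):
        return email
    if valid_session_name(fallback):
        return fallback
    raise ValueError("neither candidate satisfies the 2-32 character constraint")


def build_role_pairing(role_arn: str, provider_arn: str) -> str:
    """Return the 'role ARN,provider ARN' value for the OneLogin Role macro,
    refusing malformed ARNs or a role/provider pair from different accounts."""
    role = ROLE_ARN_RE.match(role_arn)
    provider = PROVIDER_ARN_RE.match(provider_arn)
    if not role:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not provider:
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    if role.group(1) != provider.group(1):
        raise ValueError("role ARN and provider ARN belong to different AWS accounts")
    return f"{role_arn},{provider_arn}"


if __name__ == "__main__":
    # Constructed sample values, not real account identifiers
    role = "arn:aws-cn:iam::123456789012:role/OneLoginReadOnly"
    provider = "arn:aws-cn:iam::123456789012:saml-provider/OneLogin"
    print(build_role_pairing(role, provider))
    print(choose_session_name("a.very.long.email.address@example-company.com", "jdoe"))
```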
With the configuration complete, OneLogin and Amazon Web Services will be connected through SAML.