This article describes the legacy method of configuring single sign-on (SSO) for Amazon Web Services (AWS) so that users can choose from among multiple AWS roles in multiple AWS accounts when they sign in using OneLogin. It uses the Amazon Web Services (AWS) Multi Role connector. The current method, which is more secure and easier to configure, uses the Amazon Web Services (AWS) Multi Account connector. We recommend it. See Configuring SAML for Amazon Web Services (AWS) with Multiple Accounts and Roles.
If you have thousands of AWS roles, this legacy method may perform better than the current one.
Prerequisite
Your account must allow provisioning and custom user fields, both of which require the OneLogin Unlimited plan. Go to Settings > Subscription to upgrade your account, if necessary, or contact OneLogin Sales.
Adding the AWS Multi Role app to OneLogin
- Log in to OneLogin as an admin.
- Go to Apps > Add Apps.
- Search for Amazon Web Services (AWS) Multi Role and select it.
You can edit the Display Name and display icons.
- Click Save to add the app to your Company Apps and display additional configuration tabs.
- Go to the Provisioning tab and select Enable provisioning.
- Go to the More Actions menu and select SAML Metadata to download the SAML metadata XML file.
You will provide this file when you configure the integration in your AWS account.
- Click Save.
Configuring OneLogin as an Identity Provider for each AWS account
Repeat the following for each AWS account you want users to access through OneLogin:
- Log in to your Amazon Web Services Management Console.
- Select Identity and Access Management.
- In the Identity & Access Management (IAM) console, select Identity Providers from the left menu.
- Click the Create Provider button.
- For Provider Type, click Choose a provider type and select SAML from the dropdown menu.
- Provide a name for the Identity Provider.
- For Metadata Document, click Choose File to specify and upload the SAML metadata XML document that you downloaded earlier.
- Verify your configuration and click Create.
Adding or updating AWS Roles to use OneLogin as the SAML provider
For each AWS role that you want users to be able to access through OneLogin SSO, you must update the configuration for each AWS account to grant OneLogin SSO access to the role in AWS.
The instructions that follow cover the basic process for creating roles in AWS that are enabled for SAML federation using OneLogin. For more detailed instructions about creating AWS roles for SAML federation, see Amazon Web Service's own documentation: Creating a Role for SAML 2.0 Federation (AWS Management Console).
You may want to update existing roles to enable them for SAML federation using OneLogin. To do so, you must update the role's trust policy and select your OneLogin identity provider as the SAML provider. For instructions, see Modifying a Role in the AWS documentation.
To create an AWS role that is enabled for SAML federation using OneLogin:
- In the AWS Identity & Access Management (IAM) console, select Roles from the left menu.
- Click the Create New Role button or select a role that you want to update.
- Provide a user-friendly name for your role, and click Next Step.
- Select Role For Identity Provider Access.
- Select Grant Web Single Sign-On (Web SSO) access to SAML Providers.
- For SAML provider, select the identity provider that you created for OneLogin in the previous task.
- (Optional) Add attribute conditions to this role.
The SAML:aud attribute is added automatically and set to the URL of the AWS SAML endpoint (https://signin.aws.amazon.com/saml).
To add additional attribute-related conditions, click Add Conditions, select the condition, specify a value, and click Add Condition.
- Click Next Step to view the trust policy that was created from the settings you entered.
- Select the access policy that assigns the permissions that federated users will inherit when they use this role, and click Next Step.
- Review your settings and click Create Role.
- Make a note of the Role ARN and the Trusted Entities ARN for the identity provider.
You will provide these values when you assign OneLogin users to AWS roles in Assigning ARN values for your AWS accounts and roles to OneLogin users.
- Repeat for each role that you want users to be able to access through OneLogin SSO.
Mapping AWS attributes to OneLogin values
Return to the OneLogin admin portal and do the following:
- Create a custom user field to hold AWS account-role values.
In our example, we'll create a custom user field called "AWS custom role."
For instructions, see Custom User Fields.
- Go to Apps > Company Apps and select your Amazon Web Services (Multi-Role) app.
- Go to the Parameters tab to map AWS attributes to OneLogin values.
The attributes listed on this tab will be included in the SAML assertion that OneLogin passes to AWS.
RoleSessionName and Amazon Username identify the user name that is displayed in the AWS console and serve as the user identifier while the session is active. This value must be between 2 and 32 characters long, can contain only alphanumeric characters, underscores, and the characters +=,.@-, and cannot contain spaces. The default OneLogin value is email, but if your users have email addresses longer than 32 characters, we recommend using userPrincipalName or AD username instead.
Role is used to pass the user's AWS roles to AWS. Click the Role parameter to open the Edit Field Role dialog:
Do the following:
- Under Default if no value selected, select your custom field (AWS custom role in our example) from the first drop-down menu.
- From the second drop-down menu, select Semicolon Separated List.
- Select Include in User Provisioning; you might need to scroll down to see it.
Ignore the Value settings.
Assigning ARN values for your AWS accounts and roles to OneLogin users
Each AWS user in OneLogin must have the ARN values for their AWS roles populated in the custom user field that you created (AWS custom role, in our example). The most efficient way to assign these AWS role values is to use OneLogin mappings.
Note. Instead of using a mapping, you could assign the ARN values directly to each user, one by one, by going to Users > All Users, selecting the user, and entering the role and identity provider ARN values (using the syntax described in step 4, below) directly into the custom user field that you created for AWS roles (AWS custom role, in our example).
To assign AWS accounts and roles using mappings:
- Go to Users > Mappings.
- Select New Mapping.
- Set a condition that defines a group of users that should share the same AWS accounts and roles.
For example, if all of the members of your TechOps team require the same AWS account and role access, you could define the group as all members of the AD security group techops with the condition MemberOf > contains > techops.
- From the Actions drop-down, select Set AWS Role and enter the ARN values of the AWS roles and accounts in the edit field.
Each entry consists of the ARN of the role and the ARN of the identity provider for that account, separated by a comma. The role ARN/identity provider ARN pairs are in turn separated by semicolons. Here's an example, with two roles in one account and one role in a second account:
arn:aws:iam::111111111111:role/boomRole1,arn:aws:iam::111111111111:saml-provider/OL_boom;arn:aws:iam::111111111111:role/boomRole2,arn:aws:iam::111111111111:saml-provider/OL_boom;arn:aws:iam::222222222222:role/boomRoleSL_1,arn:aws:iam::222222222222:saml-provider/SL_boom
- Click Save.
- On the Mappings page, click the Reapply All Mappings button.
Now when the users on your TechOps team use OneLogin SSO to access AWS, they can choose from among the following three roles, from two accounts:
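The Role field value shown in the mapping example above is easy to get subtly wrong (a pair whose role and provider sit in different accounts, a stray separator, a session name that breaks the length or character rules from the Parameters tab). The following Python script is an added example and is not OneLogin's or AWS's own code: it parses a Role field value into (role ARN, provider ARN) pairs, applies the RoleSessionName rules exactly as this article states them (2 to 32 characters, alphanumerics, underscore and +=,.@-), and checks each role's trust policy for an Allow statement that lets the named SAML provider call sts:AssumeRoleWithSAML with SAML:aud pinned to the AWS sign-in endpoint. The trust policies and the account ids are constructed sample data in the shape the IAM console generates; in practice you would load the real trust policies (for example from your own IAM export) into the same dictionary.

```python
import re

# Constraints as stated in the article for the RoleSessionName / Amazon Username parameters.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9_+=,.@-]{2,32}$")


def valid_role_session_name(name: str) -> bool:
    """2-32 characters; alphanumerics, underscore and + = , . @ - only; no spaces."""
    return bool(ROLE_SESSION_NAME_RE.fullmatch(name))


def parse_arn(arn: str) -> dict:
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    partition, service, region, account, resource = parts[1:]
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}


def parse_role_field(value: str) -> list:
    """Parse 'roleARN,providerARN;roleARN,providerARN;...' into validated pairs."""
    pairs = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semicolon
        fields = [p.strip() for p in item.split(",")]
        if len(fields) != 2:
            raise ValueError(f"expected 'roleARN,providerARN' but got {item!r}")
        role_arn, provider_arn = fields
        role, provider = parse_arn(role_arn), parse_arn(provider_arn)
        if role["service"] != "iam" or not role["resource"].startswith("role/"):
            raise ValueError(f"not an IAM role ARN: {role_arn}")
        if provider["service"] != "iam" or not provider["resource"].startswith("saml-provider/"):
            raise ValueError(f"not a SAML provider ARN: {provider_arn}")
        if role["account"] != provider["account"]:
            # The provider ARN must be the one created in the same account as the role.
            raise ValueError(f"role and provider are in different accounts: {item}")
        pairs.append((role_arn, provider_arn))
    return pairs


def role_trusts_provider(trust_policy: dict, provider_arn: str) -> bool:
    """True if an Allow statement lets provider_arn call sts:AssumeRoleWithSAML
    and pins SAML:aud to the AWS sign-in endpoint."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithSAML" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", [])
        federated = [federated] if isinstance(federated, str) else federated
        if provider_arn not in federated:
            continue
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud == AWS_SAML_AUDIENCE:
            return True
    return False


def audit_mapping(value: str, trust_policies: dict) -> list:
    """Return one message per role whose trust policy does not match the mapping."""
    problems = []
    for role_arn, provider_arn in parse_role_field(value):
        policy = trust_policies.get(role_arn)
        if policy is None:
            problems.append(f"{role_arn}: no trust policy found")
        elif not role_trusts_provider(policy, provider_arn):
            problems.append(f"{role_arn}: trust policy does not allow sts:AssumeRoleWithSAML "
                            f"from {provider_arn} with SAML:aud pinned to {AWS_SAML_AUDIENCE}")
    return problems


# --- Constructed sample data (the article's placeholder account ids and role names) ---
SAMPLE_ROLE_FIELD = (
    "arn:aws:iam::111111111111:role/boomRole1,arn:aws:iam::111111111111:saml-provider/OL_boom;"
    "arn:aws:iam::111111111111:role/boomRole2,arn:aws:iam::111111111111:saml-provider/OL_boom;"
    "arn:aws:iam::222222222222:role/boomRoleSL_1,arn:aws:iam::222222222222:saml-provider/SL_boom"
)


def trust_policy(provider_arn: str, pin_audience: bool = True) -> dict:
    """Build a trust policy of the shape the IAM console generates for a SAML provider."""
    stmt = {"Effect": "Allow", "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML"}
    if pin_audience:
        stmt["Condition"] = {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLE_TRUST_POLICIES = {
    "arn:aws:iam::111111111111:role/boomRole1": trust_policy("arn:aws:iam::111111111111:saml-provider/OL_boom"),
    # Constructed defect: the SAML:aud condition was dropped when the role was edited by hand.
    "arn:aws:iam::111111111111:role/boomRole2": trust_policy("arn:aws:iam::111111111111:saml-provider/OL_boom", False),
    "arn:aws:iam::222222222222:role/boomRoleSL_1": trust_policy("arn:aws:iam::222222222222:saml-provider/SL_boom"),
}

if __name__ == "__main__":
    for line in audit_mapping(SAMPLE_ROLE_FIELD, SAMPLE_TRUST_POLICIES):
        print(line)
```

Run against the sample data, the audit reports only boomRole2, whose constructed trust policy lacks the SAML:aud condition; the other two roles pass. The cross-account check in parse_role_field is the one most worth keeping in an import pipeline, because a pair that names a provider from another account is silently rejected by AWS at sign-in rather than at configuration time.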