Configure Access Manager to access AWS Management Console with single Role using SAML federation - Part 1


1. Introduction

Amazon Web Service supports SAML based SSO in order to login to AWS Management Console using a standard web browser. From a user's perspective, the sign in process happens transparently. The user starts in the organization's internal portal and ends up at the AWS Management Console, without ever having to supply the AWS credentials.

The following diagram and steps illustrate the flow for SAML-enabled single sign-on.


Figure 1: AWS Single Sign on using SAML2

  1. The user browses to your NetIQ IDP initiated SSO URL to go to the AWS Management Console. Your IDP initialed URL: https:///nidp/saml2/idpsend?id=aws

  • NetIQ IDP verifies the user's identity against configured user store (LDAP/ Active Directory).

  • NetIQ IDP generates a SAML authentication response, which includes assertions that identify the user and include attributes (i.e. AWS Roles) about the user and sends this response to the client browser.

  • The client browser is redirected to the AWS single sign-on endpoint and posts the SAML assertion.

  • The endpoint requests temporary security credentials on behalf of the user and creates a console sign-in URL that uses those credentials.

  • AWS sends the sign-in URL back to the client as a redirect.

  • The client browser is redirected to the AWS Management Console. If the SAML authentication response includes attributes that map to multiple IAM roles, the user is first prompted to select the role to use for access to the console.

2. Configuration

Follow the steps below to configure NetIQ IDP to POST SAML assertion to AWS SSO end point to enable SSO between your organization and AWS Management console. The configuration helps to map corporate users to a single (constant) role in AWS.

2.1 Download SAML metadata from NetIQ IDP
Download NetIQ IDP SAML metadata by typing following URL in the browser and save the file as nam-idp-metadata.xml

2.2 Down SAML metadata from AWS
Download AWS SAML metadata by typing following URL in the browser and save the file as aws-sso-metadata.xml

2.3 Configure AWS as Service Provider in NetIQ Access Manager
Login into AWS management console using root account and open IAM. Click on “identity providers” from the left menu and click on “Create Provider” button. Provide following information and create IDP Provider in AWS

Provider Type: SAML
Provider Name: NAM-IDP
Metadata Document: Browse NAM IDP metadata file you downloaded in section 2.1

Identity Provider in AWS

Figure 2: Create Identity Provider in AWS

After Creation of identity provider in AWS, click on the provider name (i.e. NAM-IDP) and copy the Provider ARN. You need this ARN during SAML assertion configuration.

Identity Provider Created in AWS

Figure 3: Identity Provider created in AWS

Provider ARN: arn:aws:iam:::saml-provider/NAM-IDP

2.4 Create AWS Roles
Login into AWS management console using root account and open IAM. Click on “Roles” from the left menu and click on “Create new role” button.

  1. Choose role type as “Role for identity provider access” and select “Grant Web Single Sign-On (WebSSO) access to SAML providers”

    Select AWS Role Type

    Figure 4: Create IAM Role in AWS

  • Select SAML provider as “NAM-IDP”

    Established Trust with IDP

    Figure 5: Select SAML Provide to build trust between NetIQ IDP and AWS IAM Role

  • AWS creates Role Trust automatically to trust the NAM-IDP to Assume Role with SAML. AWS must trust NetIQ IDP in order to allow your organization’s user to login into AWS Management console using NAM IDP initiated URL. Click on “Next Step”

    Verify AWS Role Trust

    Figure 6: Verify Trust

  • Select the policy(s) (Permission for the Role) to attach to the Role. Search for EC2 and select “AmazonEC2FullAccess” and click on “Next Step”

    Select Policy

    Figure 7: Attach appropriate Policy document

  • Set role name as “awsEC2FullAccess”, enter Role Description and Create the Role.

    Provide Role Name

    Figure 8: Provide Role Name and Confirm Role creation

  • After Role creation click on the Role and copy Role ARN.
    Role ARN: arn:aws:iam:: :role/awsEC2FullAccess

2.5 Configure AWS as Service Provider in NetIQ Access Manager
Follow the steps to configure AWS as SAML 2.0 service provider in NetIQ Admin Console.
  1. Open NetIQ Admin Console and go to idp-cluster -> SAML 2.0 and create New -> Service Provider and put Service Provider details.

    Provider Type: General
    Source: Metadata Text
    Name: AmazonAWS (Provide any Name you like)
    Text: Copy AWS metadata XML file which was downloaded in Section 2.2 and paste the content here.

  • Click next, confirm the certificates and Finish creating Service Provider.

  • Open AmazonAWS Service Provider and go to Metdata tab and click on Edit. Update Provider Id to This value should match with “SAML:aud” value in Role Trust configuration at section 2.4 (iii)

    NetIQ IDP Side SAML Configuration

    Figure 9: Create SAML2 service provider in NetIQ IDP

  • Go to Configuration -> Intersite Transfer Service and add ID, Target and Domain List.

    ID: aws
    Domain List:

    NetIQ IDP Side Configuration

    Figure 10: Domain white list

  • Apply changes to all IDP servers.

2.6 Create Attribute Set for AWS SAML Assertion
Go to Shared Setting -> Attribute Sets and create new attribute set “AmazonWebServices”

  1. Create Mapping for “RoleSessionName” for LDAP attribute givenName

    Attribute Mapping

  • Map Remote Attribute “Role” to
    Constant value: arn:aws:iam:: :role/awsEC2FullAccess,arn:aws:iam:: :saml-provider/NAM-SANDBOX-IDP

    Attribute Mapping for Static Role

2.7 Complete SAML Service Provider setup in NAM
Go to IDP cluster, SAML 2.0 tab and open AmazonAWS service provider. Select Attribute Set: AmazonWebService and move available attributes from right box to left box.

select attribute

Apply all changes to IDP.

Now use the Identity provider’s url https://<nam-idp-sso-url>/nidp/saml2/idpsend?id=aws to login to the AWS management console. If the user is not already signed in, the user will be prompted to authenticate depending on the authentication contract you have used in the configuration.


How To-Best Practice
Comment List