SAML SSO to AWS (Amazon Web Services) with NetIQ Access Manager - Part 1

Introduction



Many organizations need, or want, to use SAML SSO to sign in to AWS.



AWS supports identity federation using SAML (Security Assertion Markup Language 2.0), an open standard used by many identity providers. This feature enables federated single sign-on (SSO), which lets users log into the AWS Management Console or make programmatic calls to AWS APIs. Using SAML can simplify the process of configuring federation with AWS, because you can use identity provider software instead of writing code.

AWS STS and IAM support the following use cases:

  • Web-based single sign-on (WebSSO) to the AWS Management Console from your organization. Users can sign in to a portal in your organization, select an option to go to AWS, and be redirected to the console without having to provide additional sign-in information. For more information, see Giving AWS Console Access to Federated Users Using SAML.


Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html

The solution is divided into two parts.

Part 1 - this article; explains the basic NAM configuration needed to achieve WebSSO to AWS
Part 2 - coming next; explains how to prepare attribute values such as the Role value dynamically.

Configuration steps




  1. Configuring AWS

  2. Configuring NAM Attribute set

  3. Configuring NAM with AWS as service provider

  4. Prepare the IDP-initiated login URL to be used from a portal or as a bookmark.



Setup Information



AWS setup Information




  1. Download the NAM SAML2 metadata from http(s)://<www.idp.com>/nidp/saml2/metadata and save it to a local file named nam-saml2-metadata.xml

  2. Open the AWS console in a browser: https://console.aws.amazon.com/console/home

  3. Log in to AWS; the dashboard is shown. If you don't see it, click the orange icon in the top left corner.

  4. Select Identity & Access Management under "Administrator & Security"

  5. [Screenshot: samlssotoaws-1]

  6. Click Identity Providers in the left menu of the newly opened page

  7. [Screenshot: samlssotoaws-2]

  8. Click the Create Provider button; it opens the "Configure Provider" page

  9. [Screenshot: samlssotoaws-3]

  10. Select SAML from the "Choose a provider type" drop-down menu

  11. Enter a provider name, e.g., NAM-IDP or idp2

  12. Click the "Choose File" button and choose the nam-saml2-metadata.xml saved in step 1.

  13. [Screenshot: samlssotoaws-4]

  14. Click Next

  15. [Screenshot: samlssotoaws-5]

  16. Finish the wizard

  17. [Screenshot: samlssotoaws-6]



  18. The IDP is configured by the above steps; now it is time to create roles

  19. Click "Roles" in the left menu

  20. [Screenshot: samlssotoaws-7]

  21. Click "Create New Role"

  22. Provide the new role name

  23. [Screenshot: samlssotoaws-8]

  24. Click Next, and select the role type "Role for Identity Provider Access"

  25. [Screenshot: samlssotoaws-9]

  26. Click Select next to "Grant web Single Sign-On (WebSSO) access to SAML providers" and click Next

  27. Select the SAML provider created in the steps above.

  28. [Screenshot: samlssotoaws-10]

  29. Click "Next Step", verify the Role Trust that is shown, and click "Next Step"

  30. [Screenshot: samlssotoaws-11]

  31. The "Set Permissions" page shows up

  32. [Screenshot: samlssotoaws-12]

  33. Select the permissions for the federated user role; in this example flow select "Administrator Access" and click "Next Step"

  34. The "Set Permissions" page shows up; click "Next Step"

  35. [Screenshot: samlssotoaws-13]

  36. Finally the "Review" page shows

  37. [Screenshot: samlssotoaws-14]

  38. Note down the "Role ARN" and "Trusted Entities", e.g., arn:aws:iam::625143326143:role/MyAdmin and arn:aws:iam::625143326143:saml-provider/idp1

  39. If you missed noting down the values above, click the role to get these details

  40. [Screenshot: samlssotoaws-15]




NetIQ Access Manager Identity Server setup details

  1. Download the AWS metadata from https://signin.aws.amazon.com/static/saml-metadata.xml

  2. Log in to the NAM Admin Console

  3. Select "Shared Settings" and create an attribute set with the required attributes

  4. Create two attributes: one with a constant value and the other with the username

  5. The constant attribute has the following values

    1. Remote Attribute: "Role"

    2. Remote NameSpace: https://aws.amazon.com/SAML/Attributes/

    3. Constant value: the Role ARN and the SAML Provider ARN that is stored in AD. Both ARNs are separated by a comma delimiter, e.g., arn:aws:iam::625143326143:role/Admin,arn:aws:iam::625143326143:saml-provider/idp1

    [Screenshot: samlssotoaws-16]

  6. Create one more attribute, RoleSessionName
    Local Attribute: select the attribute that holds the username (this is what AWS displays), e.g., givenName
    Remote Attribute: RoleSessionName
    Remote NameSpace: https://aws.amazon.com/SAML/Attributes/

  7. [Screenshot: samlssotoaws-17]



  8. Click "OK" and "Finish", then select "Servers"

  9. Navigate to the SAML2 section

  10. Select "New" and then Service Provider

  11. Fill in the values "Name" and "URL", the URL being https://signin.aws.amazon.com/static/saml-metadata.xml

  12. [Screenshot: samlssotoaws-18]

  13. Click "Next" and finish the wizard.

  14. Select the created AWS service provider and navigate to Attributes

  15. Select the attribute set created above, e.g., aws, and move the attributes to the left so that they are sent along with the authentication.

  16. [Screenshot: samlssotoaws-19]

  17. Change the "Authentication Response" binding value to "POST"

  18. [Screenshot: samlssotoaws-20]

  19. Click OK and update the cluster

  20. The health status shows yellow because the AWS metadata carries a self-signed certificate

  21. To get past this, do the following steps at the IDP (the option below turns off the IDP's OCSP/CRL revocation checking for server certificates)

    1. SSH to the IDP

    2. Open /opt/novell/nam/idp/conf/tomcat.conf in vi

    3. Add the following option
      JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"

    4. Save the changes and restart the IDP

  22. Now it is testing time.

    1. Access the IDP-initiated login to AWS at https://<<www.idp.com>>:8443/nidp/saml2/idpsend?PID=urn:amazon:webservices


If you run into issues authenticating the user at NAM, add the contract used for authentication as a step-up method in the Options section of the AWS service provider configuration at NAM.
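As an added example (not NetIQ or AWS code) for steps 5 and 6 of the attribute set above and the ARNs noted in the AWS setup: a Python check that the constant Role value really has the form "<role ARN>,<saml-provider ARN>" (it catches a missing "::" before the account id, a wrong resource type, swapped ARNs and mismatched accounts), and a rendering of the two SAML attributes NAM sends under the https://aws.amazon.com/SAML/Attributes/ namespace. The function names and the sample username "jdoe" are assumptions.

```python
"""Added example (not NetIQ or AWS code): sanity-check the constant 'Role' value
from the NAM attribute set and render the SAML attributes AWS expects to receive."""
import re
from typing import Optional
from xml.sax.saxutils import escape

AWS_NS = "https://aws.amazon.com/SAML/Attributes/"   # Remote NameSpace used in the attribute set
# IAM ARNs have an empty region field, hence the '::' before the 12-digit account id
ARN_RE = re.compile(r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):(?P<resource>.+)$")

def parse_iam_arn(arn: str) -> Optional[dict]:
    """Split an IAM ARN into partition, account and resource; None if it is malformed."""
    m = ARN_RE.match(arn.strip())
    return m.groupdict() if m else None

def check_role_attribute(value: str) -> list:
    """Return the problems found in a Role value ('<role ARN>,<saml-provider ARN>'); [] means OK."""
    parts = value.split(",")
    if len(parts) != 2:
        return [f"expected exactly one comma separating two ARNs, found {len(parts) - 1}"]
    role, provider = (parse_iam_arn(p) for p in parts)
    problems = []
    if role is None:
        problems.append(f"role ARN is malformed: {parts[0]!r} (missing '::' before the account?)")
    elif not role["resource"].startswith("role/"):
        problems.append("first ARN must be an IAM role (resource 'role/<name>')")
    if provider is None:
        problems.append(f"saml-provider ARN is malformed: {parts[1]!r}")
    elif not provider["resource"].startswith("saml-provider/"):
        problems.append("second ARN must be a SAML provider (resource 'saml-provider/<name>')")
    if role and provider and role["account"] != provider["account"]:
        problems.append("role and saml-provider ARNs belong to different accounts")
    return problems

def attribute_statement(role_value: str, session_name: str) -> str:
    """Render the saml:AttributeStatement AWS expects; refuses a Role value that fails the checks."""
    problems = check_role_attribute(role_value)
    if problems:
        raise ValueError("; ".join(problems))
    def attr(name: str, value: str) -> str:
        return (f'  <saml:Attribute Name="{AWS_NS}{name}"><saml:AttributeValue>'
                f'{escape(value)}</saml:AttributeValue></saml:Attribute>')
    return "\n".join([
        '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">',
        attr("Role", role_value),                 # constant attribute from step 5
        attr("RoleSessionName", session_name),    # username attribute from step 6
        "</saml:AttributeStatement>",
    ])
```

Run `check_role_attribute` on the value you typed into the attribute set before updating the cluster; a malformed pair only shows up at AWS as a failed sign-in.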

Please share your comments!!

Last update: 2020-01-31 22:06
Updated by: Micro Focus Contributor
 