SAML SSO to AWS (Amazon Web Services) with NetIQ Access Manager - Part 1
Many organizations need to do SAML SSO to AWS.
AWS supports identity federation using SAML (Security Assertion Markup Language 2.0), an open standard used by many identity providers. This feature enables federated single sign-on (SSO), which lets users log into the AWS Management Console or make programmatic calls to AWS APIs. Using SAML can simplify the process of configuring federation with AWS, because you can use identity provider software instead of writing code.
AWS STS and IAM support the following use cases:
- Web-based single sign-on (WebSSO) to the AWS Management Console from your organization. Users can sign in to a portal in your organization, select an option to go to AWS, and be redirected to the console without having to provide additional sign-in information. For more information, see Giving AWS Console Access to Federated Users Using SAML.
The solution is divided into two parts.
Part 1 (this post) explains the basic NAM configuration needed to achieve WebSSO to AWS.
Part 2 (coming next) explains how to prepare attribute values such as the Role value dynamically.
Part 1 covers the following steps:
- Configuring AWS
- Configuring NAM Attribute set
- Configuring NAM with AWS as service provider
- Preparing an IDP-initiated login URL to be used from a portal or as a bookmark.
AWS setup Information
- Download the NAM SAML2 metadata from http(s)://<www.idp.com>/nidp/saml2/metadata and save it to a local file named nam-saml2-metadata.xml
- Open AWS console in browser https://console.aws.amazon.com/console/home
- Log in to AWS; it shows the dashboard. If you don't see it, click the orange icon at the top left corner.
- Select Identity & Access Management under "Administration & Security"
- Click on Identity Providers on left menu of newly opened page
- Click the "Create Provider" button; it opens the "Configure Provider" page
- Select SAML from the "Choose a provider type" dropdown menu
- Enter a provider name, e.g., NAM-IDP or idp1
- Click the "Choose File" button and choose the nam-saml2-metadata.xml saved in step 1
- Click Next
- Finish wizard
- The IDP is configured by the above steps; now it is time to create roles
- Click on "Roles" at left menu
- Click on "Create New Role"
- Provide the new role name
- Click Next and select the role type "Role for Identity Provider Access"
- Click "Select" against "Grant Web Single Sign-On (WebSSO) access to SAML providers" and click Next
- Select the SAML provider created in the steps above
- Click "Next Step" and verify the role trust that is shown (the trust policy names your SAML provider ARN as the federated principal that may call sts:AssumeRoleWithSAML), then click "Next Step"
- The "Set Permissions" page shows up
- Select the permissions for the federated user role. In this example flow select "AdministratorAccess" and click "Next Step" (AdministratorAccess is used only to keep the walkthrough short; in production give the federated role the least privilege it actually needs)
- Click "Next Step" again
- Finally the "Review" page shows
- Note down the "Role ARN" and "Trusted Entities", e.g., arn:aws:iam::625143326143:role/Admin and arn:aws:iam::625143326143:saml-provider/idp1 (note the double colon: IAM ARNs have no region field)
- If you miss noting down the above values, you can click on the role later and get these details
NetIQ Access Manager Identity Server setup details
- Download the AWS metadata from https://signin.aws.amazon.com/static/saml-metadata.xml
- Log in to the NAM Admin Console
- Select "Shared Settings" and create an attribute set with the required attributes
- Create two attributes: one with a constant value and one carrying the username
- The constant attribute has the following values:
  - Remote Attribute: "Role"
  - Remote NameSpace: https://aws.amazon.com/SAML/Attributes/
  - Constant value: the Role ARN and the SAML provider ARN, separated by a comma, e.g., arn:aws:iam::625143326143:role/Admin,arn:aws:iam::625143326143:saml-provider/idp1 (Part 2 shows how to take this value from AD instead of a constant)
- Create one more attribute, RoleSessionName:
  - Local Attribute: select the attribute that holds the username (this is what AWS displays for the session), e.g., givenName
  - Remote Attribute: RoleSessionName
  - Remote NameSpace: https://aws.amazon.com/SAML/Attributes/
  - Note: AWS rejects the assertion if RoleSessionName is empty or longer than 64 characters or contains characters outside letters, digits and + = , . @ - _ (it is also what appears in CloudTrail, so an attribute that is unique per user, such as the mail address or user ID, is a better choice than givenName)
- Click "OK" and "Finish", then select "Servers"
- Navigate to the SAML2 section
- Select "New" and then "Service Provider"
- Fill in the "Name" and set "URL" to https://signin.aws.amazon.com/static/saml-metadata.xml
- Click "Next" and finish the wizard
- Select the created AWS service provider and navigate to "Attributes"
- Select the attribute set created above, e.g., aws, and move the attributes to the left so that they are sent with the authentication response
- Change the "Authentication Response" binding to "POST" (AWS accepts only the HTTP-POST binding)
- Click OK and update the cluster
- The health status shows yellow because the AWS metadata is signed with a self-signed certificate
- To get past this, do the following on the IDP:
- SSH to the IDP
- vi /opt/novell/nam/idp/conf/tomcat.conf
- Add the following option
- Save the changes and restart the IDP
- Now it is testing time.
- Access the IDP-initiated login to AWS at https://<www.idp.com>:8443/nidp/saml2/idpsend?PID=urn:amazon:webservices (urn:amazon:webservices is the AWS service provider's entity ID, which is also the Audience the assertion must carry)
If authentication of the user at NAM fails for this service provider, add the contract used for authentication as a step-up method under "Options" in the AWS service provider configuration at NAM.
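When the test above lands on an AWS error page instead of the console, the quickest way to find the cause is to check the assertion NAM actually sent against what the AWS SAML endpoint requires (Audience urn:amazon:webservices, a Role value made of one role ARN and one saml-provider ARN in the same account, and a well-formed RoleSessionName). The checker below is an added example, not code from the original post and not part of NetIQ Access Manager; the sample response it parses is constructed by hand with the ARNs used in this post, and the signature is omitted because only attribute format is being checked here. To use it on real traffic, base64-decode the SAMLResponse form field that the browser POSTs to https://signin.aws.amazon.com/saml and pass the XML to check_aws_assertion. The ARN and session-name patterns encode the formats AWS documents for AssumeRoleWithSAML.

```python
"""Format check for a SAML response destined for AWS (added example, not NAM code)."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AWS_NS = "https://aws.amazon.com/SAML/Attributes/"
AWS_AUDIENCE = "urn:amazon:webservices"
# Formats AWS documents for the RoleSessionName and for IAM role/provider ARNs
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$", re.ASCII)


def parse_role_pair(value):
    """Split 'arn1,arn2' into (role_arn, provider_arn); raise ValueError on any defect."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role must be exactly two comma-separated ARNs: {value!r}")
    kinds = {}
    for arn in parts:
        m = ARN_RE.match(arn)
        if not m:
            raise ValueError(f"malformed IAM ARN: {arn!r}")
        kinds[m.group(2)] = (arn, m.group(1))  # kind -> (arn, account id)
    if set(kinds) != {"role", "saml-provider"}:
        raise ValueError(f"need one role ARN and one saml-provider ARN: {value!r}")
    if kinds["role"][1] != kinds["saml-provider"][1]:
        raise ValueError("role and provider ARNs belong to different accounts")
    return kinds["role"][0], kinds["saml-provider"][0]


def check_aws_assertion(xml_text):
    """Return (ok, roles, problems); roles is a list of (role_arn, provider_arn) pairs."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, [], ["no saml:Assertion found"]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience must be {AWS_AUDIENCE}, got {audiences}")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    roles = []
    for value in attrs.get(AWS_NS + "Role", []):  # one value per role the user may pick
        try:
            roles.append(parse_role_pair(value))
        except ValueError as exc:
            problems.append(str(exc))
    if not roles:
        problems.append("no usable Role attribute value")
    names = attrs.get(AWS_NS + "RoleSessionName", [])
    if len(names) != 1 or not SESSION_NAME_RE.match(names[0]):
        problems.append(f"RoleSessionName must be one value matching {SESSION_NAME_RE.pattern}, got {names}")
    return not problems, roles, problems


# Constructed sample of what NAM should send for the attribute set in this post (unsigned).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://www.idp.com/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::625143326143:role/Admin,arn:aws:iam::625143326143:saml-provider/idp1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with two common mistakes: an ARN missing its "::" and a one-character session name.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    "arn:aws:iam::625143326143:role/Admin", "arn:aws:iam:625143326143:role/MyAdmin"
).replace(">jdoe@example.com<", ">J<")

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        ok, roles, problems = check_aws_assertion(xml_text)
        print(label, "ok" if ok else "rejected", roles, problems)
```

The check deliberately stops at format: it does not verify the XML signature, so it tells you whether the attribute set is configured correctly, not whether AWS will trust the issuer. A response that passes here but is still refused by AWS points at the provider metadata or the role trust policy rather than at the attribute set.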
Please share your comments!!