AWS SSO SAML 2.0 with SimpleSAMLphp

AWS SSO SAML 2.0

AWS supports single sign-on using Security Assertion Markup Language (SAML) 2.0, an open standard supported by many identity providers. With single sign-on (SSO), users can log in to the AWS Management Console without having to enter credentials again and again. One of our clients required AWS SSO with SimpleSAMLphp, and we could not find a tutorial that walked through the whole AWS SSO SAML integration. In this article we demonstrate the steps needed for that integration.

Let's dive into the integration of AWS and SimpleSAMLphp

The integration of AWS and SimpleSAMLphp consists of a few necessary steps that should be followed in order, so let's start with the first one.

1) Create a SAML provider in AWS and set the metadata for SimpleSAMLphp

This is the first step of the integration. Go to your Amazon Web Services console, click on the "Services" menu at the top and then click on the "IAM" link. Now click on the "Identity Providers" link in the left menu. The identity providers window will open.

The next step is to create a new identity provider. Click on the "Create Provider" link at the top. A new window will open, as shown in the screenshot below.

From the "Provider Type" options choose "SAML". After selecting SAML you will get two more options: "Provider Name" and "Metadata document". In "Provider Name" enter any unique name, and in "Metadata document" upload the metadata file of your SimpleSAMLphp IdP. You can get the metadata from the following URL:

http://yoursitedomain.com/simplesaml/saml2/idp/metadata.php?output=xhtml

Copy the data from the textarea, paste it into a text editor and save the file as metadata.xml.

After entering the name and uploading the metadata, click on the "Next Step" button. A verification window appears showing the details you filled in during the previous step. Now click on the "Create" button. You will be redirected to the identity providers page, where you can see your newly created identity provider. Our next step is to create a new role for this identity provider.

2) Create a new role

Click on the "Roles" link in the left menu. A new window will open; click on the "Create New Role" button. A new window will open with the option "Role name". Enter any unique name in the textbox and click on the "Next Step" button.

On clicking "Next Step" a new window will open where you select the role type. Select the option "Role for Identity Provider Access". After selecting it you will get some more options; from those, click the "Select" button of the option "Grant Web Single Sign-On (WebSSO) access to SAML providers", as shown in the screenshot below.

On clicking "Select", a new window will open displaying the identity provider you created and some other information. Verify your identity provider and click on the "Next Step" button.

On clicking "Next Step" a new window opens displaying the policy document of the role. Verify the policy document and click on the "Next Step" button.

On clicking "Next Step" an "Attach Policy" window will appear. From this window attach policies to the role; these policies decide the permissions of the role.

After selecting the policies click on the "Next Step" button. A "Review" window will appear with all the details of your role. Review the details and click on the "Create Role" button.

On clicking "Create Role" you will be redirected to the roles home page, where you will see the newly created role in the list. The next step is to create a new user who will be allowed to log in to the AWS console; this step is very important for AWS SSO SAML.

3) Create a new user

Now we have to create a new user who has permission to log in to the AWS console. To create a new user click on the "Users" link in the right hand side menu. You will be redirected to the users home page. Now click the "Create New User" link. The Create User window opens; enter the username and click on the "Create" button.

On clicking "Create", a new window will open displaying information about the newly created user and offering the option to download the credentials for that user. If you want to download them, click on the "Download Credentials" button; otherwise click on the "Close" button. On clicking "Close" you are redirected to the users home page, where you can see the newly created user in the list. We are now done with the AWS configuration part. In the next step we will download the metadata published by AWS and parse it with the SimpleSAMLphp parsing tool.

4) Register AWS SAML metadata in SimpleSAMLphp

Now we will download the AWS SSO SAML metadata. It can be downloaded from the following link:

https://signin.aws.amazon.com/static/saml-metadata.xml

When you open this link an XML file is displayed. Copy this XML and go to your SimpleSAMLphp parsing tool, which you can open by entering the following URL:

http://yoursitedomain.com/simplesaml/module.php/core/frontpage_federation.php and clicking on the option "XML to simpleSAMLphp metadata converter".

On clicking "XML to simpleSAMLphp metadata converter" a new window will open. Paste the XML you copied into the textarea and click on the "Parse" button. You will then get the parsed metadata. Copy this parsed metadata and paste it into the saml20-sp-remote.php file in the metadata directory of SimpleSAMLphp.

The default path of the saml20-sp-remote.php file is yoursimpleSAMLdirectory/metadata/saml20-sp-remote.php. The next step is to add the AWS filter to the config file.
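The converter above does one job: it reads the SP's EntityDescriptor and turns it into the fields SimpleSAMLphp keeps for a remote SP. The following added example (not code from the original post or from SimpleSAMLphp) does the same extraction in Python so you can see which parts of the AWS metadata matter, and why it is worth checking them before trusting a pasted result. The XML is constructed to mirror the shape of the AWS file; the entityID and the AssertionConsumerService URL are the well-known AWS values, everything else is illustrative.

```python
"""Extract the remote-SP fields SimpleSAMLphp needs from SAML 2.0 SP metadata.

Added example; not part of the original post or of SimpleSAMLphp. The sample
document is constructed to look like AWS's published SP metadata.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: same structure as the AWS SP metadata (entityID and the
# ACS endpoint are the real AWS values; the rest is illustrative).
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:amazon:webservices">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">AWS Management Console Single Sign-On</md:ServiceName>
      <md:RequestedAttribute isRequired="true"
          Name="https://aws.amazon.com/SAML/Attributes/Role"/>
      <md:RequestedAttribute isRequired="true"
          Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return a dict whose keys mirror a saml20-sp-remote.php entry.

    Raises ValueError when the document is not SP metadata, so a pasted
    IdP descriptor or an unrelated XML file is rejected instead of silently
    producing an empty entry.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    acs = []
    for ep in sp.findall("md:AssertionConsumerService", NS):
        acs.append({
            "index": int(ep.get("index", "0")),
            "Binding": ep.get("Binding"),
            "Location": ep.get("Location"),
        })
    if not acs:
        raise ValueError("SP metadata has no AssertionConsumerService")

    requested = [
        r.get("Name")
        for r in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
    ]
    return {
        "entityid": root.get("entityID"),
        "AssertionConsumerService": acs,
        "NameIDFormat": [n.text for n in sp.findall("md:NameIDFormat", NS)],
        # SimpleSAMLphp keeps this as 'saml20.sign.assertion' in the entry.
        "saml20.sign.assertion": sp.get("WantAssertionsSigned") == "true",
        "requested_attributes": requested,
    }


def acs_endpoints_use_tls(entry):
    """All ACS Locations must be https:// so the assertion is never POSTed in clear."""
    return all(e["Location"].startswith("https://")
               for e in entry["AssertionConsumerService"])


if __name__ == "__main__":
    entry = parse_sp_metadata(SAMPLE_SP_METADATA)
    for key, value in entry.items():
        print("%-28s %s" % (key, value))
    print("ACS over TLS:", acs_endpoints_use_tls(entry))
```

The two things to compare against the converter's output are the entityid (it must be exactly urn:amazon:webservices, since the IdP looks the SP up by this value) and the single HTTP-POST AssertionConsumerService at https://signin.aws.amazon.com/saml; if a pasted entry points anywhere else, the assertion would be delivered to the wrong party.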

5) Add the authproc.idp filter to config.php

After adding the AWS metadata to SimpleSAMLphp we have to apply an authentication processing filter for AWS SSO SAML. Copy the code below and add it to the config.php file in the config directory of SimpleSAMLphp.

The default path of config.php is yoursimpleSAMLdirectory/config/config.php

       'authproc.idp' => array(
           10 => array(
               'class' => 'core:AttributeAdd',
               // Role attribute value: "<role ARN>,<SAML provider ARN>", both in the same account.
               // Replace the <...> placeholders with your account number, role name and provider name.
               'https://aws.amazon.com/SAML/Attributes/Role' => array(
                   'arn:aws:iam::<account_number_without_spaces>:role/<role_name>,arn:aws:iam::<account_number_without_spaces>:saml-provider/<saml_provider_name>',
               ),
           ),
           20 => array(
               'class' => 'core:AttributeAdd',
               // core:AttributeAdd adds a literal value, so this sends the string "uid" as the
               // session name; to send the user's own uid attribute, use core:AttributeCopy instead.
               'https://aws.amazon.com/SAML/Attributes/RoleSessionName' => array('uid'),
           ),
       ),

Now we are done with the integration of AWS and SimpleSAMLphp for single sign-on. To test it, go to the link

http://yoursitedomain.com/simplesaml/saml2/idp/SSOService.php?spentityid=urn:amazon:webservices and enter the login details of a user configured in the authsources.php file of SimpleSAMLphp; you should be logged in to the AWS console as that user.
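When the test login fails, the usual cause is not the login itself but the attributes the filter above put into the assertion: a Role value with the two ARNs in different accounts, a missing audience, or a RoleSessionName outside the 2 to 64 character set AWS accepts. The following added example (not code from the original post or from SimpleSAMLphp) checks an assertion for exactly those conditions so they can be caught in the IdP's output before the console rejects it. The assertion XML is constructed by the script; the attribute names and the urn:amazon:webservices audience are the real AWS values, the account numbers and role names are placeholders.

```python
"""Check the AWS-specific attributes of a SAML assertion before trusting it.

Added example; not part of the original post or of SimpleSAMLphp. The
assertion documents are constructed here for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Role/provider ARNs with the 12-digit account captured. Commas are excluded from
# the role name here because the comma separates the two ARNs in the attribute.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# AWS accepts a RoleSessionName of 2-64 characters from this set.
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")


def check_role_value(value):
    """Problems with one Role attribute value ('<role-arn>,<provider-arn>')."""
    parts = value.split(",")
    if len(parts) != 2:
        return ["Role value must be '<role ARN>,<provider ARN>': %r" % value]
    roles = [ROLE_ARN.match(p) for p in parts if ROLE_ARN.match(p)]
    providers = [PROVIDER_ARN.match(p) for p in parts if PROVIDER_ARN.match(p)]
    problems = []
    if len(roles) != 1:
        problems.append("no well-formed role ARN in %r" % value)
    if len(providers) != 1:
        problems.append("no well-formed saml-provider ARN in %r" % value)
    if roles and providers and roles[0].group(1) != providers[0].group(1):
        problems.append("role and provider are in different accounts: %r" % value)
    return problems


def attribute_values(root, name):
    """All AttributeValue texts for the attribute called `name`."""
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") == name:
            values += [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
    return values


def check_aws_assertion(xml_text):
    """Return a list of problems; an empty list means AWS should accept the attributes."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML)]
    if AWS_AUDIENCE not in audiences:
        problems.append("audience %s missing (got %r)" % (AWS_AUDIENCE, audiences))
    roles = attribute_values(root, ROLE_ATTR)
    if not roles:
        problems.append("Role attribute missing")
    for value in roles:
        problems += check_role_value(value)
    sessions = attribute_values(root, SESSION_ATTR)
    if len(sessions) != 1:
        problems.append("RoleSessionName must have exactly one value, got %d" % len(sessions))
    elif not SESSION_NAME.match(sessions[0]):
        problems.append("RoleSessionName %r is not 2-64 chars of [A-Za-z0-9_+=,.@-]" % sessions[0])
    return problems


def build_assertion(role_values, session_name, audience=AWS_AUDIENCE):
    """Constructed, unsigned assertion carrying only the parts this check looks at."""
    role_xml = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % escape(v)
                       for v in role_values)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
        % (escape(audience), ROLE_ATTR, role_xml, SESSION_ATTR, escape(session_name))
    )


# Placeholder account numbers and names, not real AWS resources.
GOOD_ROLE = ("arn:aws:iam::123456789012:role/SimpleSAMLphpUser,"
             "arn:aws:iam::123456789012:saml-provider/SimpleSAMLphp")
MISMATCHED_ROLE = ("arn:aws:iam::123456789012:role/SimpleSAMLphpUser,"
                   "arn:aws:iam::210987654321:saml-provider/SimpleSAMLphp")

if __name__ == "__main__":
    print("good:      ", check_aws_assertion(build_assertion([GOOD_ROLE], "alice")))
    print("mismatched:", check_aws_assertion(build_assertion([MISMATCHED_ROLE], "alice")))
    print("bad name:  ", check_aws_assertion(build_assertion([GOOD_ROLE], "a")))
```

The check only looks at attribute content; it does not replace signature verification, which the AWS side performs against the certificate in the IdP metadata uploaded in step 1. Run it on the assertion SimpleSAMLphp shows in its debug output (or on the decoded SAMLResponse) when a login reaches AWS but is refused.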

Conclusion

Single sign-on is a very handy feature for any organization. With this AWS and SimpleSAMLphp integration, users can log in to AWS without the bother of remembering another password. If you have any questions, feel free to contact us.
