SSO Agent - SAML Configuration - Amazon AWS RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Mar 7, 2019. Last modified by RSA Information Design and Development Employee on Nov 27, 2019.

Amazon AWS can integrate with RSA SecurID Access using a SAML SSO Agent. RSA has completed an integration with Amazon Web Services (AWS) that ties AWS Session Tags to the identity context supplied by RSA SecurID Access. This implementation guide covers setting up RSA SecurID Access as a SAML IdP to authenticate users who want to access Amazon AWS.


This section contains instructions on how to integrate RSA SecurID Access with Amazon AWS using a SAML SSO Agent.

Architecture Diagram

RSA Cloud Authentication Service

Follow the steps in this section to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Amazon AWS.

Procedure

1. Log on to the RSA Cloud Administration Console, browse to Applications > Application Catalog, search for Amazon Web Services and click +Add to add the connector.

2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

3. Select the IDP-initiated radio button in the Initiate SAML Workflow section.

4. Scroll down to the SAML Identity Provider (Issuer) section and perform the following steps.

  1. Select Override and copy and paste the Identity Provider URL into the override field.
  2. Click on Generate Cert Bundle button to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
  3. Select the first Choose File and upload the RSA SecurID Access private key.
  4. Select the second Choose File and upload the RSA SecurID Access public certificate.

5. Scroll to the Service Provider section and enter https://signin.aws.amazon.com/saml in the Assertion Consumer Service (ACS) URL field.

6. Enter urn:amazon:webservices in the Audience (Service Provider Entity ID) field.

8. Scroll to the User Identity section, select persistent from the Identifier Type dropdown list, select the name of your user identity source and select mail as the property value.

9. Scroll to the Attribute Extension section and select Identity Source from the Attribute Source pulldown, enter https://aws.amazon.com/SAML/Attributes/RoleSessionName as the attribute name, select the identity source and choose mail from the Property dropdown list.

10. For the second attribute, select Constant as the Attribute Source, enter https://aws.amazon.com/SAML/Attributes/Role as the attribute name and provide its value in Property as two comma-separated values: the ARN of the role the user will be mapped to, followed by the ARN of the SAML provider. In this example, the value is given as arn:aws:iam::380329356478:role/blrPE-role1,arn:aws:iam::380329356478:saml-provider/blrPE.

Note: If the values for the Role ARN and Provider ARN are not yet known, enter the placeholder values <RoleARN>,<ProviderARN> in the Property field to continue with the configuration. The actual values are entered after completing the configuration of Amazon AWS as the SP.

11. (Optional step: required only if AWS session tags are to be used)
RSA SecurID Access supports AWS Session Tags. The session tags are passed along with the RoleSessionName and Role attributes. To enable the RSA Cloud Authentication Service to pass additional attributes as session tags, follow the steps below:

  1. Click on the ADD button in the Attribute Extension section.

  2. For Principal Tags, select Attribute Type as Identity Source. The Attribute Name should be of the form https://aws.amazon.com/SAML/Attributes/PrincipalTag:<name> where <name> is used to identify the Tag and is user defined. Select Property as the Identity Source attribute you want to pass as Principal Tag. As an example, if we want to pass "team" and "project" as Principal Tags, then the Attribute Names should be "https://aws.amazon.com/SAML/Attributes/PrincipalTag:team" and "https://aws.amazon.com/SAML/Attributes/PrincipalTag:project" respectively.

  3. For TransitiveTagKeys, select Attribute Type as Constant. The Attribute Name should be https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys and specify the Property as <name> where <name> is the name defined for the Principal Tag. As an example, if we want to pass "team" as the Transitive Tag Key, then the Property should be "team".

Note: To configure and use session tags properly, the role permissions in AWS also need to be modified according to Step 23 of the Amazon AWS configuration.

Currently only single valued attributes are supported by RSA SecurID Access for both Principal Tags and TransitiveTagKeys.

For more information on Session Tags, refer to the AWS documentation at https://docs.aws.amazon.com. For more information on how to map Identity Source attributes in RSA Cloud Authentication Service, refer to https://community.rsa.com/docs/DOC-54073.
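The attribute set built in Steps 9 to 11 has a few consistency rules that are easy to get wrong (the Role value must be a role ARN and a provider ARN from the same account, and a TransitiveTagKeys value must name a PrincipalTag that is actually sent). The following added example, which is not part of this guide or of RSA's product, checks an attribute map against those rules and renders it as the SAML AttributeStatement the IdP will emit. The ARNs are the ones used in this guide; the mail address and tag values are constructed.

```python
import re
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"
ATTR_TRANSITIVE = "https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w+=.@-]+$")

# Constructed sample of the attribute map produced by Steps 9-11 (guide's ARNs, made-up user/tags).
EXAMPLE_ATTRS = {
    ATTR_SESSION: "alice@example.com",
    ATTR_ROLE: "arn:aws:iam::380329356478:role/blrPE-role1,"
               "arn:aws:iam::380329356478:saml-provider/blrPE",
    TAG_PREFIX + "team": "blue",
    TAG_PREFIX + "project": "migration",
    ATTR_TRANSITIVE: "team",
}

def check_attributes(attrs):
    """Return the configuration problems found in an attribute map (empty if consistent)."""
    problems = []
    if not attrs.get(ATTR_SESSION):
        problems.append("RoleSessionName is missing")
    parts = [p.strip() for p in attrs.get(ATTR_ROLE, "").split(",")]
    if len(parts) != 2:
        problems.append("Role must be '<RoleARN>,<ProviderARN>'")
    else:
        role, prov = ROLE_ARN.match(parts[0]), PROVIDER_ARN.match(parts[1])
        if not (role and prov):
            problems.append("Role is not a role ARN followed by a saml-provider ARN")
        elif role.group(1) != prov.group(1):
            problems.append("role ARN and provider ARN are in different accounts")
    # Only single-valued attributes are supported, so every value must be one string.
    problems += [f"{n} is multi-valued" for n, v in attrs.items() if not isinstance(v, str)]
    tags = {n[len(TAG_PREFIX):] for n in attrs if n.startswith(TAG_PREFIX)}
    transitive = attrs.get(ATTR_TRANSITIVE)
    if transitive and transitive not in tags:  # transitive key must be a PrincipalTag that is sent
        problems.append(f"TransitiveTagKeys names an undefined tag '{transitive}'")
    return problems

def attribute_statement(attrs):
    """Render the map as the saml:AttributeStatement the IdP places in the assertion."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```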


12. Scroll down to the Uncommon Formatting SAML Response Options section. Under Sign Outgoing Assertion, select Assertion within Response.

13. Click the Next Step button.

14. On the User Access page, select the access policy the identity router will use to determine which users can access the AWS service provider from the portal.

15. Click the Next Step button.

16. Configure the portal display settings on the Portal Display page.

17. Enter descriptive text about the application in the Application Tooltip field. The portal will display this text when a user passes the cursor over the application’s icon.

18. Click the Save and Finish button.

19. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.

20. Search for AWS in the list of applications and select Export Metadata from the Edit dropdown list to download an XML file containing your RSA SecurID Access IdP’s metadata. You will need this file when you configure AWS.


Amazon AWS

Follow the steps in this section to configure Amazon AWS as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

1. Log in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/. In the navigation pane, click Identity Providers.

2. Click the Create Provider button in the top right section.

3. Choose SAML as the Provider type.

4. Enter a provider name of your choice in the Provider Name field. In this example, the provider name is given as blrPEbiswaa2.

5. In the Metadata Document section, choose the IdP metadata file downloaded from RSA SecurID Access (see Step 20 of the RSA Cloud Authentication Service configuration).

6. Click the Next Step button in the bottom right corner.

7. Verify your Provider Name and Type.

8. Click the Create button in the bottom right corner.

9. Click the Provider Name you created and copy the Provider ARN; you will use it as one of the two values of the https://aws.amazon.com/SAML/Attributes/Role attribute in your IdP settings.

10. Click on Roles in the left pane.

11. Click on Create Role button in the top right section.

12. Select the SAML 2.0 federation in the Select type of trusted entity section.

13. Select the SAML provider created before from the SAML provider dropdown list under Choose a SAML 2.0 provider section.

14. Select Attribute as SAML:aud from the Attribute dropdown.

15. Enter value as https://signin.aws.amazon.com/saml in the Value field.

16. Click on the Next: Permissions button at the bottom of the page.

17. In the Attach permissions policies section, select the policies you want to attach to this role.

18. Click on the Next: Tags button at the bottom of the page.

19. In the Add tags (optional) page, Click Next: Review button at the bottom of the page.

20. In the Review page, provide a Role Name of your choice in the Role name field. In this example, blrPE-role1 is given.

21. Review the information shown and click on Create role button at the bottom of the page.

22. Click the Role Name you created and copy the Role ARN; you will use it as one of the two values of the https://aws.amazon.com/SAML/Attributes/Role attribute in your IdP settings.

23. (Optional step: required only if AWS Session Tags are to be used)
RSA SecurID Access supports AWS Session Tags. To use Session Tags with this role, the role's trust policy must additionally allow the sts:TagSession action. Follow the steps below to add this permission:

  1. Click on the created Role Name.

  2. Select Trust relationships tab.

  3. Click Edit trust relationship.

  4. In the policy document, add the following in the Statement section (<accountID> refers to your AWS Account ID and <provider-name> is the name of the provider created in Step 4):

    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<accountID>:saml-provider/<provider-name>"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }

  5. Click Update Trust Policy button.

Note: To configure and use session tags properly, the Attribute Extension section of RSA Cloud Authentication Service also needs to be modified according to Step 11 of the RSA Cloud Authentication Service configuration.

Currently only single valued attributes are supported by RSA SecurID Access for both Principal Tags and TransitiveTagKeys.

For more information on Session Tags, refer to the AWS documentation at https://docs.aws.amazon.com.
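Step 23 adds a second statement to the trust policy the console generated in Steps 12 to 21, and both statements should keep the SAML:aud condition so that only assertions addressed to the AWS sign-in endpoint can assume or tag the role. The following added example (not part of this guide or of AWS tooling) appends that sts:TagSession statement to a policy and checks the result for the usual mistakes: a federated principal that is not a SAML provider, a missing SAML:aud condition, or a TagSession grant for a provider that has no matching AssumeRoleWithSAML grant. The base policy is a constructed sample using the guide's <accountID> and <provider-name> placeholders.

```python
import copy

AUD = "https://signin.aws.amazon.com/saml"
# Constructed sample of the trust policy created in Steps 12-21 (guide's placeholders kept).
BASE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::<accountID>:saml-provider/<provider-name>"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AUD}},
    }],
}

def _actions(stmt):
    act = stmt.get("Action", [])
    return {act} if isinstance(act, str) else set(act)

def add_tag_session(policy, provider_arn):
    """Return a copy with the Step 23 sts:TagSession statement appended (idempotent)."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        if "sts:TagSession" in _actions(stmt) and stmt.get("Principal", {}).get("Federated") == provider_arn:
            return new  # this provider already has the grant
    new["Statement"].append({
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:TagSession",
        "Condition": {"StringEquals": {"SAML:aud": AUD}},
    })
    return new

def check_trust_policy(policy):
    """List problems: non-SAML principal, missing SAML:aud, or TagSession without AssumeRoleWithSAML."""
    problems, assumers = [], set()
    stmts = policy.get("Statement", [])
    for i, stmt in enumerate(stmts):
        fed = stmt.get("Principal", {}).get("Federated")
        if fed is None or stmt.get("Effect") != "Allow":
            continue
        if ":saml-provider/" not in fed:
            problems.append(f"statement {i}: principal {fed} is not a SAML provider")
        if stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud") != AUD:
            problems.append(f"statement {i}: missing SAML:aud condition")
        if "sts:AssumeRoleWithSAML" in _actions(stmt):
            assumers.add(fed)
    for i, stmt in enumerate(stmts):
        fed = stmt.get("Principal", {}).get("Federated")
        if "sts:TagSession" in _actions(stmt) and fed not in assumers:
            problems.append(f"statement {i}: sts:TagSession for {fed} without sts:AssumeRoleWithSAML")
    return problems
```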


RSA Cloud Authentication Service - Finishing the Configuration

Follow the steps in this section to finish configuring RSA Cloud Authentication Service as an SSO Agent SAML IdP to Amazon AWS.

Note: This section is required only if placeholder values were entered during the initial configuration of RSA Cloud Authentication Service.

Procedure

1. Log on to the RSA Cloud Administration Console, browse to Applications > My Applications, search for the AWS application in the list of applications and click the Edit button.

2. Click on the Connection Profile tab on the left side.

3. Scroll down to the Attribute Extension section and replace the placeholder values for the Role ARN and Provider ARN with the values obtained in Step 22 and Step 9 of the Amazon AWS configuration.

4. Scroll to the top left pane of the page and click the Portal Display tab.

5. Click on the Save and Finish button at the bottom right of the page.

6. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.


Configuration is complete.

Return to the main page for more certification-related information.
