SSO Agent - SAML Configuration - Amazon AWS RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Mar 7, 2019. Last modified by RSA Information Design and Development on Mar 11, 2019.

This section contains instructions on how to integrate RSA SecurID Access with Amazon AWS using a SAML SSO Agent.

Architecture Diagram

RSA Cloud Authentication Service

Follow the steps in this section to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Amazon AWS.

Procedure

1. Log on to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Amazon Web Services (AWS) and click +Add to add the connector.

2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

3. Select the IDP-initiated radio button in the Initiate SAML Workflow section.

4. Scroll down to the SAML Identity Provider (Issuer) section and perform the following steps.

  1. Select Override and copy and paste the Identity Provider URL into the override field.
  2. Click the Generate Cert Bundle button to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
  3. Select the first Choose File and upload the RSA SecurID Access private key.
  4. Select the second Choose File and upload the RSA SecurID Access public certificate.

5. Scroll to the Service Provider section and enter https://signin.aws.amazon.com/saml in the Assertion Consumer Service (ACS) URL field.

6. Enter urn:amazon:webservices in the Audience (Service Provider Entity ID) field.

8. Scroll to the User Identity section, select persistent from the Identifier Type dropdown list, select your user identity source, and select mail as the property value.

9. Scroll to the Attribute Extension section and select Identity Source from the Attribute Source pulldown, enter https://aws.amazon.com/SAML/Attributes/RoleSessionName as the attribute name, select the identity source and choose mail from the Property dropdown list.

10. For the second attribute, select Constant as the Attribute Source, enter https://aws.amazon.com/SAML/Attributes/Role as the attribute name, and in the Property field enter two comma-separated values: the ARN of a role that the user can be mapped to, followed by the ARN of the SAML provider. In this example, the value is arn:aws:iam::380329356478:role/blrPE-role1,arn:aws:iam::380329356478:saml-provider/blrPE.

Note: If the values for the Role ARN and Provider ARN are not yet known, enter the placeholder values <RoleARN>,<ProviderARN> in the Property field to continue with the configuration. The actual values are entered after the configuration of Amazon AWS as the SP is complete.

11. Scroll down to the Uncommon Formatting SAML Response Options section. Under Sign Outgoing Assertion, select Assertion within Response.

12. Click the Next Step button.

13. On the User Access page, select the access policy the identity router will use to determine which users can access the AWS service provider from the portal.

14. Click the Next Step button.

15. Configure the portal display settings on the Portal Display page.

16. Enter descriptive text about the application in the Application Tooltip field. The portal will display this text when a user passes the cursor over the application’s icon.

17. Click the Save and Finish button.

18. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.

19. Search for AWS in the list of applications and select Export Metadata from the Edit dropdown list to download an XML file containing your RSA SecurID Access IdP’s metadata. You will need this file when you configure AWS.


Amazon AWS

Follow the steps in this section to configure Amazon AWS as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

1. Log in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/. In the navigation pane, click Identity Providers.

2. Click the Create Provider button in the top right section.

3. Choose SAML as the Provider type.

4. Enter a Provider name of your choice in the Provider Name section. In this example, the Provider name is blrPEbiswaa2.

5. In the Metadata Document section, choose the IdP metadata file downloaded from the IdP (see Step 19 of configuring RSA Cloud Authentication Service).

6. Click the Next Step button in the bottom right corner.

7. Verify your Provider Name and Type.

8. Click the Create button in the bottom right corner.

9. Click the Provider Name you created and copy the Provider ARN, which you will use as one of the values of the https://aws.amazon.com/SAML/Attributes/Role attribute in your IdP settings.

10. Click Roles in the left pane.

11. Click the Create Role button in the top right section.

12. Select SAML 2.0 federation in the Select type of trusted entity section.

13. Select the SAML provider created before from the SAML provider dropdown list under Choose a SAML 2.0 provider section.

14. Select SAML:aud from the Attribute dropdown.

15. Enter https://signin.aws.amazon.com/saml in the Value field.

16. Click the Next: Permissions button at the bottom of the page.

17. In the Attach permissions policies section, select the policy name(s) you want to attach to this role.

18. Click the Next: Tags button at the bottom of the page.

19. On the Add tags (optional) page, click the Next: Review button at the bottom of the page.

20. On the Review page, enter a Role Name of your choice in the Role name field. In this example, blrPE-role1 is used.

21. Review the information shown and click the Create role button at the bottom of the page.

22. Click the Role Name you created and copy the Role ARN, which you will use as one of the values of the https://aws.amazon.com/SAML/Attributes/Role attribute in your IdP settings.
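The Role and RoleSessionName attributes configured in steps 9 and 10 of the IdP section, and the trust relationship the role wizard builds in steps 12 to 15 above, only work together when the provider ARN inside the Role attribute is the one the role trusts. The following checker is an added example, not part of this guide or of the RSA or AWS products; it parses a constructed, unsigned sample assertion (the account ID and names are the guide's example values, user@example.com is made up) and verifies the NameID format, the audience, the two AWS attributes and the ARN pair against a trust policy in the shape the IAM SAML 2.0 federation wizard generates.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Role value is "<role ARN>,<provider ARN>"; both must belong to the same 12-digit account.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample assertion with the elements the guide's IdP settings produce (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user@example.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::380329356478:role/blrPE-role1,arn:aws:iam::380329356478:saml-provider/blrPE</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed trust policy in the shape the IAM "SAML 2.0 federation" role wizard (steps 12-15) generates.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
    "Principal": {"Federated": "arn:aws:iam::380329356478:saml-provider/blrPE"},
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}

def check_assertion(xml_text, trust_policy):
    """Return a list of problems; an empty list means the assertion matches the guide's settings."""
    root, problems = ET.fromstring(xml_text), []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not persistent")
    if "urn:amazon:webservices" not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience is not urn:amazon:webservices")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    if not attrs.get(SESSION_ATTR):
        problems.append("RoleSessionName attribute missing")
    if not attrs.get(ROLE_ATTR):
        problems.append("Role attribute missing")
    # AssumeRoleWithSAML only succeeds if the role's trust policy names the provider in the pair.
    trusted = {s["Principal"].get("Federated") for s in trust_policy["Statement"]}
    for pair in attrs.get(ROLE_ATTR, []):
        role, _, provider = pair.partition(",")  # the guide's order: role ARN first
        r, p = ROLE_ARN.match(role), PROVIDER_ARN.match(provider)
        if not (r and p) or r.group(1) != p.group(1):
            problems.append("malformed Role value: " + pair)
        elif provider not in trusted:
            problems.append("role does not trust provider " + provider)
    return problems
```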


RSA Cloud Authentication Service - Finishing the Configuration

Follow the steps in this section to finish configuring RSA Cloud Authentication Service as an SSO Agent SAML IdP to Amazon AWS.

Note: This section is required only if placeholder values were entered during the initial configuration of RSA Cloud Authentication Service.

Procedure

1. Log on to the RSA Cloud Administration Console and browse to Applications > My Applications, search for the AWS application in the list of applications and click the Edit button.

2. Click on the Connection Profile tab on the left side.

3. Scroll down to the Attribute Extension section and replace the placeholder values for the Role ARN and Provider ARN with the values obtained in step 22 and step 9 of the AWS configuration.

4. Scroll to the top left pane of the page and click the Portal Display tab.

5. Click on the Save and Finish button at the bottom right of the page.

6. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.


Configuration is complete.

Return to the main page for more certification-related information.
