AWS IAM - SAML My Page SSO Configuration - RSA Ready Implementation Guide

2 years ago

This article describes how to integrate AWS IAM with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure

Enable My Page SSO by accessing the RSA Cloud Administration Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected using two-factor authentication - Password and Access Policy.
On the Applications > Application Catalog page, search for AWS and click Add to add the connection.
On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.
On the Connection Profile page, click the IdP-initiated option.
Provide the Service Provider details in the following format:
1. ACS URL: https://signin.aws.amazon.com/saml
2. Service Provider Entity ID: urn:amazon:webservices
In the SAML Response Protection section, choose IdP signs assertion within response.
Select the Override default signing key and certificate checkbox and click Generate Cert Bundle.
Extract the bundle and upload the Private Key and Certificate from the bundle.
Click Show Advanced Configuration.
Under the User Identity section, configure Identifier Type and Property. For example, Identifier Type: persistent and Property: mail.
Under the Statement Attributes section, add the following attributes.
1. Attribute 1
  1. Attribute Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
  2. Attribute Source: Identity Source
  3. Property: mail
2. Attribute 2
  1. Attribute Name: https://aws.amazon.com/SAML/Attributes/Role
  2. Attribute Source: Constant
  3. Property: AWS role arn value,AWS saml-provider arn value
    For example:
    arn:aws:iam::664847341240:role/AWSFinal,arn:aws:iam::664847341240:saml-provider/AWSFinal
    Refer to the Configure AWS IAM section to obtain the AWS role arn value and AWS saml-provider arn value.
Add the Relay State: https://console.aws.amazon.com/iam.
Choose your desired Access Policy for this application and click Next Step > Save and Finish.
On the My Applications page click the Edit drop-down icon and select Export Metadata to download the metadata.
Click Publish Changes. Your application is now enabled for SSO.

Configure AWS IAM

Perform these steps to configure AWS IAM.
Procedure

Log on to AWS IAM as a root user.
Under Access management, select Identity Providers.
Click Add provider.
Select SAML as Provider type.
Scroll down and provide the following details.
1. Provider name: Provide a name for your configuration.
2. Metadata document: Click Choose file and upload the downloaded metadata.
Scroll to the bottom of the page and click Add provider.
Click the provider that you configured.
Copy the provider ARN value.
Under Access management, click Roles.
Click Create role.
Choose the Trusted entity type as SAML 2.0 federation.
Perform the following and click Next:
1. SAML 2.0-based provider: Select the provider you configured in the Identity Providers section.
2. Attribute: Select the attribute as SAML:aud.
3. Value: Provide this URL - https://signin.aws.amazon.com/saml. This should be the same as the ACS URL used for configuring RSA.
Provide your desired permissions as required and click Next.
Provide a name for the role and click Create Role.
Click the role that you configured.
Copy the role ARN value.
Combine the role ARN value followed by ‘,’ with the Provider ARN value to use it as Property value in RSA.