AWS Workspaces - SAML My Page SSO Configuration - RSA Ready Implementation Guide

2 years ago

This article describes how to integrate AWS Workspaces with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure

Enable My Page SSO by accessing the RSA Cloud Administration Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected using two-factor authentication - Password and Access Policy.
On the Applications > Application Catalog page, search for AWS and click Add to add the connection.
On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.
On the Connection Profile page, click the IdP-initiated option.
Provide the Service Provider details in the following format:
1. ACS URL: https://signin.aws.amazon.com/saml
2. Service Provider Entity ID: urn:amazon:webservices
In the SAML Response Protection section, choose IdP signs assertion within response.
Select the Override default signing key and certificate checkbox and click Generate Cert Bundle.
Extract the bundle and upload the Private Key and Certificate from the bundle.
Click Show Advanced Configuration.
Under the User Identity section, configure Identifier Type and Property. For example, Identifier Type: Auto Detect and Property: Auto Detect.
Under the Statement Attributes section, add the following Attributes.
1. Attribute 1:
  1. Attribute Name - https://aws.amazon.com/SAML/Attributes/RoleSessionName
  2. Attribute Source - Identity Source
  3. Property - mail
2. Attribute 2:
  1. Attribute Name - https://aws.amazon.com/SAML/Attributes/Role
  2. Attribute Source - Constant
  3. Property - AWS role arn value,AWS saml-provider arn value
    For example:
    arn:aws:iam::664847341240:role/ aws_ws_role,arn:aws:iam::664847341240:saml-provider/ aws_ws
    Refer to the Configure AWS Workspaces section to obtain the AWS role arn value and AWS saml-provider arn value.
Provide the Default Relay State for this application and click Next Step.
Choose your desired Access Policy for this application and click Next Step > Save and Finish.
On the My Applications page, click the Edit drop-down icon and select Export Metadata to download the metadata.
Click Publish Changes. Your application is now enabled for SSO.

Configure AWS Workspaces

As a prerequisite, create or register a directory for WorkSpaces by using the document - WorkSpaces management console.
Perform these steps to configure AWS Workspaces.
Procedure

Log on to AWS IAM as Root user.
Under Access management, click Identity providers.
Click on Add provider.
Select SAML as Provider type.
Scroll down and provide the following details.
1. Provider name – Provide a name for your configuration.
2. Metadata document – Click Choose file and upload the downloaded metadata.
Scroll down to the bottom of the page and click Add provider.
Click on the provider you configured.
Copy the provider ARN value.
Under the Access management, click Roles.
Click Create role.
Select the Trusted entity type as SAML 2.0 federation.
Perform the following steps and click Next:
1. SAML 2.0-based provider – Select the provider that you configured in the Identity Providers section.
2. Attribute – Select the attribute as SAML:aud.
3. Value – Provide the URL, https://signin.aws.amazon.com/saml which should be the same as the ACS URL that is used to configure RSA.
Provide your desired permissions as required and click Next.
Provide a name for the role and click Create Role.
Click the role that you configured.
Copy the role ARN value.
Combine the Role ARN value followed by ‘,’ with Provider ARN value to use it as Property value in RSA.