Amazon Web Services - SAML IDR SSO Configuration - RSA Ready Implementation Guide
2 years ago
This section describes how to integrate Amazon Web Services (AWS) with RSA Cloud Authentication Service using IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to AWS.
Procedure
  1. Sign into the RSA Cloud Administration Console and navigate to Applications > Application Catalog.
  2. Search for Amazon Web Services and click Add to add the connector.                                                                                                     image.png
  3. On the Basic Information page, choose Identity Router.
  4. Enter the name for the application in the Name field and click Next Step.                                                                                                          image.png
  5. In the Initiate SAML Workflow section, choose IDP-initiated.                                                                                                                       image.png
  6. In the Identity Provider section, perform the following steps:
    1. Choose the Override option, copy the value from the Identity Provider URL field, and enter in the Override field.
    2. Click Generate Cert Bundle to generate and download the zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
    3. Click Choose File and upload the RSA private key.
    4. Click Choose File and upload the RSA public certificate.                                                                                                                  image.png
  7. In the Service Provider section, enter https://signin.aws.amazon.com/saml in the Assertion Consumer Service (ACS) URL field.
  8. Enter urn:amazon:webservices in the Audience (Service Provider Entity ID) field.                                                                                image.png
  9. In the User Identity section:
    1. Select persistent in the Identifier Type list.
    2. Select the name of your user Identity Source.
    3. Select the Property value as mail.                                                                                                                                               image.png
  10. In the Attribute Extension section:
    1. Select Identity Source in the Attribute Source list.
    2. Provide the Attribute Name as https://aws.amazon.com/SAML/Attributes/RoleSessionName.
    3. Select the Identity Source and choose mail from the Property list.
  11. To add a second attribute:
    1. Select Attribute Source as Constant.
    2. Provide the Attribute Name as https://aws.amazon.com/SAML/Attributes/Role.
    3. Provide Property as comma-separated values of the ARN of a role that the user can be mapped to, the ARN of the SAML provider. For example, the value is arn:aws:iam::380329356478:role/blrPE-role1, arn:aws:iam::380329356478:saml-provider/blrPE.                 image.png
  12. (This step is required only if Session Tags by AWS need to be used.)
    RSA supports Session Tags by AWS. The Session Tags can be passed with the RoleSessionName and Role attributes. To enable the RSA Cloud Authentication Service to pass additional attributes as Session Tags, perform the following steps:
    1. In the Attribute Extension section, click ADD.
    2. For Principal Tags, select Attribute Source as Identity Source. The Attribute Name should be of the format https://aws.amazon.com/SAML/Attributes/PrincipalTag:<name> where <name> is used to identify the Tag and is user-defined. Select Property as the Identity Source attribute that you want to pass as Principal Tag. For example, if you want to pass "team" and "project" as Principal Tags, then the Attribute Names should be "https://aws.amazon.com/SAML/Attributes/PrincipalTag:team" and "https://aws.amazon.com/SAML/Attributes/PrincipalTag:project" respectively.
    3. For TransitiveTagKeys, select Attribute Type as Constant. The Attribute Name should be https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys and specify the Property as <name> where <name> is the name defined for the Principal Tag. For example, if you want to pass "team" as the Transitive Tag Key, then the Property should be "team".                                                                                                                                                                                  image.png
  13. Scroll down to the Uncommon Formatting SAML Response Options section. Under Sign Outgoing Assertion, choose Assertion within Response.                                                                                                                                                                                   image.png
  14. Click Next Step.
  15. On the User Access page, select the access policy the identity router will use to determine which users can access the AWS service provider from the portal.                                                                                                                                                                           image.png
  16. Click Next Step.
  17. Configure the portal display settings on the Portal Display page.
  18. Enter descriptive text about the application in the Application Tooltip field. The portal displays this text when a user hovers over the application icon.
  19. Click Save and Finish.                                                                                                                                                                           image.png
  20. In the upper-right corner of the page, click Publish Changes and wait for the operation to be completed.                                               image.png
  21. Search for AWS in the list of applications and select Export Metadata in the Edit list to download an XML file containing your RSA IdP’s metadata. You need this file for configuring AWS.                                                                          image.png
Notes:
  • To configure and use Session Tags properly, the role permissions in AWS need to be modified according to Step 24 of next section.
  • Currently, only single-valued attributes are supported by RSA for both Principal Tags and TransitiveTagKeys.
  • If the values for Role ARN and Provider ARN are not known, enter placeholder values <RoleARN>,<ProviderARN> in the Property field to continue with the configuration. The actual value can be entered after completing the configuration of AWS as the Service Provider.

Configure AWS

Perform these steps to configure AWS.
Procedure
  1. Sign into Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/ and in the navigation pane, click Identity providers.                                                                                                                                                                                               image.png
  2. In the upper-right section, click Create Provider.                                                                                                                                           image.png
  3. Choose Provider Type as SAML.                                                                                                                                                  image.png
  4. In the Provider Name section, enter a name for the Provider. For example, blrPEbiswaa2.
  5. In the Metadata Document section, choose the IDP metadata file that was downloaded from the IDP. (See Step 19 of configuring RSA Cloud Authentication Service).                                                                                                                                                              image.png
  6. In the Metadata Document field, choose the IDP metadata file that was downloaded from the IDP. (See Step 21 of the previous section.)
  7. Click Next Step.
  8. Verify your Provider Name and Type.
  9. Click Create.                                                                                                                                                                                                image.png
  10. Click the created Provider Name and copy Provider ARN which you must use as one of the values of attribute https://aws.amazon.com/SAML/Attributes/Role in your IDP settings.                                                                                                    image.png
  11. In the left pane, click Roles.                                                                                                                                                                                                                                                                                                            image.png
  12. Click Create role.                                                                                                                                                                                     image.png
  13. In the Select type of trusted entity section, click SAML 2.0 federation.                                                                              image.png
  14. Select the SAML provider created before from the SAML provider list under Choose a SAML 2.0 provider section.
  15. In the Attribute list, select SAML:aud.
  16. In the Value field, enter https://signin.aws.amazon.com/saml.                                                                                                         image.png
  17. Click Next: Permissions.
  18. In the Attach permissions policies section, select the Policy Name/s you want to select for this role.                                              image.png
  19. Click Next: Tags.
  20. On the Add tags (optional) page, click Next: Review.
  21. On the Review page, provide a Role name. For example, blrPE-role1.                                                                                            image.png
  22. Review the information and click Create role.                                                                                                                                             image.png
  23. Click the created Role name and copy Role ARN which you must use as one of the values of attribute https://aws.amazon.com/SAML/Attributes/Role in your IDP settings.                                                                                                image.png
  24. (This step is required only if Session Tags by AWS need to be used.)
    RSA supports Session Tags by AWS. To use Session Tags with this role, a new permission sts:TagSession needs to be added to the role. Perform the following steps to add this permission:
    1. Click the created Role name.
    2. Click the Trust relationships tab.
    3. Click Edit trust relationship.
    4. In the policy document, add the following lines in the Statement section (<accountID> refers to your AWS Account ID and <provider-name> is the name of the provider created in Step 4.                                                                                        
      {
 "Effect": "Allow",
 "Principal": {
 "Federated": "arn:aws:iam::<accountID>:saml-provider/<provider-name>"
 },
  "Action": "sts:TagSession",
  "Condition": {
    "StringEquals": {
      "SAML:aud": "https://signin.aws.amazon.com/saml"
    }
  }
}
                                                                                                 image.png
    5. Click Update Trust Policy.
Notes:
  • To configure and use session tags properly, the Attribute Extension section of RSA Cloud Authentication Service needs to be modified according to Step 12 of the previous section.
  • Currently, only single-valued attributes are supported by RSA for both Principal Tags and TransitiveTagKeys.

The configuration is complete.
Return to Amazon Web Services - RSA Ready Implementation Guide.
 
Don't see what you're looking for?