This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Integrations

SSO Agent - SAML Configuration - Amazon AWS RSA Ready SecurID Access Implementation Guide

Amazon AWS can integrate with RSA SecurID Access using SAML SSO Agent. RSA has completed an integration on Amazon Web Services (AWS) that will tie Session Tags with identity context through RSA SecurID Access. This implementation guide covers setting up RSA SecurID Access as a SAML IdP to authenticate users trying to get access to Amazon AWS.

 

This section contains instructions on how to integrate RSA SecurID Access with Amazon AWS using a SAML SSO Agent.

Architecture Diagram

arch-diag-sso-saml_624x403.png

RSA Cloud Authentication Service

Follow the steps in this section to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Amazon AWS.

Procedure

1. Logon to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Amazon Web Services and click +Add to add the connector.

int-conf-sso-agnt-saml-cas-step1_624x70.png

2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

int-conf-sso-agnt-saml-cas-step2_624x328.png

3. Select the IDP-initiated radio button in the Initiate SAML Workflow section.

int-conf-sso-agnt-saml-cas-step3_624x326.png

4. Scroll down to SAML Identity Provider (Issuer) section and perform following steps.

  1. Select Override and copy and paste the Identity Provider URL into the override field.
  2. Click on Generate Cert Bundle button to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
  3. Select the first Choose File and upload the RSA SecurID Access private key.
  4. Select the second Choose File and upload the RSA SecurID Access public certificate.

int-conf-sso-agnt-saml-cas-step4_624x502.png

5. Scroll to the Service Provider section and enter https://signin.aws.amazon.com/saml in the Assertion Consumer Service (ACS) URL field.

6. Enter urn:amazon:webservices in the Audience (Service Provider Entity ID) field.

int-conf-sso-agnt-saml-cas-step6-7_624x176.png

8. Scroll to the User Identity section, select persistent from the Identifier Type dropdown list, select the name of your user identity source and select the property value as mail.

int-conf-sso-agnt-saml-cas-step8_624x185.png

9. Scroll to the Attribute Extension section and select Identity Source from the Attribute Source pulldown, give the attribute name as https://aws.amazon.com/SAML/Attributes/RoleSessionName , select the identity source and choose mail from the Property dropdown list.

10. For second attribute, select Attribute Source as Constant, give the attribute name as https://aws.amazon.com/SAML/Attributes/Role and provide its value in Property as comma separated values of The ARN of a role that the user can be mapped to, The ARN of the SAML provider. In this example, value is given as arn:aws:iam::380329356478:role/blrPE-role1,arn:aws:iam::380329356478:saml-provider/blrPE.

Note:  If the values for Role ARN and Provider ARN are not known, enter placeholder values <RoleARN>,<ProviderARN> in the Property field to continue with the configuration. The actual value will be entered after completing the configuration of Amazon AWS as the SP.

int-conf-sso-agnt-saml-cas-step9-10_624x179.png

11. (Optional Step - This step is required only if session tags by AWS is to be used)
RSA SecurID Access supports Session Tags by AWS . The session tags can be passed along with the RoleSessionName and Role attributes. To enable the RSA Cloud Authentication Service to pass additional attributes as session tags follow the steps below:

  1. Click on the ADD button in the Attribute Extension section.

  2. For Principal Tags, select Attribute Type as Identity Source. The Attribute Name should be of the form https://aws.amazon.com/SAML/Attributes/PrincipalTag:<name> where <name> is used to identify the Tag and is user defined. Select Property as the Identity Source attribute you want to pass as Principal Tag. As an example, if we want to pass "team" and "project" as Principal Tags, then the Attribute Names should be "https://aws.amazon.com/SAML/Attributes/PrincipalTag:team" and "https://aws.amazon.com/SAML/Attributes/PrincipalTag:project" respectively.

  3. For TransitiveTagKeys, select Attribute Type as Constant. The Attribute Name should be https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys and specify the Property as <name> where <name> is the name defined for the Principal Tag. As an example, if we want to pass "team" as the Transitive Tag Key, then the Property should be "team".

int-conf-sso-agnt-saml-cas-step-session-tag-note1_624x302.png

Note:  To configure and use session tags properly, the role permissions in AWS also needs to be modified according to Step 23 of Amazon AWS configurations.

Currently only single valued attributes are supported by RSA SecurID Access for both Principal Tags and TransitiveTagKeys.

For more information on Session Tags kindly refer to AWS documentation at https://docs.aws.amazon.com. For more information on how to map Identity Source attributes in RSA Cloud Authentication Service refer to https://community.rsa.com/docs/DOC-54073.

 

12. Scroll down to the Uncommon Formatting SAML Response Options section. Under Sign Outgoing Assertion, select Assertion within Response.

int-conf-sso-agnt-saml-cas-step11_624x225.png

13. Click the Next Step button.

14. On the User Access page, select the access policy the identity router will use to determine which users can access the AWS service provider from the portal.

int-conf-sso-agnt-saml-cas-step13_624x180.png

15. Click the Next Step button.

16. Configure the portal display settings on the Portal Display page.

17. Enter descriptive text about the application in the Application Tooltip field. The portal will display this text when a user passes the cursor over the application’s icon.

18. Click the Save and Finish button.

int-conf-sso-agnt-saml-cas-step14-15-16-17_624x416.png

19. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.

int-conf-sso-agnt-saml-cas-step18.png

20. Search for AWS in the list of applications and select Export Metadata from the Edit dropdown list to download an XML file containing your RSA SecurID Access IdP’s metadata. You will need this file when you configure AWS.

int-conf-sso-agnt-saml-cas-step19_624x101.png

 

Amazon AWS

Follow the steps in this section to configure Amazon AWS as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

1. Login into Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/. In the navigation pane, click on Identity Providers.

int-conf-sso-agnt-saml-aws-step1.png

2. Click on Create Provider button on the top right section.

int-conf-sso-agnt-saml-aws-step2.png

3. Choose Provider type as SAML.

int-conf-sso-agnt-saml-aws-step3_624x195.png

4. Give Provider name of your choice in Provider Name section. In this example, Provider name is given as blrPEbiswaa2.

5. In Metadata Document section, choose IDP metadata file which we have downloaded from the IDP. (See Step 20 of configuring RSA Cloud Authentication Service).

int-conf-sso-agnt-saml-aws-step4-5_624x230.png

6. Click on Next Step button in bottom right corner.

7. Verify your Provider Name and Type.

int-conf-sso-agnt-saml-aws-step6-7.png

8. Click on Create button in the bottom right corner.

9. Click on your created Provider Name and copy Provider ARN which you have to use as one of the values of attribute https://aws.amazon.com/SAML/Attributes/Role in your IDP settings.

int-conf-sso-agnt-saml-aws-step8-9_624x188.png

10. Click on Roles in the left pane.

int-conf-sso-agnt-saml-aws-step10.png

11. Click on Create Role button in the top right section.

int-conf-sso-agnt-saml-aws-step11.png

12. Select the SAML 2.0 federation in the Select type of trusted entity section.

int-conf-sso-agnt-saml-aws-step12_624x138.png

13. Select the SAML provider created before from the SAML provider dropdown list under Choose a SAML 2.0 provider section.

14. Select Attribute as SAML:aud from the Attribute dropdown.

15. Enter value as https://signin.aws.amazon.com/saml in the Value field.

int-conf-sso-agnt-saml-aws-step13-14-15_624x264.png

16. Click on the Next: Permissions button at the bottom of the page.

17. In the Attach permissions policies Section, select the Policy Name/s you want to select for this role.

int-conf-sso-agnt-saml-aws-step16-17_624x371.png

18. Click on the Next: Tags button at the bottom of the page.

19. In the Add tags (optional) page, Click Next: Review button at the bottom of the page.

20. In the Review page, provide a Role Name of your choice in the Role name field. In this example, blrPE-role1 is given.

int-conf-sso-agnt-saml-aws-step18-19-20_624x171.png

21. Review the information shown and click on Create role button at the bottom of the page.

int-conf-sso-agnt-saml-aws-step21.png

22. Click on your created Role Name and copy Role ARN which you have to use as one of the values of attribute https://aws.amazon.com/SAML/Attributes/Role in your IDP settings.

int-conf-sso-agnt-saml-aws-step22_624x240.png

23. (Optional Step - This step is only required if Session Tags by AWS is to be used)
RSA SecurID Access supports Session Tags by AWS. To be able to use Session Tags with this role, a new permission sts:TagSession needs to be added to the role. Follow the steps below to add this permission:

  1. Click on the created Role Name.

  2. Select Trust relationships tab.

  3. Click Edit trust relationship.

  4. In the policy document, add the following in the Statement section (<accountID> refers to your AWS Account ID and <provider-name> is the name of the provider created in Step 4😞

    {
     "Effect": "Allow",
     "Principal": {
     "Federated": "arn:aws:iam::<accountID>:saml-provider/<provider-name>"
     },
      "Action": "sts:TagSession",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }

    int-conf-sso-agnt-saml-aws-step-session-tag-note1.png

  5. Click Update Trust Policy button.

Note:  To configure and use session tags properly, the Attribute Extension section of RSA Cloud Authentication Service also needs to be modified according to Step 11 of RSA Cloud Authentication Service configurations.

Currently only single valued attributes are supported by RSA SecurID Access for both Principal Tags and TransitiveTagKeys.

For more information on Session Tags kindly refer to AWS documentation at https://docs.aws.amazon.com.

 

RSA Cloud Authentication Service - Finishing the Configuration

Follow the steps in this section to finish configuring RSA Cloud Authentication Service as an SSO Agent SAML IdP to Amazon AWS.

Note:  This section is required only in case placeholder values were left during the initial configuration of RSA Cloud Authentication Service.

Procedure

1. Logon to the RSA Cloud Administration Console and browse to Applications > My Applications, search for the AWS application in the list of applications and click on the Edit button.

int-conf-sso-agnt-saml-cas2-step1_624x162.png

2. Click on the Connection Profile tab on the left side.

int-conf-sso-agnt-saml-aws2-step2.png

3. Scroll down to the Attribute Extension section and replace the placeholder values for Role ARN and Provider ARN with those obtained from step 22 and step 9 of AWS configuration.

int-conf-sso-agnt-saml-aws2-step3_624x186.png

4. Scroll to the top left pane of the page and click the Portal Display tab.

int-conf-sso-agnt-saml-cas2-step4.png

5. Click on the Save and Finish button at the bottom right of the page.

6. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.

int-conf-sso-agnt-saml-cas-step18.png

 

Configuration is complete.

Return to the main page for more certification related information.


Labels (1)
Labels:
0 Likes
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎2019-03-07 01:19 PM
Updated by:
Beginner
Contributors

Related Content

Article Dashboard
© 2023 RSA Security LLC or its affiliates. All rights reserved.