AWS allows customers to log on to their account with a user name and password, but also via their own SAML Identity Provider. In this blog I will walk you through setting up SAP IAS (Identity Authentication Service) as the IdP for AWS.
The root information sources for this are:
In brief, the process involves several steps:
- SAP: Create an Application (Service Provider) for AWS in SAP IAS
- AWS: Prepare AWS to act as a SAML Service Provider and trust SAP IAS
- AWS: Create a AWS Role that would grant specific access
- SAP: Configure the SAP IAS to send the required metadata to AWS
AWS: Prepare AWS to act as a SAML Service Provider and trust SAP IAS
- In AWS go to your IAM Dashboard (just search for SAML or IAM when you login to the AWS Management Console)
- Navigate to Identity Providers and press [Create Provider]
- Select Provider Type [SAML], and enter some name, e.g. "sapias"
- In your SAP IAS Admin Console, navigate to "Tenant Settings->SAML 2.0 Configuration", open it, and then in the bottom left, press [Download Metadata file]. Store this XML file
- Back in AWS, add this XML in the "Metadata document" box, and press Next
- On the next page, press [Create]
- At least as of 31.Jan.2018, you should get the red text "We encountered the following errors while processing your request: Server error: OK"
- This is OK: press [Cancel] and go back to the "Identity Providers" list. When you refresh it with F5, you will see the new provider
- That is it: AWS now trusts SAP IAS
AWS: Create a AWS Role that would grant specific access
Once AWS receives the SAML assertion, it assigns a role based on the assertion's attributes. Each role in AWS can be bound to specific services and permissions. To create such a role, follow the description here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
Once you create the Role, go to its Summary and open the "Trusted Relationships" panel. The details you will need later (the role ARN and the trusted SAML provider ARN) are in the red rectangles of the screenshot.
SAP: Configure the SAP IAS to send the required metadata to AWS
- Go to your SAP IAS Admin Console and from "Applications & Resources -> Applications", add a new Application. E.g. "aws-console"
- Establish trust from SAP IAS to AWS by downloading this file https://signin.aws.amazon.com/static/saml-metadata.xml (one and the same for all AWS accounts) and importing it in "SAP IAS Admin Console" -> Applications -> <your application> -> Trust -> SAML 2.0 Configuration
- In Trust -> Name ID Attribute -> Select "E-Mail"
- In "Default Name ID Format" -> "E-Mail"
- In "Assertion Attributes", select the attribute that will be used to display the user name in AWS. E.g. if you like to see there the "First Name" - then for "First Name" place the value "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
- In "Default Attributes", add a new attribute: "https://aws.amazon.com/SAML/Attributes/Role", whose value is assembled from the values from the screenshot above in the format <role arn>,<trusted entity>. For example: arn:aws:iam::422576689966:role/AwsFullAdmin,arn:aws:iam::422576689966:saml-provider/hcptesttenatnt
- That is it. To get the link to log in to AWS, go to "SAP IAS Admin Console" -> Tenant Settings. At the bottom, make sure "IDP-Initiated SSO" is enabled. You will see a link like https://<tenant>.accounts.ondemand.com/saml2/idp/sso?sp=[&RelayState=]. For "sp=", use "sp=urn:amazon:webservices" (you can find it in the SAML 2.0 Configuration panel)
Troubleshooting
In case you have issues:
- Install SAML Tracer plugin for Firefox and monitor what exactly is sent
- Install some plugin to clean up cache and cookies easily, and always retry with cookies cleared
- If AWS gives you errors, look them up here https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html
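When SAML Tracer shows you the assertion SAP IAS sent, the things that most often break an AWS login are the two AWS-specific attributes described above: the Role attribute must be exactly "<role arn>,<saml-provider arn>" with both ARNs in the same account, the provider ARN must be the Federated principal in the role's trust relationship, RoleSessionName must be present, and the audience must be "urn:amazon:webservices". The script below is an added example, not code from the original post or from SAP/AWS: it parses a constructed assertion (the kind you would copy out of SAML Tracer) and a constructed trust policy (the kind shown in the "Trusted Relationships" panel) and reports which of those checks fail. The account id 123456789012 and the tenant host are placeholders; "sapias" and "AwsFullAdmin" are the names used earlier in this post.

```python
"""Check a SAML assertion destined for AWS against the target role's trust policy.

Added example (assumptions): the assertion and trust policy below are constructed
samples; replace them with the assertion from SAML Tracer and the JSON from the
role's trust relationship panel.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "urn:amazon:webservices"                  # the sp= value from the post
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed trust policy, shaped like the one AWS generates for a SAML role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/sapias"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Constructed assertion (signature and timestamps omitted; only the parts we check).
GOOD_ASSERTION = """
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml2:Issuer>https://example-tenant.accounts.ondemand.com</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction><saml2:Audience>urn:amazon:webservices</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/AwsFullAdmin,arn:aws:iam::123456789012:saml-provider/sapias</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def parse_assertion(xml_text):
    """Pull NameID, audiences and attributes out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text.strip())
    name_id = root.find("saml2:Subject/saml2:NameID", SAML_NS)
    audiences = [a.text for a in root.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", SAML_NS)]
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml2:AttributeValue", SAML_NS)]
    return {
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "audiences": audiences,
        "attributes": attrs,
    }


def trusted_providers(trust_policy):
    """Federated principals the trust policy allows to call sts:AssumeRoleWithSAML."""
    providers = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in actions:
            fed = stmt.get("Principal", {}).get("Federated", [])
            providers.update([fed] if isinstance(fed, str) else fed)
    return providers


def split_role_value(value):
    """Split '<role arn>,<provider arn>'; return None if the value is malformed."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or ":role/" not in parts[0] or ":saml-provider/" not in parts[1]:
        return None
    return parts[0], parts[1]


def account_of(arn):
    # arn:partition:service:region:account:resource -> field 4 is the account id
    return arn.split(":")[4]


def check_assertion(xml_text, trust_policy):
    """Return a list of human-readable findings; an empty list means AWS should accept it."""
    findings = []
    a = parse_assertion(xml_text)
    if a["name_id_format"] != EMAIL_FORMAT:
        findings.append(f"NameID format is {a['name_id_format']!r}, expected the e-mail format")
    if AWS_AUDIENCE not in a["audiences"]:
        findings.append(f"Audience {a['audiences']} does not include {AWS_AUDIENCE}")
    attrs = a["attributes"]
    if not attrs.get(SESSION_ATTR):
        findings.append("RoleSessionName attribute missing (AWS needs it to name the session)")
    role_values = attrs.get(ROLE_ATTR, [])
    if not role_values:
        findings.append("Role attribute missing")
    trusted = trusted_providers(trust_policy)
    for value in role_values:
        parts = split_role_value(value)
        if parts is None:
            findings.append(f"Role value {value!r} is not '<role arn>,<provider arn>'")
            continue
        role_arn, provider_arn = parts
        if account_of(role_arn) != account_of(provider_arn):
            findings.append(f"Role and provider ARNs are in different accounts: {value!r}")
        if provider_arn not in trusted:
            findings.append(f"{provider_arn} is not a Federated principal in the role's trust policy")
    return findings


if __name__ == "__main__":
    for finding in check_assertion(GOOD_ASSERTION, TRUST_POLICY) or ["assertion looks good"]:
        print(finding)
```

Paste the assertion from SAML Tracer into GOOD_ASSERTION and the JSON from the role's trust relationship into TRUST_POLICY; a mismatch between the saml-provider ARN in the Role attribute and the Federated principal, or a Role value that is not two comma-separated ARNs, is reported before you go hunting through the AWS error page.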