Configuring AWS as a Service Provider in Access Manager

  1. Click Devices > Identity Servers > Edit > SAML 2.0 > New > Service Provider.

  2. Specify the following details:

    Provider Type: Select Amazon Web Services.

    By default, the Metadata Text source is selected and Text is pre-filled with the metadata XML.

    Title: Specify a name for the provider and click Next.

    Role ARN: Specify the role ARN. For example, arn:aws:iam::625143326143:role/MyAdmin

    Trusted SAML Provider ARN: Specify the trusted SAML provider ARN. For example, arn:aws:iam::625143326143:saml-provider/idp1

    To fetch ARN values, see Enabling Web Single Sign-On in the AWS Console.

    NOTE: Role ARN and Trusted SAML Provider ARN are used to create the attribute mapping. If multiple roles are configured in AWS, you can enter any one Role ARN while creating the service provider. To modify the attribute set, see Re-Mapping Attribute Sets.

  3. Review the metadata certificates and click Finish.

  4. Click OK, then update Identity Server.

Re-Mapping Attribute Sets

By default, the AWS wizard creates an attribute set with the name AmazonWebServices. This attribute set has the following mappings:

  1. Constant Value: It is created from the Role ARN and the Trusted SAML Provider ARN, and is mapped to Role.

    For example, if the Role ARN is arn:aws:iam::638116851885:role/NewRole and the Trusted SAML Provider ARN is arn:aws:iam::638116851885:saml-provider/NAM-IDP, the constant value is arn:aws:iam::638116851885:role/NewRole,arn:aws:iam::638116851885:saml-provider/NAM-IDP (the two ARNs separated by a comma). This value is mapped to Role.

    NOTE: When multiple roles are configured in AWS, create a virtual attribute that sets the Role ARN dynamically depending on the user, then create the corresponding attribute mapping. For information, see use case 3 in Sample JavaScripts with Examples.

  2. LDAP Attribute: The givenName attribute, mapped to the remote attribute RoleSessionName. You can map any other LDAP attribute instead of givenName.

To map a different LDAP attribute to RoleSessionName, perform the following steps:

  1. Click Devices > Identity Server > Shared Settings > Attribute Sets > AmazonWebServices > Mapping.

    In the attribute list, select the existing LDAP attribute set.

  2. Click Delete.

  3. Click Apply > OK > New.

  4. In Add Attribute Mapping, specify the following details:

    1. Local attribute: Select a local attribute from the available list.

    2. Remote Attribute: Specify RoleSessionName.

    3. Remote nameSpace: Specify http://aws.amazon.com/SAML/Attributes/

  5. Click OK > Finish.

  6. Click Devices > Identity Servers > Edit > SAML 2.0.

  7. Select AWS and click Attributes.

  8. Select the new attribute set from Available and move it to Send with authentication.

  9. Click OK, then update Identity Server.

Re-Importing the Metadata

The AWS metadata has a validity period associated with it. You must re-import the metadata before that period expires. To re-import the metadata, perform the following steps:

  1. Click Devices > Identity Servers > Edit > SAML 2.0.

  2. Under Trusted provider, click AWS service provider.

  3. In Metadata, click Reimport.

  4. Specify the following:

    1. Provider Type: Select General.

    2. Source: Select Metadata text.

    3. Name: The name of the service provider is displayed by default.

    4. Text: Fetch the metadata from https://signin.aws.amazon.com/static/saml-metadata.xml, remove the <KeyDescriptor use="signing"> .... </KeyDescriptor> element, and paste the edited metadata in Text.

  5. Click Next.

  6. Confirm the metadata certificates, then click Finish.

  7. Update Identity Server.
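The following is an added example (not Access Manager or AWS code) that checks the two things the sections above configure: that the Role constant value is a well-formed "role ARN,saml-provider ARN" pair in one account and RoleSessionName is populated, and how many days remain on the metadata's validUntil so the re-import can be scheduled. It assumes the attribute namespace entered in the Remote nameSpace field prefixes both attribute names, and the assertion and metadata inputs are constructed, not captured.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Remote nameSpace as entered in the steps above (assumed to prefix both Role and RoleSessionName)
AWS_NS = "http://aws.amazon.com/SAML/Attributes/"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def check_role_value(value):
    """Check the constant value 'role ARN,saml-provider ARN' mapped to Role; returns (ok, reason)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return False, "expected exactly one comma between the two ARNs"
    role, prov = ROLE_ARN.match(parts[0]), PROVIDER_ARN.match(parts[1])
    if not role or not prov:
        return False, f"malformed ARN pair (note the '::' after 'iam'): {value}"
    if role.group(1) != prov.group(1):
        return False, "role and saml-provider ARNs belong to different AWS accounts"
    return True, "ok"

def check_assertion(xml_text):
    """Return the problems found in the AWS attributes of a SAML assertion (empty list = fine)."""
    attrs = {a.get("Name")[len(AWS_NS):]: [v.text or "" for v in a.iter(f"{{{SAML}}}AttributeValue")]
             for a in ET.fromstring(xml_text).iter(f"{{{SAML}}}Attribute")
             if a.get("Name", "").startswith(AWS_NS)}
    problems = []
    if not any(v.strip() for v in attrs.get("RoleSessionName", [])):
        problems.append("RoleSessionName missing or empty")
    for v in attrs.get("Role") or [""]:
        ok, why = check_role_value(v)
        if not ok:
            problems.append(f"Role: {why}")
    return problems

def metadata_days_left(xml_text, now_utc=None):
    """Days until the metadata's validUntil (negative once expired); now_utc is 'YYYY-MM-DDTHH:MM:SSZ'."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expiry = datetime.strptime(ET.fromstring(xml_text).attrib["validUntil"], fmt)
    now = datetime.strptime(now_utc or datetime.now(timezone.utc).strftime(fmt), fmt)
    return (expiry - now).days

# Constructed inputs: an assertion fragment as the Identity Server would send it, and a metadata stub with only validUntil
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}"><saml:AttributeStatement>
<saml:Attribute Name="{AWS_NS}Role"><saml:AttributeValue>arn:aws:iam::638116851885:role/NewRole,arn:aws:iam::638116851885:saml-provider/NAM-IDP</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="{AWS_NS}RoleSessionName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
SAMPLE_METADATA = '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2030-01-01T00:00:00Z"/>'
```

Run `check_assertion` against a real assertion captured from a test login and `metadata_days_left` against the downloaded saml-metadata.xml to catch a mistyped ARN or an expiring metadata file before users are locked out.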