Configuring SAML for AWS IAM Identity Center


This article describes how to enable OneLogin's Single Sign-on connector using SAML for the AWS IAM Identity Center (successor to AWS SSO).

Prerequisites

  1. Sign in to the OneLogin admin portal. Go to Applications > Applications and click Add App.
    Add Application (screenshot)
  2. Search for and select AWS Single Sign-on.
    Find Applications - AWS Single Sign-on (screenshot)
  3. Customize the app's display information if desired, then click Save.
    New Application - AWS Single Sign-on (screenshot)
  4. In the More Actions menu, download the SAML metadata and store the file in a safe place.
    AWS Single Sign-on - Download SAML metadata (screenshot)
  5. Open your AWS Management Console in a new tab, go to the IAM Identity Center and click Choose your identity source.
    AWS Management Console - IAM Identity Center (screenshot)
  6. Select External identity provider, upload the metadata XML file you previously downloaded from OneLogin, and click Next: Review.
    AWS Management Console - Upload external identity provider (screenshot)
  7. Go to your Settings and click View Details in the Authentication row under Identity source.
    AWS Management Console - Settings - View Authentication Details (screenshot)
  8. Copy the AWS SSO ACS URL and the AWS SSO Issuer URL and paste them in a safe location.
    AWS Management Console - Authentication Details (screenshot)
  9. Return to your settings and click Enable automatic provisioning in the Provisioning row.
    AWS Management Console - Settings - Enable automatic provisioning (screenshot)
  10. Copy the SCIM endpoint and Access token and paste them in your safe location. Remove the trailing / at the end of the URL.
    AWS Management Console - Settings - Provisioning details (screenshot)
  11. Return to the OneLogin tab with your AWS app settings and go to Configuration.
    • Under Application Details, paste the AWS SSO issuer URL and AWS SSO ACS URL values that you copied from Amazon into their respective fields.
    • Under API Connection, paste your SCIM endpoint into the SCIM Base URL field and your Access Token into the SCIM Bearer Token field, then click Enable.
    AWS Single Sign-on - Configuration (screenshot)
  12. Go to Users > Custom Fields and create a New User Field.
    Custom User Fields - New User Field (screenshot)
  13. Set the Name to cost-center and give it a Shortname of your choice.
    Custom User Field - cost-center (screenshot)
  14. Return to Applications, open the AWS app you configured, and go to Parameters. Click + to create a custom parameter for configuring Attribute Based Access Control (ABAC) through session tags.
    AWS Application - Parameters (screenshot)
    User groups can't be automatically fetched from AWS and must be created in OneLogin and pushed to AWS; for more information on provisioning user groups in OneLogin, see Introduction to User Provisioning.
  15. Enter https://aws.amazon.com/SAML/Attributes/AccessControl:cost-center as the Field name, verify that Include in SAML assertion is checked, and click Save.
    AWS Application - New Parameter (screenshot)
  16. In the Value dropdown, we recommend using AWS Session Tags (Custom) so that the value for the session tag can be defined at the user level. Alternatively, you can select Macro and enter the value of the session tag to be passed for all users, effectively defining the session tag value at the app level.
    AWS Application - New Parameter Value (screenshot)
  17. Go to the Provisioning tab, check Enable provisioning, and click Save.
    AWS Application - Provisioning (screenshot)
  18. Assign the application to a user, open it from their OneLogin portal, and verify that AWS successfully grants them access. Your setup is complete.
    OneLogin Portal - AWS SSO (screenshot)
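Several values are copied between the two consoles during this procedure (the OneLogin metadata file, the SCIM endpoint that must lose its trailing slash, and the AccessControl:cost-center attribute name), and mistakes in any of them only show up as a failed login or an empty session tag. The script below is an added example, not OneLogin's or AWS's code. It checks those values offline: it normalizes a SCIM base URL, reads the entityID, SSO endpoints and signing certificate out of an IdP metadata file (what the upload in step 6 consumes), and pulls the AccessControl session tags out of a SAML assertion so you can confirm the cost-center parameter from steps 15 and 16 actually reaches AWS. The metadata, SCIM URL, assertion and certificate text are constructed samples; the function names are hypothetical.

```python
"""Offline checks for a OneLogin -> AWS IAM Identity Center SAML/SCIM setup.

Added example; constructed sample data, not a real tenant.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# AWS maps SAML attributes with this Name prefix to session tags: the part
# after the colon becomes the tag key (here "cost-center").
ACCESS_CONTROL_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"

# Constructed sample of what OneLogin's "download SAML metadata" produces.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.onelogin.com/saml/metadata/example-app-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.onelogin.com/trust/saml2/http-redirect/sso/example"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.onelogin.com/trust/saml2/http-post/sso/example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion fragment carrying two AccessControl attributes
# plus an unrelated one that must be ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:cost-center">
      <saml:AttributeValue>4711</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:department">
      <saml:AttributeValue>security</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample in the shape AWS shows under Provisioning details.
SAMPLE_SCIM_ENDPOINT = "https://scim.us-east-1.amazonaws.com/EXAMPLETENANT/scim/v2/"


def normalize_scim_base_url(url: str) -> str:
    """Return the SCIM Base URL as OneLogin expects it: https and no trailing slash."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"SCIM endpoint must be an https URL, got {url!r}")
    return url.rstrip("/")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints by binding, and signing certs from IdP metadata."""
    # For metadata from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this the IdP file?")
    sso = {
        el.get("Binding", "").rsplit(":", 1)[-1]: el.get("Location")
        for el in idp.findall("md:SingleSignOnService", NS)
    }
    certs = [
        (c.text or "").strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # absent 'use' means both
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def extract_session_tags(assertion_xml: str) -> dict:
    """Return {tag_key: value} for every AccessControl attribute in an assertion."""
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(ACCESS_CONTROL_PREFIX):
            continue
        key = name[len(ACCESS_CONTROL_PREFIX):]
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        # Session tags are single-valued; AWS limits keys to 128 and values to 256 chars.
        if len(values) != 1 or not key or len(key) > 128 or len(values[0]) > 256:
            raise ValueError(f"attribute {name!r} is not a valid session tag")
        tags[key] = values[0]
    return tags


def missing_required_tags(tags: dict, required=("cost-center",)) -> list:
    """List required tag keys that are absent or empty (step 13 expects cost-center)."""
    return [k for k in required if not tags.get(k)]


if __name__ == "__main__":
    print("SCIM Base URL:", normalize_scim_base_url(SAMPLE_SCIM_ENDPOINT))
    print("IdP metadata:", parse_idp_metadata(SAMPLE_IDP_METADATA))
    tags = extract_session_tags(SAMPLE_ASSERTION)
    print("Session tags:", tags, "missing:", missing_required_tags(tags))
```

Run it against the real metadata file and a captured assertion (for example from a browser SAML tracer during the step 18 test) by replacing the sample strings; an empty `missing_required_tags` result means the cost-center value is being emitted, and `parse_idp_metadata` failing on the file means you downloaded the wrong metadata.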