Implementing AWS Control Tower with SAML


OneLogin is an Identity Federation solution that performs Identity and Access Management (IAM) on the AWS cloud. By implementing this solution, you can seamlessly provide appropriate identity safeguards and automation as you scale your AWS Multi-Account environment.

The purpose of this AWS Implementation Guide is to enable every AWS Marketplace customer to activate, deploy and configure OneLogin in their AWS Control Tower environment while taking full advantage of the resources pre-configured by AWS Control Tower as part of the initialization.

Check out this video for a quick overview on OneLogin's integration with AWS Control Tower.

Solution Overview and Features

Cloud user and account setup and access management can quickly get complicated as you build out your AWS environment, but AWS Control Tower provides the easiest path to build a baseline environment based on industry best practices. OneLogin's IAM integrates with AWS IAM to ensure that your organization has the appropriate identity safeguards and automation as you scale your multi-account, multi-role environment.

OneLogin can help scale your AWS infrastructure securely and seamlessly with:

Architecture Diagram

Implementing strong, scalable IAM is a best practice for security and scalability. OneLogin's Trusted Experiences Platform is built to seamlessly manage all digital identities for your workforce and customers from the cloud. With OneLogin's powerful authentication and role-based user provisioning engine, quickly enable SSO across mobile, web and desktop, enforce MFA and security policies like password complexity and IP restriction, and automate user account provisioning across your corporate applications. OneLogin's automated AWS role provisioning enables organizations to streamline the most complicated of user policies and assign least-privileged policies to hundreds or thousands of permissions. OneLogin also enhances AWS's native security capabilities and is commonly used alongside AWS STS, AWS Organizations, AWS Session Tags, AWS Control Tower, AWS IAM, and Amazon EventBridge.

OneLogin integrates with AWS Control Tower in two ways:

In this document, you can find the implementation guidelines for the second scenario where OneLogin and AWS Control Tower are integrated using SAML roles. OneLogin provides a sample CloudFormation Template that is used to set up identity federation with OneLogin, as well as to provide guidance on sample AWS IAM Roles and permissions in the different AWS accounts. After AWS Control Tower creates the various AWS accounts, OneLogin can perform identity federation via AWS IAM Identity Center or directly to the accounts themselves.

AWS CT - OneLogin to AWS (diagram)
In this scenario, OneLogin performs identity federation with IAM Identity Center. An end user would then sign in to the various AWS accounts using IAM Identity Center.

Deployment and Configuration

Connecting OneLogin & AWS Control Tower with SAML

This topic describes how to use SAML to connect OneLogin with AWS Control Tower.

Adding a new Amazon Web Services Application to OneLogin

  1. Log in to OneLogin as an administrator and click Administration in the upper-right corner.
  2. Go to Applications > Applications, then click Add Application.
  3. Search for and select Amazon Web Services (AWS) Multi Account. Click Save.
  4. Go to Configuration, then click Generate Token. Copy the generated value to a separate document for later use. Click Save.
  5. Open the More Actions menu, right-click SAML Metadata, and select Copy Link Address.
    OneLogin admin - SAML Metadata (screenshot)
  6. Keep the OneLogin tab open as you proceed to the next sections.

Deploying OneLogin Within AWS Control Tower

Architecture Overview

OneLogin and AWS Architecture (diagram)
  1. Download the CloudFormation aws-onelogin-integration template, then go to the CloudFormation StackSet console in the Master account and click Create StackSet.
  2. Select Upload a Template File, then choose aws-onelogin-integration.template and click Next.
    AWS CloudFormation StackSets (screenshot) AWS Choose a Template (screenshot)
  3. Choose a name for your StackSet and configure your template parameters.
    AWS Template Parameters (screenshot)
    1. Determine if you require these roles for the Control Tower integration. They're created by default; if you don't want to create them, select false.
    2. Paste the OneLogin Identity Provider Metadata URL you copied from your OneLogin AWS application configuration.
    3. Set the OLExternalId, which is assigned to the role that OneLogin uses to retrieve the role list. This is probably Amazon Web Services (AWS) Multi Account unless you changed its name.
  4. Click Next.
  5. On the Configure StackSet options page, choose Self Service Permissions under the Permission section, then navigate to the IAM Admin Role ARN section and select AWSControlTowerStackSetRole from the IAM Role Name list.
  6. Enter AWSControlTowerExecution for the IAM Execution role name and click on Next.
  7. Specify the Accounts and Region to deploy into - Accounts, Organizational Units (OUs), or a CSV list of valid accounts - and click Next. These are the accounts that you want OneLogin to federate into.
  8. Review and acknowledge the IAM box, then click Submit. It may take a moment for instances to appear.
    AWS IAM Capabilities Confirmation (screenshot)

Completing Your AWS Multi-Account Configuration in OneLogin

Note: A more detailed version of these instructions can be found in Configuring SAML for Amazon Web Services (AWS) with Multiple Accounts and Roles.
  1. Return to your OneLogin tab and set External Role Name to the name of the role you used in aws-onelogin-integration.template for the StackSet. By default, the role's name is OLGetRoles.
  2. Add the List of SAML Identity Providers created by the StackSet. The format is arn:aws:iam::account-id:saml-provider/idp-name.
    • The account-id is the AWS account you selected for identity management.
    • The idp-name is the IdP name you set in aws-onelogin-integration.template for the StackSet (the default is OLIDP).
    OneLogin admin - AWS Configuration (screenshot)
    Note: You can look up your IdP ARN in your AWS account > IAM Console > Identity providers.
  3. Click Enable under API Connection.
    OneLogin admin - Configuration - Enable API Connection (screenshot)
  4. Click Save, then open the More Actions menu and select Reapply entitlement mappings.
  5. Go to Provisioning, select Enable Provisioning, and click Refresh under Entitlements. Click Save.
    OneLogin admin - Provisioning - Refresh entitlements (screenshot)
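The StackSet parameters above (OLExternalId, the IdP metadata URL, the OLGetRoles role) and the SAML provider ARN format arn:aws:iam::account-id:saml-provider/idp-name are the pieces an administrator ends up checking in each federated account. The following is an added example, not the contents of aws-onelogin-integration.template or OneLogin's own code: it builds the provider ARN from its parts, sketches the two trust policies this kind of federation depends on (the role users assume via SAML, and the role OneLogin assumes to list roles), and audits a trust policy for the two conditions that matter most. The policy shapes follow AWS's documented SAML-federation and cross-account ExternalId patterns; `onelogin_account_id` is a placeholder, since the page does not state which principal assumes OLGetRoles.

```python
"""Builders and checks for the IAM pieces behind OneLogin AWS Multi-Account
federation. Added example; the names OLIDP, OLGetRoles and OLExternalId come
from the page, the policy shapes are assumed from AWS's documented patterns."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
NAME_RE = re.compile(r"^[\w+=,.@-]+$")          # IAM role / provider name charset
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_provider_arn(account_id: str, idp_name: str = "OLIDP") -> str:
    """arn:aws:iam::account-id:saml-provider/idp-name, the value pasted into
    OneLogin's 'List of SAML Identity Providers' field."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    if not NAME_RE.match(idp_name):
        raise ValueError(f"invalid IdP name: {idp_name!r}")
    return f"arn:aws:iam::{account_id}:saml-provider/{idp_name}"


def federated_role_trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role end users assume through SAML. Only assertions
    issued by this provider and addressed to the AWS sign-in audience count."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_lister_trust_policy(onelogin_account_id: str, external_id: str) -> dict:
    """Trust policy for the role (OLGetRoles by default) that OneLogin assumes to
    read the account's role list. sts:ExternalId carries OLExternalId, so a third
    party who learns the role ARN cannot have OneLogin assume it on their behalf
    (confused-deputy mitigation). onelogin_account_id is a placeholder."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{onelogin_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_lister_permissions_policy() -> dict:
    """Least privilege for the role lister: enumerating roles is all it needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"}],
    }


def audit_trust_policy(policy: dict) -> list:
    """Findings for a trust policy as returned by `aws iam get-role`.
    An empty list means both expected conditions are present."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        principal = stmt.get("Principal", {})
        if "sts:AssumeRoleWithSAML" in actions and equals.get("SAML:aud") != AWS_SAML_AUDIENCE:
            findings.append("AssumeRoleWithSAML without SAML:aud condition")
        if "sts:AssumeRole" in actions:
            if "sts:ExternalId" not in equals:
                findings.append("cross-account AssumeRole without sts:ExternalId")
            if principal == "*" or principal == {"AWS": "*"}:
                findings.append("AssumeRole trusts every AWS principal")
    return findings


if __name__ == "__main__":
    # Constructed values: a sample member account and a sample external id.
    provider = saml_provider_arn("123456789012", "OLIDP")
    print(json.dumps(federated_role_trust_policy(provider), indent=2))
    print(json.dumps(role_lister_trust_policy("111111111111", "OLExternalId-sample"), indent=2))
```

Run the audit against each federated account's OLGetRoles trust policy after the StackSet finishes; a missing sts:ExternalId condition is the finding to fix first.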

Optional: Mapping OneLogin Roles to AWS Multi-Accounts

  1. Go to Access to assign the OneLogin roles that should have access to the AWS Multi-Account app and select an app security policy. For example, you can attach a policy to the app to require multi-factor authentication or you can navigate to Users > Users to add the app to individual user accounts.
    OneLogin admin - App policies (screenshot)

Creating Rules on OneLogin to Assign to AWS Accounts/Roles

  1. Go to Rules, click Add Rule, give your Rule a name, and Save the Rule.
    OneLogin admin - Rules (screenshot)
  2. Open the More Actions menu and select Reapply Provisioning Mappings.
    OneLogin admin - Reapply Provisioning Mappings (screenshot)
    Note: You must reapply mappings any time you create or update rules. In order for a user's AWS accounts and roles to be included in the SAML assertion when they use OneLogin SSO to log into AWS, they must first have been subject to a provisioning event, like reapplying a provisioning mapping.
  3. Repeat for each group of OneLogin users that requires access to a particular set of AWS account-role pairs.
    Note: If you have already given a user access to your AWS Multi-Account app in OneLogin, you can also assign individual OneLogin users to AWS account-role pairs by selecting the account-role pairs directly on the user's login record for the app.
    1. Go to Users in the AWS Multi-Account App edit page and select the user from the Users list.
    2. Select the roles you want to assign from the Available Values list.
    3. Click the right arrow to add them to the Selected Values list.
    4. Click Save.
  4. Users are now presented with an AWS page that lets them choose from the accounts and roles you’ve given them access to.
    AWS - Choose Accounts/Roles (screenshot)
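The account/role choices AWS presents to the user come straight from the Role attribute of the SAML assertion that OneLogin posts, and a provisioning event is what puts those pairs into the assertion (see the note on reapplying mappings). The following is an added example, not OneLogin's code: it decodes a constructed SAML response and lists the account-role pairs it grants, which is a quick way to confirm that a rule produced exactly the access you intended before users rely on it. The attribute names are AWS's documented SAML attributes; the response body is constructed for illustration and is unsigned, so this reads the grants without validating a signature.

```python
"""Decode the AWS account/role pairs carried in a SAML response.
Added example with a constructed, unsigned sample response; attribute names are
AWS's documented ones, the account ids and role names are made up."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"


class RoleGrant(NamedTuple):
    account_id: str
    role_name: str
    provider_arn: str


# Constructed sample: what an IdP would POST for a user provisioned into two
# account/role pairs, each paired with the OLIDP provider of its own account.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/OLIDP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/OLIDP,arn:aws:iam::222222222222:role/Developer</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_sample() -> str:
    """Base64-encode the sample the way a browser would carry SAMLResponse."""
    return base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def _split_pair(value: str) -> RoleGrant:
    """AWS accepts 'role,provider' or 'provider,role'; identify each by its ARN."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"malformed Role attribute value: {value!r}")
    role_arn = next((p for p in parts if ":role/" in p), None)
    provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
    if role_arn is None or provider_arn is None:
        raise ValueError(f"Role value needs one role ARN and one provider ARN: {value!r}")
    account_id = role_arn.split(":")[4]
    role_name = role_arn.split(":role/", 1)[1]
    return RoleGrant(account_id, role_name, provider_arn)


def parse_role_grants(saml_response_b64: str) -> List[RoleGrant]:
    """Return every account/role pair the assertion grants, in document order."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    grants = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            grants.append(_split_pair(value.text or ""))
    return grants


def session_duration(saml_response_b64: str) -> Optional[int]:
    """SessionDuration in seconds if the IdP sent it, else None."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == SESSION_DURATION_ATTR:
            value = attr.find("saml:AttributeValue", NS)
            return int(value.text) if value is not None and value.text else None
    return None


def choices_by_account(grants: List[RoleGrant]) -> Dict[str, List[str]]:
    """Group role names by account, the shape of the AWS account/role chooser."""
    choices: Dict[str, List[str]] = {}
    for g in grants:
        choices.setdefault(g.account_id, []).append(g.role_name)
    return choices


if __name__ == "__main__":
    b64 = encode_sample()
    for account, roles in choices_by_account(parse_role_grants(b64)).items():
        print(account, roles)
    print("session duration:", session_duration(b64))
```

To run this against a real sign-in, capture the SAMLResponse form field from the browser's developer tools and pass it in place of `encode_sample()`; compare the printed pairs with what the OneLogin rule was meant to grant.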

Supplementary Information


Best Practices

  • Aim for least privileged access to AWS.
  • Think through your AWS IAM roles and permissions.
  • Determine how you want your AWS IAM structure to look for the Control Tower-created accounts and your production AWS accounts.

Partner contact information

For questions, contact partners@onelogin.com.