AWS Identity Center (SSO) ClickOps

This guide provides an overview of setting up AWS Identity Center (SSO) with ClickOps, detailing prerequisites and supported external identity providers. It explains how to integrate AWS SSO with providers like Azure AD, JumpCloud, Okta, and Google Workspace, including specific steps for configuring each.

How it Works

AWS Single Sign-On (AWS SSO) is a service that simplifies access management for AWS accounts and applications. It enables users to sign in to AWS once and access multiple AWS accounts and applications without the need to re-enter credentials. To use it with an identity provider (e.g. such as Okta) for AWS SSO, administrators typically need to configure the integration within the AWS Management Console. This involves setting up a new AWS SSO instance, connecting it the IdP, and specifying the users or groups that should have access to AWS resources. AWS SSO provides logging and auditing capabilities, allowing organizations to track user access to AWS resources and monitor security-related events

1. SAML-Based Authentication

   The integration between the IdP and AWS SSO relies on the Security Assertion Markup Language (SAML) for authentication and authorization. SAML enables the exchange of authentication and authorization data between Okta and AWS, allowing users to log in once to Okta and gain access to AWS resources without additional logins.

2. User Provisioning

   AWS SSO can be configured to automatically provision and de-provision user accounts based on changes in the IdP directory. This helps keep user access in sync with changes made in the Okta environment.

3. AWS SSO Permission Sets

   AWS SSO allows administrators to define fine-grained access policies, specifying which AWS accounts and services users from the IdP can access

4. Multi-Factor Authentication (MFA)

   Organizations using Okta for authentication with AWS SSO can enhance security by enforcing multi-factor authentication (MFA) for added identity verification.

Once configured, users can experience single sign-on when accessing AWS resources. They log in to their IdP account and seamlessly gain access to AWS without needing to provide credentials again.

It's important to note that the specifics of the integration process may be subject to updates or changes, so it's recommended to refer to the official AWS documentation and Okta documentation for the most accurate and up-to-date information based on your current date.

Prerequisites

First, enable the AWS IAM Identity Center (successor to AWS Single Sign-On) service in the core-root account. This is the account where the aws-sso component will be deployed.

1. Navigate to the core-root account in the AWS Web Console
2. Select your primary region
3. Go to AWS IAM Identity Center (successor to AWS Single Sign-On)
4. Enable the service

Configure your Identity Provider

These are the instructions for the most common Identity Providers. Alternatives are available, but the steps may vary depending on the provider.

It's important to note that the specifics of the integration process may be subject to updates or changes, so it's recommended to refer to the official AWS documentation and respective IdP documentation for the most accurate and up-to-date information based on your current date.

For providers not included in the following section, please follow the AWS documentation for setting up an IdP integration with AWS. This list includes Azure AD, CyberArk, OneLogin, and Ping Identity.

Okta

Okta is a common business suite that has an active director to manage users and permissions. We can utilize this to login to AWS by leveraging Applications that are used to sign in to things from your Okta Account.

Setup Okta

1. Under the Admin Panel go to Applications
2. Click Browse App Catalog
3. Search for AWS IAM Identity Center and click Add Integration
4. Keep the default settings of App Label ("AWS IAM Identity Center") and Application Visibility
5. Go to Sign On and Copy information from the SAML Metadata section, this will be used in AWS SSO.
6. Then go to Provisioning and click Configure API Integration

Setup AWS SSO

1. Sign into AWS SSO under your management account (core-root)
2. Go to the AWS IAM Identity Center (successor to AWS Single Sign-On) application
3. Enable IAM Identity Center
4. On the left panel click Settings
5. Under Identity Source click edit and add an External identity provider
6. Copy the information from Okta into the fields
7. The Okta App will need to be updated with the Service provider metadata

JumpCloud

JumpCloud is a cloud-based directory service that provides secure, frictionless access to AWS resources. It can be used as an identity provider for AWS (Amazon Web Services) through a feature called AWS Single Sign-On (AWS SSO).

Follow the JumpCloud official documentation for setting up JumpCloud with AWS IAM Identity Center:

Integrate with AWS IAM Identity Center

Integrating JumpCloud with AWS IAM Identity Center

The official AWS documentation for setting up JumpCloud with AWS IAM Identity Center is not accurate. Instead, please refer to the JumpCloud official documentation

Microsoft 365

Microsoft 365 (formerly known as Office 365) can be used as an identity provider for AWS (Amazon Web Services) through a feature called AWS Single Sign-On (AWS SSO).

AWS SSO allows organizations to centralize identity management and provide users with seamless access to AWS resources using their existing Microsoft 365 credentials.

Setup Microsoft 365

1. Under https://aad.portal.azure.com/#allservices/category/All go to Enterprise Applications
   

2. Click New Application

3. Choose the right application, for SSO it’s AWS IAM Identity Center (successor to AWS Single Sign-On)

4. Click Create, default options are fine

5. On the Left Panel Click Single sign-on, then download the XML File by Pressing the Button on step 5 Set up AWS IAM Identity Center (successor to AWS Single Sign-On)

   

   The Metadata file downloaded will need to be given to the CloudPosse team, as it is used in AWS for setting up SSO.

6. Similarly, in Jumpstarts the Cloud Posse Team will give you an XML file from AWS SSO that contains metadata. Upload this by clicking the Upload metadata file button.

   

7. SAVE

Automatic Provisioning

1. Cloud Posse team will provide a URL and secret via 1Password

2. Go to Your App for Single Sign On, on the left Panel go to Provisioning

3. Set the mode to Automatic and Paste the Values provided into the Admin Credentials Section
   

GSuite and Other External IdPs

For non-explicitly supported Identity Providers, such as GSuite, set up the app integration with a custom external identity provider. The steps may be different for each IdP, but the goal is ultimately the same.

aws-ssosync

GSuite does not automatically sync both Users and Groups with AWS Identity Center without additional configuration! If using GSuite as an IdP, considering deploying the ssosync tool.

Please see our aws-ssosync component for details!

1. Open the Identity account in the AWS Console

2. On the Dashboard page of the IAM Identity Center console, select Choose your identity source

3. In the Settings, choose the Identity source tab, select the Actions dropdown in the top right, and then select Change identity source

4. By default, IAM Identity Center uses its own directory as the IdP. To use another IdP, you have to switch to an external identity provider. Select External identity provider from the available identity sources

5. Configure the custom SAML application with the Service provider metadata generated from your IdP. Follow the next steps from your IdP, and then complete this AWS configuration afterwards

6. Open your chosen IdP

7. Create a new SSO application

8. Download the new app's IdP metadata and use this to complete step 5 above

9. Fill in the Service provider details using the data from IAM Identity Center, and then choose Continue. The mapping for the data is as follows:

   For ACS URL, enter the IAM Identity Center Assertion Consumer Service (ACS) URL.
   For Entity ID, enter the IAM Identity Center issuer URL.
   Leave the Start URL field empty.
   For Name ID format, select EMAIL.

10. If required for the IdP, enable the application for all users

11. Finally, define specific Groups to match the given Group names by the aws-sso component (stacks/catalog/aws-sso.yaml). In the default catalog, we define four Groups: DevOps, Developers, BillingAdmin, and Everyone

If set up properly, Users and Groups added to your IdP will automatically populate and update in AWS.

Additional IdP specific setup reference can be found here:

• How to use Google Workspace as an external identity provider for AWS IAM Identity Center