Before you start, generate the key pair and certificate that OpenIAM will use to sign SAML responses for SSO. You will need two files: rsacert.pem (the X.509 certificate, which is uploaded to OpenIAM and published to AWS through the IdP metadata) and rsaprivkey.der (the matching private key).
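The following is an added example (not part of the original guide) showing how to produce the two files with OpenSSL: a 2048-bit RSA key, a self-signed certificate, and the key converted to unencrypted PKCS#8 DER. That OpenIAM expects PKCS#8 DER for rsaprivkey.der is an assumption here, since the guide only names the file; the subject CN, key size and validity period are placeholders. The verify function is the check a practitioner wants before uploading anything: the DER key and the PEM certificate must carry the same public key, otherwise AWS will reject every signed response.

```shell
#!/bin/sh
# Added example: generate the SSO signing key pair for OpenIAM with OpenSSL.
# Assumptions (not stated by the guide): OpenIAM reads the private key as
# unencrypted PKCS#8 DER, and a self-signed certificate is sufficient, because
# AWS only needs the certificate carried in the IdP metadata to verify signatures.
set -eu

# gen_sso_keys OUTDIR CN [DAYS]
# Writes OUTDIR/rsacert.pem and OUTDIR/rsaprivkey.der (plus rsaprivkey.pem).
gen_sso_keys() {
    outdir=$1
    cn=$2
    days=${3:-1095}
    umask 077                      # private key files must not be world-readable
    mkdir -p "$outdir"
    # 1. RSA 2048-bit private key (PEM, PKCS#8)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/rsaprivkey.pem" 2>/dev/null
    # 2. Self-signed certificate; the CN is cosmetic, AWS matches on the key itself
    openssl req -new -x509 -sha256 -days "$days" -subj "/CN=$cn" \
        -key "$outdir/rsaprivkey.pem" -out "$outdir/rsacert.pem"
    # 3. The same key as unencrypted PKCS#8 DER, the file uploaded as "Private Key"
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
        -in "$outdir/rsaprivkey.pem" -out "$outdir/rsaprivkey.der"
}

# verify_sso_keys OUTDIR
# Returns 0 only if rsaprivkey.der and rsacert.pem contain the same public key.
# A mismatched pair is the classic cause of "invalid signature" errors at AWS.
verify_sso_keys() {
    outdir=$1
    pub_from_key=$(openssl pkey -inform DER -in "$outdir/rsaprivkey.der" -pubout)
    pub_from_cert=$(openssl x509 -in "$outdir/rsacert.pem" -noout -pubkey)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# cert_fingerprint OUTDIR
# Prints the SHA-256 fingerprint; compare it with the certificate AWS shows for
# the identity provider after the metadata upload.
cert_fingerprint() {
    openssl x509 -in "$1/rsacert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run it as `gen_sso_keys ./sso-keys aws.openiam && verify_sso_keys ./sso-keys && cert_fingerprint ./sso-keys`. The DER file is unencrypted, so keep it out of version control and delete local copies once it has been uploaded to OpenIAM.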
1. Configuring the OpenIAM side.
1.1 Log in to OpenIAM as an administrator (a user with full access). Open the webconsole application and select "Access Control" → "Authentication Providers" → "Create New Provider".
1.2 Select the type SAML Service Provider.
1.3 Fill in the form:
|Provider Name|AWS Service Provider|
|Linked to Managed System|OPENIAM|
|Sign Response?|yes; upload the rsacert.pem file|
|Sign-in page URL||
|Sign-out page URL|http://<Your OpenIAM UI location>/idp/saml2/idp/logout, for example http://lnx1.openiamdemo.com/idp/saml2/idp/logout|
|SAML Issuer Name|aws.openiam|
|Destination attribute enabled|true|
The http URL above comes from a demo host; in any real deployment the OpenIAM UI, and therefore this URL, should be served over https.
1.4 Save the configuration.
1.5 Open the webconsole again, select "Access Control" → "Authentication Providers" → "Create New Provider", and this time select the SAML IDP Provider type.
1.6 Fill in the form:
|Provider Name|AWS IDP|
|Issuer|aws.openiam (must be identical to the SAML Issuer Name entered on the Service Provider screen in 1.3)|
|Linked to Managed System|OPENIAM|
|Sign Response?|yes; upload rsacert.pem as the Public Key and rsaprivkey.der as the Private Key|
|Assertion Consumer URL|https://signin.aws.amazon.com/saml|
|Name ID Format|urn:oasis:names:tc:SAML:2.0:nameid-format:persistent|
1.7 Save the configuration.
1.8 Wait up to about 5 minutes (usually less) for OpenIAM to refresh its cache, then click the SAML Metadata button at the bottom of the page. You will get an XML document with the OpenIAM IdP metadata. Right-click the XML → Save as... → save the file to your computer. This metadata carries the certificate from rsacert.pem; AWS uses it to verify the signature on every response OpenIAM sends.
1.9 Navigate to Access Control → Role → Create New Role.
1.10 Enter the Role Name "AWS SSO Provider" and the Managed System "OPENIAM". Click Save.
1.11 In the left menu click Role Entitlements → Entitled To Resources → Add Resource. Select Resource Type "Authentication Provider" and click Search. Add both "AWS Service Provider" and "AWS IDP". From now on, every user who should have access to AWS must be entitled to the AWS SSO Provider role in OpenIAM.
2. Configuring the AWS side.
Complete information about the AWS identity provider setup is in the AWS documentation: Creating SAML Identity Providers.
2.1 Sign in to the IAM console at https://console.aws.amazon.com/iam/.
2.2 In the navigation pane, click Identity Providers and then click Create Provider.
2.3 For Provider Type, click Choose a provider type and then click SAML.
2.4 Type a name for the identity provider.
2.5 Upload the metadata file saved in step 1.8. Save the changes. Copy the Provider ARN value into a text file.
2.6 In the navigation pane, click Roles and then click Create new Role.
2.7 Select Role for identity provider access, then select Grant Web Single Sign-On (WebSSO) access to SAML providers.
2.8 As a
2.9 On the Attach Policy page select the required policies. Click Next Step.
2.10 Enter a name and, if required, a description, then create the role.
2.11 In the roles list select the role you just created and copy its Role ARN value into the same text file as the Provider ARN. The two values must be separated by a comma, with no spaces. You should have something like arn:aws:iam::00000000:saml-provider/OpenIAM,arn:aws:iam::00000000:role/OpenIAM (00000000 stands for your 12-digit AWS account ID).
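Steps 2.1 to 2.11 can equally be done from the AWS CLI. The following is an added example, not from the guide or from AWS's documentation: it registers the SAML provider from the metadata saved in 1.8, creates a role with the trust policy that the "Grant Web Single Sign-On (WebSSO) access to SAML providers" wizard generates, attaches a policy, and prints the comma-separated pair needed later for the OpenIAM Role attribute. The provider name, role name, metadata path and managed policy ARN are placeholders (assumptions); the account ID 00000000 is the guide's own placeholder.

```shell
#!/bin/sh
# Added example: create the SAML provider and the WebSSO role with the AWS CLI.
# "OpenIAM" as provider and role name, the metadata path and the attached policy
# are placeholders, not values from the guide.
set -eu

# saml_trust_policy PROVIDER_ARN
# Prints the trust policy for a SAML WebSSO role. Two things limit who can
# assume the role: the Federated principal (only assertions signed by this
# provider's certificate) and the SAML:aud condition (only assertions whose
# Audience is the AWS sign-in endpoint, so an assertion issued for some other
# service provider cannot be replayed against this role).
saml_trust_policy() {
    provider_arn=$1
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "$provider_arn" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
EOF
}

# create_aws_saml_role METADATA_FILE PROVIDER_NAME ROLE_NAME POLICY_ARN
# Needs AWS credentials with IAM write access; prints "<provider ARN>,<role ARN>",
# which is exactly the string the OpenIAM "Role" request attribute expects.
create_aws_saml_role() {
    metadata=$1; provider=$2; role=$3; policy_arn=$4
    provider_arn=$(aws iam create-saml-provider --name "$provider" \
        --saml-metadata-document "file://$metadata" \
        --query 'SAMLProviderArn' --output text)
    tp=$(mktemp)
    saml_trust_policy "$provider_arn" > "$tp"
    role_arn=$(aws iam create-role --role-name "$role" \
        --assume-role-policy-document "file://$tp" \
        --query 'Role.Arn' --output text)
    rm -f "$tp"
    aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
    printf '%s,%s\n' "$provider_arn" "$role_arn"
}
```

Usage: `create_aws_saml_role ./openiam-idp-metadata.xml OpenIAM OpenIAM arn:aws:iam::aws:policy/ReadOnlyAccess`. Attach the least-privileged policy that the federated users actually need; the ReadOnlyAccess policy here is only a placeholder.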
2.12 Go back to OpenIAM, to the IDP provider created in 1.6. In the left menu select "Request Attributes" and:
add an attribute with the name "https://aws.amazon.com/SAML/Attributes/RoleSessionName", type String, Property Type "Property from User", Value "Principal";
add another attribute with the name "https://aws.amazon.com/SAML/Attributes/Role", type String, Property Type "Static Value", Value: the text stored in the text file in step 2.11, for example arn:aws:iam::00000000:saml-provider/OpenIAM,arn:aws:iam::00000000:role/OpenIAM. AWS reads this attribute to decide which role the user assumes, so it must name exactly the provider from 2.5 and the role from 2.10.
3. Test User
3.1 In the webconsole go to User Admin → Create new User.
3.2 Fill in the required fields. As the login, use the user name of an account that exists in your AWS IAM. In the Access Rules section select the AWS SSO Provider role. Save the user and log out of OpenIAM.
3.3 Log in to selfservice as the test user (the default password is Password$51; change it once the test succeeds).
3.4 Navigate to My Applications and click AWS IDP. If everything was configured correctly you will be signed in to the AWS console.
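When step 3.4 fails, the fastest diagnosis is to look at what OpenIAM actually posted to https://signin.aws.amazon.com/saml: the SAMLResponse form field, taken from the browser's network tools, is base64 (and usually URL-encoded on top). The following is an added example, not part of the guide, that decodes such a response, pulls out the two attributes configured in 2.12 and checks them against what AWS requires: the Role value must be one saml-provider ARN and one role ARN from the same account, separated by a comma with no spaces (the guide lists the provider first; this check accepts either order), and RoleSessionName, which AWS only uses to label the federated session, must be 2 to 64 characters from [A-Za-z0-9_+=,.@-]. The embedded assertion is constructed for the example, is unsigned, and uses the guide's 00000000 account placeholder.

```shell
#!/bin/sh
# Added example: inspect the SAML response sent to AWS and validate the two AWS
# attributes. Sample data below is constructed, not a real capture.
set -eu

# Constructed sample of the assertion OpenIAM would emit with the step 2.12
# attributes (namespace prefix "saml2" is an assumption; the parser below
# accepts any prefix). Unsigned, so it proves nothing about trust.
SAMPLE_XML='<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Issuer>aws.openiam</saml2:Issuer><saml2:AttributeStatement><saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml2:AttributeValue>arn:aws:iam::00000000:saml-provider/OpenIAM,arn:aws:iam::00000000:role/OpenIAM</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>'

# decode_saml_response: stdin = raw SAMLResponse field value, stdout = XML on one line.
# Only +, / and = get percent-encoded in base64, so those are all that is undone.
decode_saml_response() {
    sed 's/%2[Bb]/+/g; s/%2[Ff]/\//g; s/%3[Dd]/=/g' | tr -d '\n' | base64 -d | tr -d '\n'
}

# saml_attr NAME: stdin = XML, stdout = the first AttributeValue of attribute NAME
saml_attr() {
    tr -d '\n' | sed -n "s#.*<[A-Za-z0-9]*:*Attribute [^>]*Name=\"$1\"[^>]*>[^<]*<[A-Za-z0-9]*:*AttributeValue[^>]*>\([^<]*\)</[A-Za-z0-9]*:*AttributeValue>.*#\1#p"
}

# check_role_attr VALUE: "<saml-provider ARN>,<role ARN>" (either order), same account, no spaces
check_role_attr() {
    value=$1
    case $value in
        *' '*) echo "Role attribute must not contain spaces: $value" >&2; return 1 ;;
        *,*)   ;;
        *)     echo "Role attribute must be two ARNs separated by a comma: $value" >&2; return 1 ;;
    esac
    first=${value%%,*}
    second=${value#*,}
    case $first,$second in
        arn:aws:iam::*:saml-provider/*,arn:aws:iam::*:role/*) ;;
        arn:aws:iam::*:role/*,arn:aws:iam::*:saml-provider/*) ;;
        *) echo "expected one saml-provider ARN and one role ARN: $value" >&2; return 1 ;;
    esac
    # the account ID is field 5 of an ARN; provider and role must live in the same account
    acct1=$(printf '%s' "$first" | cut -d: -f5)
    acct2=$(printf '%s' "$second" | cut -d: -f5)
    if [ "$acct1" != "$acct2" ]; then
        echo "provider and role are in different accounts: $acct1 vs $acct2" >&2
        return 1
    fi
    return 0
}

# check_session_name VALUE: the constraints STS places on RoleSessionName
check_session_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_+=,.@-]{2,64}$'
}

# check_aws_attrs: stdin = decoded XML; returns 0 when both attributes pass
check_aws_attrs() {
    xml=$(cat)
    role=$(printf '%s' "$xml" | saml_attr "https://aws.amazon.com/SAML/Attributes/Role")
    name=$(printf '%s' "$xml" | saml_attr "https://aws.amazon.com/SAML/Attributes/RoleSessionName")
    check_role_attr "$role" && check_session_name "$name"
}
```

Typical use: paste the captured field into a file and run `decode_saml_response < response.b64 | check_aws_attrs`. The parser is deliberately minimal (one value per attribute, plain sed); it is a troubleshooting aid, not a substitute for signature verification, which AWS performs against the certificate from the metadata.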