Child pages
  • Configuring SSO to Amazon Web Services (AWS).
Skip to end of metadata
Go to start of metadata

Before start you should generate Keys and Certificates for SSO. You will require 2 files: rsacert.pem and rsaprivkey.der

1. Configuring OpenIAM side.

1.1 Login to OpenIAM as a administrator (user with whole access). Navigate to webconsole application and there select "Access Control" → "Authentication Providers" → "Create New Provider"

1.2 Select type SAML Service Provider

1.3 Fill the form 

Field NameValue
Provider NameAWS Service Provider
Linked to Managed SystemOPENIAM
Sign Response?yes, and upload rsacert.pem file
Sign-in page URL

http://<Your OpenIAM UI location>/idp/saml2/idp/login

for example, http://lnx1.openiamdemo.com/idp/saml2/idp/login

Sign-out page URL

http://<Your OpenIAM UI location>/idp/saml2/idp/logout

for example, http://lnx1.openiamdemo.com/idp/saml2/idp/logout

SAML Issuer Nameaws.openiam
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Destination attribute enabledtrue

1.4 Save configuration. 

1.5 Navigate to webconsole application and there select "Access Control" → "Authentication Providers" → "Create New Provider" again and now select SAML IDP Provider type

1.6 Fill the form

Field NameValue
Provider NameAWS IDP
Application URL

http://lnx1.openiamdemo.com/idp/saml2/sp/login?issuer=aws.openiam

value of Issuer param must be the same as SAML Issuer Name value on Service Provider configuration screen

Linked to Managed SystemOPENIAM
Sign Response?yes. Upload rsacert.pem as a Public Key, and rsaprivkey.der as a Private Key
Request Issueraws.openiam
Response Issueraws.openiam
Assertion Consumer URLhttps://signin.aws.amazon.com/saml
Audienceshttps://signin.aws.amazon.com/saml,urn:amazon:webservices
Metdata ExposedYes
Name ID Formaturn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Sign AssertionYes

1.7 Save configuration. 


1.8 Wait near 5 minutes (usually less) for re-cache changes inside of OpenIAM and click SAML Metadata Button on the bottom! You will got xml with OpenIAM idp metadata. Right click on xml → Save as... → save file to your computer. 

1.9 Navigate to Access Control → Role → Create New Role

1.10 Fill Role Name as AWS SSO Provider and Managed System "OPENIAM". Click Save 


1.11 On Left menu click Role Entitlements → Entitled To Resources → Add Resource. Select Resource Type: "Authentication Provider". Click Search. Add both "AWS Service provider" and "AWS IDP". Now all users that should have access to AWS must be entitled with AWS SSO Provider role in OpenIAM

2 Configuring AWS side.

Complete information about AWS IDP you could get by following link: Creating SAML Identity Providers


2.1 Sign in to the IAM console at https://console.aws.amazon.com/iam/.

2.2 In the navigation pane, click Identity Providers and then click Create Provider.

2.3 For Provider Type, click Choose a provider type and click SAML.

2.4 Type a name for the identity provider.

2.5 Upload metadata file that was save in 1.8. Save changes. Copy Provider ARN value to text file. 

2.6 In the navigation pane, click Roles and then click Create new Role.

2.7 Select Role for identity provider access and after select Grant Web Single Sign-On (WebSSO) access to SAML providers

2.8 As a 

2.9 On Attach Policy page select required policies. Click Next Step


2.10 Fill the name and description if required. and Create a role.

2.11 On a roles list page select just created role. and copy Role ARN value to the same text file where you have Provider ARN. value sshould be separated by comma. You shoud have something like arn:aws:iam::00000000:saml-provider/OpenIAM,arn:aws:iam::00000000:role/OpenIAM

2.12. Go back to OpenIAM to created IDP provider.  On left menu select "Request Attributes". 

add attribute with name "https://aws.amazon.com/SAML/Attributes/RoleSessionName", type: String,  Property Type: Property from User, Value: Principal

add another attribute with name "https://aws.amazon.com/SAML/Attributes/Role", type: String,  Property Type: Static Value, Value: text that you are storing in text file  2.11. For example, arn:aws:iam::00000000:saml-provider/OpenIAM,arn:aws:iam::00000000:role/OpenIAM



3 Test User

3.1 Go to webconsole User Admin → Create new User

3.2 Fill the form with required fields. as a login select User name of account that exist in your AWS IAM. Select AWS SSO Provider role in Access Rules section. Save the user. Logout from OpenIAM.

3.3  Login with Test User. (default password is Password$51) to selfservice.

3.4 Navigate to My Applications. and Click AWS IDP. If you did all correct you will be signed in to AWS console.


  • No labels