G-Suite Login with AWS Single Sign-On to Amazon Connect
The most appropriate response to the need to centrally manage users and login details, for AWS as well as for the vast majority of applications that need multi-user authentication, is called Single-sign-on (SSO).
Typically, the SSO mechanism is based on an Identity Provider (a centralized repository of all corporate identities with their attributes — username, password, groups, roles, etc…) and a series of Service Providers (applications where users can log in with their corporate identities) that are federated to the Identity Provider with strong trust relationships that are typically based on shared keys, certificates or tokens. This allows users to use a single user profile (and therefore a single password and a single TFA), which is centrally managed, to log into all the applications that have been enabled for them.
A very widespread trend in businesses is to use the company G Suite — a widely-used service mostly used for its email and collaboration functions — as an Identity Provider. By doing so, you can use SSO on a multitude of applications that already natively support the “login with Google” function, but also on those (as is the case with the AWS console) that support the SAML standard, which G Suite has been providing the service of Identity Provider for around a year.
So let’s see how to configure our AWS and G Suite accounts to make Single-Sign-On work with SAML
Lets configure our AWS Connect first. Assume you already have AWS Connect ready.
Here, you have to note down your REGION Name, Account ID, and resource name. This will be needed in our next steps.
Once we have all these records stored, we gonna create a policy for that AWS Connect Resource. In IAM > Policies > Create policy > JSON and put this, make sure you changed your REGION ID , ACCOUNT ID, RESOURCE ID.
JSON link.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": "connect:GetFederationToken",
"Resource": [
"arn:aws:connect:REGION-ID:ACCOUNET-ID:instance/RESOURCE-ID/user/${aws:userid}"
]
}
]
}and lets give it a name Connect-SSO-Policy.
We are done creating AWS Connect Resource and it’s policy.
Now, lets move on Google G-Suit.
In G Suite Admin panel, search users
Now create a custom attribute class and call it “AWS SAML” and then create the attributes “IAM Role” and “SessionDuration”. It is important for both attributes to be private (that is, not viewable by all users in your organization).
Gsuit SAML Attributes for AWS:
IAM_Role > Text > Multi value > Admin&User
SessionDuration > Whole number > Single Value > Admin&User
With this done, go into the “Apps” section and add a new SAML application, starting with the per-configured template for AWS (Later you have to edit it for AWS Connect End Point). Here we gonna Setup Our Own Custom App
Download (option 2) the IDP Metadata (which is an .xml file that contains some configuration parameters and the X509 certificate that the trust relationship between IdP and SP is based on) and set it aside for a later step.
WARNING!!! The contents of this file should not be released for any reason; the security of the entire solution relies on its remaining confidential!
We continue the configuration by mapping the SAML entity known as “Name ID” on “Primary Email” (that is, the user will be presented to the AWS console with their email address as their unique identifier).
Use these information to connect with your AWS Connect End Point. Make sure you changed Start URL value with according to your resource id and region id that we created in in beginning of the post.
ACS URL *: https://signin.aws.amazon.com/saml
Entity ID *: https://signin.aws.amazon.com/saml
Start URL: https://REGION-ID.console.aws.amazon.com/connect/federate/RESOURCE-ID?destination=%2Fconnect%2Fccp-v2
In the next step, we need to configure three additional mappings following these:
- https://aws.amazon.com/SAML/Attributes/RoleSessionName — Basic Information — Primary Mail
- https://aws.amazon.com/SAML/Attributes/Role — AWS SAML — IAM_Role
- https://aws.amazon.com/SAML/Attributes/SessionDuration — AWS SAML — SessionDuration
At this point, all we have left to do is enable the SAML application that we created, and all users will find a new icon in their quick access menu for Google Apps.
At this point, the configuration of G Suite is finished and we move on to the configuration of AWS.
In AWS Console, We go into the IAM section –> Identity Providers and create a new one.
SAML type, which we will call “G-Suit”; at this point, we will have to upload the IdP metadata that we downloaded earlier (once the file is uploaded at this point, we suggest deleting it from your computer).
Here, you have to store Identity providers ARN .
Then we create a new IAM role , Role -> “ Select type of trusted entity” –> “ SAML 2.0 federation” and associate it with the “G-Suit” Identity Provider we’ve just created.
After clicking Next: Permissions, you will be prompt to attach policy. If you remember, in the beginning of the the post we created a policy called “ Connect-SSO-Policy” search, select and press Next. Set is as“ Connect-SSO-Role”.
Again, we will store this ARN because it would be needed. At this point, the configuration of AWS is finished and we move on to the configuration of G Suite.
Now we turn to the administration of G Suite, to assign individual users permissions according to which roles they can take and on which AWS accounts.
This is the least intuitive part of the configuration: with regard to the roles and accounts that are accessible, AWS expect values like this from Google:
arn:aws:iam::ACCOUNT-ID:saml-provider/G-Suit,arn:aws:iam::ACCOUNT-ID:role/Connect-SSO-RoleAs you can see, these are two ARNs separated by a comma. The first is the ARN of the role that that user can assume, the second is the ARN of the identity provider that we created within the AWS account. (The number 1234567891012 is a placeholder that must be replaced with the actual account number of your AWS account). This value must be entered in the custom field “IAM role” that we created earlier. This allows us to specify which role each user can take on and on which AWS account.
In the custom field “SessionDuration”, you can specify the duration of the login session in seconds for each user. I suggest the value 28800, which corresponds to 8 hours: more or less a typical workday.
We’ll log in with our test account and, by clicking on the corresponding icon, we will magically be directed to the AWS console where, as you can see, we are logged in with our federated account.
To use G Suite user with AWS Connect, you must create same email address in Connect Portal otherwise user can’t connect thought G Suite.
Reference Credit: https://medium.com/faun/single-sign-on-with-g-suite-on-the-amazon-web-services-console-18b88c838cae
