Amazon Web Services and VMware Identity Manager

If you have used Amazon Web Services (AWS) then you are likely aware that it supports Single Sign-On (SSO) via SAML and OpenID Connect. In this post, I would like to cover how to configure VMware Identity Manager (vIDM) as a SAML provider with AWS. Read on to learn more!


Before you begin, you need to ensure you have the following:

  • At least IAMFullAccess on AWS
  • At least Tenant Admin rights on vIDM

AWS Configuration

First, let’s configure the Identity Provider. This requires three steps:

  1. Get the idp.xml from vIDM: https://<vidm>/SAAS/API/1.0/GET/metadata/idp.xml
  2. Configure the Identity Provider in AWS
    • Go to: Services > IAM > Identity Providers > Create Provider
    • Provider Type: SAML
    • Provider Name: <anyNameYouWant> # I would recommend using the vIDM FQDN here
    • Metadata Document: Choose the idp.xml file you downloaded in step 1
  3. Create and associate a role to the Identity Provider in AWS
    • Go to: Services > IAM > Roles > Create Role
    • Role Name: <anyNameYouWant> # I would recommend using the vIDM FQDN here
    • Select Role Type: Role for Identity Provider Access > Grant Web Single Sign-On (WebSSO) access to SAML providers
    • SAML provider: Name you created in step 2
    • Verify Role Trust: No changes, select Next Step
    • Attach Policy: Select the policy you want users to get when they sign in via vIDM. Every user entitled to the catalog item assumes this one role, so scope the policy to what those users actually need rather than attaching an administrator policy

vIDM Configuration

Next, let’s configure the vIDM catalog.

  • In vIDM, go to Administrative Console > Catalog > Add Application > …from the cloud application catalog > Amazon Web Services
  • Details: No changes needed, but edit as desired
  • Configuration > Application Parameters
    • roleName: Name used in step 3 above
    • identityProviderName: Name used in step 2 above
    • awsAccNum: Easiest way to get this is on AWS IAM > Identity Providers > Step 2 name > Provider ARN number. Format is:
  • Entitlements: Add group or individual entitlements as desired. For each you can choose either deploying automatically, meaning the users/groups see the new catalog item without doing anything, or user-activated, meaning the users/groups need to add the catalog item themselves.

IMPORTANT: If you do not configure entitlements then no one will see the catalog item!
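The three Application Parameters above are the pieces AWS expects vIDM to combine into the SAML Role attribute (the role ARN and the SAML provider ARN, comma separated), and the role's trust policy from step 3 is what AWS checks that assertion against. As an added example, not code from the post or from VMware or AWS, the Python below assembles the Role attribute value from roleName, identityProviderName and awsAccNum, recovers the account ID from a provider ARN the way the post suggests, generates a trust policy equivalent to the WebSSO role type, and validates a received attribute value. The account ID and the names are constructed placeholders.

```python
"""Assemble and check the AWS SAML values built from the vIDM parameters
roleName, identityProviderName and awsAccNum.

Added example, not code from the original post. The account ID and names
below are constructed placeholders.
"""
import json
import re

# Constructed values standing in for the names chosen in AWS steps 2 and 3.
AWS_ACCOUNT_ID = "123456789012"          # awsAccNum: always 12 digits
IDP_NAME = "vidm.example.com"            # identityProviderName (AWS step 2)
ROLE_NAME = "vidm.example.com"           # roleName (AWS step 3)
# Fixed audience that AWS puts in the trust policy of a WebSSO SAML role.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# IAM ARN for a role or SAML provider. Comma is left out of the name class so
# a "role,provider" pair can be split unambiguously.
_ARN = r"arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@-]+)"
ARN_RE = re.compile(rf"^{_ARN}$")
PAIR_RE = re.compile(rf"^{_ARN},{_ARN}$")


def saml_provider_arn(account_id: str, idp_name: str) -> str:
    """ARN shown under IAM > Identity Providers; the account ID sits after '::'."""
    return f"arn:aws:iam::{account_id}:saml-provider/{idp_name}"


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def account_id_from_arn(arn: str) -> str:
    """Recover awsAccNum from a provider (or role) ARN."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role/saml-provider ARN: {arn}")
    return m.group(1)


def aws_role_attribute(account_id: str, role_name: str, idp_name: str) -> str:
    """Value of the SAML attribute https://aws.amazon.com/SAML/Attributes/Role
    that AWS requires: role ARN and provider ARN, comma separated."""
    return f"{role_arn(account_id, role_name)},{saml_provider_arn(account_id, idp_name)}"


def parse_role_attribute(value: str) -> tuple:
    """Validate a Role attribute value; return (account_id, role_name, idp_name).

    Both ARNs must be in the same account and be exactly one role plus one
    SAML provider. Either order is accepted."""
    m = PAIR_RE.match(value)
    if not m:
        raise ValueError(f"malformed Role attribute: {value!r}")
    acct1, type1, name1, acct2, type2, name2 = m.groups()
    if acct1 != acct2:
        raise ValueError("role and provider ARNs are in different accounts")
    if {type1, type2} != {"role", "saml-provider"}:
        raise ValueError("need exactly one role ARN and one saml-provider ARN")
    role, idp = (name1, name2) if type1 == "role" else (name2, name1)
    return acct1, role, idp


def is_valid_role_attribute(value: str) -> bool:
    try:
        parse_role_attribute(value)
        return True
    except ValueError:
        return False


def trust_policy(account_id: str, idp_name: str) -> dict:
    """Trust policy equivalent to the 'Grant Web Single Sign-On (WebSSO) access
    to SAML providers' role type: only assertions issued by this provider and
    addressed to the AWS sign-in endpoint may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, idp_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def trust_policy_accepts(policy: dict, role_attribute: str) -> bool:
    """Does the role's trust policy name the provider carried in the assertion?"""
    account_id, _, idp_name = parse_role_attribute(role_attribute)
    wanted = saml_provider_arn(account_id, idp_name)
    return any(
        s.get("Effect") == "Allow"
        and s.get("Action") == "sts:AssumeRoleWithSAML"
        and s.get("Principal", {}).get("Federated") == wanted
        for s in policy["Statement"]
    )


if __name__ == "__main__":
    attr = aws_role_attribute(AWS_ACCOUNT_ID, ROLE_NAME, IDP_NAME)
    policy = trust_policy(AWS_ACCOUNT_ID, IDP_NAME)
    print("Role attribute:", attr)
    print(json.dumps(policy, indent=2))
    print("trusted:", trust_policy_accepts(policy, attr))
```

If a sign-in fails with an "invalid role" style error, comparing the attribute vIDM actually sends (visible in a SAML tracer) against `aws_role_attribute(...)` for your values is the quickest way to spot a typo in roleName, identityProviderName or awsAccNum.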

© 2016, Steve Flanders. All rights reserved.

One comment on “Amazon Web Services and VMware Identity Manager”

We’ve been using the services of AWS and though it may not be a perfect system, our expectations have been surpassed.
