If you have used Amazon Web Services (AWS) then you are likely aware that it supports Single Sign-On (SSO) via SAML and OpenID Connect. In this post, I would like to cover how to configure VMware Identity Manager (vIDM) as a SAML provider with AWS. Read on to learn more!
Prerequisites
Before you begin, you need to ensure you have the following:
- At least IAMFullAccess on AWS
- At least Tenant Admin rights on vIDM
AWS Configuration
First, let’s configure the Identity Provider. This requires three steps:
- Get the idp.xml from vIDM: https://<vidm>/SAAS/API/1.0/GET/metadata/idp.xml
- Configure the Identity Provider in AWS
- Go to: Services > IAM > Identity Providers > Create Provider
- Provider Type: SAML
- Provider Name: <anyNameYouWant> # I would recommend using the vIDM FQDN here
- Metadata Document: Choose the idp.xml file you downloaded in step 1
- Create and associate a role to the Identity Provider in AWS
- Go to: Services > IAM > Roles > Create Role
- Role Name: <anyNameYouWant> # I would recommend using the vIDM FQDN here
- Select Role Type: Role for Identity Provider Access > Grant Web Single Sign-On (WebSSO) access to SAML providers
- SAML provider: Name you created in step 2
- Verify Role Trust: No changes needed, select Next Step. The generated trust policy allows sts:AssumeRoleWithSAML only for the provider you created in step 2, with a condition that the SAML audience is the AWS sign-in endpoint, so leave it as is.
- Attach Policy: Select the permissions policy you want users to get when they sign in via vIDM. Every user entitled to the catalog item lands in this one role, so keep the policy to what those users actually need.
vIDM Configuration
Next, let’s configure the vIDM catalog.
- In vIDM, go to Administrative Console > Catalog > Add Application > …from the cloud application catalog > Amazon Web Services
- Details: No changes needed, but edit as desired
- Configuration > Application Parameters
- roleName: Name used in step 3 above
- identityProviderName: Name used in step 2 above
- awsAccNum: Your 12-digit AWS account ID. The easiest way to get it is from the Provider ARN shown under AWS IAM > Identity Providers > (the provider you created in step 2). The ARN has this format:
arn:aws:iam::<awsAccNum>:saml-provider/<nameInStep2>
- Entitlements: Add group or individual entitlements as desired. For each entitlement you can choose either deploying automatically, meaning the users or groups will see the new catalog item without doing anything, or user-activated, meaning the users or groups would need to manually add the catalog item themselves.
IMPORTANT: If you do not configure entitlements then no one will see the catalog item!
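The values that tie the two sides together (the provider ARN, the role trust, and the three vIDM application parameters) are easy to mistype, and a wrong awsAccNum or roleName only shows up as a failed sign-in. The following Python script is an added example, not part of the original post: it parses a constructed stand-in for idp.xml and checks that it carries a signing certificate and an HTTP-POST sign-on endpoint, builds the same role trust policy the WebSSO wizard generates, derives roleName, identityProviderName and awsAccNum from a provider ARN, and produces the Role attribute value that AWS expects in the SAML assertion. All hostnames, ARNs and the metadata document are constructed placeholders; the SAML:aud audience and the "role-arn,provider-arn" attribute format are AWS's published SAML sign-in requirements.

```python
"""Offline helpers for the vIDM -> AWS SAML setup described above.

Added example, not code from the original post or from VMware/AWS. Every
hostname, ARN and the metadata document below is a constructed placeholder.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the idp.xml downloaded from
# https://<vidm>/SAAS/API/1.0/GET/metadata/idp.xml. The certificate body is
# a placeholder string, not a real key; the URLs are assumptions.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vidm.example.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICplaceholderCertificateBody==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vidm.example.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # AWS console sign-in SP
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")


def parse_idp_metadata(xml_text):
    """Extract entityID, the HTTP-POST SSO URL and signing certs from idp.xml.

    Raises ValueError when no signing certificate is present: AWS validates
    assertion signatures against the keys in this file, so such a file is
    useless as a SAML provider and should be rejected before upload.
    """
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))
    if not certs:
        raise ValueError("metadata has no signing certificate")
    sso_post_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            sso_post_url = svc.get("Location")
    return {"entity_id": root.get("entityID"),
            "sso_post_url": sso_post_url,
            "signing_certs": certs}


def parse_provider_arn(arn):
    """Split a SAML provider ARN into (account id, provider name)."""
    m = PROVIDER_ARN_RE.match(arn)
    if not m:
        raise ValueError("not a SAML provider ARN: %r" % arn)
    return m.group(1), m.group(2)


def trust_policy(provider_arn):
    """Role trust policy equivalent to what the WebSSO wizard generates:
    only this provider may assume the role, and only for the AWS sign-in audience."""
    parse_provider_arn(provider_arn)  # fail early on a malformed ARN
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def vidm_app_parameters(provider_arn, role_name):
    """The three vIDM catalog parameters, derived from the provider ARN."""
    account, provider_name = parse_provider_arn(provider_arn)
    return {"roleName": role_name,
            "identityProviderName": provider_name,
            "awsAccNum": account}


def saml_role_attribute(account, role_name, provider_name):
    """Value AWS expects in https://aws.amazon.com/SAML/Attributes/Role."""
    return "arn:aws:iam::%s:role/%s,arn:aws:iam::%s:saml-provider/%s" % (
        account, role_name, account, provider_name)


if __name__ == "__main__":
    provider_arn = "arn:aws:iam::123456789012:saml-provider/vidm.example.com"
    print(json.dumps(parse_idp_metadata(SAMPLE_IDP_METADATA), indent=2))
    print(json.dumps(trust_policy(provider_arn), indent=2))
    params = vidm_app_parameters(provider_arn, "vidm.example.com")
    print(params)
    print(saml_role_attribute(params["awsAccNum"], params["roleName"],
                              params["identityProviderName"]))
```

Run it against the real idp.xml by replacing SAMPLE_IDP_METADATA with the file contents, and compare the printed trust policy with the one shown on the role's Trust Relationships tab; if awsAccNum or the provider name in the Role attribute differ from what is in AWS, the sign-in will fail even though the catalog item appears.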
© 2016, Steve Flanders. All rights reserved.