Tutorial: How to Configure SAML with AWS
How to set up SAML with AWS on Access Server. A step-by-step guide for configuration of SAML on Access Server with AWS.
Overview
Access Server 2.11 and newer supports authentication using SAML with AWS as the identity provider. You can configure this in AWS with Access Server as your service provider using AWS IAM Identity Center.
The following steps walk you through enabling SAML authentication for users and groups from AWS to Access Server.
You need the following to get started:
A deployed Access Server.
Important
We recommend using all lowercase usernames when signing in with SAML.
With AWS, you must create a custom SAML application.
Now that you have your SP information, you can create a new AWS SAML app and enter that information during app creation:
Sign into your AWS portal and open the IAM Identity Center console.
Under Application assignments, click Applications.
Click Add Application.
Under Custom application, click Add custom SAML 2.0 application, and click Next.
Under Display name, enter the name of your SAML custom app and an optional Description.
Under Application properties and Application metadata, use the SP information from Access Server to fill in the following AWS app fields:
Application ACS URL: Enter the Access Server SP ACS.
Application SAML audience: Enter the Access Server SP Identity.
Relay state - (optional): Enter ‘cws’ for the Client Web UI or ‘profile’ to provide users with a downloadable profile. (See “How to set up IdP-initiated flow” below for more details.)
Click Submit.
Click Assign Users.
Select your users and click Assign Users.
Important
In our testing, the AWS SAML IdP produces SAML assertions that violate the SAML XML Schema Definition when no SAML attribute, or only one, is configured. We therefore recommend configuring two SAML attributes until Amazon fixes this problem.
With the AWS SAML app, configure attribute mappings:
Under Applications, click your SAML custom app.
Under the Actions tab, click edit attribute mappings.
Under Maps to this string value or user attribute in IAM Identity Center, enter ${user:AttributeName} and map at least two attributes. For example, to use your AWS IAM username as the SAML username, enter ${user:subject}; to use your AWS IAM email address instead, enter ${user:email}.
Click Add new attribute mapping.
Under User attribute in the application, enter name.
Under Maps to this string value or user attribute in IAM Identity Center, enter email.
Click Save changes.
Option 1: Download the AWS metadata file for automatic configuration
Under Applications, click your SAML custom app.
Under the Actions tab, click edit configuration.
Under IAM Identity Center SAML metadata file, click Download.
Option 2: Copy the AWS SAML data for manual configuration
Under Applications, click your SAML custom app.
Under the Actions tab, click edit configuration.
Copy the content in IAM Identity Center sign-in URL, and IAM Identity Center SAML issuer URL.
Click Identity Center Certificate to download the certificate in PEM format.
The simplest way to set up AWS SAML for Access Server is by providing the metadata XML file (option 1), but you can also manually configure it (option 2).
Option 1: Upload the AWS metadata file in the Admin Web UI
Provide the downloaded metadata XML file to your Access Server through the Admin Web UI to automatically configure SAML:
Sign into your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.
Click Choose File for Select IdP Metadata File.
Select your AWS metadata XML file, click Upload, and click Update Running Server.
The IdP fields are now populated under Configure Identity Provider (IdP) Manually.
Option 2: Manually configure AWS SAML
Sign into your Access Server Admin Web UI.
Click Authentication > SAML.
Click Configure Identity Provider (IdP) Manually to expand the section.
Paste the following values from AWS into the Access Server fields:
Paste the AWS IAM Identity Center sign-in URL into Access Server’s Sign On Endpoint.
Paste the AWS IAM Identity Center SAML issuer URL into Access Server’s IdP EntityId.
Paste the AWS Identity Center Certificate into Access Server’s Certificate (PEM format).
The IdP fields are saved.
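As an added example (not Access Server's or AWS's code) of what option 1 does for you: this Python script reads out of an IdP metadata file the same three values that option 2 has you copy by hand (the sign-in URL, the SAML issuer/entityID and the signing certificate), so you can cross-check an uploaded metadata file against the manual fields. The metadata document, its URLs and the certificate body are constructed placeholders, not real AWS values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like an IAM Identity Center metadata file; URLs and certificate are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.sso.example-region.amazonaws.com/saml/assertion/PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBPLACEHOLDERCERTBASE64==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.sso.example-region.amazonaws.com/saml/PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def idp_fields_from_metadata(xml_text: str) -> dict:
    """Return the three manual Access Server IdP fields read from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")          # -> IdP EntityId (SAML issuer URL)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None or not entity_id:
        raise ValueError("metadata has no IdP descriptor or entityID")
    # Prefer the HTTP-Redirect endpoint, otherwise take the first one listed.
    sso = idp.findall("md:SingleSignOnService", NS)
    chosen = next((s for s in sso if s.get("Binding") == REDIRECT), sso[0] if sso else None)
    if chosen is None:
        raise ValueError("no SingleSignOnService endpoint")
    # Only a key usable for signing verifies assertions; an absent 'use' means both uses.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            break
    if not cert:
        raise ValueError("no signing certificate in metadata")
    body = "".join(cert.split())              # drop any line wrapping inside the XML
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return {"entity_id": entity_id, "sign_on_endpoint": chosen.get("Location"),  # -> Sign On Endpoint
            "certificate_pem": pem}                                              # -> Certificate (PEM)
```

If the values differ from what you pasted under Configure Identity Provider (IdP) Manually, one of the two configurations is stale.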
You can configure an IdP-initiated flow for signing into Access Server from AWS with the following steps:
Sign in to the AWS admin portal.
Under Applications, click your custom SAML app.
Under the Actions tab, click edit configuration.
Under Application properties, enter one of the following for Relay state - (optional):
cws: This directs your users to the Client Web UI after sign-in.
profile: This directs your users to a profile download after sign-in.
Save changes.