AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Custom SAML 2.0 application

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Custom SAML 2.0 application using SAML.

Prerequisites

You'll need the following to set up SSO access to Custom SAML 2.0 application:

Setup instructions

  1. On the Configure page, in the Details section, fill in the Display name and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one instance of the same application.

  2. Open your Custom SAML 2.0 application as an administrator.

  3. Do one of the following, depending on whether your application supports SAML metadata import:

    • If your application supports SAML metadata import, download the SAML metadata file from the IAM Identity Center metadata section and import it into your application.

    • If your application does not support SAML metadata import, enter the SSO configuration information using the steps given below.

      • Download the IAM Identity Center Certificate from the application configuration page.

      • Depending on how your application expects the certificate, you might need to remove the header and footer lines (BEGIN CERTIFICATE / END CERTIFICATE) from the IAM Identity Center Signing Certificate.

      • Upload the certificate in your application.

      • Copy the IAM Identity Center sign-in URL, IAM Identity Center sign-out URL, and IAM Identity Center issuer URL from the IAM Identity Center application configuration page and configure these in your application as required.

  4. Do one of the following, depending on whether your application provides SAML metadata for export:

    • If your application provides SAML metadata for the identity provider to use, download it.

      • Go back to the IAM Identity Center console page where you are configuring the application and import it.

    • If your application does not provide SAML metadata, enter the SSO configuration information using the steps given below.

      • Enter the values for Application ACS URL and Application SAML audience.

      • Application start URL and Application certificate are optional. Configure them only if your application requires them.

      • Click Save Changes.

  5. Referencing the documentation provided by Custom SAML 2.0 application, configure a user to use SSO in Custom SAML 2.0 application.

  6. Choose the Attribute Mappings tab. Click Add a new attribute mapping. Add an attribute for the Role.

Note

This step is important because some service providers require custom SAML assertions that pass additional data about user sign-ins. In that case, correctly mapping the application's user attributes to the corresponding attributes in IAM Identity Center before you assign users to the application is important. If the correct attribute mappings are not present, sign-in can fail with 403: No Access errors.

  7. Assign a user to the application in IAM Identity Center.
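As an added example (not part of the original guide or of IAM Identity Center's own tooling): the manual branch of the metadata-import step has you copy the issuer URL, sign-in URL, sign-out URL and signing certificate by hand, and some applications want the certificate without its PEM header and footer lines. The Python below pulls those values out of an IdP SAML metadata document and converts the certificate between the two forms. The embedded metadata, host name and EXAMPLEID path segment are constructed placeholders, not real IAM Identity Center values.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like IdP metadata; host, EXAMPLEID and certificate bytes are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://portal.sso.example.amazonaws.com/saml/assertion/EXAMPLEID">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIBAAAAAAAAAAAA
    AAAAAAAAAAAAAAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://portal.sso.example.amazonaws.com/saml/logout/EXAMPLEID"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://portal.sso.example.amazonaws.com/saml/assertion/EXAMPLEID"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def to_pem(cert_b64):  # wrap the bare base64 from the metadata in PEM header and footer lines
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(cert_b64, 64))

def strip_pem(pem):  # the "headers removed" form some applications expect: one line of base64
    return "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))

def endpoint(descriptor, tag):  # prefer the HTTP-POST endpoint, fall back to HTTP-Redirect
    locs = {e.get("Binding"): e.get("Location") for e in descriptor.findall(tag, NS)}
    return locs.get(HTTP_POST) or locs.get(HTTP_REDIRECT)

def parse_idp_metadata(xml_text):
    """Return the issuer, sign-in/sign-out URLs and signing certificate an application needs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key is not the signing certificate
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            raw = "".join((c.text or "").split())  # metadata usually line-wraps the base64
            base64.b64decode(raw, validate=True)   # reject a truncated or mangled copy
            certs.append(raw)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"issuer": root.get("entityID"),
            "sign_in_url": endpoint(idp, "md:SingleSignOnService"),
            "sign_out_url": endpoint(idp, "md:SingleLogoutService"),
            "certificate_raw": certs[0], "certificate_pem": to_pem(certs[0])}
```

Feeding the metadata downloaded from the application configuration page into parse_idp_metadata gives the values to paste into the application, with certificate_pem and certificate_raw being the two forms the certificate bullet above refers to.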

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Note

Users will not be able to log in using SSO unless the user exists in both your directory and the Custom SAML 2.0 application, and the user is assigned to the application.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the Custom SAML 2.0 application.

  2. In the list of applications, choose the Custom SAML 2.0 application with the display name you set earlier.

  3. If login was successful, you will be signed in to the Custom SAML 2.0 application.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps.

Verifying Service Provider Initiated SSO from Custom SAML 2.0 application

  1. Access Custom SAML 2.0 application.

  2. Based on how your application login page is configured, you will be redirected to the IAM Identity Center user portal for authentication.

  3. In the user portal, log in as a user who has been granted access to the Custom SAML 2.0 application.

  4. In the user portal, choose the Custom SAML 2.0 application with the display name you set earlier.

  5. On the Custom SAML 2.0 application home page, verify that both Custom SAML 2.0 application and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps.

Troubleshooting

For general troubleshooting, refer to the Troubleshooting Guide.

User Provisioning Types

There are two user provisioning types you need to be aware of: