AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Uptime.com
Introduction
This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Uptime.com using SAML.
Prerequisites
You’ll need the following to set up SSO access to Uptime.com:
- Access to the IAM Identity Center console with permissions to manage applications.
- An Uptime.com account with administrator access to configure SAML SSO.
Setup instructions
- On the Uptime.com page in the IAM Identity Center console, in the Details section, fill in the Display name and, optionally, the Description of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one of the same application.
- Log in to your Uptime.com account as an administrator.
- Navigate to the Settings option on the left of the navigation bar and choose SSO.
- Insert these values under the Step 2 section.
- Download the IAM Identity Center Certificate and paste its contents into the Identity Provider's Certificate field.
- Choose Save Settings.
- Take note of the ACS URL / Consumer URL / Recipient and EntityID / Audience URI values, as they are required later for the IAM Identity Center application configuration.
- Go back to the IAM Identity Center console page where you are configuring the application.
- Under Application metadata, choose "If you don't have a metadata file, you can manually type your metadata values." to display the application metadata settings.
- Insert the values you got from step 7:
Field | Value |
---|---|
Application ACS URL | ACS URL / Consumer URL / Recipient |
Application SAML audience | EntityID / Audience URI |
- Click Save Changes.
- Assign a user to the application in IAM Identity Center.
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.
Verifying SSO from IAM Identity Center
- Access the AWS access portal using the credentials of a user assigned to the Uptime.com application.
- In the list of applications, choose Uptime.com to initiate a login to Uptime.com.
- If login was successful, you will be signed in to the Uptime.com application.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Verifying Service Provider Initiated SSO from Uptime.com
- Access https://Uptime.com/dashboard, enter the email address of a user assigned to the Uptime.com application in the IAM Identity Center console, then choose Login.
Note
Alternatively, you can access the WAYFLess URL (optional) provided to you by Uptime.com and available in the Uptime.com console. The WAYFLess URL also initiates the Service Provider (SP) initiated flow from Uptime.com.
- You will be redirected to the IAM Identity Center portal. Enter the credentials of a user assigned to the Uptime.com application in the IAM Identity Center console.
- Choose Sign In.
- If login was successful, you will be signed in to the Uptime.com application.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Troubleshooting
Error | Issue | Solution |
---|---|---|
404 | The ACS URL may be incorrect | Check that the Application ACS URL attribute configured in IAM Identity Center matches the one provided by Uptime.com. |
"404 Resource not found" | It's possible that the Issuer URL from AWS is incorrect in the Uptime.com configuration | Make sure that the URLs from AWS inserted in Uptime.com are correct. |
"SAML Authentication Error. The Identity Provider's Certificate configured in the Uptime.com.com SSO Setup Form is incorrect" | It's possible that the certificate inserted is incorrect | Make sure that you have correctly inserted the AWS certificate under your Uptime.com configuration. |
"SAML Authentication Error. While trying to check the signature of the assertion, the SAML library could not find an appropriate metadata entry for the Issuer specified in the SAML response." | It's possible that the IAM Identity Center Issuer is incorrect | Make sure that the URL for the EntityID inserted under Uptime.com is correct. |
Other | When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user’s email address. By default your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to contain the user's email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings. Additionally, the 'name' attribute being sent to the provider should not be the user's email address. Make sure that your 'name' attribute is not mapped to an email. |
For general troubleshooting problems, refer to the Troubleshooting Guide.
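The ACS URL, audience and attribute checks behind the table above can be run against a captured SAML response, shown here as an added example (not AWS or Uptime.com code). The URLs are placeholders, the attribute name 'name' is assumed from the table's wording, and the sample response is constructed and unsigned.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ACS_URL = "https://sp.example.invalid/saml/acs"        # placeholder, not a real Uptime.com URL
AUDIENCE = "https://sp.example.invalid/saml/metadata"  # placeholder EntityID / Audience URI

def check_response(b64_response, acs_url, audience):
    """Diagnose a captured SAMLResponse; the XML signature is NOT verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    # Row "404": Destination/Recipient must equal the Application ACS URL.
    recipients = {root.get("Destination")}
    recipients |= {d.get("Recipient")
                   for d in root.iterfind(".//a:SubjectConfirmationData", NS)}
    if recipients != {acs_url}:
        findings.append("acs_url_mismatch")
    # Audience must equal the Application SAML audience (EntityID / Audience URI).
    audiences = {e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text}
    if audiences != {audience}:
        findings.append("audience_mismatch")
    # Row "Other": the subject should be an email, the 'name' attribute should not.
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS)
    if not EMAIL.match(name_id.strip()):
        findings.append("subject_not_email")
    for attr in root.iterfind(".//a:Attribute[@Name='name']", NS):
        values = [v.text or "" for v in attr.iterfind("a:AttributeValue", NS)]
        if any(EMAIL.match(v.strip()) for v in values):
            findings.append("name_attribute_is_email")
    return findings

def build_sample(recipient, audience, name_id, display_name):
    """Constructed, unsigned response used only to exercise the checks."""
    xml = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{recipient}">
 <a:Assertion><a:Subject><a:NameID>{name_id}</a:NameID><a:SubjectConfirmation>
  <a:SubjectConfirmationData Recipient="{recipient}"/></a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="name">
   <a:AttributeValue>{display_name}</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = build_sample(ACS_URL + "/old", AUDIENCE, "alice", "alice@example.invalid")
    print(check_response(bad, ACS_URL, AUDIENCE))
```

To inspect a real login, pass the base64 SAMLResponse form field that the browser posts to the ACS URL. Certificate and signature errors from the table are outside what this script checks.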
User Provisioning Types
There are two user provisioning types you need to be aware of:
- Preprovisioned users
Preprovisioned users means that users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
- JIT users
JIT (or Just-In-Time) users means that users do not necessarily exist in the downstream SaaS application and will be provisioned/created/registered the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.
User Provisioning
- Preprovisioned users
Preprovisioned users means that users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same email as the AD users.
- JIT users
JIT (or Just-In-Time) users means that users do not necessarily exist in the downstream SaaS application and will be provisioned/created/registered the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.