AWS IAM Identity Center - SAML My Page SSO Configuration - RSA Ready Implementation Guide
2 years ago
This article describes how to integrate AWS IAM Identity Center with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure
  1. Sign in to the RSA Cloud Administration Console with administrator credentials.
  2. Enable SSO on the My Page portal by accessing the RSA Cloud Administration Console > Access My Page > Single Sign-On (SSO). Ensure it is enabled and protected by two-factor authentication using a Password and Access Policy.image.png
  3. On the Applications > Application Catalog page, click on Create From Template.image.png
  4. On the Choose Connector Template page, click Select for SAML Direct.image.png
  5. On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.image.png
  6. In the Connection Profile section, select IdP-initiated option.image.png
  7. To provide Service Provider details, select Import Metadata, click the Choose File button, and select the file downloaded from the Service Provider.image.png
    Refer to the AWS IAM Identity Center configuration steps to get metadata file.
  8. Assertion Consumer Service (ACS) URL and Service Provider Entity ID values will be auto filled.image.png
  9. In the SAML Response Protection section, select IdP signs assertion within response, and download the certificate by clicking Download Certificate.image.png
  10. Under the User Identity section, select Show Advanced Configuration, then configure Identifier Type and Property as follows: 
    1. Identifier Type: Auto Detect 
    2. Property: Auto Detect
image.png
  1. Under the Statement Attributes section, add the following attributes:
    1. First Attribute: 
      1. Attribute Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName.
      2. Attribute SourceIdentity Source.
      3. Propertymail.
    2. Second Attribute:
      1. Attribute Namehttps://aws.amazon.com/SAML/Attributes/Role.
      2. Attribute SourceConstant.
      3. Property: AWS role ARN value, AWS IAM instance session ARN value.
For example: Combine the Role ARN and the Provider ARN value, separated by a comma, to use as the Property value.
arn:aws:sso:::instance/ssoins-7223fbc530cf9d85,arn:aws:iam::664847341240:role/RSA_Role1image.png
Refer to the AWS IAM Identity Center Configuration section to obtain AWS role ARN value and AWS IAM instance session ARN value.
  1. Click Next Step.
  2. Choose your desired Access Policy for this application and click Next Step > Save and Finish.image.png
  3. On the My Applications page, click the Edit dropdown and select Export Metadata to download the metadata.image.png
  4. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.image.pngimage.png

Configure AWS IAM Identity Center

Perform these steps to configure AWS IAM Identity Center.
Procedure
  1. Access the AWS Mangement Console by logging in to your AWS account with admin credentials.
  2. Under Services, go to Security, Identity, & Compliance, and select IAM Identity Center.image.png
  3. Click Go to Settings on the right.image.png
  4. Under Identity Source tab, select Change identity source from the Actions dropdown menu.image.png
  5. Select External identity provider, then click Next.image.png
  6. Configure the external identity provider and click Next:
    1. Service provider metadata: Click Download metadata file to download the SP metadata.
    2. IdP SAML metadata: Click Choose file and upload the metadata downloaded from the RSA platform.
image.png
image.png
  1. Review the list of changes. Once you ready to proceed, type ACCEPT and click Change identity source.image.png
  2. Go to Settings and copy the Instance ARN for the RSA configuration (Attribute mapping).image.png
  3. To create groups, navigate to AWS IAM.image.png
  4. Select User groups, then choose Create group.image.png
  5. Provide the following details, then scroll down and click Create group.
    1. Name the group - In the User group name text box, enter the name of the group.image.pngimage.png
  6. To create a user, go to Access management > User, then click Create user.image.png
  7. Under User details, enter the user name in the User name text box, then click Next.image.png
  8. To create roles, go to Access Management > Roles, then click Create role.image.png
  9. Select the Trusted entity type as SAML 2.0 federation.image.png
  10. Provide the following details and click Next.
    1. SAML 2.0-based provider: Name for the SAML 2.0 trusted provider.
    2. Attribute: SAML:aud.
    3. Value: Assertion URL of the service provider metadata downloaded from the IAM Identity Center.
image.png
  1. Copy the ARN. This is the same value as AWS role ARN value used in the RSA configuration (Attribute mapping).
  2. Combine the Role ARN and the Provider ARN value, separated by a comma, to use as the Property value in the RSA platform.image.png
The configuration is complete.
Return to AWS IAM Identity Center- RSA Ready Implementation Guide .

Related Articles

Trending Articles

Don't see what you're looking for?