Amazon Web Services - SAML My Page SSO Configuration - RSA Ready Implementation Guide

This article describes how to integrate AWS IAM with RSA Cloud Authentication Service using My Page SSO.


Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an Identity provider to Amazon Web Services (AWS) IAM.
Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to Applications > Application Catalog and search for Amazon Web Services.
  3. Click Add to add the connector or click Create from Template. The latter option is used in this guide.
  4. Select SAML Direct and choose Cloud.
  5. On the Basic Information page, enter the name for the application in the Name field and click Next Step.
  6. In the Initiate SAML Workflow section, choose IdP-initiated.
  7. Under the Service Provider section, enter https://signin.aws.amazon.com/saml in the Assertion Consumer Service (ACS) URL field.
  8.  In the Service Provider Entity ID field, enter urn:amazon:webservices.
  9. In the Message Protection section:
    1. Choose IdP signs assertion within response.
    2. Select the Override default signing key and certificate checkbox and perform the following steps.
      1. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key. Store the extracted private key securely: it signs every assertion that AWS will trust from this IdP.
      2. Click the first Choose File and upload the RSA private key.
      3. Click the next Choose File and upload the RSA public certificate.
  10. Scroll down to the User Identity section, select persistent in the Identifier Type drop-down list, and select mail as the property value.
  11. Scroll down to the Statement Attribute section:
    1. Select Identity Source in the Attribute Source drop-down list.
    2. Provide the Attribute Name as https://aws.amazon.com/SAML/Attributes/RoleSessionName.
    3. Select the identity source and choose mail from the Property drop-down list.
    4. Select Attribute Source as Constant.
    5. Provide the Attribute Name as https://aws.amazon.com/SAML/Attributes/Role and provide its value in Property as the ARN of the AWS role that the SAML provider is to be mapped to, followed by a comma and the ARN of the SAML provider, in the form <RoleARN>,<ProviderARN>. In this example, the value is given as
      .
  12. (Optional step: This step is required only if session tags by AWS are to be used) RSA supports Session Tags by AWS. The session tags can be passed along with the RoleSessionName and Role attributes. To enable the RSA Cloud Authentication Service to pass additional attributes as session tags, perform the following steps:
    1. Click Add in the Statement Attribute section.
    2. For Principal Tags, select Attribute Source as Identity Source. The Attribute Name should be of the form https://aws.amazon.com/SAML/Attributes/PrincipalTag:<name> where <name> is used to identify the Tag and is user-defined. Select Property as the Identity Source attribute you want to pass as Principal Tag. As an example, if you want to pass team and project as Principal Tags, then the Attribute Names should be https://aws.amazon.com/SAML/Attributes/PrincipalTag:team and https://aws.amazon.com/SAML/Attributes/PrincipalTag:project respectively.
    3. For TransitiveTagKeys, select Attribute Source as Constant. The Attribute Name should be https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys and the Property should be <name>, where <name> is the name defined for the Principal Tag. As an example, if you want to pass team as the Transitive Tag Key, then the Property should be team.
  13. Click Next Step.
  14. On the User Access page, select the configured access policy.
  15. Click Next Step.
  16. Configure the portal display settings on the Portal Display page.
  17. Enter descriptive text about the application in the Application Tooltip field. The portal displays this text when a user passes the cursor over the application’s icon.
  18. Make the required changes in the Fulfillment tab.
  19. Click Save and Finish.
  20. Click Publish Changes and wait for the operation to be completed.
  21. Search for AWS in the list of applications and select Export Metadata from the Edit drop-down list to download an XML file containing your RSA IdP’s metadata. This is needed for AWS side configurations.


Notes

  • Currently, only single-valued attributes are supported by RSA for both Principal Tags and TransitiveTagKeys.
  • If the values for Role ARN and Provider ARN are not yet known, enter the placeholder values <RoleARN> and <ProviderARN> in the Property field to continue with the configuration. The actual values can be entered after completing the configuration of AWS IAM as the Service Provider.
  • The attribute sources selected here are Constant for testing purposes. The same values can instead be sourced from the identity source.
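The following added example (not RSA or AWS code) builds the SAML AttributeStatement that the steps above configure the connector to emit, and validates the AWS-specific values before the connector is published: the RoleSessionName character set, the Role attribute format <RoleARN>,<ProviderARN>, that both ARNs belong to the same account, and that a TransitiveTagKeys value names a PrincipalTag that is actually sent. The account ID, role name, provider name and e-mail address are constructed placeholders.

```python
"""Construct the SAML AttributeStatement that the RSA-side steps configure
(RoleSessionName, Role, PrincipalTag:<name>, TransitiveTagKeys) and validate
the AWS-specific values before the connector is published.

Added example, not RSA or AWS code. The account ID, role name, provider
name and e-mail address below are constructed placeholders."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"

# Constructed placeholders standing in for the ARNs copied from the IAM console.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/RSA-Federated-Admin"
EXAMPLE_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/RSA"

# AWS formats: IAM role ARN, IAM SAML provider ARN, and the RoleSessionName
# character set and length limits (2 to 64 characters).
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def role_attribute(role_arn: str, provider_arn: str) -> str:
    """Return the Role attribute value '<RoleARN>,<ProviderARN>' or raise."""
    role = ROLE_ARN_RE.match(role_arn)
    provider = PROVIDER_ARN_RE.match(provider_arn)
    if not role:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not provider:
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    # The SAML provider is the role's Federated principal, so both must live
    # in the same account; a mismatch is the usual copy-paste mistake.
    if role.group(1) != provider.group(1):
        raise ValueError("role ARN and SAML provider ARN are in different accounts")
    return f"{role_arn},{provider_arn}"


def build_attribute_statement(mail, role_arn, provider_arn,
                              principal_tags=None, transitive_key=None):
    """Return a <saml:AttributeStatement> carrying the attributes the guide maps.

    principal_tags: {name: value} -> one PrincipalTag:<name> attribute each.
    transitive_key: a single tag name -> TransitiveTagKeys (single-valued,
    which is what the notes say RSA currently supports)."""
    if not SESSION_NAME_RE.match(mail):
        raise ValueError(f"RoleSessionName must match [\\w+=,.@-]{{2,64}}: {mail}")
    principal_tags = principal_tags or {}
    attrs = {"RoleSessionName": mail,
             "Role": role_attribute(role_arn, provider_arn)}
    for name, value in principal_tags.items():
        attrs[f"PrincipalTag:{name}"] = value
    if transitive_key is not None:
        if transitive_key not in principal_tags:
            raise ValueError(f"TransitiveTagKeys names {transitive_key!r}, "
                             "but no PrincipalTag of that name is sent")
        attrs["TransitiveTagKeys"] = transitive_key
    statement = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute",
                                  Name=AWS_ATTR + name)
        ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return statement


def attribute_values(statement) -> dict:
    """Flatten a statement back to {attribute Name: value} for inspection."""
    return {a.get("Name"): a.find(f"{{{SAML_NS}}}AttributeValue").text
            for a in statement.findall(f"{{{SAML_NS}}}Attribute")}


if __name__ == "__main__":
    stmt = build_attribute_statement(
        "alice@example.com", EXAMPLE_ROLE_ARN, EXAMPLE_PROVIDER_ARN,
        principal_tags={"team": "eng", "project": "peg"}, transitive_key="team")
    ET.register_namespace("saml", SAML_NS)
    print(ET.tostring(stmt, encoding="unicode"))
```

Running the block prints the five attributes as they should appear in a decoded assertion; compare them against what the RSA connector actually sends (for example from a SAML-tracer browser extension) when a federation attempt fails with an invalid Role or RoleSessionName error.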


Configure AWS IAM 

Perform the following steps to configure AWS IAM as a SAML Service provider to RSA Cloud Authentication Service.
Procedure

  1. Log on to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/ with an identity that has IAM administrative permissions (AWS recommends this over signing in as the root user).
  2. Select IAM and click Identity Providers.
  3. Click Add Provider in the upper-right corner.
  4. Choose Provider type as SAML.
  5. Give the provider the name of your choice in the Provider Name section. In this example, the Provider Name is given as RSA.
  6. In the Metadata document section, choose the IdP metadata file that was downloaded from the IdP (see the Configure RSA Cloud Authentication Service section).
  7. Click Add provider in the lower-right corner.
  8. The Add tags section tags the identity provider resource itself and can be left empty. Session tags, if used, are passed in the assertion as described in step 19.
  9. Click your Provider Name and copy Provider ARN from the upper-right corner. This is one of the values of attribute https://aws.amazon.com/SAML/Attributes/Role in your IDP settings.
  10. Click Assign role in the upper-right corner.
  11. Select the Create a new role option.
  12. In the Select trusted entity section, select SAML 2.0 federation.
  13. Select the SAML provider created earlier in the SAML provider drop-down list under the SAML 2.0 federation section.

    Attribute and Value are pre-populated (SAML:aud and https://signin.aws.amazon.com/saml); they become the StringEquals condition of the role's trust policy.
  14. Click Next.
  15. In the Permissions policies section, select the Policy names you need for this role.
  16. Click Next.
  17. Provide the role name and click Create role.
  18. Click your Role Name and copy ARN which you must use as one of the values of attribute https://aws.amazon.com/SAML/Attributes/Role in your IDP settings.
  19. (Optional step: This step is required only if Session Tags by AWS are to be used) RSA supports Session Tags by AWS. To use Session Tags with this role, its trust policy must allow the sts:TagSession action in addition to sts:AssumeRoleWithSAML. Perform the following steps to add this permission:
    1. Click the created Role Name.
    2. Click the Trust relationships tab.
    3. Click Edit trust policy.
    4. Copy and paste the following trust policy, replacing <ARN of the identity provider created> with the Provider ARN copied in step 9, and the tag keys (access-project, access-team) and values (peg, uni, eng, qas) with your own. The sts:TagSession action lets the assertion set session tags; the aws:RequestTag conditions restrict which tag values the IdP is allowed to assert.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowSamlIdentityAssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Federated": "<ARN of the identity provider created>"
            },
            "Action": [
              "sts:AssumeRoleWithSAML",
              "sts:TagSession"
            ],
            "Condition": {
              "StringEquals": {
                "SAML:aud": "https://signin.aws.amazon.com/saml"
              },
              "StringLike": {
                "aws:RequestTag/access-project": [
                  "peg",
                  "uni"
                ],
                "aws:RequestTag/access-team": [
                  "eng",
                  "qas"
                ]
              }
            }
          }
        ]
      }

      With this policy, an assertion whose PrincipalTag:access-project carries any value other than peg or uni is denied, and so is an assertion that omits the tag altogether, because a StringLike condition does not match when its key is absent from the request. StringLike accepts the wildcards * and ?; with the literal values shown it behaves as an exact, case-sensitive match. The SAML:aud condition additionally rejects assertions addressed to any ACS URL other than https://signin.aws.amazon.com/saml. Refer to AWS documentation for more details on session tags.
    5. Click Update Policy.


Notes

  • To configure and use session tags properly, the Statement Attribute section of RSA Cloud Authentication Service (step 12 of the RSA configuration above) must also be set up with the tag keys and values that the trust policy conditions expect; a key or value that does not match is denied.
  • The values access-team, access-project, eng, qas, peg, and uni used in the configurations are for testing purposes. Change them as required.
  • Currently, only single-valued attributes are supported for both Principal Tags and TransitiveTagKeys.
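The following added example (not AWS's policy engine) evaluates the trust policy from step 19 the way AssumeRoleWithSAML does for the guide's test tags, so the effect of each condition can be checked before users are affected. It implements only what that policy uses (an Allow statement, Action, StringEquals and StringLike with AWS wildcard semantics) and treats a condition key missing from the request as a non-match, which is how IAM evaluates these operators. The provider ARN is a constructed placeholder; the tag keys and values are the ones used in the configuration above.

```python
"""Evaluate the session-tag trust policy against the request context STS
builds from an assertion, to see exactly which assertions the role accepts.

Added example, not AWS's policy engine: covers only the operators the guide's
trust policy uses (StringEquals, StringLike with AWS wildcard semantics) and
treats a missing condition key as a non-match, as IAM does for these
operators. PROVIDER_ARN is a constructed placeholder."""
import copy
import re

PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/RSA"  # constructed
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# The guide's trust policy with the identity provider ARN filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSamlIdentityAssumeRole",
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE},
            "StringLike": {
                "aws:RequestTag/access-project": ["peg", "uni"],
                "aws:RequestTag/access-team": ["eng", "qas"],
            },
        },
    }],
}


def _string_like(pattern: str, value: str) -> bool:
    """AWS StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": _string_like,
}


def request_context(audience: str, principal_tags: dict) -> dict:
    """Context keys STS derives from the assertion: SAML:aud from the
    assertion's Recipient (the ACS URL), aws:RequestTag/<key> from each
    PrincipalTag:<key> attribute."""
    context = {"SAML:aud": audience}
    context.update({f"aws:RequestTag/{k}": v for k, v in principal_tags.items()})
    return context


def statement_allows(statement: dict, action: str, context: dict) -> bool:
    """True if this Allow statement covers `action` and every condition key
    matches at least one listed value (AND across keys, OR across values)."""
    actions = statement["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    if statement["Effect"] != "Allow" or action not in actions:
        return False
    for operator, conditions in statement.get("Condition", {}).items():
        match = OPERATORS.get(operator)
        if match is None:
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in conditions.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            # Missing key: StringEquals/StringLike do not match (no ...IfExists).
            if actual is None or not any(match(e, actual) for e in expected):
                return False
    return True


def can_assume(policy: dict, audience: str, principal_tags: dict) -> bool:
    """Federation needs sts:AssumeRoleWithSAML and, when any PrincipalTag
    is sent, sts:TagSession as well; both must be allowed by the policy."""
    context = request_context(audience, principal_tags)
    needed = ["sts:AssumeRoleWithSAML"] + (["sts:TagSession"] if principal_tags else [])
    return all(any(statement_allows(s, a, context) for s in policy["Statement"])
               for a in needed)


def policy_without_tag_session(policy: dict) -> dict:
    """Same policy with sts:TagSession removed: tagged assertions are then
    denied even when every tag value matches the conditions."""
    stripped = copy.deepcopy(policy)
    stripped["Statement"][0]["Action"] = ["sts:AssumeRoleWithSAML"]
    return stripped


if __name__ == "__main__":
    for tags in ({"access-team": "eng", "access-project": "peg"},
                 {"access-team": "eng", "access-project": "dev"},
                 {"access-team": "eng"}):
        print(tags, "->", can_assume(TRUST_POLICY, AWS_SAML_AUDIENCE, tags))
```

The three cases printed by the block are the ones the notes above describe: a matching pair of tags is allowed, an access-project value outside peg/uni is denied, and an assertion that omits access-project is denied as well, since the tag conditions require the key to be present. The same functions can be pointed at an exported trust policy and the tag set a real identity would receive before the change is published in RSA.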

The configuration is complete.
