4.2.12 Integrating Amazon Web Services with Access Manager

Access Manager enables you to federate with Amazon Web Services (AWS) with the help of a wizard. The wizard prompts you only for the required options and relies on the default settings for the other federation options.

Integrating AWS with Access Manager includes the following steps:

Enabling Web Single Sign-On in the AWS Console

Before you integrate AWS in Access Manager, you must enable web single sign-on (SSO) in the AWS console. To enable web SSO, perform the following steps:

  1. Download the Access Manager SAML 2.0 metadata by accessing https://<www.idp.com:8443>/nidp/saml2/metadata. Save it to a local file named nam-saml2-metadata.xml.

  2. Log in to AWS.

  3. Click Security & Identity > Identity & Access Management.

  4. Click Identity Providers.

  5. Click Create Provider.

    1. Provider Type: Select SAML.

    2. Provider Name: Specify a name. For example, NAM-IDP.

    3. Metadata Document: Select the file that you saved in Step 1.

  6. Verify the provider information and click Create.

  7. On the dashboard, click Roles.

  8. Click Create New Role.

  9. Specify a role name.

  10. Click Next.

  11. Select Role for Identity Provider Access > Grant Web Single Sign-On (WebSSO) access to [SAML providers].

  12. Click Next Step.

  13. On the Attach Policy page, select the desired policies. Click Next Step.

  14. Review the role information. Make a note of the Role ARN and the Trusted Entities.

  15. Click Create Role.

Configuring AWS as a Service Provider in Access Manager

  1. Click Devices > Identity Servers > Edit > SAML 2.0.

  2. Click New > Service Provider.

  3. Specify the following details:

    Provider Type: Select Amazon Web Services.

    By default, the Metadata Text source is selected and the Text field is pre-filled with the metadata XML.

    Name: Specify a name for the provider and click Next.

    Role ARN: Specify the role ARN. For example, specify arn:aws:iam::625143326143:role/MyAdmin.

    Trusted SAML Provider ARN: Specify the trusted SAML provider ARN. For example, specify arn:aws:iam::625143326143:saml-provider/idp1.

    To obtain the ARN values, see Enabling Web Single Sign-On in the AWS Console.

    NOTE: The Role ARN and Trusted SAML Provider ARN parameters are used to create the attribute mapping. If you have configured multiple roles in AWS, you can specify any one Role ARN while creating the service provider. To modify the attribute set, see Re-Mapping Attribute Sets.

  4. Review the metadata certificates and click Finish.

  5. Click OK, then update Identity Server.

Re-Mapping Attribute Sets

By default, the AWS wizard creates an attribute set with the name AmazonWebServices. This attribute set has the following mappings:

  1. Constant Value: It is created from the Role ARN and the Trusted SAML Provider ARN, and it is mapped to the remote attribute Role.

    For example, if the Role ARN is arn:aws:iam::638116851885:role/NewRole and the Trusted SAML Provider ARN is arn:aws:iam::638116851885:saml-provider/NAM-IDP, the constant value is arn:aws:iam::638116851885:role/NewRole,arn:aws:iam::638116851885:saml-provider/NAM-IDP. This value is mapped to Role.

    NOTE: When multiple roles are configured in AWS, create a virtual attribute to change the Role ARN dynamically depending on the user. After creating the virtual attribute, create the corresponding attribute mapping. For more information, see use case 3 in Sample JavaScripts with Examples.

  2. LDAP Attribute: The LDAP attribute givenName is mapped to the remote attribute RoleSessionName. You can map any other LDAP attribute instead of givenName.

If you want to map a different LDAP attribute to RoleSessionName, perform the following steps:

  1. Click Devices > Identity Server > Shared Settings > Attribute Sets > AmazonWebServices > Mapping.

    In the attribute list, select the existing LDAP attribute mapping (givenName to RoleSessionName).

  2. Click Delete.

  3. Click Apply > OK.

  4. Click New.

  5. In Add Attribute Mapping, specify the following details:

    1. Local attribute: Select a local attribute from the available list.

    2. Remote Attribute: Specify RoleSessionName.

    3. Remote nameSpace: Specify http://aws.amazon.com/SAML/Attributes/.

  6. Click OK > Finish.

  7. Click Devices > Identity Servers > Edit > SAML 2.0.

  8. Select AWS and click Attributes.

  9. Select the new attribute set from Available and move it to Send with authentication.

  10. Click OK, then update Identity Server.
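The role you create in the AWS console (Enabling Web Single Sign-On in the AWS Console) and the AmazonWebServices attribute set described above are two halves of one trust: the role's trust policy names the SAML provider it accepts, and the Role attribute the Identity Server sends must carry that same provider ARN next to the role ARN. The following added example (not Access Manager or AWS code) builds the Role constant value with the format checks AWS applies, serialises the attribute statement with the http://aws.amazon.com/SAML/Attributes/ namespace, builds the trust policy a WebSSO role receives, and cross-checks the two. The ARNs, the role name and the session name "bob" are constructed sample values, and the RoleSessionName value stands in for whichever LDAP attribute you mapped in the procedure above.

```python
"""Cross-check the AWS trust policy against the SAML attributes Access Manager sends.

Added example, not Access Manager or AWS code. The ARNs and session name
are constructed sample values.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR_NS = "http://aws.amazon.com/SAML/Attributes/"   # Remote nameSpace in the attribute set
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # SAML:aud value AWS checks

# IAM ARNs carry an empty region field, hence the double colon after "iam".
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def aws_role_value(role_arn: str, provider_arn: str) -> str:
    """Return the constant value the AmazonWebServices attribute set maps to Role.

    AWS expects "<role ARN>,<SAML provider ARN>"; both must be in the same account.
    """
    role = ROLE_ARN_RE.match(role_arn)
    provider = PROVIDER_ARN_RE.match(provider_arn)
    if role is None or provider is None:
        raise ValueError("malformed ARN; IAM ARNs look like arn:aws:iam::<account>:...")
    if role.group(1) != provider.group(1):
        raise ValueError("role and SAML provider belong to different accounts")
    return f"{role_arn},{provider_arn}"


def build_attribute_statement(role_arn: str, provider_arn: str, session_name: str) -> str:
    """Serialise the <saml:AttributeStatement> the Identity Server sends to AWS.

    session_name is the value of whichever LDAP attribute is mapped to
    RoleSessionName (givenName unless you re-mapped it).
    """
    ET.register_namespace("saml", SAML_NS)
    statement = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in (("Role", aws_role_value(role_arn, provider_arn)),
                        ("RoleSessionName", session_name)):
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=AWS_ATTR_NS + name)
        ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(statement, encoding="unicode")


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy (the role's Trusted Entities) that a WebSSO role gets in the console."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def parse_aws_attributes(statement_xml: str) -> dict:
    """Return {short name: value} for every attribute in the AWS namespace."""
    root = ET.fromstring(statement_xml)
    found = {}
    for attribute in root.findall(f"{{{SAML_NS}}}Attribute"):
        name = attribute.get("Name", "")
        if name.startswith(AWS_ATTR_NS):
            found[name[len(AWS_ATTR_NS):]] = attribute.find(f"{{{SAML_NS}}}AttributeValue").text
    return found


def assertion_matches_trust(statement_xml: str, trust_policy: dict) -> bool:
    """True when the provider ARN in the Role attribute is one the role's trust policy names."""
    attributes = parse_aws_attributes(statement_xml)
    if "Role" not in attributes or "RoleSessionName" not in attributes:
        return False
    provider_in_assertion = attributes["Role"].split(",", 1)[1]
    trusted = {s["Principal"].get("Federated") for s in trust_policy["Statement"]
               if s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRoleWithSAML"}
    return provider_in_assertion in trusted


if __name__ == "__main__":
    ROLE = "arn:aws:iam::638116851885:role/NewRole"               # constructed
    PROVIDER = "arn:aws:iam::638116851885:saml-provider/NAM-IDP"  # constructed
    xml = build_attribute_statement(ROLE, PROVIDER, "bob")
    print(xml)
    print("matches trust policy:", assertion_matches_trust(xml, build_trust_policy(PROVIDER)))
```

The same-account check and the double colon after "iam" are the two mistakes that most often make a freshly configured federation fail at AWS with an opaque error, so the example rejects both before anything is sent. The SAML:aud condition in the trust policy is what stops an assertion issued for some other service provider from being replayed against AWS, which is why the policy keeps it even though the console adds it for you.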

Re-Importing the Metadata

The AWS metadata has a validity period associated with it. You must re-import the metadata before it expires. To re-import the metadata, perform the following steps:

  1. Click Devices > Identity Servers > Edit > SAML 2.0.

  2. Under Trusted provider, click the AWS service provider.

  3. In Metadata, click Reimport.

  4. Specify the following:

    1. Provider Type: Select General.

    2. Source: Select Metadata text.

    3. Name: Name for the service provider is displayed by default.

    4. Text: Fetch the metadata from https://signin.aws.amazon.com/static/saml-metadata.xml. Remove the <KeyDescriptor use="signing"> .... </KeyDescriptor> element. Copy the edited metadata and paste it in Text.

  5. Click Next.

  6. Confirm metadata certificates, then click Finish.

  7. Update Identity Server.
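Two parts of this procedure lend themselves to a script: reading the expiry so you can schedule the re-import before it is overdue, and removing the signing KeyDescriptor without hand-editing XML. The following added example (not Access Manager or AWS code) does both with the standard library. SAMPLE_METADATA is a constructed stand-in for the file at https://signin.aws.amazon.com/static/saml-metadata.xml, with placeholder certificate text and an arbitrary validUntil date; the real file is what you would pass to these functions.

```python
"""Check the validity of AWS SAML metadata and strip the signing KeyDescriptor before re-import.

Added example, not Access Manager or AWS code. SAMPLE_METADATA is a constructed
stand-in for https://signin.aws.amazon.com/static/saml-metadata.xml.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample; certificate bodies and the validUntil date are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:amazon:webservices" validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://signin.aws.amazon.com/saml" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _parse_utc(stamp: str) -> datetime:
    """Parse a SAML-style UTC timestamp such as 2030-01-01T00:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def metadata_valid_until(metadata_xml: str) -> datetime:
    """Return the validUntil timestamp of the EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    stamp = root.get("validUntil")
    if stamp is None:
        raise ValueError("metadata carries no validUntil attribute")
    return _parse_utc(stamp)


def days_until_expiry(metadata_xml: str, now_utc: str) -> int:
    """Whole days left before the metadata expires; negative once it has expired."""
    return (metadata_valid_until(metadata_xml) - _parse_utc(now_utc)).days


def key_descriptor_uses(metadata_xml: str) -> list:
    """List the 'use' of each KeyDescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    return [kd.get("use") for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")]


def strip_signing_key_descriptors(metadata_xml: str) -> str:
    """Return the metadata with every <KeyDescriptor use="signing"> element removed."""
    root = ET.fromstring(metadata_xml)
    # Collect first, then remove: mutating the tree while iterating over it is unsafe.
    doomed = [(parent, kd) for parent in root.iter()
              for kd in parent.findall(f"{{{MD_NS}}}KeyDescriptor") if kd.get("use") == "signing"]
    if not doomed:
        raise ValueError("no signing KeyDescriptor found; was the metadata already edited?")
    for parent, kd in doomed:
        parent.remove(kd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("valid until:", metadata_valid_until(SAMPLE_METADATA).isoformat())
    print("key descriptors before:", key_descriptor_uses(SAMPLE_METADATA))
    edited = strip_signing_key_descriptors(SAMPLE_METADATA)
    print("key descriptors after:", key_descriptor_uses(edited))
```

Run days_until_expiry against the downloaded file from a scheduled job and alert when it drops below your change-window lead time; the procedure above then happens before federated logins start failing rather than after. The function that strips the KeyDescriptor refuses to run on metadata that has none, so re-running it on an already edited file is caught instead of silently producing the same text.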

Integrating Amazon CloudTrail with Access Manager

Amazon CloudTrail logs the actions or events performed on an AWS account. You can use this service to monitor or audit the account events.

When AWS is federated with Access Manager using SAML, you can use CloudTrail to log the activities of federated users. For example, you can see all the events created while auto-scaling Access Manager in AWS, or the events generated when an Access Manager user uses an AWS service. The CloudTrail dashboard displays the event details of SAML-federated users.

The following is an example event.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAYZOBGWAB24BWLFGFA:bob",
        "arn": "arn:aws:sts::604384964611:assumed-role/NAM-EC2User/bob",
        "accountId": "604384964611"
    },
    "eventTime": "2019-08-29T07:29:18Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.31.114.252",
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "LoginTo": "https://console.aws.amazon.com/console/home",
        "MobileVersion": "No",
        "MFAUsed": "No",
        "SamlProviderArn": "arn:aws:iam::604384964611:saml-provider/NAM-IDP"
    },
    "eventID": "5f4cb814-5c71-49f7-8ea6-7b17a114108f",
    "eventType": "AwsConsoleSignIn",
    "recipientAccountId": "604384964611"
}
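The fields that identify a federated session in the event above are userIdentity.type (AssumedRole), the principalId and arn (role name and RoleSessionName, which is the value the Identity Server sent), and additionalEventData.SamlProviderArn. The following added example (not AWS or Access Manager code) reviews a batch of such events: it skips non-federated logins, reports failed sign-ins and sign-ins that came through a SAML provider other than the one you configured, and summarises which session names reached which roles. SAMPLE_EVENTS are constructed records modelled on the event above; the event IDs, role names, user names and the second provider ARN are sample values.

```python
"""Review CloudTrail ConsoleLogin events produced by SAML-federated Access Manager users.

Added example, not AWS or Access Manager code. SAMPLE_EVENTS are constructed,
modelled on the ConsoleLogin event above; IDs, roles, users and ARNs are sample values.
"""
import json

EXPECTED_PROVIDER_ARN = "arn:aws:iam::604384964611:saml-provider/NAM-IDP"  # from the sample event


def make_event(event_id, role, user, outcome, provider_arn):
    """Build a minimal CloudTrail ConsoleLogin record (constructed test data)."""
    return {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": f"AROAEXAMPLEID:{user}",
            "arn": f"arn:aws:sts::604384964611:assumed-role/{role}/{user}",
            "accountId": "604384964611",
        },
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": "No", "SamlProviderArn": provider_arn},
        "eventID": event_id,
        "eventType": "AwsConsoleSignIn",
    }


SAMPLE_EVENTS = [
    make_event("evt-1", "NAM-EC2User", "bob", "Success", EXPECTED_PROVIDER_ARN),
    make_event("evt-2", "NAM-ReadOnly", "alice", "Success", EXPECTED_PROVIDER_ARN),
    make_event("evt-3", "NAM-Admin", "carol", "Success", "arn:aws:iam::604384964611:saml-provider/old-idp"),
    make_event("evt-4", "NAM-EC2User", "bob", "Failure", EXPECTED_PROVIDER_ARN),
    # A plain IAM user login carries no SamlProviderArn and must be skipped.
    {"eventName": "ConsoleLogin", "eventID": "evt-5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::604384964611:user/admin"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]


def is_saml_console_login(event: dict) -> bool:
    """True for console sign-ins made through a SAML provider via an assumed role."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("userIdentity", {}).get("type") == "AssumedRole"
            and "SamlProviderArn" in event.get("additionalEventData", {}))


def role_and_session(event: dict):
    """Split arn:aws:sts::<acct>:assumed-role/<role>/<RoleSessionName> into (role, session)."""
    resource = event["userIdentity"]["arn"].split(":")[-1]
    _, role, session = resource.split("/", 2)
    return role, session


def review_logins(events: list, expected_provider_arn: str) -> list:
    """Return (finding, eventID, role, session) tuples worth an analyst's attention."""
    findings = []
    for event in events:
        if not is_saml_console_login(event):
            continue
        role, session = role_and_session(event)
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            findings.append(("login_failure", event["eventID"], role, session))
        if event["additionalEventData"]["SamlProviderArn"] != expected_provider_arn:
            findings.append(("unexpected_provider", event["eventID"], role, session))
    return findings


def successful_logins_by_role(events: list) -> dict:
    """Map each assumed role to the sorted RoleSessionName values that signed in through SAML."""
    by_role = {}
    for event in events:
        if not is_saml_console_login(event):
            continue
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        role, session = role_and_session(event)
        by_role.setdefault(role, set()).add(session)
    return {role: sorted(sessions) for role, sessions in by_role.items()}


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_EVENTS, EXPECTED_PROVIDER_ARN):
        print(*finding)
    print(json.dumps(successful_logins_by_role(SAMPLE_EVENTS), indent=2))
```

Two things are worth keeping in mind when reading these events. The session name is whatever LDAP attribute you mapped to RoleSessionName, so if you re-mapped it to something other than givenName, that is what appears after the role in principalId and arn. And MFAUsed is "No" in the sample event because AWS records only MFA it performed itself; for a federated session the authentication strength is decided by the Identity Server's contract, so the CloudTrail field on its own does not tell you whether the user passed MFA there.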

For more information on CloudTrail, see AWS CloudTrail.