
UniFi Identity Enterprise - Add Amazon Web Services (AWS) as an SSO App

Once you add Amazon Web Services (AWS) as an SSO App, your users can sign in to Amazon Web Services with their Identity Enterprise credentials, and you can securely manage their access and lifecycle in Identity Enterprise.

Requirements

To get started, ensure that you have an AWS IAM IdP-enabled subscription.

Add Amazon Web Services App to Identity Enterprise

  1. Go to your Identity Enterprise Manager > SSO Apps.
  2. Click the Add icon on the upper right corner and select Amazon Web Services.
  3. Click Add. The Sign-On URL, Issuer, Fingerprint, and Public Certificate will be displayed. Do not close the page, as you will need to copy and paste these values into AWS when configuring SSO in AWS.

Configure SSO in AWS

  1. Sign in to your AWS company site as an admin.
  2. On the AWS home page, search for IAM and click it.
  3. Go to Access management > Identity providers and click Add provider.
  4. On the Add an Identity provider page, perform the following steps:
    1. Select SAML in the Provider type field.
    2. In the Provider name field, type a name, for example, Identity Enterprise.
    3. In the Metadata Documentation field, click Choose file, and upload the Public Certificate downloaded from Identity Enterprise.
  5. Click Add provider.
  6. Locate the Identity Provider you just created in the list of Identity Providers and copy its Provider ARN value. You will need it in the next section.

Add Identity Enterprise Identity Provider as Trusted Source in your AWS Roles

Grant SSO Access to Existing Roles

  1. Under the Access management menu, click Roles.
  2. Select the role that you would like to grant Identity Enterprise SSO access to.
  3. Under the Trust relationships tab, click Edit trust relationship.
  4. Modify the IAM trust relationship policy to authorize Identity Enterprise SSO using the SAML Identity Provider you configured in the previous step:
    • If you already have a trust relationship set up, you might need to update your current policy document to add Identity Enterprise SSO access. At a minimum, you should include all the elements within the Statement code block.
    • If your policy is currently empty, you can copy and paste the policy listed below and replace <Provider ARN> with the ARN value you copied when configuring SSO in AWS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<Provider ARN>"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
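As an added example (not part of this article or of Identity Enterprise itself), the following Python merges the trust statement above into an existing trust policy without disturbing other statements, and then checks that the role trusts only the expected SAML provider with the required SAML:aud condition. PROVIDER_ARN and the sample policy are constructed placeholders, and the code assumes Statement is a JSON list.

```python
import json

# Constructed placeholder: replace with the Provider ARN copied from the IAM console.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/IdentityEnterprise"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

def saml_trust_statement(provider_arn):
    """The Statement element from the article, parameterised on the provider ARN."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }

def add_saml_trust(policy_json, provider_arn):
    """Return the trust policy (existing, or empty if blank) with the SAML statement added once."""
    policy = json.loads(policy_json) if policy_json.strip() else {"Version": "2012-10-17"}
    stmts = policy.get("Statement", [])  # assumed to be a list, as in the article's policy
    wanted = saml_trust_statement(provider_arn)
    if wanted not in stmts:  # idempotent: re-running does not duplicate the statement
        stmts.append(wanted)
    policy["Statement"] = stmts
    return json.dumps(policy, indent=2)

def saml_trust_issues(policy_json, expected_provider_arn):
    """Reasons the trust policy does not grant SAML SSO solely to the expected provider."""
    issues, found = [], False
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in (
                [actions] if isinstance(actions, str) else actions):
            continue  # not a SAML federation statement; out of scope for this check
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if federated != expected_provider_arn:
            issues.append(f"unexpected federated principal: {federated!r}")
        if aud != AWS_SAML_AUDIENCE:
            issues.append("missing or wrong SAML:aud condition")
        found = found or (federated == expected_provider_arn and aud == AWS_SAML_AUDIENCE)
    if not found:
        issues.append("no AssumeRoleWithSAML statement for the expected provider")
    return issues

# Constructed sample: a SAML statement that omits the SAML:aud condition the article requires.
LOOSE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN}, "Action": "sts:AssumeRoleWithSAML"}]})
```

Run saml_trust_issues against the policy document you paste into the Trust relationships editor; an empty list means the role trusts exactly the provider you created and only for the AWS sign-in audience.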

Grant SSO Access to a New Role

  1. Under the Access management menu, click Roles.
  2. Click Create role and perform the following actions:
    1. In the Trusted entity type field, select SAML 2.0 federation.
    2. Under SAML 2.0 based provider, select the provider name you previously entered.
    3. Tick the Allow programmatic and AWS Management Console access checkbox.
    4. Select Next.
  3. Select permission policies as needed and click Next.
  4. On the "Name, review, and create" page, perform the following actions:
    1. In the Role name field, enter your role name.
    2. In the Description field, enter the role description.
    3. Click Create role.

Configure the AWS in Identity Enterprise

  1. Navigate back to the "Add Amazon Web Services" page and scroll down to the Settings section.
  2. Name the app, for example: Amazon Web Services.
  3. Fill in the SAML default relay state as needed. It is the destination to which the user will be redirected after they have completed the authentication process at the Identity Provider (IdP).
  4. Paste the Identity Provider ARN you copied when configuring SSO in AWS.
  5. Specify the amount of time a user can be inactive before a session ends.
  6. The ACS URL is an endpoint on the service provider that the identity provider will redirect to with its authentication response. You can fill it in as needed.
  7. Click Add.

Generate the AWS API Access Key

  1. Go to your AWS Console > IAM > Users and click Add user.
  2. Enter a user name and select Programmatic access as the Access type.
  3. Under Set permissions, select Attach existing policies directly and click Create policy.
  4. Select the JSON tab and replace the content with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListAccountAliases"
      ],
      "Resource": "*"
    }
  ]
}
  5. Click Review policy.
  6. On the Review policy page, enter the name and description and click Create policy.
  7. Navigate back to the IAM User page and attach your newly created policy.
    1. Refresh the list.
    2. Search for the policy you've just created and select it.
  8. A Secret Key and Access Key will be displayed. Make a copy of these values as you will need them in the next section.

Enable API Integration

The Amazon Web Services app integration does not support provisioning. To address this, follow the steps below to enable API integration. This will allow Identity Enterprise to download a list of AWS roles for user assignment, enabling the assignment of multiple roles to users and the passing of these roles in the SAML assertion.

  1. Go to the Provisioning tab of your Amazon Web Services app in your Identity Enterprise Manager > SSO Apps.
  2. Enable API Integration and paste the Access Key and Secret Key you obtained in Step 8 of Generate the AWS API Access Key.
  3. Click Test API Credential to verify that API credentials work.
  4. Click Save Changes.