Log in to the AWS console Using WSO2 Identity Server 7.0.0.
WSO2 has released Identity Server 7.0.0, the latest release of Identity Server at the time of writing. It brings a whole lot of new features, including a new developer console that offers a much richer developer experience. This article will guide you through integrating the AWS console with WSO2 Identity Server so that your users can log in to the AWS console through WSO2 Identity Server.
Before we start, let’s think of a practical scenario in which this may be useful. If you are a large-scale enterprise, you probably have an enterprise Identity Provider, and all your workforce applications rely on it as the single source of identity. This is a huge advantage when it comes to managing users, as user identities are not scattered across multiple systems.
If you use AWS as an IPaaS platform, your SRE / DevOps team will probably need access to the AWS console for their daily operations. If you can configure your enterprise IDP as the Identity Provider for the AWS console, you can let your organization’s users log in to the AWS console using the enterprise IDP.
In this article, I am going to discuss how you can integrate WSO2 Identity Server as the Identity Provider for the AWS Console using SAML2 Web SSO.
First things first
Download WSO2 IS 7, which has our brand-new developer console, from here.
To start it, unzip the distribution and navigate to the /bin directory inside it. Execute ./wso2server.sh to start the product. More information on getting the server started can be found here.
There is a configuration change that needs to be done in the configuration files before you move on. For now, all we need to do is change the respective configuration. If you have any questions about why this config change is required, post me a comment.
Step 1
Open the deployment.toml inside <IS_HOME>/repository/conf and add the following entry under [user_store]
multi_attribute_separator = ",,"
Here’s what it looks like once you are done!
[user_store]
type = "database_unique_id"
multi_attribute_separator = ",,"
Let’s move on
Step 2
We need a claim (attribute) to store the AWS user role on the Identity Server side. This role is used to authorize the user to the AWS console.
- To do that, log in to the Identity Server developer console / Admin console [https://localhost:9443/console] and go to the Attributes section under “User Attributes and Stores” in the left menu
- Click on Attributes
- Search for the attribute name “entitlements” and click on the edit option
- Tick on “Display this attribute on the user’s profile” and click update to save the changes.
Step 3
Create a user who can log into the AWS console
- Click on “Users” under “User Management” from the left menu of the Identity Server Admin console
- Click on the “Add user” button
- Fill out the Add User wizard and save
Step 4
You need to create a SAML-based application in the Identity Server so that IS can act as the IDP for that application (the AWS Console).
1. To do that, click on the Applications tab in the left menu and click on New Application. From the templates available, pick “Standard-Based Application” to start creating the application. (Alternatively, you can pick the “Standard-Based Application” template from the home screen as well.)
2. Fill out the application creation wizard:
Name: AWS-Console
Protocol : SAML
Issuer : urn:amazon:webservices
Assertion Consumer URL : https://signin.aws.amazon.com/saml
“Allow sharing with sub-organizations” is not required if you don’t intend your sub-organization users to use the AWS console. Let’s not tick it, to keep it simple.
Click on the Create button.
3. Once created, go to the Protocol tab of the created application and enable “SAML Response Signing”. Please note that this is the only additional change you need to make under the “Protocol” tab.
4. Navigate to the User Attributes tab of the created application.
5. Click on the Add new user attribute button.
6. From the wizard, select “Email” and “Entitlements” as required attributes and save.
7. Once saved, toggle “Enable attribute claim mapping” and add the attribute mappings below.
http://wso2.org/claims/entitlements → https://aws.amazon.com/SAML/Attributes/Role
http://wso2.org/claims/emailaddress → https://aws.amazon.com/SAML/Attributes/RoleSessionName
Note: Why do you need this mapping? AWS expects the user information (the username and the role) as specific claims in its own dialect (format), so we need to map the WSO2 claims to the AWS claims before sending them in the assertion.
8. Select the email address as the subject claim and save.
9. Enable IDP-initiated SSO for this application and save.
Step 5
Now we need to create an Identity Provider on the AWS side so that AWS knows who the trusted IDP is.
1. Go to the “Info” section of the created application in the Identity Server.
2. There you can find a link to download the IDP metadata file. Download it to your computer; we will be using this file to create the IDP in AWS.
3. Go to the AWS console and log in as an administrator who has IAM service rights.
4. Go to the IAM (Identity and Access Management) service and click on Identity Providers in the left pane.
5. Click on the Add Provider button on the next page.
6. Fill out the Add IDP wizard:
Choose SAML as the Provider Type.
Give a name (any name would work; I am giving WSO2IS as the name).
Click on Choose File under Metadata document and supply the metadata file downloaded from the Identity Server (SAML-Metadata.xml).
Finish creating the provider by clicking the Add Provider button.
Note that the ARN of the created IDP is required in one of the next steps. You can get it from the view you see when you click on the newly created IDP (arn:aws:iam::<aws-account-id>:saml-provider/WSO2IS).
Step 6
Now we need a role on the AWS side to attach to this Identity Provider. In simple terms, AWS uses this role together with the IDP name to work out which AWS organization / account the user who is trying to log in belongs to. We will also be saying that the people who hold this role have access to the AWS Management Console.
1. To do that, click on Roles under Access Management in the left menu of the AWS IAM service.
2. Fill out the role creation wizard:
Trusted entity type : SAML 2.0 federation
SAML 2.0-based provider : WSO2IS (the Identity Provider name you created in the previous step)
Tick on “Allow programmatic and AWS Management Console access”
Click Next
3. In the next step of the wizard, select AdministratorAccess as the permission policy, as we are allowing these users to log in to the AWS console. In a real deployment you would attach a narrower policy that grants only what the team needs; AdministratorAccess keeps this walkthrough simple. Click Next.
4. In the next view, give the role a name (idpRole) and save. Keep the rest as it is.
Note that the ARN of the created role is required in one of the next steps. You can get it from the view you see when you click on the newly created role (e.g. arn:aws:iam::<aws_account_num>:role/idpRole).
Step 7
Create an IAM user in the AWS console
1. Go to Users under Access Management in the AWS console IAM resource.
2. Add a user and fill out the user creation wizard:
Name: john@wso2.com (the same username I used for the Identity Server user)
Tick on “Provide user access to the AWS Management Console — optional”
Tick on “I want to create an IAM user”
I used a custom password and also unticked “Users must create a new password at next sign-in” so that I don’t need to reset passwords.
Click Next and create the user from the next view.
3. Tick on Add user to group and click Next to move on.
4. You won’t get any groups as you haven’t added any groups. That’s fine!
5. Finally, click on Create User.
Step 8
We need to configure the created Identity Provider ARN and the Role ARN under the user’s entitlements in the WSO2 Identity Server.
1. Get the ARNs of both the IDP and the role as described in the steps above.
2. Combine them in the format <role-arn>,<idp-arn>
Eg : arn:aws:iam::533267247250:role/idpRole,arn:aws:iam::533267247250:saml-provider/WSO2IS
3. Access the WSO2 Identity Server admin console and go to the user profile of the previously created user john@wso2.com (User Management > Users > click on john@wso2.com).
4. Add the combined value from above under the Entitlements attribute and save.
Finally, it’s time to test what we have done so far!!
We will be initiating an IDP-initiated login flow. Well, what is an IDP-initiated flow? Here you hit a URL on the IDP and say that you need to log in to the AWS console. If it were SP-initiated, you would have gone to the AWS console and tried to log in from there.
Hit the URL below in your browser to initiate an IDP-initiated SSO flow.
https://identity.wso2.com:9443/samlsso?spEntityID=urn:amazon:webservices
Boom!!! You get the login page of the WSO2 Identity Server.
Give the username and password of the user we created (john@wso2.com) and proceed. You can now access the AWS console!!
Congratulations !!! You have achieved what you wanted !!
Appendix:
I am attaching the SAML response that is sent to AWS from the WSO2 Identity Server. In case you run into issues, you can compare it with your own SAML response and get an idea of what’s going on. Here’s the response.
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://signin.aws.amazon.com/saml"
ID="_5211c529571ac757c851c3b2ef5b949b"
IssueInstant="2024-04-11T17:51:48.727Z"
Version="2.0"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_5211c529571ac757c851c3b2ef5b949b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>6hCO/WovAdFLkTctvf8DKZzbdYlSlEJaE9hkxSTjQn8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Sym0gOGqON6VspAU9cCI41dzvU8s4SlrR+bU6OEuc8IAgDMb2K51NofQ5ihicnHUoDZOBXZ/6VSXY8HngG1F5x4pyVYFHKOWTj/HmqOlSKSEaWpwzRotQBizDHUe1n3q6esZgqG90d5gFU3LQ2FhVH5Hd9wSQ36pYh4+vFgOdlGOBqp2W/Il/wj7GmYIY34vtXaNAyhHAG+IbdeZ4JsI49JE7sB6SAcSW0KDJkacFOFDolKks/JrD4nA2fC3JWJ9XLMn0JitzQORYWuuGEud5g3BbObj5q8eSnHu7dV3HNoL/m8tVszNwVCV2f30SejELCs4IaDzXoSIHHHhD8lzcw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDqDCCApCgAwIBAgIEZXBGCTANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARXU08yMQ0wCwYDVQQLDARXU08yMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjMxMjA2MDk1OTM3WhcNMjUwMTA3MDk1OTM3WjBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFDASBgNVBAcMC1NhbnRhIENsYXJhMQ0wCwYDVQQKDARXU08yMQ0wCwYDVQQLDARXU08yMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCa4jlw8KrXs396SvKfTQ02IeRoaZquekoJSiw0l9e9BI2EavnTG8Jyop8z2rOr6C6jjdgUytz5jBhopbgfxrP2i0NGujJFLNnSU8rchD2TJ9Qo8tWvfjAKC/UlRxSoErOTdz7XS1CcPf6oQfNzMZ6By29zfISuC+rWnjLqT3M6z0F0b3+moiiZfQ05F00hwzSE9WBlL+GRxwpyQQYwsbGfZ+viI3EGv7sRv+xqpLPhW5SLzhGzsZi9C0M0G1jbvV1d+PY0MThE60rkavjM++RRBesoi5JknZksAt9hOqxY3A1IMdDANpdKqhdF1aAyDX+vTZFrHfLsuEBec5Pp3tIXAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIE8DAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFHXXV2nlofhi8Wwjw0EoaFSYnWbSMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEARe8DI8n72eUlQy9GSpiyxv8QUHFdiQa1nBW9nVTZdyJoSX0qh6N3xVNJXR3/zLvL8MBVMvjkt0OQqvEiyjwnEWO6DbxTRr3vdf+rv5VwdkYn4McMKx4xF8Zag8xhyaYqUQzQXng51rV1+c4uzXugEhE5SzdDHYEXzX6joZIg1yN+hEPc77RZJJHmwIQrTd3bnZpytB6RdBjnjSyh0BeHlJQGmPxomxYAS1hVszRdfWtrxDABflIJimJiHh3dykcyNlrwBu903pMdUGQGqsUyEjhFd7s4AzuqYHJr5rYy950df9IbYShu2YflVEsWZqJR62CibWBcJKyHPYmtC0cSRQ==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_6762a3b17a222c58c3298c49e5e1933b"
IssueInstant="2024-04-11T17:51:48.727Z"
Version="2.0"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_6762a3b17a222c58c3298c49e5e1933b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xsd"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>plTSqJ/VjUeUVCUVdn5Jb4BUuoXdIP+Px6VbR4gfYhY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>YYK157BsR95Zr3pN0U2yxX9o2r3bvnXCKI38MNDGhS478wcWJIxeslrmJghY5mEjpQftdPpqwvIknQtmi+y+ChtGg4VJblBcUfWfivoFuudUsLm+TJx6bvZsH/viWwApyJZ56JkXLb7rLSP3KdaU+Wbr8mnW0DTFZtJm34WaATEh5ZUktz2tKvtAayVm8mJG+6Qd1iapgzKEyjzahJ3eJWUBwcQuls9g8464SpcT0Y1KHVUckUD8eRiUxk5Lya7ouTMdQw/C998A3xZ7HfsEgpBi/rmYTicwgU7SGPEaom1DCglobCRT5Xwrw1RzijQ6xFpiVYuS5KXM2g0kTArRYw==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate><!-- same certificate as in the Response signature above --></ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john@wso2.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2024-04-11T17:56:48.727Z"
Recipient="https://signin.aws.amazon.com/saml"
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2024-04-11T17:51:48.727Z"
NotOnOrAfter="2024-04-11T17:56:48.727Z"
>
<saml2:AudienceRestriction>
<saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2024-04-11T17:51:48.482Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="isk"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>e8d072036dca3880c9fef468918d686957fdaeb29a6ad767f7f49616669650ab</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>john@wso2.com</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xsd:string"
>arn:aws:iam::533267247250:role/idpRole,arn:aws:iam::533267247250:saml-provider/WSO2IS</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2p:Response>
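As an added example (not part of the article and not WSO2 or AWS code), here is a Python check that reads a SAML response like the one above and reports the things AWS relies on: a signed assertion, the urn:amazon:webservices audience, the RoleSessionName attribute, and Role values in the <role-arn>,<idp-arn> form from Step 8 with both ARNs in the same account. The embedded sample response, its IDs and the account number are constructed; the check does not verify the XML signature itself, only that one is present.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# One AWS Role value is "<role-arn>,<idp-arn>", and both ARNs must name the same account.
ROLE_PAIR = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+,"
                       r"arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def check_aws_saml_response(xml_text):
    """Return the problems found; an empty list means the assertion carries what AWS expects."""
    assertion = ET.fromstring(xml_text).find("saml2:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (enable SAML Response Signing on the IS app)")
    audience = assertion.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if audience != "urn:amazon:webservices":
        problems.append(f"Audience is {audience!r}, AWS expects urn:amazon:webservices")
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml2:AttributeValue", NS)]
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    if not attrs.get(SESSION_ATTR):
        problems.append("RoleSessionName attribute missing (map emailaddress to it)")
    if not attrs.get(ROLE_ATTR):
        problems.append("Role attribute missing (map entitlements to it)")
    for value in attrs.get(ROLE_ATTR, []):
        # The pair itself holds a comma: that is why Step 1 sets the IS separator to ",," (the default "," would split it).
        match = ROLE_PAIR.match(value)
        if not match:
            problems.append(f"Role value is not <role-arn>,<idp-arn>: {value}")
        elif match.group(1) != match.group(2):
            problems.append(f"Role and provider ARNs name different accounts: {value}")
    return problems

# Constructed minimal response standing in for the appendix one; the empty Signature element and IDs are placeholders.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>urn:amazon:webservices</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions><saml2:AttributeStatement>
<saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
<saml2:AttributeValue>john@wso2.com</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<saml2:AttributeValue>ROLE_VALUE</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""

def sample_response(role_value):
    return SAMPLE.replace("ROLE_VALUE", role_value)  # the constructed sample with a chosen Role value
```

To check a real response, paste the XML captured from your browser (for example with a SAML tracer extension) into check_aws_saml_response instead of the constructed sample.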