Post

AWS - IdenAccessManage - Setup the GSuite for AWS SSO

Posted
By Grace L
11 min read

[toc]

G Suite for AWS SSO

use G Suite as an external identity provider for AWS SSO

connect AWS SSO to G Suite, allowing users to access AWS accounts with their G Suite credentials.

1_6oXNkTw5nxNT2rWCnx-sXg

grant access by assigning G Suite users to accounts governed by AWS Organizations. The user’s permissions in an account are determined by permission sets defined in AWS SSO.

  • to define and grant permissions based on the user’s job function (such as administrator, data scientist, or developer).
  • should follow the least privilege principle, granting only permissions that are necessary to perform the job.
  • This way, centrally manage user accounts for your employees in the Google Admin console and have fine-grained control over the access permissions of individual users to AWS resources.

AWS SSO authenticates G Suite users by using Security Assertion Markup Language (SAML) 2.0 authentication.

  • open standard for secure exchange of authentication and authorization data between IdPs and service providers without exposing users’ credentials.

use AWS as a service provider and G Suite as an external IdP, the login process:

G-Suite-AWS-SSO-Figure-1

Figure 1: AWS SSO authentication flow

  1. user with a G Suite account opens the link to the AWS SSO user portal of your AWS Organizations.
  2. If the user isn’t already authenticated, they will be redirected to the G Suite account login. The user will log in using their G Suite credentials.
  3. If the login is successful, a response is created and sent to AWS SSO.
  4. It contains three different types of SAML assertions:
  5. authentication, authorization, and user attributes.
  6. When AWS SSO receives the response, the user’s access to the AWS SSO user portal is determined. A successful login shows accessible AWS accounts.
  7. The user selects the account to access and is redirected to the AWS Management Console.
  8. The user journey starts at the AWS SSO user portal and ends with the access to the AWS Management Console.
  9. users experience a unified access to the AWS Cloud, and you don’t have to manage user accounts in AWS Identity and Access Management (IAM) or AWS Directory Service.

User permissions in an AWS account are controlled by permission sets and groups in AWS SSO.

  • A permission set is a collection of administrator-defined policies that determine a user’s effective permissions in an account.
  • They can contain AWS managed policies or custom policies that are stored in AWS SSO, and are ultimately created as IAM roles in a given AWS account.
  • users assume these roles when they access a given AWS account and get their effective permissions.
  • This obliges you to fine control the access to the accounts, following the shared-responsibility model established in the cloud.

to use G Suite to authenticate and manage users, it create user entity in AWS SSO.

  • The user entity is not user account, but a logical object.
  • It maps a G Suite user via its primary email address as the username to the user account in AWS SSO.
  • The user entity in AWS SSO allows you to grant a G Suite user access to AWS accounts and define its permissions in those accounts.

AWS SSO initial setup

The AWS SSO service has some prerequisites.

1. Set up AWS Organizations with All features set to enabled,

G-Suite-AWS-SSO-Figure-2

1.1. Beginning the process to enable all features

  1. use master account to sign in to the AWS Organizations console
  2. Settings tab -> Begin process to enable all features.

Note:

To enable all features in your organization, must have the following permission: organizations:EnableAllFeatures

cannot return to only consolidated billing features after you switch by choosing Begin process to enable all features.

  1. AWS Organizations sends a request to every invited (not created) account in the organization asking for approval to enable all features in the organization.
    1. If you have any accounts that were created using AWS Organizations and the member account administrator deleted the service-linked role named AWSServiceRoleForOrganizations, AWS Organizations sends that account a request to recreate the role.
  2. the status of the requests -> View all feature request approval status.
    1. shows the current request status for each account in the organization.
    2. Accounts that have agreed: green check mark and show the Acceptance date.
    3. Accounts that haven’t yet agreed: yellow exclamation point icon and show the date that the request was sent with a status of Open.

A countdown of 90 days begins when the request is sent to the member accounts.

  1. If an account doesn’t approve its request, select the account on this page and then choose Remove.
  2. This cancels the request for the selected account
    1. and removes that account from the organization,
    2. eliminating the blocker to enabling all features.

1.2. Approving the request to enable all features or to recreate the service-linked role

  1. Sign in to the AWS Organizations console
  2. Read what accepting the request for all features in the organization means for your account, and then choose Accept

Note:

the master account in the organization can apply policy-based controls on your member account.

These controls can restrict what users and even what you as the administrator can do in your account.

Such restrictions might prevent your account from leaving the organization.

  1. Minimum permissions to approve a request to enable all features for your member account, you must have the following permissions:
    1. organizations:AcceptHandshake
    2. iam:CreateServiceLinkedRole – Required only if the AWSServiceRoleForOrganizations role must be recreated in the member account

1.3. Finalizing the process to enable all features

  1. master account:
  2. After all accounts accept the request to enable all features, choose Finalize process to enable all features.
  3. When asked to confirm, choose Finalize process to enable all features again.
  4. The organization now has all features enabled.
  5. The next step is to enable the policy types that you want to use.

2. Set up an external identity provider in AWS SSO

  1. AWS SSO is enabled, connect an identity source, select Choose your identity source.

G-Suite-AWS-SSO-Figure-3

  1. Settings > Identity source > Change.

G-Suite-AWS-SSO-Figure-4

  1. switch to an external identity provider
    1. By default, AWS SSO uses its own directory as the identity provider.
    2. To use G Suite as your identity provider, switch to an external identity provider from the available identity sources.

G-Suite-AWS-SSO-Figure-5

  1. Choose Show individual metadata values to show the information need to configure a custom SAML application.

G-Suite-AWS-SSO-Figure-6

  1. don’t close the window, after next step: G Suite SAML application setup, it will provide a file for IdP SMAL metadata.

3. G Suite SAML application setup

witch to Google Admin console and use the service provider metadata information to configure AWS SSO as a custom SAML application.

3.0. add custom attributes to user

  1. G Suite administration page, add custom attributes to our users
  2. create a custom attribute class called “AWS SAML”

1_35L1hXbWuckFFIaTCnz7rQ

  1. create the attributes “IAM Role” and “SessionDuration”

1_e6HGhVF76OpnS_ZXFI938g

3.1 configure a custom SAML application in G Suite

  1. Admin console > Apps > SAML Apps > choose Add a service/App to your domain.

G-Suite-AWS-SSO-Figure-7

  1. In the modal dialog that opens, choose SETUP MY OWN CUSTOM APP.

G-Suite-AWS-SSO-Figure-8s

  1. Go to Option 2 and choose Download

G-Suite-AWS-SSO-Figure-9s

  1. it is Google IdP metadata, downloads an XML file named GoogleIDPMetadata-your_domain.xml
  2. will use it to configure G Suite as the IdP in AWS SSO.
  3. Choose Next.

WARNING!!! The contents of this file should not be released for any reason; the security of the entire solution relies on its remaining confidential!

  1. Configure the name and description of the application.
    1. application name: AWS SSO or any.
    2. Choose Next

G-Suite-AWS-SSO-Figure-10s

  1. Fill in the Service Provider Details using the metadata information from AWS SSO:
    1. AWS SSO Sign-in URL > Start URL
    2. AWS SSO ACS URL > ACS URL
    3. AWS SSO Issue URL > Entity ID
    4. choose Next to create your custom application.

G-Suite-AWS-SSO-Figure-11s

  1. Next is a confirmation screen. Choose OK to continue.

G-Suite-AWS-SSO-Figure-12

  1. The final steps enable the application for users.
    1. Select the application from the list
    2. choose EDIT SERVICE from the top corner.

G-Suite-AWS-SSO-Figure-13

  1. Change the service status to ON for everyone and choose SAVE.
    1. If you want to manage access for particular users
    2. do this via organizational units (for example, enable the AWS SSO application for your engineering department).

This doesn’t give access to any resources inside of your AWS accounts.

Permissions are granted in AWS SSO.

G-Suite-AWS-SSO-Figure-14

4. AWS SSO configuration

finish SSO setup by uploading Google IdP metadata in the AWS Management Console.

4.1. add identity provider metadata in AWS SSO

  1. When configured the custom application in G Suite, you downloaded the GoogleIDPMetadata-your_domain.xml file.
  2. Browse… > the file > Next: Review.

G-Suite-AWS-SSO-Figure-15

  1. Type CONFIRM at the bottom > choose Change identity source to complete the setup.
  2. message that your change to the configuration is complete.
  3. At this point, choose Return to settings and proceed to user provisioning.

5. Manage Users and Permissions

AWS SSO supports automatic user provisioning via the System for Cross-Identity Management (SCIM). However, this is not supported for G Suite custom SAML applications.

AWS and Google are collaborating in the Fast Federation (FastFed) Working Group to enable this.

In the meantime, either manually create users and groups or use the ssosync project from awslabs to automate the process.

  1. Manual provisioning
    1. the easiest option to get started with,
    2. but requires additional identity management processes to ensure that user attributes and group memberships stay up-to-date over time, which is not ideal.
  2. The ssosync option
    1. eliminates these processes,
    2. but is open source code that must be properly evaluated before using in production.

5.1 The manual option

add user to AWS SSO
  1. AWS SSO > Users > Add user
  2. Enter the user details
    1. use user’s primary email address as the username.
    2. Choose Next: Groups to add the user to a group.

G-Suite-AWS-SSO-Figure-19

  1. create user groups. Skip the Add user to groups step by choosing Add user. reach the user list page displaying your newly created user and status enabled.

  2. assign the user to a particular AWS account in your AWS Organization.

    1. This allows the user to access the assigned account.
    2. Select the account you want to assign your user to and choose Assign users.

G-Suite-AWS-SSO-Figure-21

  1. Select the user you just added, then choose Next: Permission sets to configure the effective permissions of the user in the assigned account.

G-Suite-AWS-SSO-Figure-22

  1. configure one permission > Create new permission set.

  2. AWS SSO has managed permission sets that are similar to the AWS managed policies.

    1. Make sure Use an existing job function policy is selected
    2. select PowerUserAccess from the list of existing job function policies
    3. choose Create.

G-Suite-AWS-SSO-Figure-24

  1. now select the created permission set from the list of available sets for the user.
    1. Select the PowerUserAccess permission set and choose Finish to assign the user to the account.

G-Suite-AWS-SSO-Figure-25

  1. message that the assignment has been successful.

G-Suite-AWS-SSO-Figure-26

5.2. Automatic creation of users and groups

The ssosync project from awslabs can automatically synchronize users and groups, eliminating the need for manual creation and upkeep.

  • It uses the Directory API in the G Suite Admin SDK to fetch users and groups and then creates them in AWS SSO.
  • To get started with ssosync, follow the directions provided on the project homepage.

The ssosync project is under active development. need regularly check for updates, consider contributing through pull requests, and provide feedback through GitHub.

6. Access AWS Account with G Suite

  1. After user login through AWS SSO user portal URL, users are redirected to the user portal.
    1. After select from the list of assigned accounts, user access the AWS Management Console of these accounts.

G-Suite-AWS-SSO-Figure-28

  1. successfully set up G Suite as an external identity provider for AWS SSO. users can access your AWS accounts using the credentials they already use.

ways for user get access to AWS SSO:

  1. provide user portal URL in the AWS SSO > settings, as shown in the following screenshot.
    1. https://d-12345.awsapps.com/start
    2. Unauthenticated users who use the link will be redirected to the Google account login page and use their G Suite credentials to log in.

G-Suite-AWS-SSO-Figure-27

  1. select AWS SSO from Google Apps to be redirected to the user portal

G-Suite-AWS-SSO-Figure-29

  1. Using AWS CLI with SSO
    1. AWS CLI v2 supports access via AWS SSO.
    2. automatically or manually configure a profile for the CLI to access resources in your AWS accounts.
    3. To authenticate your user, it opens the user portal in your default browser.
    4. If you aren’t authenticated, you’re redirected to the G Suite login page.
    5. After a successful login, select the AWS account you want to access from the terminal.
01AWS, IdenAccessManage
AWS SSO
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.