AWS Single Sign On Service

With the COVID-19 impact and the increase in working from home, I have received more and more requests for Single Sign On integrations, especially in the education domain and workforce authentication. I will share the evaluation details of the vendors we considered and their pros and cons in a separate post. In this post I share the details of the Single Sign On option provided by AWS. It has been very convenient for several reasons.
  • If you are thinking of installing an open source single sign on server for the purpose, this avoids all the installation and maintenance effort without much impact on cost (which of course may differ based on your resources and the scale of your user base).
  • It has quite a decent set of features.
  • All the services are under one roof. If your system is already running on AWS, this has the added advantage that your team is already familiar with AWS resources, and logging facilities etc. are integrated already.
Let's jump into the deep waters.
The configuration is pretty straightforward if you are familiar with the SAML protocol. We have quick access to define users, groups and application integrations, as seen below.

As you can see, there are 3 options to select from.
  1. If we already maintain our user base in a separate identity source, in the 1st step you might want to configure that identity source. Otherwise, if we depend on the AWS SSO Identity Store, we can skip this step and go directly to the 'Users' link in the left menu to create the users and groups.
  2. This option is to be used if we are using AWS SSO for AWS accounts themselves, which is not the most common case for businesses.
  3. This is the most important step. Here we configure the AWS SSO service so it knows there is an application that will use the service for user authentication and SSO functionality. Here we can get the AWS SSO service details that need to be used on the application side, and let the AWS SSO service know what to send back to the application after the user is authenticated.

With this 3rd option we can integrate with known third-party service providers as ready-made integrations, or add a custom application in case it is an in-house developed application.

Once the application is configured with basic details, further configuration can be done to allow users to log in to the application via AWS SSO.

If the service provider/application supports being configured for SAML SSO via an IdP metadata file, download the file highlighted in blue below.

This is all we have to do on the AWS side to consume the SSO facilities. Once the application is also configured to honour the SAML SSO flow for user authentication, we can test the end-to-end flow.

Cheers!
