Better Living Through Narratology

AWS SSO from Commercial to GovCloud

AWS Single Sign-On (SSO) is integrated with AWS Organizations to allow quick and easy access to cross-account IAM roles to manage all of your AWS accounts with ease.  This simplifies cross-account management and relieves password fatigue for users, however this functionality hasn’t been extended from commercial accounts to GovCloud accounts.  GovCloud will allow you to assume a role with SAML, so with a little heavy lifting on the admin side, you can add GovCloud cross-account access from your commercial AWS SSO account.

My last post discussed how to add MFA to SSO and assumed that we were using an AWS AD Connector to connect to our AWS Managed Microsoft AD directory.  We’ll keep that same assumption for this scenario, although your AD Connector could be reaching out to virtually any identity store.  One caveat: You’ll need to create a custom application for each GovCloud account/role you’re trying to access, if you’re using AWS Managed Microsoft AD.  You could get a little creative if you’re connecting to a true Active Directory store, but for now, let’s not get too creative.

Let’s get building!

  • First, you’ll need to download the GovCloud SAML Metadata file: https://signin.amazonaws-us-gov.com/static/saml-metadata.xml
  • Now, go to your AWS SSO page and click on Applications.  Click Add a new application to get started and click on Add a custom SAML 2.0 application on the following page.
  • Provide a name for the application — it would be good to name it after your GovCloud account and the role being used.  At the bottom of the page, you’ll be asked to provide an Application SAML metadata file.  This should  be the file you downloaded in Step 1.  Click Save changes and you’ll be taken to your complete application.
  • Download the application metadata file by clicking the Download metadata file link.  Save this file and open it in a text editor.
  • You’ll see a line near the bottom that looks like <md:NameIDFormat>.  Let’s change that line to look like this: <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  • Save your file and let’s head over to GovCloud.  Go to the IAM section of your GovCloud account and let’s click on Identity providers, where we will create a new provider (IdP).  Select SAML as your provider type, give it whatever name you prefer and provide the metadata document that you just edited that was created with your custom application.
  • Create an IAM Role while you’re here, if you need to.  Make sure that SAML is the trusted identity for the role and provide whatever permissions are necessary.
  • Now, we get to mapping attributes.  This part can differ depending on your directory, but however you map them, SSO can only support the ones listed here.  Make sure your directory has attributes mapped and let’s create some SAML attributes for the custom application we’ve created.
  • Click on the custom SAML application you’ve made and click on the Attribute mappings tab.  We want our attributes to look like this:
User attribute in the application Maps to this string value or user attribute in AWS SSO Format
Subject ${user:subject} unspecified
NameID ${user:subject} unspecified
https://aws.amazon.com/SAML/Attributes/RoleSessionName ${user:subject} unspecified
https://aws.amazon.com/SAML/Attributes/Role SEE NOTE uri
  • For the final entry, instead of SEE NOTE, you’ll want to add the ARN of the IdP you made in GovCloud followed by a comma and the ARN of the GovCloud role you want to assume.  So, the value of that field may look like:  arn:aws-us-gov:iam::12345678912:saml-provider/IdpSSO,arn:aws-us-gov:iam::12345678912:role/MySSORole
  • Now, go to the Assign users tab to provide access to this application to the users and groups necessary.

That should do it!  When you access your SSO page now, you’ll see a new icon named after your custom application.  Click to assume your new role.

Posted in AWS, GovCloud, SSO | No Comments