Amazon Web Services Feed
Enabling Single Sign-On Between OneLogin and AWS
By Cassia Martin, Sr. Security Solutions Architect at AWS
By Sunil Ramachandra, Technical Account Manager at AWS
By Roy Rodan, Sr. Partner Solutions Architect at AWS
AWS Single Sign-On (AWS SSO) allows customers to efficiently manage user identities at scale by establishing a single identity and access strategy across their own applications, third-party applications (SaaS), and Amazon Web Services (AWS) environments.
In this post, we will explore the integration of AWS SSO with OneLogin, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency.
OneLogin’s authentication and role-based user provisioning engine enables organizations to implement least-privilege access controls and eliminate manual user management workflows for all AWS users and accounts.
AWS has also announced the integration of AWS SSO with Azure Active Directory and Okta.
The guide below describes the OneLogin and AWS SSO integration, which allows you to achieve three key benefits:
- Simple and centralized access to your AWS accounts using OneLogin identities.
- Automatic user synchronization between OneLogin and AWS.
- Familiar login experience when your OneLogin users sign into the AWS environment.
Setting Up the AWS Application in OneLogin
From your OneLogin page, go to the Application tab and find AWS Single Sign-On (https://[your_personal_account].OneLogin.com/apps/find).
In the Info section, give your new integration a Display name and Description and then click Save.
Next, click on More Actions on the top right side and choose SAML Metadata. This will download the OneLogin Metadata XML.
Setting Up Your AWS SSO
On the AWS console, go to the Single Sign-On page. If not already enabled, enable SSO.
Go to Settings and change the Identity source from the default AWS SSO by clicking Change.
Choose External identity provider.
Using the OneLogin Metadata XML you downloaded earlier, browse and upload IdP SAML metadata in the Identity provider metadata section.
Change the provisioning from Manual to SCIM by clicking the Enable automatic provisioning.
Make sure to copy the SCIM endpoint (also known as the SCIM Base URL) and the Access token (also known as a SCIM Bearer token).
Click on View details in the Authentication SAML 2.0 part and copy the AWS SSO ACS URL and AWS SSO issuer URL.
Having gathered these four pieces of information, it’s now time to go to OneLogin to finalize the integration.
Finishing OneLogin Configuration
Click on Configuration and enter the following details gathered from AWS SSO in the previous section:
- AWS SSO issuer URL
- AWS SSO ACS URL
- SCIM Base URL (SCIM endpoint) – If there is a trailing slash ‘/’ be sure to remove it
- SCIM Bearer Token (Access token)
Click Enable under API Connection, and then Save.
Next, click on Provisioning and select Enable Provisioning. Make sure the create, delete, and update user boxes are checked, and then Save the configuration.
In the Users tab, click on More Actions and select Sync logins. You will receive a message saying Synchronizing users with AWS Single Sign-on.
Finally, click More Actions and Reapply entitlement mappings. You will receive a message saying Mappings are being reapplied, check out in the logins in few moments.
In OneLogin, check the Activity tab and view the Events.
To verify if the user has successfully replicated on the AWS SSO, login to AWS SSO and click Users. Choose the user you want to verify, and you will see it has been updated by SCIM.
While still on AWS SSO, assign an account to this newly created user by navigating to AWS accounts.
Going back to the OneLogin administration page, select the recently created AWS Single Sign-On App.
You will be redirected to the AWS SSO sign-in page and logged into the account which is assigned to your user.
This new integration between OneLogin and AWS Single Sign-On using SCIM v2.0 standard will allow companies that use OneLogin as their identity store to leverage AWS SSO for managing access across multi-account and multi-role AWS environments. It also enables IT teams to centrally manage and automatically provision users and assign them to right permission sets, as defined by your business needs.
The OneLogin integration is now available to all users in all AWS Single Sign-On supported regions. Check the regional availability of AWS SSO.
OneLogin – APN Partner Spotlight
OneLogin is an AWS Competency Partner. Its authentication and role-based user provisioning engine enables organizations to implement least-privilege access controls and eliminate manual user management workflows for all AWS users and accounts.
Contact OneLogin | Solution Overview | AWS Marketplace
*Already worked with OneLogin? Rate this Partner
*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.