How to set up SSO for Amazon AWS using SAML and Keycloak

In this article we share a guide on how to set up SSO authentication for Amazon AWS using the SAML protocol, with Keycloak as the identity provider.

Keycloak is an identity and access management solution developed by Red Hat; it supports the common SSO protocols SAML 2.0, OpenID Connect and OAuth 2.0.

So, let's begin.

PART 1: Keycloak Identity Provider setup

1) First, get the AWS service provider metadata file, saml-metadata.xml, from Amazon AWS (it is published at https://signin.aws.amazon.com/static/saml-metadata.xml).

2) After you have saved the saml-metadata.xml file, go to your Keycloak server, open the “Clients” section and create a new client:

3) Import the AWS saml-metadata.xml file:

4) After the import, most fields in the client settings are populated automatically from saml-metadata.xml (the Client ID becomes the AWS entity ID, urn:amazon:webservices, and the assertion consumer service URL points at https://signin.aws.amazon.com/saml):

your_realm_name is the name of the Keycloak realm for which you configure the SAML client

The only fields you need to fill in are “Base URL” and “IDP Initiated SSO URL Name”.

Set “Base URL” to:

/auth/realms/your_realm_name/protocol/saml/clients/amazon-aws

and “IDP Initiated SSO URL Name” to:

amazon-aws

(The /auth prefix applies to Keycloak versions up to 16; from Keycloak 17 onward the default path has no /auth, so the link becomes /realms/your_realm_name/protocol/saml/clients/amazon-aws.)

5) Press “Save”

6) After saving the client settings, open the “Installation” tab, select “SAML Metadata IDPSSODescriptor” and press “Download”. This gives you client-tailored-saml-idp-metadata.xml, which contains the realm's signing certificate that AWS will use to validate the assertions.

PART 2: Amazon AWS Service Provider setup

1) After you have downloaded the client-tailored-saml-idp-metadata.xml file, sign in to your Amazon AWS account.

2) Go to the “IAM” section, select “Identity providers” and press the “Create Provider” button.

3) Choose “SAML” as the provider type, set a provider name and upload the client-tailored-saml-idp-metadata.xml file downloaded from Keycloak.

4) Press “Next Step” and then “Create”.

5) After you have created the SAML identity provider, you need to create an IAM role that its federated users will assume.

6) Go to the “IAM” section and select “Roles”.

7) Press “Create New Role” and set a role name.

For “Select Role Type” choose “Role for Identity Provider Access” and then “Grant Web Single Sign-On (WebSSO) access to SAML providers”:

8) Establish trust between the IAM role and the SAML provider. The console generates a trust policy that lets users federated through this provider call sts:AssumeRoleWithSAML for the role:

If you don't need any optional conditions, go to the next step and leave these settings at their defaults.

9) Attach an IAM policy to the SAML role, granting only the permissions the federated users actually need:

Review the role settings and press “Create Role”.
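The trust policy the console generates for a role of this type, shown here as an added example rather than text from the original article. The account ID and provider name are the article's placeholders (aws_acct_id, aws_iam_saml_idp) and must be replaced with your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::aws_acct_id:saml-provider/aws_iam_saml_idp"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The Principal pins the role to the provider created in step 3, so an assertion signed by any other identity provider cannot assume it, and the SAML:aud condition requires the assertion's Audience to be the AWS sign-in endpoint. Keep both; any optional conditions you add in step 8 (for example on SAML:sub or SAML:iss) go into the same Condition block.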

PART 3: Keycloak roles and mappers setup

1) After the IAM SAML role in AWS has been created, open the role summary and copy its Role ARN; you also need the ARN of the SAML identity provider created in Part 2. They look like this:

arn:aws:iam::aws_acct_id:role/aws_iam_saml_role
arn:aws:iam::aws_acct_id:saml-provider/aws_iam_saml_idp

Go back to your Keycloak server, open the realm in which you created the AWS SAML client, go to the “Roles” tab and press “Add Role”. Name the role with both ARNs joined by a comma, exactly as AWS expects to receive them in the Role attribute (note the double colon after iam in both ARNs):

arn:aws:iam::aws_acct_id:role/aws_iam_saml_role,arn:aws:iam::aws_acct_id:saml-provider/aws_iam_saml_idp

aws_acct_id is your AWS account ID, aws_iam_saml_role is the AWS IAM SAML role, aws_iam_saml_idp is the AWS IAM SAML identity provider

2) After that, open the “Mappers” tab of the client and create three mappers. AWS reads the role, the session name and the session duration from SAML attributes with these exact names:

“Session Role” mapper: mapper type “Role list”, SAML attribute name https://aws.amazon.com/SAML/Attributes/Role, SAML attribute name format Basic, “Single Role Attribute” ON, so that every realm role assigned to the user is sent as one AttributeValue under a single Role attribute:

“Session Name” mapper: mapper type “User Property”, property username (or email), SAML attribute name https://aws.amazon.com/SAML/Attributes/RoleSessionName. AWS shows this value as the session name in the console and in CloudTrail:

“Session Duration” mapper: mapper type “Hardcoded attribute”, SAML attribute name https://aws.amazon.com/SAML/Attributes/SessionDuration, value in seconds (for example 3600):

The Role and RoleSessionName attributes are required by the Amazon AWS SAML documentation. SessionDuration is optional: when absent the session lasts one hour, and it can never exceed the maximum session duration configured on the IAM role.
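To see what Keycloak actually sends, and to debug a login that ends on an AWS error page, it helps to check the decoded assertion against the AWS requirements offline. The following script is an added example written for this article, not code from Keycloak or AWS. The sample assertion inside it is constructed (account 123456789012, user alice, the article's placeholder role and provider names), and the regular expressions encode the attribute formats the AWS SAML federation documentation specifies.

```python
"""Offline format check of a SAML assertion meant for the AWS console.

Added example for this article (not code from Keycloak or AWS). It parses a
SAML 2.0 Response or Assertion and checks the attributes AWS expects:

  https://aws.amazon.com/SAML/Attributes/Role             required
  https://aws.amazon.com/SAML/Attributes/RoleSessionName  required
  https://aws.amazon.com/SAML/Attributes/SessionDuration  optional

It checks shape only; the XML signature is verified by AWS, not here.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Formats taken from the AWS SAML federation documentation.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample (account 123456789012, user alice); the role and provider
# names are the placeholders used in the article. Replace it with a decoded
# assertion from a browser SAML trace to debug a real login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_constructed" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://keycloak.example.com/auth/realms/your_realm_name</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/aws_iam_saml_role,arn:aws:iam::123456789012:saml-provider/aws_iam_saml_idp</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Same assertion with a typo that is easy to make when typing the Keycloak
# role name by hand: one colon missing in the provider ARN.
BROKEN_ASSERTION = SAMPLE_ASSERTION.replace(
    "arn:aws:iam::123456789012:saml-provider", "arn:aws:iam:123456789012:saml-provider")


def get_attributes(xml_text):
    """Return {attribute name: [values]} for every Attribute in the document."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_aws_assertion(xml_text):
    """Return a list of problems; an empty list means the shape AWS expects."""
    problems = []
    root = ET.fromstring(xml_text)
    audiences = [(a.text or "").strip()
                 for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience must be {AWS_AUDIENCE}, got {audiences}")

    attrs = get_attributes(xml_text)

    # Role: one or more "role-arn,provider-arn" pairs, both ARNs in the same account.
    roles = attrs.get(AWS_ATTR + "Role", [])
    if not roles:
        problems.append("missing Role attribute")
    for value in roles:
        parts = value.split(",")
        if len(parts) != 2 or not ROLE_ARN.match(parts[0]) or not PROVIDER_ARN.match(parts[1]):
            problems.append(f"Role value must be 'role-arn,provider-arn': {value!r}")
        elif parts[0].split(":")[4] != parts[1].split(":")[4]:
            problems.append(f"role and provider are in different accounts: {value!r}")

    # RoleSessionName: exactly one value, 2-64 characters from the allowed set.
    names = attrs.get(AWS_ATTR + "RoleSessionName", [])
    if len(names) != 1 or not SESSION_NAME.match(names[0]):
        problems.append(f"RoleSessionName must be one value of 2-64 allowed characters, got {names}")

    # SessionDuration: optional, 900..43200 seconds when present.
    for duration in attrs.get(AWS_ATTR + "SessionDuration", []):
        if not duration.isdigit() or not 900 <= int(duration) <= 43200:
            problems.append(f"SessionDuration must be 900..43200 seconds, got {duration!r}")
    return problems


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ASSERTION), ("broken", BROKEN_ASSERTION)):
        print(label, check_aws_assertion(doc) or "OK")
```

Decode the SAMLResponse captured by a browser SAML tracer (base64, then locate the Assertion element) and pass it to check_aws_assertion; an empty list means the three attributes and the Audience are in the shape AWS expects, which is usually enough to turn a generic AWS sign-in error into a concrete cause. The BROKEN_ASSERTION variant reproduces the missing colon from a hand-typed Keycloak role name, which the check reports as a malformed Role pair.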

3) After the mappers, go to the realm “Manage” section, select “Users” or “Groups”, choose which user or group should be assigned the AWS SAML role, and assign it in its “Role Mappings” tab:

4) Finally, go back to the AWS client you defined and press the “Base URL” link:

5) The “Base URL” link redirects you to the Keycloak login page, where you enter the user name and password of a user who is a member of a group assigned to the AWS IAM SAML role defined in Keycloak.

After you enter your credentials, you should be redirected to the Amazon AWS console. If AWS shows an error page instead, the usual causes are a Keycloak role name that does not exactly match the “role ARN,provider ARN” pair, a user without that role, or a missing RoleSessionName mapper.

Let us help you:

Still having trouble setting up SSO authentication for Amazon AWS? Maybe you have some additional questions? Or just looking for tech assistance? You've come to the right place. Scandiweb is the most certified Magento agency in the world, with more than a hundred experienced coders and more than a decade of experience under its belt. We're here to help, so if you have any questions, drop us a line at info@scandiweb.com or check out the technologies we work with.
