How to Set Up SSO for Amazon AWS Using SAML and Keycloak

In this article, we will share a guide on how to set up SSO authentification for Amazon AWS using SAML protocol and Keycloak as Identity Provider.

This SSO implementation guide is split into 3 parts:

  1. Initial Keycloak Identity Provider setup
  2. Amazon AWS Service Provider setup
  3. Finalizing Keycloak Identity Provider setup

Note: The solution outlined in the current article was developed for Keycloak V.3. Please, feel free to contact us in case you have additional questions regarding the setup or require assistance with your AWS project.

What is single sign-on (SSO)?

Single sign-on (SSO) is an authentication method that allows users to safely authenticate into several websites and applications with a single set of login credentials, e.g., a name and a password.

Let’s begin our AWS SSO setup guide!

Part 1: Keycloak Identity Provider setup

Keycloak is a Red Hat developed Identity and Access management solution, which supports multiple SSO protocols like SAML, OpenID, and OAuth2.

  1. The First step you need to do is to get saml-metadata.xml from Amazon AWS.
  2. After you saved the saml-metadata.xml file, go to your Keycloak server, go to the Clients section and create a new client:
  1. Import Amazon AWS saml-metadata.xml:
  1. After you import saml-metadata.xml, most fields in Client settings will be populated automatically, based on information from saml-metadata.xml:
your_realm_name — is the name of the keycloak realm, for which you configure SAML client
your_realm_name is the name of the keycloak realm, for which you configure SAML client

The only fields you need to fill are the Base URL and IDP Initiated SSO URL Name.

  • Set your Base URL to:

/auth/realms/your_realm_name/protocol/saml/clients/amazon-aws

  • and IDP Initiated SSO URL Name to

amazon-aws

  1. Press Save
  2. After you have saved client settings, go to the Installation tab, select SAML Metadata IDPSSODescriptor, and press Download.

Part 2: Amazon AWS Service Provider setup

  1. When you have downloaded the client-tailored-saml-idp-metadata.xml file, go to your Amazon AWS account.
  2. Go to the IAM section, select Identity providers, and press the Create Provider button.
  3. Choose SAML as the provider type, set the provider name, and upload the client-tailored-saml-idp-metadata.xml file downloaded from Keycloak.
  1. Press Next Step and then Create.
  2. After you have created your SAML Identity Provider, you need to create an IAM role for this provider.
  3. Go to the IAM section and select Roles.
  4. Press Create New Role and set role name.
  • For Select Role Type choose

Role for Identity Provider Access

and

Grant Web Single Sign-On (WebSSO) access to SAML providers

  1. Establish trust between IAM role and SAML provider:

If you don’t need to set any optional conditions, you can just go to the next step and leave these settings at default.

  1. Attach IAM Policy to SAML role:
  1. Review role settings and press Create Role.

Part 3: Finalizing Keycloak Identity Provider setup

  1. After the IAM SAML role in AWS has been created, go to role summary and copy Role ARN, it should look like this:

arn:aws:iam::aws_acct_id:role/aws_iam_saml_role,arn:aws:iam:aws_acct_id:saml-provider/aws_iam_saml_idp

Go back to your Keycloak server, go to your realm in which you created the AWS SAML client, go to the Roles tab, and press Add Role:

aws_acct_id — your AWS account ID, aws_iam_saml_role — AWS IAM SAML role, aws_iam_saml_idp — AWS IAM SAML Identity Provider
aws_acct_id—your AWS account ID, aws_iam_saml_role—AWS IAM SAML role, aws_iam_saml_idp—AWS IAM SAML Identity Provider
  1. After that, go to the Mappers section and create mappers for Session Role, Session Duration, and Session Name
  • Session Role mapper:
  • Session Name mapper:
  • Session Duration mapper:

These mappers are required as per Amazon AWS SAML documentation.

  1. After Mappers, go to the Keycloak realm Manage section, select Users or Groups, choose which group or user will be assigned to the AWS SAML role, and assign it:
aws_acct_id — your AWS account ID, aws_iam_saml_role — AWS IAM SAML role, aws_iam_saml_idp — AWS IAM SAML Identity Provider
aws_acct_id—your AWS account ID, aws_iam_saml_role—AWS IAM SAML role, aws_iam_saml_idp—AWS IAM SAML Identity Provider
  1. Finally, go back to your defined AWS client, and press the Base URL link:
your_realm_name — is the name of the keycloak realm, for which you configure SAML client
your_realm_name is the name of the keycloak realm for which you configure the SAML client
  1. After you press the Base URL link, it should redirect you to the Keycloak login page, where you’ll need to enter the user name and password for the user, who is a member of a group that has been assigned to the AWS IAM SAML role defined in Keycloak.

And that’s ityour SSO configuration is complete! After you enter your credentials, hopefully, you’ll be redirected to the Amazon AWS console.

Still having trouble setting SSO authentification for Amazon AWS? Looking for tech assistance? You’ve come to the right place. Scandiweb is the most certified Magento agency in the world with more than a decade of experience under its belt. We’re here to help, so if you have any questions – drop us a line at [email protected] or check out the technologies we work with.

Related articles:

If you enjoyed this post, you may also like