Create the SAML Application

To get started navigate to the Applications tab of the AWS IAM Identity Center console.

Click Add application, then select the Add custom SAML 2.0 application option. Click Next, then give your application a suitable name.

Configure the SAML Application

In Attributes & Claims set emailaddress to user.mail.

Scroll down to the Application properties section.

Set the Application start URL field to be your app_url parameter in the Terraform deployment.

Scroll down to the Application metadata section.

Set the Application ACS URL field to be first_time_setup_config.saml_sso_acs_url from the deployment outputs.

Set the Application SAML audience field to be first_time_setup_config.saml_sso_entity_id from the deployment outputs.

Click Next.

Configure the SAML Attributes

Click the Actions menu then select the Edit attribute mappings option.

On the first entry for “Subject”, set the field Maps to this string value or user attribute in IAM Identity Center to ${user:email}.

Add a new attribute mapping.

  • For User attribute in the application, enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • For Maps to this string value or user attribute in IAM Identity Center, enter: ${user:email}
  • For Format, select basic.

Click Save Changes.

You’ll need to assign yourself and other users to the SAML application before you can log in.

Set up the SAML SSO provider in your deployment

Copy the SAML metadata URL from AWS IAM Identity Center.

Add the following variables to your Terraform deployment:

saml_provider_name    = "AWS"
saml_metadata_is_file = false
saml_metadata_source  = "<The SAML metadata URL>"

Now, run a deployment:

terraform apply