How to set up SSO (Single Sign-On) between AWS and Google Apps
In this blog, you'll learn how to configure Single Sign-On between Google Apps and the Amazon Web Services console. When you have completed the steps in this guide, you can use your Google Apps account to sign in to the Amazon Web Services console.
By: Dennis van Bavel
1. Collect data from Google Apps account
First you need some data from your Google Apps account. For these steps you need to be an administrator of your Google Apps domain.
Step 1: Log in to the Google Admin console
Step 2: Go to Security > Set up single sign-on (SSO)
Step 3: Download the IdP metadata (Option 2). You will upload this file to AWS in the next section.
2. Create an IAM IdP
Now switch to the AWS console to create an IAM IdP and some IAM roles. We start with the IAM IdP configuration:
Step 1: Go to IAM > Identity Providers
Step 2: Click on Create Provider
Step 3: Choose SAML as the provider type. Click on Next Step.
Step 4: Give it a name and upload the Google Apps metadata file you downloaded in section 1. Click on Next Step and then Create.
Step 5: Now we have created a new Identity Provider
3. Create an IAM Role
The IAM IdP configuration is now finished, but we also need an IAM role that Google Apps users can assume:
Step 1: Go to IAM > Roles
Step 2: Click on Create New Role and give it a name
Step 3: On the Select Role Type page, choose Role for Identity Provider Access and then select Grant Web Single Sign-On (WebSSO) access to SAML providers
Step 4: On the Establish trust page select your SAML provider. Click on Next Step and verify the trust policy: the only principal should be the Federated ARN of the provider you just created and the only action should be sts:AssumeRoleWithSAML.
Step 5: On the next page attach the access policy for the IAM role. This policy is what every Google Apps user who is mapped to the role will get, so keep it to the permissions they actually need.
Step 6: Review the configuration and click on Create Role
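As an added example (not code from the original post), the script below shows the trust policy that the WebSSO role type generates, and a small checker for the things worth verifying on the Establish trust page before you click Create Role: the federated principal must be exactly your Google Apps provider, the action must be sts:AssumeRoleWithSAML, and the SAML:aud condition must pin the AWS sign-in endpoint. The provider ARN and account ID are made-up placeholders.

```python
import json
import re

# Added example, not part of the original post. The provider ARN below is a
# placeholder; replace it with the ARN shown under IAM > Identity Providers.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy the console generates for a WebSSO role: only this SAML
    provider may assume the role, and only for the AWS console audience."""
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def check_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Return a list of findings for a trust policy; an empty list means the
    policy trusts exactly the expected Google Apps provider and nothing more."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: principal is '*', anyone could assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: unexpected principal {principal!r}")
            continue
        if "sts:*" in actions:
            findings.append(f"statement {i}: action sts:* is broader than sts:AssumeRoleWithSAML")
        if "sts:AssumeRoleWithSAML" in actions or "sts:*" in actions:
            federated = principal.get("Federated")
            if federated != expected_provider_arn:
                findings.append(
                    f"statement {i}: Federated principal {federated!r} is not the Google Apps provider"
                )
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append(f"statement {i}: SAML:aud is {aud!r}, expected {SAML_AUDIENCE}")
        if "AWS" in principal:
            findings.append(f"statement {i}: an AWS principal {principal['AWS']!r} can also assume a SAML role")
    return findings


if __name__ == "__main__":
    provider = "arn:aws:iam::111111111111:saml-provider/GoogleApps"  # placeholder
    good = saml_trust_policy(provider)
    print(json.dumps(good, indent=2))
    print("findings for generated policy:", check_trust_policy(good, provider))

    # A hand-edited variant that drops the audience condition and widens the action.
    loose = saml_trust_policy(provider)
    loose["Statement"][0]["Action"] = "sts:*"
    del loose["Statement"][0]["Condition"]
    for finding in check_trust_policy(loose, provider):
        print("finding:", finding)
```

Paste the trust policy shown on the Establish trust page into `check_trust_policy` together with the provider ARN from IAM > Identity Providers; anything other than an empty list means someone edited the trust relationship after the wizard generated it.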
4. Configuring Google Apps
The configuration in Amazon Web Services is now ready. The next step is configuring Google Apps and establishing trust with Amazon Web Services.
Step 1: You need to add some custom fields to the Google Apps user profiles. First you create a custom schema for SSO (Single Sign-On), which you do by creating a JSON schema.
Note: You must create this JSON schema before creating the SAML app for your Google Apps account. If you create the JSON schema after creating the SAML app, the schema will not appear as a selectable option during configuration.
Step 2: Go to the Google API Explorer page for the Directory API call Schemas: insert. On this page you can run the API call that creates the schema.
On this page, enter your customer ID in the customerId field. Click inside the editing box for the request body and select Freeform editor. Paste the following text in the box:
Step 3: Click Authorize and execute. Next, also click Authorize and execute in the popup.
This request creates a schema called SSO (Single Sign-On) with a multi-valued field in which you can list one or more IAM roles in a Google Apps user profile. Google sends those roles in the SAML assertion, and AWS lets the user choose among them when signing in, as long as the role's trust policy trusts the Google Apps provider.
5. Add some SSO AWS roles
Having created the schema in Google Apps, you can now add some SSO (Single Sign-On) AWS roles to your Google Apps user profile.
Step 1: To do this, we use another Directory API call (Users: patch).
Step 2: On this page, type your email address in the userKey field. Click inside the editing box for the request body and select Freeform editor.
Step 3: From the AWS console you need the following information: the role ARN and the provider ARN (both in the same AWS account).
Step 4: Create the body for this API call, replacing <role ARN> and <provider ARN> with the ARNs from step 3:
value: "<role ARN>,<provider ARN>",
Step 5: Click Authorize and execute. Next, in the popup also click Authorize and execute.
6. Create a new SAML app in Google Apps
We will now create a new SAML app in Google Apps.
Step 1: Go back to the Google Admin console, Apps > SAML apps
Step 2: Add a new app to this domain: click the add button and then choose Amazon Web Services.
Step 3: Set up Google as your IdP. Because you selected the Amazon Web Services preset in the previous step, you can choose Next on the first screen; you do not need to download the IdP metadata again.
Step 4: Give the SAML app a name and optionally upload a custom logo for this app. We strongly recommend uploading your own kickass logo for this.
Step 5: Check the Name ID settings (Basic Information / Primary Email).
Step 6: Configure the attribute mapping: set the following values to map the user profile fields (including the SSO custom field from section 4) to the service provider attributes (see screenshot). Click on Finish.
7. Give access
Give users access to the new Google App.
Step 1: Select the new app and turn it on for everyone or for specific organisational units in your Google Apps account. Only users who also have an SSO role in their profile (section 5) will be able to sign in to AWS.
8. Run a test
Test the new Google App for access to Amazon Web Services.
Step 1: Log in to your Google account and open the app launcher. You will now see your new app. If you click on it, it opens the Amazon Web Services console.
So far I have explained how to set up SSO (Single Sign-On) user access to a single AWS account. You will probably be setting this up for multiple AWS accounts, for example separate accounts for the development, QA and production environments.
9. How do you configure SSO (Single Sign-On) with multiple AWS accounts?
A lot of AWS customers use the Switch Role function to switch between multiple accounts. With this Google SSO (Single Sign-On) option the regular AWS Switch Role is no longer required for login. We like this option especially because the standard AWS Switch Role only remembers the last 5 roles you accessed.
Step 1: Create an IAM IdP for Google Apps in every AWS account
Step 2: Create IAM roles with different access policies in every AWS account. For example: roleAdmin, roleReadOnly, RoleDevOps
Step 3: Make a note of all the ARNs (IAM IdP and IAM roles, per account) because you will need them in the JSON later on. Each value pairs a role with the provider of the same account.
Step 4: Create a new JSON request body with one entry per account and role, for example:
value: "<role ARN>,<provider ARN [account1]>",
customType: "roleAdmin"
value: "<role ARN>,<provider ARN [account2]>",
customType: "roleReadOnly"
value: "<role ARN>,<provider ARN [account3]>",
customType: "RoleDevOps"
value: "<role ARN>,<provider ARN [account4]>",
customType: "roleAdmin"
Step 5: Open the API Explorer page for Users: patch again
Step 6: Set the new JSON as the request body and execute the API call, as described earlier in this blog
Step 7: Go to the new SAML app and check the login page. You will now see multiple AWS accounts with different roles.
Choose the role you want and click on Sign In
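As an added example (not code from the original post), the script below builds the two request bodies used in sections 4, 5 and 9: the Schemas: insert body for the SSO schema and the Users: patch body that lists one role per AWS account. Before it produces a value it checks that both ARNs are well formed and that the role and the SAML provider live in the same account, because a pair from two different accounts is accepted by Google but fails at AWS with an access denied error. The account IDs, role and provider names and the e-mail address are made-up placeholders, and the readAccessType of the schema field is my assumption (admins and the user can read it).

```python
import json
import re

# Added example, not part of the original post. All ARNs and the e-mail
# address are placeholders; replace them with the values from your accounts.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def sso_schema_body() -> dict:
    """Schemas: insert body: a custom schema 'SSO' with one multi-valued
    STRING field 'role'. readAccessType is an assumption, not from the post."""
    return {
        "schemaName": "SSO",
        "fields": [
            {
                "fieldName": "role",
                "fieldType": "STRING",
                "multiValued": True,
                "readAccessType": "ADMINS_AND_SELF",
            }
        ],
    }


def role_entry(role_arn: str, provider_arn: str, label: str) -> dict:
    """One '<role ARN>,<provider ARN>' value with its customType label.
    Raises ValueError for anything AWS would reject at sign-in."""
    role_m = ROLE_ARN_RE.match(role_arn)
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    if not role_m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not prov_m:
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    if role_m.group(1) != prov_m.group(1):
        # sts:AssumeRoleWithSAML only works with the provider of the role's own account.
        raise ValueError(f"role and provider are in different accounts: {role_arn} / {provider_arn}")
    return {"value": f"{role_arn},{provider_arn}", "customType": label}


def user_patch_body(pairs) -> dict:
    """Users: patch body assigning every (role ARN, provider ARN, label) in
    pairs to the user's SSO/role field. Duplicate pairs are rejected."""
    entries = [role_entry(r, p, label) for r, p, label in pairs]
    values = [e["value"] for e in entries]
    if len(set(values)) != len(values):
        raise ValueError("the same role/provider pair is listed twice")
    return {"customSchemas": {"SSO": {"role": entries}}}


if __name__ == "__main__":
    # Placeholder accounts: 1111... is development, 2222... is production.
    pairs = [
        ("arn:aws:iam::111111111111:role/roleAdmin",
         "arn:aws:iam::111111111111:saml-provider/GoogleApps", "roleAdmin"),
        ("arn:aws:iam::111111111111:role/RoleDevOps",
         "arn:aws:iam::111111111111:saml-provider/GoogleApps", "RoleDevOps"),
        ("arn:aws:iam::222222222222:role/roleReadOnly",
         "arn:aws:iam::222222222222:saml-provider/GoogleApps", "roleReadOnly"),
    ]
    print("Schemas: insert body (customerId = your customer ID):")
    print(json.dumps(sso_schema_body(), indent=2))
    print("Users: patch body (userKey = user@example.com):")
    print(json.dumps(user_patch_body(pairs), indent=2))
    try:
        role_entry("arn:aws:iam::111111111111:role/roleAdmin",
                   "arn:aws:iam::222222222222:saml-provider/GoogleApps", "bad")
    except ValueError as err:
        print("rejected:", err)
```

The field name in the schema (role, inside the SSO schema) is what you map to https://aws.amazon.com/SAML/Attributes/Role in the attribute mapping of section 6, and Basic Information / Primary Email maps to https://aws.amazon.com/SAML/Attributes/RoleSessionName; those two attribute names are what AWS expects in the assertion. The customType label is only shown in Google's user profile; the AWS role chooser shows the account ID and role name taken from the ARNs.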