In this blog, you’ll learn how to configure Single Sign-On between Google Apps and the Amazon Web Services console. When you have completed the steps in this guide, you can use your Google Apps account to sign in to the Amazon Web Service console.

By: Dennis van Bavel

1. Collect data from Google Apps account

First you need some data from your Google Apps account. For these steps you need to be an administrator of your Google Apps domain.

Step 1: Log in to the Google Admin console

AWS admin Console

Step 2: Go to security > set up single sign-on (SSO)

SSO

Step 3: Download the IDP-Metadata (Option 2)

2. Create an IAM IdP

Now we need the AWS Console to create an IAM IdP and some IAM Roles. First we start with the IAM IdP configuration:
Step 1: Go to IAM > Identity Providers

SSO1

Step 2: Click on Create Provider

SSO2

Step 3: Choose a provider type for Google Apps provider SAML. Click on Next Step.

SSO3

Step 4: Give it a Name and upload the Google Apps metadata file. Click on Next Step and Create

SSO4
Step 5: Now we have created a new Identity Provider

SSO5

3. Create an IAM Role

AWS IAM IdP Configuration is now finished, but we need also an AWS IAM role:
Step 1: Go to IAM > Roles

IAM

Step 2: Click on Create New Role and give it a name

IAM2

Step 3: On the Select Role Type page, choose for Role for Identity Provider Access and then select Grant Web Single Sign-On (WebSSO) access to SAML providers

IAM3

Step 4: On the Establish trust page select your SAML provider. Click on Next Step, verify the trust policy

IAM4

Step 5: On the next page give the IAM Role an access policy

IAM5

Step 6: Review the configuration and click on Create Role

4. Configuring Google Apps

The configuration in Amazon Web Services is now ready. The next step is configuring Google Apps and making a trust with Amazon Web Services.

Step 1: You need to create some custom fields in the Google Apps user profiles. Firstly, you need to create a schema for SSO (Single Sign-On, which you can do by creating a JSON schema.
Note: You must create this JSON schema before creating the SAML app for your Google Apps account. If you create the JSON schema after creating the SAML app, the schema will not appear as a selectable option during configuration.

Step 2: Go to the Google developer webpage (Schemas: Insert). On this page you can run the API call for creating the schema.

Configure Google Apps

On this page, enter the customer ID in the customerid field. Click inside the editing box for the request body, and select Freeform editor. Past the following text in the box:
{
“fields”:
[
{
“fieldName”: “role”,
“fieldType”: “STRING”,
“readAccessType”: “ADMINS_AND_SELF”,
“multiValued”: true
}
],
“schemaName”: “SSO”

Step 3: Click Authorize and execute. Next, also click Authorize and execute in the popup.
This request will create a schema called SSO (Single Sign-On) that allows you to add the names of one or more IAM roles to a Google Apps user profile, granting the user permission to assume those roles when signing in to the AWS account.

5. Add some SSO AWS roles

Having created the schema in Google Apps, you can now add some SSO (Single Sign-On) AWS roles to your Google Apps user profile.

Step 1: To do this, we have to use another Google API call (User:Patch).

SSO AWS roles

Step 2: On this page, type your email address in the userKey field. Click inside the editing box for the request body, and select Freeform editor.

Step 3: From the AWS console you need the following information: role ARN, provider ARN.

Step 4: Create the body for this API call. Replace the following information “<role ARN>,<provider ARN>”
{
“customSchemas”:
{
“SSO”:
{
“role”: [
{
value: “<role ARN>,<provider ARN>“,
customType: “Developer”
}
]
}
}
}

Step 5: Click Authorize and execute. Next, in the popup also click Authorize and execute.

6. Create a new SAML app in Google Apps

We will now create a new SAPL app in Google Apps.

Step 1: Go back to the Google Admin console apps > SAML apps

SAML1

SAML2

SAML3

Step 2: Add a new app in this domain. Click on and then click Amazon Web Services

SAML4

SAML5

Step 3: Setup Google as your IdP. In the step before you have selected the default profile for Amazon Web Service. On the first screen choose next.You do not need to download the IdP metadata again.

SAML6

Step 4: Give the SAML app a name and optional upload a custom logo for this app. We strongly recommend you to upload your own kickass logo for this.

SAML7

Step 5: Check the name-ID settings (Basic-information / Primary Email).

SAML8

Step 6: Configure the attribute mapping, set the following values to map the user profile fields to the service provider attributes. (See screenshot) click on finish.

SAML9

7. Give access

Give users access to the new Google App.
Step 1: Select the new app and activate it for everyone or for some sub-organisation in your Google App account.

Access Google

8. Run a test

Test the new Google App for access to Amazon Web Services.
Step 1: Log in to your Google account and go to the apps. Now, you’ll see your new app! If you click on this app it will open the Amazon Web Services Console.

Result

So far I have explained how to set up a SSO Single Sign-On user access to a single AWS account. You probably will be setting this up for multiple AWS account. For example, you might have separate accounts for Development, QA and production environment.

9. How do you configure SSO (Single Sign-On) with multiple AWS accounts?

A lot of AWS customers are working with the function SwitchRole to switch between multiple accounts. With this Google SSO option (Single Sign-On) the regular AWS SwitchRole is no longer required for login. We like this option especially because the standard AWS SwitchRole only remembers the last 5 accounts you accessed.

Step 1: Create an IAM IdP to GoogleApps in all AWS accounts

Step 2: Create an IAM Role with different access policies in all AWS accounts. For example: roleAdmin, roleReadOnly, RoleDevOps

Step 3: Make a note of all the ARNs (IAM IdP, IAM Roles) because you will need those in the JSON later on.

Step 4: Create a new JSON format body document
For example:
{
“customSchemas”:
{
“SSO”:
{
“role”: [
{
value: “<role ARN>,<provider ARN [ account1 ]>“,
customType: ” roleAdmin ”
},
{
value: “<role ARN>,<provider ARN [ account2 ]>“,
customType: ” roleReadOnly ”
},
{
value: “<role ARN>,<provider ARN [ account3 ]>“,
customType: ” RoleDevOps ”
},
{
value: “<role ARN>,<provider ARN [account4]>“,
customType: ” roleAdmin ”
},

]
}
}
}

Step 5: Run the Google API tool (User:Patch)

Step 6: Set the new JSON as body and execute the API call. See the steps before in this blog

Step 7: Go to the new SAML App en check the login page. Now you will see multiple AWS account with different roles

SSO multiple accounts
Choose the role you want and click on Sign In

@Source: http://blogs.aws.amazon.com/security/post/TxT8XK9DVM0MGP/How-to-Set-Up-Federated-Single-Sign-On-to-AWS-Using-Google-Apps

Want to know more?
Moving fast using AWS can and will equal happy customers. To tell you all about it we have created several customer cases.
Get in touch if you want to know more about how we at inQdo Cloud can help you innovate using AWS.

iso 27001 & isae 3402 inQdo BV

simplifying cloud and integration together

inQdo Cloud B.V.

Coltbaan 1-19

3439 NG Nieuwegein

info@inqdo.com

+31 85 2011161

Send