  1. Configure your SSO identity store using the single sign-on guide.

  2. From the Single Sign-On configuration page, customize the start URL for your user portal so that it is easier to remember. (Note: the start URL cannot be changed once it has been customized.)

  3. Delegate IAM administration from the Management account to the Identity account following the delegated administration guide.

  4. Accept the invitation in your email to join AWS SSO.

  5. Sign out of the IAM management user and sign in to the newly created SSO portal.

Google Sign In

You will need to be an administrator for the Google domain to follow these instructions. This may require a screen-sharing session with somebody else who has that access.

If you’re using Google as a sign-in provider, you’ll also want to deploy the sso-sync Lambda to automatically provision user accounts in Identity Center. Otherwise, users will need to be manually added in both Google and AWS.

  1. Set Google as an external identity provider using the above guide.

  2. You should have an Identity account for managing SSO identities. This is created if you're using the accounts.yaml file from the template.

  3. Deploy the sso-sync Lambda to the Identity account using the instructions below.

SSOSync Lambda

From the Google cloud console, create a new project for the Lambda’s credentials. Give it a name that makes it clear why the project exists, such as “aws-google-sso-sync.”

Follow the Google tutorial to create a service account:

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts.

  2. Click Create service account.

  3. Give your service account a name and description, then click Create and continue.

  4. Click Continue.

  5. Click Done.

Create credentials for your service account:

  1. Click Keys > Add key > Create new key.

  2. Select JSON, then click Create.

  3. Make a note of the downloaded credentials file.

  4. Click Close.

  5. Expand Advanced Settings.

  6. Save the Client ID under Domain-wide Delegation.

Now enable the Admin SDK:

  1. In the Google Cloud console, go to APIs & Services > Enabled APIs & services.

  2. Click Enable APIs and Services.

  3. Search for Admin SDK API.

  4. Click the Enable button.

Now enable domain-wide delegation for your service account:

  1. From the Google admin console, go to Security > API Controls > Domain-wide Delegation.

  2. Click Add new.

  3. Fill in the Client ID for the service account you saved earlier.

  4. Under OAuth scopes, specify the following:
    https://www.googleapis.com/auth/admin.directory.group.readonly
    https://www.googleapis.com/auth/admin.directory.group.member.readonly
    https://www.googleapis.com/auth/admin.directory.user.readonly

  5. Click Authorize.

Enable SCIM for your Identity Center directory:

  1. Sign in to the Identity account from your AWS landing zone.

  2. From AWS IAM Identity Center settings, within the Automatic provisioning information box, choose Enable.

  3. Save the displayed SCIM endpoint and Access token.

  4. Create a new Terraform module in the infrastructure repository under sso-sync/secrets to store the credentials:

    ```hcl
    module "secret" {
      source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"

      description = "Secrets for deploying the AWS/Google SSO Sync Lambda"
      name        = "aws-google-sso-sync"

      # Placeholders only: the real credentials are entered in the Secrets Manager
      # console in the steps below, so they are never committed to the repository.
      initial_value = jsonencode({
        GoogleCredentials       = ""
        SCIMEndpointAccessToken = ""
        SCIMEndpointUrl         = ""
      })
    }
    ```

  5. Apply the Terraform module.

  6. From AWS Secrets Manager, find the created secret.

  7. Click Retrieve Secret Value and then click Edit.

  8. Copy the contents of the JSON credentials file you downloaded into the GoogleCredentials field.

  9. Fill in the SCIMEndpointAccessToken and SCIMEndpointUrl values you saved earlier.

  10. Click Save.

  11. Create a new Terraform module to deploy the SSOSync Lambda:

    ```hcl
    module "lambda" {
      source = "github.com/thoughtbot/terraform-aws-google-sso?ref=v0.1.0"

      # Workspace admin the service account acts on behalf of via domain-wide delegation.
      google_admin_email         = "google-admin@example.com"
      google_credentials         = local.secrets.GoogleCredentials
      # Only Google groups matching this pattern are synced into Identity Center.
      google_group_match         = "email:aws-*"
      name                       = "aws-google-sso-sync"
      scim_endpoint_access_token = local.secrets.SCIMEndpointAccessToken
      scim_endpoint_url          = local.secrets.SCIMEndpointUrl
      semantic_version           = "2.0.2"
    }

    # Read the credentials from the secret created above instead of hard-coding them.
    locals {
      secrets = jsondecode(
        data.aws_secretsmanager_secret_version.sso_sync.secret_string
      )
    }

    data "aws_secretsmanager_secret_version" "sso_sync" {
      secret_id = "aws-google-sso-sync"
    }
    ```

  12. Apply the module.
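As an added pre-flight check (example code, not part of this guide or of the thoughtbot modules), the script below validates the secret JSON filled in during steps 4 to 10 before the Lambda module is applied. It catches the mistakes that otherwise only show up after deployment: an empty field, a GoogleCredentials value that is not the downloaded key file, a key whose client_id differs from the Client ID authorized for domain-wide delegation, and a non-HTTPS SCIM endpoint. The sample secret, key file and SCIM URL are constructed placeholders.

```python
import json
from urllib.parse import urlparse

SECRET_KEYS = ("GoogleCredentials", "SCIMEndpointAccessToken", "SCIMEndpointUrl")
KEY_FILE_FIELDS = ("type", "client_email", "client_id", "private_key")  # always in a Google key file


def validate_sso_sync_secret(secret_string, expected_client_id=None):
    """Return the problems found; an empty list means the secret is usable by the Lambda."""
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    problems = [f"{k} is missing or empty" for k in SECRET_KEYS if not str(secret.get(k, "")).strip()]
    if problems:
        return problems  # the remaining checks need all three values present

    # GoogleCredentials must be the whole downloaded key file, pasted as a string.
    try:
        creds = json.loads(secret["GoogleCredentials"])
    except (json.JSONDecodeError, TypeError):
        return ["GoogleCredentials is not the JSON key file downloaded from Google Cloud"]
    problems += [f"GoogleCredentials lacks '{f}'" for f in KEY_FILE_FIELDS if not creds.get(f)]
    if creds.get("type") not in (None, "service_account"):
        problems.append("GoogleCredentials is not a service-account key")
    # Domain-wide delegation was authorized for one Client ID; the key must belong to that client.
    if expected_client_id and creds.get("client_id") != expected_client_id:
        problems.append("GoogleCredentials client_id does not match the delegated Client ID")

    url = urlparse(secret["SCIMEndpointUrl"])  # Identity Center only issues https endpoints
    if url.scheme != "https" or not url.netloc:
        problems.append("SCIMEndpointUrl must be an https URL")
    return problems


# Constructed sample in the shape the guide stores in Secrets Manager; all values are placeholders.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "client_email": "sso-sync@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
SAMPLE_SECRET = json.dumps({
    "GoogleCredentials": SAMPLE_KEY_FILE,
    "SCIMEndpointAccessToken": "placeholder-token",
    "SCIMEndpointUrl": "https://scim.us-east-1.amazonaws.com/EXAMPLE/scim/v2/",
})

if __name__ == "__main__":
    print(validate_sso_sync_secret(SAMPLE_SECRET, expected_client_id="000000000000000000000") or "secret OK")
```

Run it against the value shown by Retrieve Secret Value, passing the Client ID saved in the domain-wide delegation step as expected_client_id.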

The AWS Platform Guide now lives at thoughtbot.com