Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

  1. Configure your SSO identity store using the single sign-on guide.

  2. From the Single Sign-On configuration page, customize the start URL for your user portal so that it's easier to remember (Note, your start URL cannot be modified once it has been customized).

  3. Delegate IAM administration from the Management account to the Identity account following the delegated administration guide.

  4. Accept the invitation in your email to join AWS SSO.

  5. Sign out of the IAM management user and sign into the newly created SSO portal.

Google Sign In

You will need to be an administrator for the Google domain to follow these instructions. This may require setting up a screen sharing session with somebody else who has access.

If you’re using Google as a sign-in provider, you’ll also want to deploy the sso-sync Lambda to automatically provision user accounts in Identity Center. Otherwise, users will need to be manually added in both Google and AWS.

  1. Set Google as an external identity provider using the above guide.

  2. You should have a Identity account for managing SSO identities. This is created if you’re using the accounts.yaml file from the template.

  3. Deploy the sso-sync Lambda to the Identity account using the instructions below.

SSOSync Lambda

From the Google cloud console, create a new project for the Lambda’s credentials. Give it a name that makes it clear why the project exists, such as “aws-google-sso-sync.”

Follow the Google tutorial to create a service account:

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts.

  2. Click Create service account.

  3. Give your service account a name and description, then click Create and continue.

  4. Click Continue.

  5. Click Done.

Create credentials for your service account:

  1. Click Keys > Add key > Create new key.

  2. Select JSON, then click Create.

  3. Make a note of the downloaded credentials file.

  4. Click Close.

  5. Expand Advanced Settings.

  6. Save the Client ID under Domain-wide Delegation.

Now enable the Admin SDK:

  1. In the Google Cloud console, go to APIs & Services > Enabled APIs & services.

  2. Click Enable APIs and Services.

  3. Search for Admin SDK API.

  4. Click the Enable button.

Now enable domain-wide delegation for your service account:

  1. From the Google admin console, go to Security > API Controls > Domain-wide Delegation.

  2. Click Add new.

  3. Fill in the Client ID for the service account you saved earlier.

  4. Under OAuth scopes, specify the following:
    https://www.googleapis.com/auth/admin.directory.group.readonly
    https://www.googleapis.com/auth/admin.directory.group.member.readonly
    https://www.googleapis.com/auth/admin.directory.user.readonly

  5. Click Authorize.

Enable SCIM for your Identity Center directory:

  1. From AWS IAM Identity Center settings, within the Automatic provisioning information box, choose Enable.

  2. Save the displayed SCIM endpoint and Access token.

Create a new Terraform module in the infrastructure repository under sso-sync/secrets to store the credentials:

module "secret" {
  source = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"

  description = "Secrets for deploying the AWS/Google SSO Sync Lambda"
  name        = "aws-google-sso-sync"

  initial_value = jsonencode({
    GoogleCredentials       = ""
    SCIMEndpointAccessToken = ""
    SCIMEndpointUrl         = ""
  })
}
  • No labels