AWS SAML

Introduction

This document explains how to configure and manage AWS SAML integration with the PureAUTH Identity Platform and make AWS authentication Passwordless.

Add AWS SAML application on PureAUTH

• Login to https://live.pureauth.io/organizations/login/
• Navigate to the Applications tab.
• Select “Add Application”.
• Select “AWS Console”.

• Enter Any Application Name.
• Select Primary (Corporate Email) in the Dataset for email field.

• In the “Saml Response Endpoint (ACS URL)” field, enter the given URL :

https://signin.aws.amazon.com/saml

• In “Audience (Entity ID)” field, enter the given URL :

urn:amazon:webservices

• In the “Role Entitlement (Role ARN)” field, enter “TEST” word for now (Value is generated after the integration is done).

• Click “Add“

Setup PureAUTH Identity Provider in IAM Identity Provider (console).

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
2. In the navigation pane, choose Identity providers and then choose Add provider.
3. For Configure provider, choose SAML.
4. Type a name for the identity provider (Ex. PureAUTH).
5. For Metadata document, follow the below steps to create metadata document.
   • Visit https://www.samltool.com/idp_metadata.php
   • Now, from the PureAUTH application detail page, copy relevant values and paste them into the idp metadata form.
   • You need to enter the following values:
     • Entity ID is used in EntityID.
     • Login URL in Single Sign On Service Endpoint (HTTP-REDIRECT).
     • Logout URL in Single Logout Service Endpoint (HTTP-REDIRECT).
     • X509 certificate in SP X.509 cert (same cert for sign/encrypt).
   • Now, click on Build IDP Metadata, It will generate an XML document.
   • Copy the Metadata and paste it into notepad > Save As > Save Type – select All Files > File name – AWSCert.xml
6. Upload the AWSCert.xml metadata using choose file button.
7. Verify the information that you have provided and click Add provider.
8. Click on “PureAUTH” Identity provider.
9. Copy the ARN value and paste into notepad for now.

Create SAML policy for new Roles

1. In the navigation pane, go to Roles.
2. Click button create role, In the Trusted entity type select SAML 2.0 federation.
3. In the SAML 2.0- based provider select PureAUTH.
4. Select “Allow programmatic and AWS Management Console access” and click Next.
5. Select one of the below policies of your choice and click Next.
6. Enter Role name and click create role.
7. Click on the role name that we have created in step 6.
8. Copy the ARN value and paste into notepad for now.

Add ARN value into the PureAUTH

• We have copied the ARN value in the Notepad.
  • First copy the Role ARN value and paste into “Role Entitlement (Role ARN)” field in PureAUTH.
  • Give coma ( , ) after Role ARN value and paste Identity provider ARN value after the com ( , ).
  • The “Role Entitlement (Role ARN)” looks below format.

arn:aws:iam::3096155:role/TESTROLE,arn:aws:iam::3096155:saml-provider/PureAUTH

• Congratulations! You are now using AWS passwordless.

Test the Authentication

• Login to https://live.pureauth.io/organizations/login/
• Go to Application > open AWS application.
• Copy the Issuer URL under SAML Settings and paste into the browser and try to authenticate.