I recently decided that I had need to set up some IAM federation as I wanted to use SSO from my Google Apps account. Previously, I've set this up with ADFS and it works a treat. Setting up the latter gives you really nice AD groups mapped into roles and generally a great experience. Setting this up for Google Apps was less trivial and it's not well documented.
For my scenario, I'm going to be setting up two roles to be used for my Google SSO. Let's call these GooglePowerUser and GoogleAdminUser. We'll come back to these later.
Note 1: I apologize in advance for the to-ing and fro-ing in the instructions, but you'll need to flick between the Google Apps Admin console and the AWS Console/CLI a bit.
Note 2: I'm also going to provide instructions for the CLI because it's easier for me, but everything here is doable from the console and I've provided links to the real documentation for you.
Set up a custom schema element to hold role information for your users
By default, when you map the attributes for your SAML App that pass the Role to AWS, you'll only be able to select from an existing attribute on your users. Examples include Job Title, Cost Center and Department. I've seen other articles mention putting a single role ARN in one of these, but those fields really aren't suitable for that information (especially if you use them already).
The solution is to set up a Custom attribute for your users.
- Open the Schema Insert Page in the Google Admin Console
- Enter my_customer in customerId
- To the right of the Request Body, select the Freeform Editor from the dropdown list and then paste the following (note there is no trailing comma after the schemaName, which would make the body invalid JSON):

    {
      "fields": [
        {
          "fieldName": "role",
          "fieldType": "STRING",
          "multiValued": true,
          "readAccessType": "ADMINS_AND_SELF"
        }
      ],
      "schemaName": "AWS_SAML"
    }

- Click Authorize and Execute
Set up the Google Apps SAML App for AWS
You'll need to configure your Google Apps account as an identity provider (or IdP) for AWS to use.
Google have written some pretty good instructions for this here. Go check them out and run through them then come back here or follow my brief instructions below:
- Log into your Google Apps Admin Console
- Head to the Apps section, then SAML apps
- Click Add a service/App to your domain
- Select Amazon Web Services
- Click the Download button next to the IDP metadata and save it somewhere for later
- If you want to, change the Application name, Description and Logo; otherwise continue on
- Set up the Service Provider Details:
  - Make sure the ACS URL and Entity ID are set to https://signin.aws.amazon.com/saml.
  - Also make sure the Start URL is blank and Signed Response is unchecked.
  - You'll want the Name ID to be mapped to Basic Information: Primary Email
- Set the Attribute mapping up with the following (AWS expects the attribute names under the /Attributes/ path):

    https://aws.amazon.com/SAML/Attributes/RoleSessionName -> Basic Information: Primary Email
    https://aws.amazon.com/SAML/Attributes/Role -> AWS_SAML: Role (the custom attribute created above)

- Click Finish
- Turn the App on by clicking on the settings button, then Turn ON for everyone. Confirm the dialog when asked.
Setting up the IdP in AWS
You'll need to tell AWS that you want to use the Google App you just set up as an identity provider.
You can do that with the command below:

    # aws iam create-saml-provider --saml-metadata-document file://GoogleIDPMetadata-yourdomain.xml --name GoogleAppsProvider
    {
        "SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
    }

Make sure you substitute GoogleIDPMetadata-yourdomain.xml with the path to the IDP metadata file you downloaded earlier.
This will spit out a response with the ARN of the identity provider you created, so make sure you note this down for later.
Create some roles
- You'll need to first craft a Trust policy document to be used with the Roles you'll create. Create a new file GoogleApps_TrustPolicy.json with the following contents:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
          },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": {
            "StringEquals": {
              "SAML:aud": "https://signin.aws.amazon.com/saml"
            }
          }
        }
      ]
    }

  Make sure you replace arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider with the ARN of the identity provider you created earlier.
- Run the following command to create the role. Note down the Arn that is returned, as we'll need it later:

    # aws iam create-role --role-name GoogleAppsAdminDemo --assume-role-policy-document file://GoogleApps_TrustPolicy.json
    {
        "Role": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Action": "sts:AssumeRoleWithSAML",
                        "Effect": "Allow",
                        "Condition": {
                            "StringEquals": {
                                "SAML:aud": "https://signin.aws.amazon.com/saml"
                            }
                        },
                        "Principal": {
                            "Federated": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
                        }
                    }
                ]
            },
            "RoleId": "AROAIYGHGSVXXXXXXXXXX",
            "CreateDate": "2016-03-10T12:19:31.177Z",
            "RoleName": "GoogleAppsAdminDemo",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo"
        }
    }

- At this stage, I've not attached any permissions to the role - you can read how to do that here
Add some roles to your Google Apps Users
- Open the Patch Users Page in the Google Admin console
- In the userKey, put the email address of the user you want to update
- To the right of Request body, select Freeform editor from the drop down list, and paste the following text, replacing <role ARN> and <provider ARN> with the appropriate values you've collected before. The key under customSchemas must be the schemaName you created in the first step (AWS_SAML here), and every key and value must be quoted for the body to be valid JSON:

    {
      "customSchemas": {
        "AWS_SAML": {
          "role": [
            {
              "value": "<role ARN>,<provider ARN>",
              "customType": "SSO"
            }
          ]
        }
      }
    }

  Mine looked something like this (with two roles):

    {
      "customSchemas": {
        "AWS_SAML": {
          "role": [
            {
              "value": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider",
              "customType": "SSO"
            },
            {
              "value": "arn:aws:iam::123456789012:role/GoogleAppsUserDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider",
              "customType": "SSO"
            }
          ]
        }
      }
    }

- Click Authorize and Execute
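As an added example (my own Python, not code from the post, Google or AWS), the following builds the users.patch body described above from a list of role ARNs and the provider ARN, then checks each "role ARN,provider ARN" value against the trust policy from the "Create some roles" step, so a role in a different account, a malformed ARN, or a provider the trust policy does not name is caught before a user tries to sign in. The ARNs, schema name and trust policy are constructed to match the ones used in this post.

```python
import re
# Constructed sample values, in the same shape as the ones used in the post.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
ROLE_ARNS = ["arn:aws:iam::123456789012:role/GoogleAppsAdminDemo",
             "arn:aws:iam::123456789012:role/GoogleAppsUserDemo"]
SCHEMA_NAME = "AWS_SAML"  # must equal the schemaName created via the Directory API
SAML_AUD = "https://signin.aws.amazon.com/saml"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}}}]}
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")  # no comma, so the pair splits cleanly
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def _as_list(x):
    return [x] if isinstance(x, str) else list(x or [])

def build_user_patch(role_arns, provider_arn, schema_name=SCHEMA_NAME):
    """Body for the Directory API users.patch call: one multi-valued entry per role."""
    entries = [{"value": f"{r},{provider_arn}", "customType": "SSO"} for r in role_arns]
    return {"customSchemas": {schema_name: {"role": entries}}}

def trust_policy_allows(policy, provider_arn):
    """True if a statement lets provider_arn call AssumeRoleWithSAML for the AWS sign-in audience."""
    for st in policy.get("Statement", []):
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if (st.get("Effect") == "Allow"
                and "sts:AssumeRoleWithSAML" in _as_list(st.get("Action"))
                and provider_arn in _as_list(st.get("Principal", {}).get("Federated"))
                and aud == SAML_AUD):
            return True
    return False

def check_role_values(patch, policy, schema_name=SCHEMA_NAME):
    """Return the problems found in the patch body's role values (empty list = OK)."""
    problems = []
    for entry in patch.get("customSchemas", {}).get(schema_name, {}).get("role", []):
        parts = entry.get("value", "").split(",")
        if len(parts) != 2:
            problems.append(f"not a 'role ARN,provider ARN' pair: {entry.get('value')!r}")
            continue
        role, provider = parts
        mr, mp = ROLE_RE.match(role), PROVIDER_RE.match(provider)
        if not mr or not mp:
            problems.append(f"malformed ARN in {entry['value']!r}")
        elif mr.group(1) != mp.group(1):
            problems.append(f"role and provider live in different accounts: {entry['value']!r}")
        elif not trust_policy_allows(policy, provider):
            problems.append(f"trust policy does not let {provider} assume {role}")
    return problems
```

Run check_role_values(build_user_patch(ROLE_ARNS, PROVIDER_ARN), TRUST_POLICY) before sending the patch; an empty list means every value is well-formed and the trust policy would accept the provider.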
Test it out
Open your Google Apps account and then select the Amazon Web Services app.
It should redirect you to a page that lets you select a role to log in with.
References
https://support.google.com/a/answer/6194963?hl=en