1. Log in to your Amazon AWS Console and click on Identity & Access Management.
2. Select Identity Providers from the menu on the left.
3. Click on Create Provider.
4. Select SAML from the 'Provider Type' drop-down menu.
5. Enter a Provider Name, e.g. Miracl.
6. Upload the SAML metadata document. This is the XML file you downloaded from Global Settings > SAML Metadata in the M-Pin SSO web console.
7. Click on Next Step.
8. Click on Create.
   The following message is displayed: "To use this provider, you must create an IAM role using this provider in the role's trust policy. Do this now."
9. Click on Do this now.
10. Click on Create New Role.
11. Enter a Role Name, e.g. 'MPinSSO'.
12. Select the Role for Identity Provider Access radio button.
13. Click on 'Grant Web Single Sign-On (WebSSO) access to SAML providers'.
14. On the next page, ensure that the provider created in step 3 above is selected in the 'SAML Provider' drop-down menu.
15. Click on Next Step followed by Next Step.
16. Choose an appropriate permissions policy template.
17. Click on Next Step followed by Create Role.
Now, in the M-Pin SSO admin console, create an AWS profile using the newly declared Identity Provider and Role. To do this:
- Under Integration, click on the + button next to AWS profiles.
The Add AWS profile page is displayed.
- Complete the required fields and save the profile. Settings:
  - Name (required): the name of the profile, e.g. 'AWS dev account 1'.
  - AWS Role (required): the name (not the ARN) of the Role you created in step 11 above.
  - AWS Account Number (required): the unique account number of your AWS account.
  - AWS Provider (required): the name (not the ARN) of the Identity Provider you created in step 5 above.
  - LDAP Profile (optional): if you have LDAP profiles configured, they are available in this drop-down.
After saving, the profile will display on the AWS profiles page.
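The role name, account number and provider name stored in the profile are the same values AWS ties together on its side. As an added example (not code from the M-Pin SSO documentation or product), the block below builds the trust policy that the 'Grant Web Single Sign-On (WebSSO) access to SAML providers' choice generates for the role, builds the Role attribute value AWS expects in the SAML assertion, and checks that an existing role's trust policy does not trust more than the intended provider. The account number 123456789012 is a placeholder; the function names are assumptions of this example.

```python
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS checks on AssumeRoleWithSAML


def role_attribute(account_number: str, role_name: str, provider_name: str) -> str:
    """Value AWS expects in the assertion's Role attribute: '<role ARN>,<provider ARN>',
    built from the same plain names the AWS profile stores (not ARNs)."""
    role_arn = f"arn:aws:iam::{account_number}:role/{role_name}"
    provider_arn = f"arn:aws:iam::{account_number}:saml-provider/{provider_name}"
    return f"{role_arn},{provider_arn}"


def trust_policy(account_number: str, provider_name: str) -> dict:
    """Trust policy equivalent to the WebSSO wizard choice: only this SAML provider may
    assume the role, and only with assertions addressed to the AWS sign-in endpoint."""
    provider_arn = f"arn:aws:iam::{account_number}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def trust_policy_problems(policy: dict, account_number: str, provider_name: str) -> list:
    """Review check for a role created earlier or by hand: list every way its trust policy
    widens SAML access beyond the intended provider and audience."""
    expected = f"arn:aws:iam::{account_number}:saml-provider/{provider_name}"
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principal = principal if isinstance(principal, dict) else {"AWS": principal}
        if "*" in (principal.get("AWS") or []):
            problems.append("statement trusts any AWS principal")
        federated = principal.get("Federated") or []
        federated = [federated] if isinstance(federated, str) else federated
        for f in federated:
            if f != expected:
                problems.append(f"unexpected federated principal: {f}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append("missing or wrong SAML:aud condition")
    return problems
```

Run `trust_policy_problems` against the trust policy of any role you plan to expose through the profile; an empty list means the role is assumable only through the named provider.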
From this point on, when your users visit the AWS service and enter an email address belonging to the profile, AWS will detect that single sign-on is enabled and a password will no longer be necessary.
This should be set up with your existing customer directory. In order to set it up, you must have the following:
1. At least one server with Active Directory, where the accounts are stored.
2. One SSO server configured with an LDAP connector that points to the Active Directory server from point 1.
3. An AWS Directory Service directory of type AD Connector, integrated with the Active Directory server from point 1.
4. The AWS directory configured with multi-factor authentication over RADIUS, where the RADIUS server is the SSO node from point 2.
5. The WorkSpaces station configured with the directory from point 3.