Single Sign On (SSO) for Amazon Web Services (AWS)
miniOrange provides a ready-to-use solution for Amazon Web Services (AWS). This solution lets you roll out secure access to Amazon Web Services (AWS) for your employees within minutes.

Note : The information contained on this page does not create a joint venture, partnership, agency or other form of association, or an express or implied license grant by either party to the other under any patent, trademark, copyright, trade secret or other intellectual property right.

Amazon Web Services

miniOrange provides enterprises with secure access to Amazon Web Services (AWS) and full control over who can reach it. Users Single Sign On (SSO) into their Amazon Web Services (AWS) account with one set of login credentials.

  • Amazon Web Services (AWS) supports only IdP (Identity Provider) initiated Single Sign On (SSO): the AWS SAML sign-in endpoint accepts an unsolicited SAML response from the IdP and never sends a SAML request of its own.

      In IdP-initiated login, the SAML response is generated by the miniOrange IdP and posted to AWS.

      • The end user first authenticates to the miniOrange IdP by logging in to the miniOrange Self Service Console.
      • On the User Dashboard there is an Amazon Web Services (AWS) icon; when the end user clicks it, they are redirected to their Amazon Web Services (AWS) account without having to log in again.

    Follow the Step-by-Step Guide given below for Amazon Web Services (AWS) Single Sign On (SSO).

    Step 1: Configure AWS in miniOrange

    1. Login to miniOrange Admin Console.
    2. Go to Apps >> Manage Apps . Click Configure Apps button.
    3. Click on SAML tab. Select AWS and click Add App button.


    4. Get the SP Entity ID or Issuer from the metadata (https://signin.aws.amazon.com/static/saml-metadata.xml). It is the entityID attribute on the first line (the EntityDescriptor element). It is set to urn:amazon:webservices but may vary for non-US regions.
    5. Make sure the ACS URL is: https://signin.aws.amazon.com/saml . This might vary for non-US regions, in which case you will find it in the metadata ( https://signin.aws.amazon.com/static/saml-metadata.xml) as the Location attribute of AssertionConsumerService.
    6. Click on Show Advanced Settings. Against Relay State select Custom Attribute Value & enter https://console.aws.amazon.com.
    7. Enable Override RelayState.
    8. You can set a different RelayState value if you want to land users on another console page after SSO.
    9. Add a new policy for AWS.
      1. Select a Group Name from dropdown - the group for which you want to add AWS policy.
      2. Give a policy name for AWS in Policy Name field.
      3. Select the First Factor Type for authentication.
      4. Enable Second Factor for authentication if required.
      5. Click on Save button to add policy for AWS Single Sign On (SSO).


    10. Click on Save to configure AWS.

    Step 2: Setting SAML in Amazon Web Services (AWS)

    • Login to your Amazon Web Services (AWS) Console as an admin.
    • Click on the Services tab. Under Security, Identity & Compliance click on IAM (Identity and Access Management).


    • Go to Identity Providers tab and click on Create Provider.


    Step 3: Configure Provider in Amazon Web Services (AWS)

    • In the Configure Provider Step, enter the details as shown :
      • Provider Type : SAML
      • Provider Name : Enter any name (e.g. miniOrange)
      • Metadata Document: To get the metadata, follow these steps :
          I. Login to the miniOrange Admin Console.
          II. Go to Apps >> Manage Apps.
          III. Click on Metadata for the Apps that you created into Step 1.



          IV. Click on Download Metadata.
          V. Log in to your AWS Console again and attach the downloaded metadata.


    • Click on Next Step and in the Verify Provider Information step, click on Create. The SAML Provider is created and it should be listed in the Provider table.
    • Now, go to the Roles tab and click on Create Role.


    • Select SAML 2.0 federation as the type of trusted entity, choose the SAML provider you created above, and click on Next: Permissions.
    • Select one or more policies that you want to assign to the role, or create your own policy for this specific role.


    • In the steps that follow, enter the following information:
      Role Name: Enter any name (e.g. myRole)
      Role Description: Enter the description for the role.
      Attach Policy: Select any policies according to your needs.
    • Copy the Role ARN and paste it into a text file. Also copy the Provider ARN from the Trusted Entities and paste it into the same text file, separated by a comma. The text file should contain one line: the role ARN, a comma, then the provider ARN.


    • Click on Create Role to create a new role.
    Step 4: Add attributes for AWS

    • Login to the miniOrange Admin Console.
    • Go to Apps >> Manage Apps and click on Edit for the AWS app to add the attributes.


    • In the Attributes section, enter the value https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Attribute Name field and select E-Mail Address from the Attribute Value list.
    • Click on the '+' icon beside Add Attributes to add another set of attributes. Enter the value https://aws.amazon.com/SAML/Attributes/Role in the Attribute Name field, select Custom Attribute Value from the Attribute Value list, and in the Custom Attribute Value textbox that opens up, paste the content of the text file created in the last step of Step 3 (the role ARN and provider ARN separated by a comma).
    • If you have configured more than one role, add one Role attribute value per role in the same format; AWS then lets the user pick a role at sign-in.
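    The values Steps 3 and 4 have you copy by hand are easy to get subtly wrong (wrong account in one ARN, a missing provider ARN, an empty RoleSessionName), and AWS only reports a generic sign-in failure. The following Python is an added example, not code from this page, from miniOrange or from AWS: it builds the role ARN, provider ARN and the comma-separated Role attribute pair, reproduces the trust policy AWS generates for a role whose trusted entity is a SAML provider, and checks a SAML assertion for the two attributes AWS requires. The account ID 123456789012, the role name myRole, the provider name miniOrange and the sample assertion are constructed placeholders.

```python
# Added example (not code from this page, miniOrange or AWS). Builds the AWS-side
# values the guide has you copy around (role ARN, provider ARN, the Role attribute
# pair, the role trust policy) and checks a SAML assertion for the attributes AWS
# needs. Account ID, role name and provider name are placeholders.
import json
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ACS_URL = "https://signin.aws.amazon.com/saml"   # ACS URL from Step 1
AWS_SP_ENTITY_ID = "urn:amazon:webservices"          # SP entity ID from Step 1
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

def _check_account(account_id):
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")

def role_arn(account_id, role_name):
    _check_account(account_id)
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def provider_arn(account_id, provider_name):
    _check_account(account_id)
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"

def role_attribute_value(account_id, role_name, provider_name):
    """The 'role ARN,provider ARN' pair for the text file (Step 3) and the Role attribute (Step 4)."""
    return f"{role_arn(account_id, role_name)},{provider_arn(account_id, provider_name)}"

def trust_policy(account_id, provider_name):
    """Trust policy AWS puts on a role whose trusted entity is a SAML provider: only that
    provider may call AssumeRoleWithSAML, and only with an assertion addressed to AWS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_ACS_URL}},
        }],
    }

def _split_role_pair(value):
    """(role ARN, provider ARN) from one Role attribute value, in either order, or None."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
        return None
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(roles) != 1 or len(providers) != 1:
        return None
    return roles[0], providers[0]

def check_assertion(assertion_xml):
    """List the problems AWS would reject the assertion for (empty list = attributes OK).
    The signature is not checked here; feed it a decoded assertion captured from the browser."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = attr.findall(f"{{{SAML_NS}}}AttributeValue")
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in values]
    problems = []
    audiences = [(a.text or "").strip() for a in root.iter(f"{{{SAML_NS}}}Audience")]
    if audiences and AWS_SP_ENTITY_ID not in audiences:
        problems.append(f"Audience is {audiences}, expected {AWS_SP_ENTITY_ID}")
    session = attrs.get(ATTR_SESSION_NAME, [])
    if len(session) != 1 or not session[0]:
        problems.append("RoleSessionName must carry exactly one non-empty value")
    role_values = attrs.get(ATTR_ROLE, [])
    if not role_values:
        problems.append("Role attribute is missing")
    for value in role_values:
        pair = _split_role_pair(value)
        if pair is None:
            problems.append(f"Role value is not 'role ARN,provider ARN': {value!r}")
        elif pair[0].split(":")[4] != pair[1].split(":")[4]:
            problems.append(f"role and provider are in different accounts: {value!r}")
    return problems

# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ROLE = role_attribute_value("123456789012", "myRole", "miniOrange")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{AWS_SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ATTR_SESSION_NAME}"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR_ROLE}"><saml:AttributeValue>{SAMPLE_ROLE}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(json.dumps(trust_policy("123456789012", "miniOrange"), indent=2))
    print("problems:", check_assertion(SAMPLE_ASSERTION))
```

    To troubleshoot a real sign-in, capture the SAMLResponse form field with a browser SAML tracer, base64-decode it, and pass the Assertion element to check_assertion. The trust policy shows why both ARNs must be in the same account: the role only trusts the provider ARN named in its Principal, so a Role attribute pointing at a provider in another account is refused by AssumeRoleWithSAML.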

    Step 5: Onboard users into our system.

    1. Download the sample CSV format from our console and create a CSV file containing your users in this format.


    2. Upload your CSV in our console via Bulk Upload.
    3. After uploading the CSV file successfully, you will see a success message.
    4. From the Users/Groups menu, select Manage Users/Groups and go to On Boarding Status. Select the users who should receive an activation mail and click on Send Activation Mail. An activation mail will be sent to the selected users.



    Step 6: Register users into our system (End Users)

    1. Sign in to your mailbox and click on the registration link, which is valid for 5 days only. You will be redirected to our registration page.
    2. Configure your basic details.


    3. Configure any strong authentication method.


    4. Configure KBA (Security Questions) as your fallback method: if you lose your phone, this is the method that will be invoked. Save your details.


    5. After successful registration, you will see a registration successful message.

    Step 7: Login to Amazon Web Services (AWS) using miniOrange

    • Login to your miniOrange Self Service Console as an End User and click on the Amazon Web Services (AWS) icon on your Dashboard to login to your Account.


    Using Two Factor Authentication for Amazon Web Services(AWS)

    The most practical way to strengthen authentication is to require a second factor after the username/password stage. Since a password is something the user knows, also requiring something the user has (or is, with biometrics) thwarts attackers who steal or otherwise obtain passwords.

    Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, track who has which one, and replace them when they break. They are easy to lose and hard to use, and users consistently report high levels of frustration with token-based systems.


    Your choice of second factor

    miniOrange authentication service has 15+ authentication methods.

    You can choose any of these authentication methods to augment your password-based authentication. The miniOrange authentication service works with all phone types, from landlines to smartphone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. The miniOrange authentication service works internationally and has customers authenticating from many countries around the world.



    For further details refer :
    http://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-saml.html


    If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Amazon Web Services (AWS) Single Sign On (SSO).

