miniOrange provides secure access to Amazon Web Services (AWS) for enterprises and full control over access of AWS applications. Single Sign On (SSO) into your Amazon Web Services (AWS) account with one set of login credentials.
Single Sign On
miniOrange Single Sign On (SSO) Solution provides easy and seamless access to all enterprise resources with one set of credentials. miniOrange provides Single Sign On (SSO) to any type of devices or applications whether they are in the cloud or on-premise.
Secure your Amazon Web Services (AWS) app from password thefts using multi factor authentication methods with 15+ authentication types provided by miniOrange. Our multi factor authentication methods prevent unauthorized users from accessing information and resources having password alone as authentication factor. Enabling second factor authentication for Amazon Web Services (AWS) protects you against password thefts.
miniOrange prevents frauds with its dynamic risk engine in conjunction with enterprise specific security policy. We support a combination of the Device Id, Location and Time of access as multi-factor authentication that can detect and block fraud in real-time, without any interaction with the user.
Amazon Web Services (AWS) supports only IdP(Identity Provider) initiated Single Sign On(SSO)
In IdP Initiated Login, SAML request is initiated from miniOrange IdP.
- Enduser first authenticates through miniOrange Idp by login to miniOrange Self Service Console.
- On User Dashboard , there is a Amazon Web Services (AWS) icon, when the enduser clicks on the icon he will be redirected to his Amazon Web Services (AWS) Account - there is no need to login again.
Follow the Step-by-Step Guide given below for Amazon Web Services (AWS) Single Sign On (SSO).
Step 1: Configure AWS in miniOrange
- Login to miniOrange Admin Console.
- Go to Apps >> Manage Apps. Click Configure Apps button.
- Click on SAML tab. Select AWS.
- Get the SP Entity ID or Issuer from the metadata (https://signin.aws.amazon.com/static/saml-metadata.xml). You will find the value in the first line against entityID. It is set to urn:amazon:webservices but may vary for non-US regions.
- Make sure the ACS URL is: https://signin.aws.amazon.com/saml . This might vary for non-US regions in which case you would find it in metadata ( https://signin.aws.amazon.com/static/saml-metadata.xml) as Location attribute of AssertionConsumerService.
- Click on Show Advanced Settings. Against Relay State select Custom Attribute Value & enter
- Enable Override RelayState.
- You can set another value for relay state depending on where you want to redirect user after SSO.
- Go to the Add Policy and select DEFAULT from the Group Name dropdown.
- Now enter the AWS in the Policy Name field.
- Select PASSWORD from the First Factor Type dropdown.
- Click on Save button to configure AWS.
- Click on Save to configure AWS.
- Once the App is added, click on the Metadata link, download metadata file and keep with you which you will require later.
Step 2: Setting SAML in Amazon Web Services (AWS)
- Login to your Amazon Web Services (AWS) Console as an admin.
- Click on Services Tab. Under Security, Identity & Compliances click on IAM (Identity and Access Management).
- From the left-hand side list, click on Identity Providers and then click on Create Provider button in the right section.
Step 3: Configure Provider in Amazon Web Services (AWS)
- In the Configure Provider, select SAML as Provider type from the drop-down list.
- Enter any Provider Name (e.g miniOrange).
- Click on Choose File button and choose a metadata file that you have already downloaded in Step 1, then click on Next Step.
- In the next screen, you will be shown your entered provider information. Verify it and click on the Create button. The SAML Provider is created and it should be listed in the Provider table.
- Now click on Roles from the left-hand side list and then click on Create role button.
- In the Create Role section, click on SAML 2.0 federation tab.
- Under Choose SAML 2.0 Provider, select the SAML Provider that you have created previously i.e miniOrange.
- After that, choose Allow programmatic access only radio option.
- Select SAML:aud option from the Attribute drop-down list.
- Enter the value as https://signin.aws.amazon.com/saml.
- Then, click on Next: Permissions button.
- Check the Policy Name AmazonEC2ReadOnlyAccess and click on Next: Tags button.
- Then, skip Step Add Tags (Optional) by clicking on Next:Preview button.
- In the next step, enter Role name and click on Create Role button.
- Click on your created role name.
- In the Summary section, click on the Trusted relationship tab and copy Role ARN and Trusted Entities value.
- Keep the values with you in comma separated format. For example- [arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange]
Step 4: Add attributes for AWS
- Login to the miniOrange Admin Console.
- Then, Navigate to Apps >> Manage Apps.
- Configure the application that you have added.
- Scroll down to the Attributes section, enter the value https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Attribute Name field and select E-Mail Address from the Attribute Value list.
- Click on the '+' icon besides Add Attributes to add another set of attributes and enter the value https://aws.amazon.com/SAML/Attributes/Role in the Attribute Name field, select Custom Attribute Value from the Attribute Value list and in the Custom Attribute Value, enter comma separated value that created in step 3 e.g. [arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange].
- If you have configured more than one role, you can enter additional attributes for them.
Step 5: Onboard users into our system.
- Click on Users >> Add User.
- Here, fill the user details without the password and then click on the Create User button.
- Click on On Boarding Status tab. Check the email, with the registered e-mail id and select action Send Activation Mail with Password Reset Link from Select Action dropdown list and then click on Apply button.
- Now, Open your email id. Open the mail you get from miniOrange and then click on the link to set your account password.
- On the next screen, enter the password and confirm password and then click on the Reset Password button.
- Now, you can login into miniOrange account by entering your credentials.
Step 6: Login to AWS using miniOrange
- Go to miniOrange dashboard and select the User Dashboard from the right side menu.
- Click on AWS application which you added, to verify your SSO configuration.
Using Two Factor Authentication for Amazon Web Services(AWS)
The most practical way to strengthen authentication is to require a second factor after the username/password stage. Since a password is something that a user knows, ensuring that the user also has something or using biometrics thwarts attackers that steal or gain access to passwords.
Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, tracks who has which one, and replace them when they break. They're easy to lose, hard to use, and users consistently report high levels of frustration with token-based systems.
Your choice of second factor
miniOrange authentication service has 15+ authentication methods.
You can choose from any of the above authentication methods to augment your password based authentication. miniOrange authentication service works with all phone types, from landlines to smart-phone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. miniOrange authentication service works internationally, and has customers authenticating from many countries around the world.
For Further Details:
AWS AppStream Single Sign On (SSO)