Single Sign On (SSO) for Amazon Web Services (AWS)
miniOrange provides a ready-to-use Single Sign On solution for Amazon Web Services (AWS), so that you can roll out secure access to Amazon Web Services (AWS) for your employees within minutes.

Amazon Web Services

miniOrange provides secure access to Amazon Web Services (AWS) for enterprises, with full control over who may access which AWS resources. Users sign in to their Amazon Web Services (AWS) account with a single set of login credentials.

  • Amazon Web Services (AWS) supports only IdP (Identity Provider) initiated Single Sign On (SSO) for SAML federation into the console.

      In IdP-initiated login there is no SAML AuthnRequest from AWS: the SAML Response is generated by the miniOrange IdP and posted directly to the AWS sign-in endpoint.

      • The end user first authenticates with the miniOrange IdP by logging in to the miniOrange Self Service Console.
      • The User Dashboard shows an Amazon Web Services (AWS) icon; when the end user clicks it, they are redirected to their Amazon Web Services (AWS) account without having to log in again.

    Follow the Step-by-Step Guide given below for Amazon Web Services (AWS) Single Sign On (SSO).

    Step 1: Configure AWS in miniOrange

    1. Log in to the miniOrange Admin Console.
    2. Go to Apps >> Manage Apps and click the Configure Apps button.
    3. Click the SAML tab and select AWS.
    4. Get the SP Entity ID (Issuer) from the AWS metadata (https://signin.aws.amazon.com/static/saml-metadata.xml); it is the entityID attribute on the first line. For the standard AWS partition it is urn:amazon:webservices, but it may differ for non-US partitions (GovCloud, China regions), so take the value from the metadata for your region.
    5. Make sure the ACS URL is https://signin.aws.amazon.com/saml. This may also differ for non-US partitions, in which case use the Location attribute of AssertionConsumerService in the same metadata file.
    6. Click Show Advanced Settings. Against Relay State select Custom Attribute Value and enter https://console.aws.amazon.com.
    7. Enable Override RelayState.
    8. You can set a different relay state value depending on where you want the user to land after SSO.
    9. Go to Add Policy and select DEFAULT from the Group Name dropdown.
    10. Enter AWS in the Policy Name field.
    11. Select PASSWORD from the First Factor Type dropdown.
    12. Click Save to configure AWS.
    13. Once the app is added, click the Metadata link, download the metadata file and keep it; you will need it in Step 3.

    Step 2: Setting SAML in Amazon Web Services (AWS)

    • Log in to your Amazon Web Services (AWS) Console as an admin.
    • Click the Services tab. Under Security, Identity & Compliance, click IAM (Identity and Access Management).
    • In the left-hand list, click Identity Providers, then click the Create Provider button in the right-hand section.

    Step 3: Configure Provider in Amazon Web Services (AWS)

    • Under Configure Provider, select SAML as the Provider Type from the drop-down list.
    • Enter a Provider Name (e.g. miniOrange).
    • Click Choose File and select the metadata file you downloaded in Step 1, then click Next Step.
    • The next screen shows the provider information you entered. Verify it and click Create. The SAML provider is created and listed in the provider table.
    • Now click Roles in the left-hand list, then click Create role.
    • In the Create Role section, click the SAML 2.0 federation tab.
    • Under Choose SAML 2.0 Provider, select the SAML provider you created above, i.e. miniOrange.
    • Choose the Allow programmatic access only radio option.
    • Select SAML:aud from the Attribute drop-down list and enter the value https://signin.aws.amazon.com/saml. This is the condition AWS adds itself when you choose console access: the role can only be assumed with an assertion addressed to the AWS sign-in endpoint.
    • Click Next: Permissions.
    • Check the policy AmazonEC2ReadOnlyAccess (used here as an example; attach whatever least-privilege policy the role's users actually need) and click Next: Tags.
    • Skip Add Tags (Optional) by clicking Next: Review.
    • Enter a Role name and click Create role.
    • Click the name of the role you created.
    • In the Summary section, copy the Role ARN, then open the Trust relationships tab and copy the Trusted entities value (the provider ARN).
    • Keep the two values in comma-separated form, for example: arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange
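What the Step 3 wizard produces, as an added example that is not miniOrange's or AWS's own code: a Python script that builds the trust policy IAM attaches to a SAML 2.0 federation role, derives the comma-separated role/provider value needed later in the miniOrange attribute mapping, and checks an existing trust policy for the two things that matter (the Federated principal is exactly your provider ARN, and the SAML:aud condition is present). The account ID, role name and provider name are the page's sample values, not a real deployment; the policy shape is the one the IAM console generates for SAML federation.

```python
import json

# Added example (not miniOrange or AWS code). The identifiers below are the
# page's sample values, not a real deployment.
ACCOUNT_ID = "656620318436"
ROLE_NAME = "SSORole"
PROVIDER_NAME = "miniOrange"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def provider_arn(account_id, provider_name):
    return "arn:aws:iam::%s:saml-provider/%s" % (account_id, provider_name)


def role_arn(account_id, role_name):
    return "arn:aws:iam::%s:role/%s" % (account_id, role_name)


def role_attribute_value(role, provider):
    """Value to send in https://aws.amazon.com/SAML/Attributes/Role."""
    return "%s,%s" % (role, provider)


def trust_policy(provider, audience=AWS_SAML_AUDIENCE):
    """Trust policy the IAM console generates for a SAML 2.0 federation role:
    only the named provider may call sts:AssumeRoleWithSAML, and only with an
    assertion whose audience is the AWS sign-in endpoint (the SAML:aud
    condition chosen in Step 3)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": audience}},
        }],
    }


def check_trust_policy(policy, provider, audience=AWS_SAML_AUDIENCE):
    """List what is wrong with a trust policy meant for this SAML provider.
    An empty list means it is as tight as the console-generated one."""
    problems, matched = [], False
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # IAM allows a bare object
    for stmt in stmts:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        matched = True
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if principal == "*" or federated == "*":
            problems.append("statement trusts any federated principal ('*')")
        elif federated != provider:
            problems.append("statement trusts %r, expected %r" % (federated, provider))
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != audience:
            problems.append("SAML:aud condition missing or wrong: %r" % (aud,))
    if not matched:
        problems.append("no Allow statement for sts:AssumeRoleWithSAML")
    return problems


if __name__ == "__main__":
    prov = provider_arn(ACCOUNT_ID, PROVIDER_NAME)
    print(json.dumps(trust_policy(prov), indent=2))
    print(role_attribute_value(role_arn(ACCOUNT_ID, ROLE_NAME), prov))
```

Running the script prints the policy JSON, which can be compared with what the role's Trust relationships tab shows or passed to `aws iam create-role --assume-role-policy-document` when the role is created from the CLI instead of the wizard. The checker is worth running against every SAML role in an account: a role whose Federated principal is `*` or whose SAML:aud condition was removed can be assumed with an assertion from any provider or addressed to any audience.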

    Step 4: Add attributes for AWS

    • Log in to the miniOrange Admin Console.
    • Navigate to Apps >> Manage Apps.
    • Configure the application you added in Step 1.
    • Scroll down to the Attributes section. Enter https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Attribute Name field and select E-Mail Address from the Attribute Value list. AWS uses this value as the session name in the assumed-role identity and in CloudTrail, so it must identify the user.
    • Click the '+' icon beside Add Attributes to add another attribute. Enter https://aws.amazon.com/SAML/Attributes/Role in the Attribute Name field, select Custom Attribute Value from the Attribute Value list, and in Custom Attribute Value enter the comma-separated role ARN and provider ARN from Step 3, e.g. arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange.
    • If you have configured more than one role, add a further value of the Role attribute for each of them (one role-ARN,provider-ARN pair per value). When the assertion carries several roles, AWS prompts the user to choose one at sign-in.
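A pre-flight check on the assertion the IdP sends, as an added example that is not miniOrange's or AWS's code. The Response below is a constructed sample, not a capture: the Issuer URL is a placeholder and the ARNs reuse the page's sample account and names. The script pulls out the three things AWS reads from the assertion (the Audience from Step 1, and the RoleSessionName and Role attributes from Step 4), normalises each Role value into a (role ARN, provider ARN) pair from the same account, and lists configuration problems such as a wrong audience or a mismatched account. It deliberately does not verify the XML signature, validity window or InResponseTo; that is the SP's job, and this script only checks what the IdP is configured to send. To check a real assertion, paste the base64-decoded SAMLResponse from the browser's POST to https://signin.aws.amazon.com/saml into SAMPLE_RESPONSE.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not miniOrange's or AWS's code. The Issuer is a placeholder;
# the ARNs reuse the account ID and names from the page's sample.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
EXPECTED_AUDIENCE = "urn:amazon:webservices"  # SP Entity ID from the AWS metadata (Step 1)

# IAM ARN: partition, 12-digit account, resource type, name (roles may carry a path).
ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$")
# RoleSessionName limits from the STS AssumeRoleWithSAML API: 2-64 chars of [\w+=,.@-].
SESSION_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample (no signature, no timestamps) carrying two roles.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::656620318436:role/EC2ReadOnly,arn:aws:iam::656620318436:saml-provider/miniOrange</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_role_pair(value):
    """Normalise one Role value to (role_arn, provider_arn), accepting either
    order; return (None, problem) when it does not parse."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return None, "Role value must be 'role-arn,provider-arn': %r" % value
    found = {}
    for arn in parts:
        m = ARN_RE.match(arn)
        if not m:
            return None, "malformed IAM ARN: %r" % arn
        found[m.group(2)] = (arn, m.group(1))  # resource type -> (arn, account)
    if set(found) != {"role", "saml-provider"}:
        return None, "need one role ARN and one saml-provider ARN: %r" % value
    (role, role_acct), (prov, prov_acct) = found["role"], found["saml-provider"]
    if role_acct != prov_acct:
        return None, "role and provider are in different accounts: %r" % value
    return (role, prov), None


def aws_attributes(response_xml):
    """Extract what AWS reads from the assertion and list configuration problems.
    Signature, NotBefore/NotOnOrAfter and InResponseTo are NOT checked here."""
    result = {"audience": None, "session_name": None, "roles": [], "problems": []}
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append("no Assertion in Response")
        return result
    aud = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             namespaces=NS)
    result["audience"] = aud
    if aud != EXPECTED_AUDIENCE:
        result["problems"].append("Audience %r != %r" % (aud, EXPECTED_AUDIENCE))
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == SESSION_ATTR and values:
            result["session_name"] = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for v in values:
                pair, problem = parse_role_pair(v)
                if problem:
                    result["problems"].append(problem)
                else:
                    result["roles"].append(pair)
    name = result["session_name"]
    if name is None or not SESSION_RE.match(name):
        result["problems"].append("RoleSessionName missing or invalid: %r" % (name,))
    if not result["roles"]:
        result["problems"].append("no usable Role value; AWS has no role to assume")
    return result


if __name__ == "__main__":
    for key, val in aws_attributes(SAMPLE_RESPONSE).items():
        print(key, val)
```

The audience check is the one that most often fails in practice: if the Entity ID configured in Step 1 does not match what the AWS sign-in endpoint expects for your partition, the role's SAML:aud condition is never satisfied and sign-in fails with no useful message on the AWS side.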

    Step 5: Onboard users into miniOrange

    1. Click Users >> Add User.
    2. Fill in the user details without a password and click the Create User button.
    3. Click the On Boarding Status tab. Tick the user's registered e-mail address, select Send Activation Mail with Password Reset Link from the Select Action dropdown and click Apply.
    4. Open the mail you receive from miniOrange and click the link to set the account password.
    5. On the next screen, enter and confirm the password and click the Reset Password button.
    6. You can now log in to the miniOrange account with these credentials.

    Step 6: Login to AWS using miniOrange

    • Go to the miniOrange dashboard and select User Dashboard from the right-hand menu.
    • Click the AWS application you added to verify your SSO configuration.

    Using Two Factor Authentication for Amazon Web Services(AWS)

    The most practical way to strengthen authentication is to require a second factor after the username/password stage. Since a password is something the user knows, also requiring something the user has, or a biometric, defeats attackers who steal or otherwise obtain passwords.

    Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, track who has which one, and replace them when they break. They are easy to lose, hard to use, and users consistently report high levels of frustration with token-based systems.


    Your choice of second factor

    The miniOrange authentication service offers 15+ authentication methods.

    You can choose any of these methods to augment your password-based authentication. The miniOrange authentication service works with all phone types, from landlines to smartphone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. The service works internationally and has customers authenticating from many countries around the world.


    For Further Details:

    http://docs.aws.amazon.com/IAM/latest/UserGuide/identity-providers-saml.html
    AWS AppStream Single Sign On (SSO)

  • We offer Security Solutions of Single Sign-On, Two Factor Authentication, Fraud Prevention and much more.
    Please call us at +1978 658 9387 or email us at info@miniorange.com