Tutorial 1: How to federate G Suite and AWS

Let’s start with G Suite & AWS federation:

1- Log in to your Google Admin Console:

The very first step is to open your Google Admin Console: click on the Google Apps icon and choose "Console".



2 - Create a new category of custom attributes

It's time to add a new Custom Attributes category.


a) Click “Manage Custom Attributes” 

In the G Suite directory browse to “Users” and select “More” from the top menu. Then select “Manage Custom Attributes”


b) Choose “Add Custom Attribute”

In the top-right corner of the page click on “Add Custom Attribute”.


c) Fill the Form

Fill the form as shown below:

1. Fill the “Category” field with “AWS SAML”
2. Fill the first Custom field row with “IAM_role” as “Name” and “Visible to user and admin” as “Visibility”
3. Fill the second Custom field row with “SessionDuration” as “Name” and “Visible to user and admin” as “Visibility” and “Single value” as “No. of values”

3 - Create a SAML-Based application

In order to set up a SAML-Based Single Sign-On, we first need to create a custom application representing AWS:


a) Browse to the “Apps” section. 


b) Add a new SAML application.

Click on the “SAML apps” card and then click on the icon located in the bottom-right corner of the page.


c) Select AWS template

Select “Amazon Web Services” from the list of the available services.


d) Download the IDP Metadata 

In the “Option 2” section, click on “Download” to download the IdP metadata*.
Note: keep the metadata file aside, you will need it later.


*The IdP metadata is an .xml file containing the configuration parameters and the X.509 certificate on which the trust relationship between the IdP and the Service Provider is based.


WARNING! The metadata file should not be released for any reason; the security of the entire solution relies on its secrecy!



e) Step 3 of the G Suite tutorial

No action is required, just click on "next" 🙂  

f) Set the Service Provider details (Name ID)

Fill the “Name ID” field with “Primary Email”, then select “EMAIL” choosing from the “Name ID Format” drop-down.


g) Add the attribute Mapping

In this step the G Suite user fields are mapped to the attributes of the SAML assertion.

1. In the first row select “Basic Information” as the “Category” and “Primary Email” as the “User field”
2. In the second row select “AWS SAML” as the “Category” and “IAM_role” as the “User field”
3. Click “Add New Mapping”


h) Add the SessionDuration mapping

In the third row type https://aws.amazon.com/SAML/Attributes/SessionDuration as “Application Attribute”, “AWS SAML” as “Category” and “SessionDuration” as “User field”
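To check that the three mappings above come out right in the assertion AWS receives, here is an added Python example (not part of the original tutorial or of LookAuth) that parses a constructed SAML assertion and flags values AWS would reject. It assumes AWS's attribute names Role and RoleSessionName, which the Amazon Web Services template uses for the IAM_role and Primary Email mappings, and AWS's documented SessionDuration range of 900 to 43200 seconds; the account id, role and user in the sample are made up.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS reads: Role and RoleSessionName come from the AWS template, SessionDuration is typed in step h.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The IAM_role custom field must hold "role-arn,saml-provider-arn", both in the same account.
ARN_PAIR = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+,arn:aws:iam::\1:saml-provider/[\w._-]+$")

# Constructed sample assertion (account id, role and user are made up, not from the tutorial).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/GSuiteReadOnly,arn:aws:iam::123456789012:saml-provider/GSuite</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration"><saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_aws_attributes(assertion_xml):
    """Return the values AWS will read from the assertion plus a list of problems it would reject."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format (step f)")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("Role attribute missing: IAM_role custom field empty or not mapped")
    for role in roles:
        if not ARN_PAIR.match(role):
            problems.append("Role value is not 'role-arn,provider-arn': " + role)
    session_name = (attrs.get(SESSION_NAME_ATTR) or [None])[0]
    if not session_name:
        problems.append("RoleSessionName missing: Primary Email not mapped")
    raw = (attrs.get(DURATION_ATTR) or [None])[0]
    duration = int(raw) if raw and raw.isdigit() and 900 <= int(raw) <= 43200 else None
    if raw is not None and duration is None:  # AWS accepts 900..43200 seconds only
        problems.append("SessionDuration must be an integer between 900 and 43200: " + raw)
    return {"name_id": getattr(name_id, "text", None), "roles": roles,
            "session_name": session_name, "duration": duration, "problems": problems}
```

Run it against a real assertion captured from your browser's SAML tracer to see which mapping is wrong before AWS returns its generic error page.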

4 - Enable the SAML App

The last step to complete G Suite - AWS federation is enabling the SAML App. 


a) Turn on the App

Go back to the SAML app menu (from the Admin Panel, select “Apps”) and select "ON for everyone".

By doing so, you’ve added the Amazon Web Services application to your Google Apps menu.


b) Get the SAML App link

Before you can log into your AWS console from your Google Apps menu, you first need to copy the application link to LookAuth.

Right-click on the Amazon Web Services application and choose “Copy Link Address” then go back to LookAuth setup tutorial and paste the copied link. 


The federation is now complete.