Enabling Single Sign-On Between OneLogin and AWS
By Cassia Martin, Sr. Security Solutions Architect at AWS
By Sunil Ramachandra, Technical Account Manager at AWS
By Roy Rodan, Sr. Partner Solutions Architect at AWS
AWS Single Sign-On (AWS SSO) allows customers to efficiently manage user identities at scale by establishing a single identity and access strategy across their own applications, third-party applications (SaaS), and Amazon Web Services (AWS) environments.
OneLogin’s authentication and role-based user provisioning engine enables organizations to implement least-privilege access controls and eliminate manual user management workflows for all AWS users and accounts.
The guide below describes the OneLogin and AWS SSO integration, which allows you to achieve three key benefits:
- Simple and centralized access to your AWS accounts using OneLogin identities.
- Automatic user synchronization between OneLogin and AWS.
- Familiar login experience when your OneLogin users sign into the AWS environment.
Setting Up the AWS Application in OneLogin
From your OneLogin page, go to the Application tab and find AWS Single Sign-On (https://[your_personal_account].OneLogin.com/apps/find).
In the Info section, give your new integration a Display name and Description and then click Save.
Next, click on More Actions on the top right side and choose SAML Metadata. This will download the OneLogin Metadata XML.
Setting Up Your AWS SSO
In the AWS console, go to the Single Sign-On page and enable SSO if it is not already enabled.
Go to Settings and change the Identity source from the default AWS SSO by clicking Change.
Choose External identity provider.
Using the OneLogin Metadata XML you downloaded earlier, browse and upload IdP SAML metadata in the Identity provider metadata section.
Change provisioning from Manual to SCIM by clicking Enable automatic provisioning.
Make sure to copy the SCIM endpoint (also known as the SCIM Base URL) and the Access token (also known as a SCIM Bearer token).
Click on View details in the Authentication SAML 2.0 part and copy the AWS SSO ACS URL and AWS SSO issuer URL.
Having gathered these four pieces of information, it’s now time to go to OneLogin to finalize the integration.
Finishing OneLogin Configuration
Click on Configuration and enter the following details gathered from AWS SSO in the previous section:
- AWS SSO issuer URL
- AWS SSO ACS URL
- SCIM Base URL (SCIM endpoint): if the URL ends with a trailing slash (/), remove it before saving
- SCIM Bearer Token (Access token)
Click Enable under API Connection, and then Save.
Next, click on Provisioning and select Enable Provisioning. Make sure the create, delete, and update user boxes are checked, and then Save the configuration.
In the Users tab, click on More Actions and select Sync logins. You will receive a message saying Synchronizing users with AWS Single Sign-on.
Finally, click More Actions and Reapply entitlement mappings. You will receive a message saying Mappings are being reapplied, check out in the logins in few moments.
In OneLogin, check the Activity tab and view the Events.
To verify that the user has replicated to AWS SSO, log in to AWS SSO and click Users. Choose the user you want to verify; its details will show that it was updated by SCIM.
While still on AWS SSO, assign an account to this newly created user by navigating to AWS accounts.
Going back to the OneLogin administration page, select the recently created AWS Single Sign-On App.
You will be redirected to the AWS SSO sign-in page and logged into the account which is assigned to your user.
Ensure that you’ve enabled group provisioning for your AWS SSO application in OneLogin. To do this, sign in to the OneLogin admin console, and check to make sure the Include in User Provisioning option is selected under the properties of the AWS SSO application (AWS SSO application > Parameters > Groups).
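As an added check for the verification step above (this is example code written for this post, not part of the OneLogin or AWS SSO integration), the script below normalizes the SCIM Base URL the way the configuration step requires, builds the bearer-token request for the user lookup, and parses the SCIM ListResponse to confirm the user exists and is active. The endpoint, token and user identifiers are placeholders, and the sample response is constructed so the check can run offline.

```python
import io
import json
import urllib.request
from urllib.parse import quote

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def normalize_scim_base_url(url):
    """OneLogin wants the SCIM Base URL without a trailing slash; enforce it here too."""
    return url.strip().rstrip("/")

def build_user_lookup(base_url, token, username):
    """GET {base}/Users?filter=userName eq "<user>" with the SCIM bearer token (RFC 7644)."""
    scim_filter = quote('userName eq "%s"' % username, safe="")
    return urllib.request.Request(
        "%s/Users?filter=%s" % (normalize_scim_base_url(base_url), scim_filter),
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"},
        method="GET")

def parse_list_response(body):
    """Keep only the fields that prove provisioning: userName, externalId, active."""
    doc = json.loads(body)
    if SCIM_LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [{"userName": r.get("userName"), "externalId": r.get("externalId"),
             "active": bool(r.get("active", False))} for r in doc.get("Resources", [])]

def user_is_provisioned(base_url, token, username, opener=urllib.request.urlopen):
    """True when exactly one active user with this userName exists in AWS SSO.
    `opener` is injectable so the check can run offline against sample data."""
    with opener(build_user_lookup(base_url, token, username)) as resp:
        users = parse_list_response(resp.read())
    return len(users) == 1 and users[0]["active"]

# Constructed sample ListResponse (not captured from a real tenant).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST_SCHEMA], "totalResults": 1,
    "Resources": [{"id": "PLACEHOLDER-USER-ID", "userName": "alice@example.com",
                   "externalId": "onelogin-12345", "active": True}]}).encode()

def opener_for(body):
    """Return a urlopen-compatible stand-in that serves a fixed response body."""
    return lambda request: io.BytesIO(body)

if __name__ == "__main__":
    # Live use: drop `opener=` and pass the real SCIM endpoint and bearer token.
    print(user_is_provisioned("https://scim.example.com/tenant/scim/v2/", "PLACEHOLDER-TOKEN",
                              "alice@example.com", opener=opener_for(SAMPLE_LIST_RESPONSE)))
```

Treat the bearer token like any other credential: keep it out of shell history and source control, and revoke it from the AWS SSO Settings page if it is ever exposed.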
For more details, please visit the AWS documentation page.
Customers can now connect their OneLogin Identity Management Platform (OneLogin) to AWS Single Sign-On once, manage access to AWS centrally in AWS SSO, and enable end users to sign in using OneLogin to access all of their assigned AWS accounts.
The integration helps customers simplify AWS access management across multiple accounts while maintaining familiar OneLogin experiences for administrators who manage identities, and for end users as they sign in.
AWS SSO and OneLogin use the System for Cross-domain Identity Management (SCIM) standard to automate the process of provisioning users and groups into AWS SSO, saving administration time and increasing security.
OneLogin – APN Partner Spotlight
OneLogin is an AWS Competency Partner. Its authentication and role-based user provisioning engine enables organizations to implement least-privilege access controls and eliminate manual user management workflows for all AWS users and accounts.