Simplifying Sign-In for AWS Managed Services with OneLogin, AWS Single Sign-On, and AWS IAM
By Claudine Morales, Partner Solutions Architect – AWS
By Sunil Ramachandra, Technical Account Manager – AWS
By Roy Rodan, Partner Solutions Architect – AWS
OneLogin’s authentication and role-based user provisioning engine enables you to implement least-privilege access controls and eliminate manual user management workflows for all Amazon Web Services (AWS) users and accounts.
In this post, we recap all of the integrations available between OneLogin and AWS. Through these integrations, OneLogin enables you to seamlessly authenticate into AWS managed services across various domains, including analytics, compute, serverless, security, management and governance, and more.
Single Sign-On Using OneLogin and AWS SSO
AWS Single Sign-On (AWS SSO) lets you efficiently manage user identities at scale by establishing a single identity and access strategy across your own applications, third-party software-as-a-service (SaaS) applications, and AWS environments.
Federating access between AWS SSO and OneLogin allows you to sign in to AWS SSO with a single click. Once access federation is set up from OneLogin, end users are able to sign in with OneLogin to gain access to all assigned AWS accounts.
AWS SSO and OneLogin use System for Cross-domain Identity Management (SCIM), which enables automated user provisioning. This blog post walks you through how to connect OneLogin to AWS SSO.
OneLogin also supports session tags with AWS SSO. Using session tags, you can pass user attributes into AWS.
Federated Access to Amazon Redshift
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud that allows you to easily gain new insight from all of your data.
Setting up Amazon Redshift user federation from OneLogin allows you to manage access to Amazon Redshift resources centrally. This eliminates the need for separate database users and passwords and improves enterprise security.
Amazon Redshift supports SAML 2.0, and can be easily configured to integrate with OneLogin. This blog post illustrates the necessary steps for setting up Amazon Redshift user federation from OneLogin. It also explains how to pass along group membership from OneLogin into AWS, which enables you to manage user access to Amazon Redshift resources from within your identity provider (IdP).
Federated Access to Amazon Managed Service for Grafana
With Amazon Managed Service for Grafana (AMG), you can visualize and analyze your operational data at scale without having to provision, configure, and update servers.
AMG is a fully managed service based on Grafana, a popular open source tool that allows you to query, visualize, alert on, and understand your metrics no matter where they are stored.
Integrating OneLogin for single sign-on into AMG through AWS SSO lets users without access to the AWS Management Console reach an AMG environment. It gives users a unique login URL they can use for direct access to AMG dashboards, where they can monitor and query data from various sources, including Amazon CloudWatch, Amazon OpenSearch Service (successor to Amazon Elasticsearch Service), and Amazon Timestream.
After a one-time setup to establish the SAML 2.0 trust, you can continue to manage users and groups using your existing IdP, which can be seamlessly synchronized with AWS SSO by using SCIM. This blog post demonstrates how to implement this integration.
Federated Access to Amazon OpenSearch Service
Amazon OpenSearch Service is a fully managed service that lets you deploy and run Elasticsearch at scale.
Amazon OpenSearch Service offers native support for SAML authentication, so you can integrate directly with third-party IdPs like OneLogin to SSO into Kibana. This allows you to leverage existing user credentials and privileges for Kibana access and manage them directly from your IdP.
Management and Governance
Identity Federation with AWS Control Tower and OneLogin
AWS Control Tower allows organizations with multiple AWS accounts to more easily set up and govern their multi-account AWS environment using AWS best practices.
OneLogin connectors allow you to centrally manage identity and access federation using various user stores, such as Active Directory, LDAP, and Google, as you build and scale your multi-account environment on AWS with Control Tower.
You can integrate OneLogin and Control Tower with either AWS SSO or SAML. This implementation guide walks you through how to set up the integration with AWS SSO using a sample AWS CloudFormation template.
Federated Access Between AWS Client VPN and OneLogin
AWS Client VPN enables remote users to securely connect to your resources on AWS and in your on-premises network. With the launch of Federated Authentication via SAML 2.0, AWS Client VPN can now be configured as a service provider in your existing IdP.
SAML-based federated authentication becomes a third authentication option for Client VPN, in addition to Active Directory and certificate-based mutual authentication.
OneLogin integrates with AWS Client VPN, enabling remote users connecting to Client VPN to authenticate with the same credentials they are using for any other service already integrated with OneLogin. This implementation guide provides instructions for setting up the connection between your SAML-based IdP and Client VPN.
Sending OneLogin Events to Amazon EventBridge
The OneLogin integration with Amazon EventBridge allows organizations to stream event data from OneLogin to an event bus and build custom identity workflows that combine OneLogin and AWS events and actions.
You can add OneLogin as a partner event source using the AWS console and complete the setup by following the instructions provided on the partner’s website.
EventBridge allows you to easily create rules that trigger on events received from OneLogin. For rules that you create, you can define targets, which are services that respond to events.
EventBridge supports many target types. This documentation has the instructions for setting up EventBridge to receive events from OneLogin.
AWS Lambda Authorizers with OneLogin to Control Amazon API Gateway Access
Amazon API Gateway is a fully managed service that makes it easy to create, publish, maintain, monitor, and secure APIs at any scale. It supports various mechanisms for API access control, including AWS Lambda authorizers, which are Lambda functions that use bearer token authentication to control who can invoke REST API methods.
If your organization already uses OneLogin as an IdP, you can build Lambda authorizers by using your OneLogin credentials without having to set up additional services. This OneLogin Developer post illustrates how to create and use a OneLogin Lambda authorizer to control access to your APIs.
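The authorizer pattern described above, as an added example that is not code from the original post or from OneLogin: a TOKEN-type Lambda authorizer that checks the bearer JWT on each request and returns the IAM policy document API Gateway expects. To stay runnable offline it verifies an HS256 signature with a shared secret; a production OneLogin authorizer would instead verify the RS256 signature against the keys OneLogin publishes. The issuer, audience, secret and `make_demo_token` helper are constructed placeholders, and rejecting an unexpected `alg`, a wrong issuer or audience, and an expired token is the part worth copying.

```python
"""Minimal Lambda TOKEN authorizer for API Gateway (added example, HS256 for offline use)."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example-onelogin.example.com/oidc/2"   # placeholder issuer URL
AUDIENCE = "example-api-client-id"                        # placeholder OIDC client id
SECRET = b"constructed-shared-secret-for-demo"            # demo HS256 key, not a real credential


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_jwt(token: str, now=None) -> dict:
    """Return the claims of a valid token, or raise ValueError on any defect."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never accept 'none' or one you did not configure.
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("missing subject")
    return claims


def _policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": {},
    }


def lambda_handler(event: dict, context=None, now=None) -> dict:
    """Entry point: a TOKEN authorizer event carries authorizationToken and methodArn."""
    method_arn = event.get("methodArn", "*")
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return _policy("anonymous", "Deny", method_arn)
    try:
        claims = verify_jwt(token, now)
    except ValueError:
        return _policy("anonymous", "Deny", method_arn)
    response = _policy(claims["sub"], "Allow", method_arn)
    # Selected claims are forwarded to the backend as authorizer context.
    response["context"] = {"email": claims.get("email", "")}
    return response


def make_demo_token(claims: dict) -> str:
    """Constructed helper for local testing: mint an HS256 token with the demo secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Returning a Deny policy yields a 403 from API Gateway; raising an exception whose message is `Unauthorized` would produce a 401 instead, which is the other documented option for a TOKEN authorizer.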
Enabling Federation with AWS SSO and Amazon Connect
Amazon Connect is an omni-channel cloud contact center that helps you improve customer experiences. Designed from the ground up to be omni-channel, Amazon Connect provides a seamless experience across voice and chat for your customers and agents.
OneLogin’s integration with Amazon Connect allows you to enable SAML-based single sign-on into Amazon Connect with RelayState.
RelayState is a parameter in the SAML assertion that’s used to redirect authenticated users to a particular destination. This OneLogin page has more details about this integration and its benefits.
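As an added example (not code from the original post or from OneLogin), the following builds the RelayState value for deep-linking a federated user into Amazon Connect and validates one coming back, so that only a path inside the Connect instance is ever used as the destination. It assumes the Connect federation URL shape `https://<region>.console.aws.amazon.com/connect/federate/<instance-id>?destination=<path>` as documented by AWS; the region list, instance ID and destination are constructed placeholders.

```python
"""Build and validate Amazon Connect RelayState URLs (added example)."""
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

CONSOLE_HOST_SUFFIX = ".console.aws.amazon.com"
FEDERATE_PREFIX = "/connect/federate/"
ALLOWED_REGIONS = {"us-east-1", "us-west-2", "eu-central-1"}  # adjust to where Connect runs


def _is_safe_destination(destination: str) -> bool:
    # Only a relative path inside Connect is acceptable; anything that could be
    # interpreted as a full URL (scheme, "//host") must be rejected.
    return destination.startswith("/") and not destination.startswith("//") and ":" not in destination


def build_relay_state(region: str, instance_id: str, destination: str = "/connect/agent-app-v2/") -> str:
    """Return the RelayState URL that sends the user to a page in the Connect instance."""
    if region not in ALLOWED_REGIONS:
        raise ValueError("region not allowed")
    uuid.UUID(instance_id)  # Connect instance IDs are UUIDs; raises ValueError otherwise
    if not _is_safe_destination(destination):
        raise ValueError("destination must be a path inside Connect, not a URL")
    return f"https://{region}{CONSOLE_HOST_SUFFIX}{FEDERATE_PREFIX}{instance_id}?{urlencode({'destination': destination})}"


def parse_relay_state(relay_state: str):
    """Return (region, instance_id, destination) for a well-formed RelayState, else None."""
    parts = urlparse(relay_state)
    if parts.scheme != "https" or not parts.netloc.endswith(CONSOLE_HOST_SUFFIX):
        return None
    region = parts.netloc[: -len(CONSOLE_HOST_SUFFIX)]
    if region not in ALLOWED_REGIONS or not parts.path.startswith(FEDERATE_PREFIX):
        return None
    instance_id = parts.path[len(FEDERATE_PREFIX):]
    try:
        uuid.UUID(instance_id)
    except ValueError:
        return None
    destination = parse_qs(parts.query).get("destination", ["/"])[0]
    if not _is_safe_destination(destination):
        return None
    return region, instance_id, destination
```

The same check belongs wherever the RelayState is accepted, because a value that names an arbitrary host would turn the sign-in flow into a redirect to wherever that host points.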
Onboarding Amazon SageMaker Studio with AWS SSO and OneLogin
Amazon SageMaker Studio is a fully managed service that provides a web-based integrated development environment (IDE) that contains all of the tools needed to build, train, and deploy machine learning solutions. It supports single sign-on with AWS SSO, which you can integrate with OneLogin.
This allows you to manage Amazon SageMaker Studio end user authentication from one central place, and your end users can use their existing OneLogin credentials for Amazon SageMaker Studio access.
Setting Up OneLogin as a SAML IdP with an Amazon Cognito User Pool
Amazon Cognito provides solutions to control access to AWS resources from your app. It lets you add user sign up, sign in, and access control to your web and mobile apps quickly and easily.
Introducing OIDC IdP Authentication for Amazon EKS
Amazon Elastic Kubernetes Service (Amazon EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS cloud or on-premises.
This blog post demonstrates how customers can integrate an OIDC identity provider like OneLogin with a new or existing EKS cluster running Kubernetes version 1.16 or later.
With this feature, you can manage user access to your cluster using the identity management lifecycle you already have in an OIDC identity provider such as OneLogin.
Customers can connect the OneLogin Identity Management Platform with various AWS managed services to manage access to AWS centrally, and to let end users sign in with OneLogin to reach all of their assigned AWS applications.
These integrations help customers simplify access management across multiple AWS services while keeping the familiar OneLogin experience for administrators who manage identities and for end users as they sign in.
OneLogin – AWS Partner Spotlight
OneLogin is an AWS Security Competency Partner and identity platform for secure, scalable, and smart experiences that connect people to technology.