AWS Security Blog

Enable Single Sign-On to the AWS Management Console via Shibboleth

<Repost from AWS Blog, here in its entirety>

One of the most powerful features of AWS Identity and Access Management (IAM) is its ability to issue temporary security credentials and grant controlled access to people in a network without having to define individual identities for each user (i.e., identity federation). This enables customers to extend their existing authentication systems and allow users to Single Sign-On (SSO) to the AWS Management Console.

Last November, we released sample code that will allow customers to create a federation proxy server that uses IAM roles to create temporary security credentials which can be used by Windows Active Directory users to Single Sign-On (SSO) to the AWS Management Console. Thousands of universities and government institutions currently use Shibboleth as their SSO authentication system across many disparate systems. We’ve received feedback from these customers who want a sample demonstrating how to leverage existing Shibboleth systems to easily enable SSO to the AWS Management Console.

Today, we are excited to release additional sample code that extends the functionality of the federation proxy to support Shibboleth using the Security Assertion Markup Language (SAML). The sample code empowers system architects and admins to configure Shibboleth and IAM so users can leverage AWS services while still managing the user’s credentials in their local directory. The sample allows federated users to log into the AWS Management Console without having to create individual IAM users. This approach of federating the use of AWS is a great way to expand and extend your organization’s ability to securely access AWS resources. 

Consider the following example. If a professor of a university would like to have her students use AWS for a class assignment, instead of creating an IAM user for every student, she can leverage the sample proxy to grant students access via their Shibboleth credentials. Implementing SSO with Shibboleth means that students continue to use the same set of credentials they commonly access other university systems with, while ensuring the username and password is never shared with untrusted systems.

Here’s how it works:

1. User A browses to the proxy URL and is prompted to login with Shibboleth credentials.

Screenshot of Shibboleth login page

2. After the user’s credentials are validated, all IAM roles that match assertions are listed in a drop-down box.

Screenshot showing all IAM roles that match assertions

3. The user selects the IAM role that he would like to use, and then clicks “Sign in to the AWS Console.”

Screenshot of choosing a role before signing in

4. The proxy then retrieves the necessary information from the SAML token and then calls the AssumeRoleRequest API. Using the     temporary security credentials received in the AssumeRoleResponse, the proxy server is able to construct a temporary sign-in URL, which is used to redirect the user to the AWS Management Console.

Screenshot of the AWS Management Console

Getting Started

The Step-by-Step instructions in the article will help you get started quickly and walks through the process of installing the sample code, creating the federation partnership, configuring roles in AWS IAM, and deploying the sample proxy.
We would love to get your feedback on whether this sample code is useful to you or not and how we can improve the federation proxy functionality even further. We can’t wait to hear from you. Please provide your comments below.

– Ben