OpenAM as a SAMLv2 IdP for the AWS Administration console.
Why integrate AWS with OpenAM as an IdP?
To use OpenAM as the IdP we need to establish trust between AWS and OpenAM. Let's first work on a configuration that uses SAML2. In a later entry I will describe how to use OpenID Connect.
Step 1. First you need your OpenAM to provide SAML2 IdP Services.
Step 2. Export your Identity Provider metadata
Quote the URL: left unquoted, the & characters would be interpreted by the shell and split the command.

```shell
$ wget -O idp.forgerocklabs.org.xml 'https://idp.forgerocklabs.org/openam/saml2/jsp/exportmetadata.jsp?role=idp&realm=/&entityid=idp.forgerocklabs.org'
Resolving idp.forgerocklabs.org… xx.xxx.xxx.xxx.xxx
Connecting to idp.forgerocklabs.org|xxx.xxx.xxx.xxx|:yyy... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4743 (4.6K) [text/xml]
Saving to: 'idp.forgerocklabs.org.xml'

idp.forgerocklabs.o 100%[=====================>]   4.63K  --.-KB/s    in 0.002s

2016-02-01 12:06:12 (2.38 MB/s) - 'idp.forgerocklabs.org.xml' saved [4743/4743]

$ ls
idp.forgerocklabs.org.xml
```
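AWS will trust whatever signing certificate is in the metadata you upload in the next step, so it is worth looking at the file before handing it over. As an added example (not part of the original post), a small Python script that inspects the exported IdP metadata: it confirms the entityID, lists the SingleSignOnService endpoints and checks they are served over TLS, and prints the SHA-256 fingerprint of the signing certificate so it can be compared with the certificate shown in the OpenAM console. The embedded metadata is a constructed sample in the shape OpenAM exports; its certificate body is a placeholder string, not a real X.509 certificate.

```python
"""Inspect an exported OpenAM IdP metadata file before uploading it to AWS.

Added example, not from the original post. SAMPLE_METADATA is a constructed
sample in OpenAM's shape; the certificate body is a placeholder, not a real
certificate.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; the X509Certificate content is base64 of a placeholder string.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="idp.forgerocklabs.org">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.forgerocklabs.org/openam/SSORedirect/metaAlias/idp1"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.forgerocklabs.org/openam/SSOPOST/metaAlias/idp1"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_metadata(xml_text, expected_entity_id):
    """Return (summary, problems); an empty problems list means the file looks sane."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entityID": entity_id}, problems + ["no IDPSSODescriptor: not IdP metadata"]

    sso = {}
    for svc in idp.iterfind("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        sso[svc.get("Binding")] = location
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint not served over TLS: {location}")
    if not sso:
        problems.append("no SingleSignOnService endpoint")

    # SHA-256 over the DER bytes, keyed by the KeyDescriptor 'use' attribute.
    # A KeyDescriptor without 'use' covers both signing and encryption; we file it as signing.
    fingerprints = {}
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))
        fingerprints[kd.get("use", "signing")] = hashlib.sha256(der).hexdigest()
    if "signing" not in fingerprints:
        problems.append("no signing certificate: AWS could not verify assertions")

    return {"entityID": entity_id, "sso": sso, "fingerprints": fingerprints}, problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    summary, problems = inspect_metadata(text, "idp.forgerocklabs.org")
    print(summary)
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it as `python inspect_metadata.py idp.forgerocklabs.org.xml` against the file from the wget above; with no argument it runs on the embedded sample. Compare the printed signing fingerprint with the certificate OpenAM shows for the IdP before uploading the file to AWS.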
Step 3. Configure AWS to use a third party SAMLv2 IdP
Step 4. Create the IAM roles that users federated through OpenAM will assume
Step 5. Configure the AWS SAMLv2 SP in OpenAM
Step 6. Test the configuration
- metaAlias: The metaAlias of your Identity Provider. In this example it is /idp1, but it can be something different (like /idp). You can verify it from your IdP configuration in the console or from the exported metadata, where the SingleSignOnService locations end in /metaAlias/<your alias>.
- spEntityID: The entity ID of the AWS Service Provider. For AWS this is "urn:amazon:webservices". Amazon could change it, but it has remained fixed for a long time; confirm it against the entityID attribute in the SP metadata AWS publishes at https://signin.aws.amazon.com/static/saml-metadata.xml.
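Steps 4 and 5 only work together if the role trust policy on the AWS side and the attributes OpenAM puts in the assertion agree. As an added example (not from the original post), a Python script covering both: it builds the IAM trust policy for a role that OpenAM-federated users may assume, and checks that an assertion carries the attributes AWS requires (the Role attribute as a "role ARN,provider ARN" pair with both ARNs in the same account, exactly one RoleSessionName, and an audience naming AWS). The account ID 123456789012, the role name OpenAMAdmin, the provider name OpenAM and the assertion XML are constructed for the example.

```python
"""AWS-side checks for the OpenAM SAML federation.

Added example, not from the original post. The account id, role name,
provider name and the assertion below are constructed for illustration.
"""
import json
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Endpoint the assertion is posted to (value of SAML:aud) and the SP entity ID
# from the post; either may appear as the Audience of the assertion.
AWS_SIGNIN = "https://signin.aws.amazon.com/saml"
AWS_AUDIENCES = {AWS_SIGNIN, "urn:amazon:webservices"}
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")


def trust_policy(account_id, provider_name):
    """Step 4: trust policy for a role that OpenAM-federated users may assume.

    The Federated principal pins the SAML provider created in step 3; the
    SAML:aud condition rejects an assertion that was issued for another SP.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SIGNIN}},
        }],
    }


# Constructed sample of the assertion OpenAM would issue (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1" Version="2.0" IssueInstant="2016-02-01T12:06:12Z">
  <saml:Issuer>idp.forgerocklabs.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/OpenAMAdmin,arn:aws:iam::123456789012:saml-provider/OpenAM</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@forgerocklabs.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text):
    """Return the problems found; an empty list means the attributes are what AWS needs."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = {a.text.strip() for a in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if not audiences & AWS_AUDIENCES:
        problems.append(f"audience {sorted(audiences)} does not name AWS")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    roles = attrs.get(AWS_ROLE_ATTR, [])
    if not roles:
        problems.append("missing Role attribute")
    for pair in roles:
        # AWS accepts the role ARN and the provider ARN in either order.
        parts = [p.strip() for p in pair.split(",")]
        role = next((p for p in parts if ROLE_RE.match(p)), None)
        prov = next((p for p in parts if PROVIDER_RE.match(p)), None)
        if len(parts) != 2 or role is None or prov is None:
            problems.append(f"malformed Role value: {pair}")
        elif ROLE_RE.match(role).group(1) != PROVIDER_RE.match(prov).group(1):
            problems.append(f"role and provider are in different accounts: {pair}")
    session = attrs.get(AWS_SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        problems.append("RoleSessionName must be exactly one non-empty value")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy("123456789012", "OpenAM"), indent=2))
    print(check_assertion(SAMPLE_ASSERTION) or "assertion carries what AWS needs")
```

The trust policy is the JSON to paste into the role created in step 4; the provider name must match the SAML provider created from the metadata in step 3. Run check_assertion over a decoded SAMLResponse captured in the browser during step 6 if the AWS sign-in page rejects the login.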