
Configuring AWS SSO with JumpCloud SAML Integration

Prerequisites

  • Sign up for a free JumpCloud Account
  • Sign up for a free AWS Account
  • After signing up for AWS, note your AWS Account Number.
  • Define a Naming Convention for custom user attributes that will be used to grant AWS Role Permissions in JumpCloud. The resulting values should be unique across AWS Accounts and Roles.
    • Example Naming Convention: AWS<<AWS_Account_Number>><<AWS_Role_Name>>
    • Example Attribute Name: AWS673127022430ADM

Configuring JumpCloud SSO Application

  1. Browse to the JumpCloud Admin Console and authenticate with Administrator credentials.
  2. Click SSO
  3. Click the Plus button to configure a New SSO Application.
  4. Search for AWS
  5. Click Configure next to Amazon Web Services (IAM).
  6. On the General Info tab, provide a Display Label.
  7. On the SSO tab, click add attribute under the USER ATTRIBUTE MAPPING section once for each Account/Role custom user attribute.
    • For every attribute added, use https://aws.amazon.com/SAML/Attributes/Role as the Service Provider Attribute Name and the Account/Role custom user attribute as the JumpCloud Attribute Name.
    • Example:
      • Service Provider Attribute Name: https://aws.amazon.com/SAML/Attributes/Role
      • JumpCloud Attribute Name: AWS673127022430ADM
  8. On the SSO tab, under the CONSTANT ATTRIBUTES section:
    • Delete the default https://aws.amazon.com/SAML/Attributes/Role attribute, so that the only Role values in the assertion come from the user attribute mappings above.
    • Change the https://aws.amazon.com/SAML/Attributes/SessionDuration attribute to 43200 seconds (12 hours). AWS will not grant a console session longer than the role's Maximum session duration, which is 1 hour for a newly created role, so raise that setting to 12 hours on the role's summary page after the role is created.
  11. Click Activate to create the JumpCloud SSO Application
  12. Select the newly created JumpCloud SSO Application and click export metadata to download the Identity Provider Metadata XML file.

Configure a new Identity Provider in AWS Identity and Access Management (IAM)

  1. Browse to the AWS Admin Console.
  2. Log in with Administrative Credentials.
  3. Under Services, select IAM.
  4. In the Identity and Access Management (IAM) dashboard, click Identity providers.
  5. Click Add provider.
  6. Choose SAML for the Provider type.
  7. Choose a meaningful Provider name.
  8. Click Choose file to browse to the downloaded Identity Provider Metadata XML file.
  9. Add tags to facilitate searching and identification.
    • Example:
      • Tag Name: IdentityProvider
      • Tag Value: JumpCloud
  10. Click Add Provider.
  11. Click the newly created Identity Provider.
  12. Copy the Identity Provider’s ARN.

Configure a new IAM Role to be assumed by SAML Identities in AWS Identity and Access Management (IAM)

  1. Browse to the AWS Admin Console.
  2. Log in with Administrative Credentials.
  3. Under Services, select IAM.
  4. In the Identity and Access Management (IAM) dashboard, click Roles.
  5. Click Create role.
  6. Select AWS account for the Trusted entity type.
  7. Specify the AWS Account Number.
  8. Click Next.
  9. Add required permissions to the role.
    • To create an Administrator role:
      • Search for the AdministratorAccess policy.
      • Click the checkbox next to the AdministratorAccess policy.
  10. Click Next.
  11. Provide a meaningful Role name.
  12. Click Edit on Step 1: Select trusted entities.
  13. For Trusted entity type choose SAML 2.0 federation.
  14. For SAML 2.0-based provider select the Identity Provider you created in the previous section.
  15. Select Allow programmatic and AWS Management Console Access.
  16. Click Next.
  17. Click Next.
  18. Add tags to facilitate searching and identification.
    • Example:
      • Tag Name: IdentityProvider
      • Tag Value: JumpCloud
  19. Click Create role.
  20. Click View role on the green notification bar.
  21. Copy the Role’s ARN.

Configure JumpCloud Group custom user attributes.

  1. Browse to the JumpCloud Admin Console and authenticate with Administrator credentials.
  2. Click User Groups
  3. Click the Plus button to create a new group.
  4. On the Details tab:
    1. Provide a meaningful name.
    2. Click add new custom attribute in the Custom Attributes section and select String
    3. Add Custom Attributes for each AWS IAM Role being granted to the Group.
      1. For Attribute Name provide an AWS Account/Role custom attribute value.
        • Example: AWS673127022430ADM
      2. For Attribute Value provide a comma-delimited list containing the AWS Role ARN and the AWS Identity Provider ARN.
        • Example: arn:aws:iam::673127022430:role/JumpCloud-SSO-Administrator-Access,arn:aws:iam::673127022430:saml-provider/JumpCloud
      3. Repeat for each AWS IAM Role.
  5. On the Users tab, select which users should be granted AWS access.
  6. On the Applications tab, grant the group access to the AWS SSO application.
  7. Click Save
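The following is an added example (Python) and not code from the original post or from JumpCloud or AWS. It encodes the naming convention and the "Role ARN, Provider ARN" attribute-value format from the group section above, and emits the trust policy the IAM console generates when a role is created with SAML 2.0 federation and "Allow programmatic and AWS Management Console access" selected. The account number, role name and provider name are the post's own examples; the `suffix_map` table and the function names are assumptions made for illustration.

```python
"""Validate JumpCloud -> AWS role mappings and show the role trust policy.

Added example, not code from the original post. The account, role and
provider names are the post's examples; suffix_map and the function
names are assumptions made for illustration.
"""
import json
import re

# Real AWS constants, not assumptions.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/(.+)$")
ATTR_NAME_RE = re.compile(r"^AWS(\d{12})([A-Za-z0-9]+)$")  # AWS<account><role>


def parse_arn(arn: str):
    """Return (account, resource_type, name) for an IAM role or saml-provider ARN."""
    m = ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role or saml-provider ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)


def trust_policy(provider_arn: str) -> dict:
    """Trust policy the wizard writes for 'SAML 2.0 federation' with
    'Allow programmatic and AWS Management Console access' selected."""
    _, kind, _ = parse_arn(provider_arn)
    if kind != "saml-provider":
        raise ValueError("trusted principal must be a saml-provider ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def check_mapping(attr_name: str, attr_value: str, suffix_map: dict) -> list:
    """Check one JumpCloud custom attribute (name -> 'RoleARN,ProviderARN').

    suffix_map (assumed, kept locally) maps a convention suffix such as 'ADM'
    to the IAM role name it stands for. Returns a list of problems; [] is OK.
    """
    m = ATTR_NAME_RE.match(attr_name)
    if not m:
        return [f"{attr_name}: does not follow the AWS<account><role> convention"]
    acct, suffix = m.group(1), m.group(2)

    parts = [p for p in attr_value.split(",") if p.strip()]
    if len(parts) != 2:
        return [f"{attr_name}: value must be exactly 'RoleARN,ProviderARN'"]
    try:
        by_type = {kind: (a, name) for a, kind, name in map(parse_arn, parts)}
    except ValueError as e:
        return [f"{attr_name}: {e}"]
    if set(by_type) != {"role", "saml-provider"}:
        return [f"{attr_name}: value needs one role ARN and one saml-provider ARN"]

    problems = []
    role_acct, role_name = by_type["role"]
    prov_acct, _ = by_type["saml-provider"]
    if role_acct != acct or prov_acct != acct:
        problems.append(f"{attr_name}: ARNs are in {role_acct}/{prov_acct}, name says {acct}")
    expected = suffix_map.get(suffix)
    if expected and role_name != expected:
        problems.append(f"{attr_name}: suffix {suffix} means {expected!r}, ARN is {role_name!r}")
    return problems


if __name__ == "__main__":
    provider = "arn:aws:iam::673127022430:saml-provider/JumpCloud"
    print(json.dumps(trust_policy(provider), indent=2))
    suffixes = {"ADM": "JumpCloud-SSO-Administrator-Access"}  # assumed local table
    good = check_mapping(
        "AWS673127022430ADM",
        "arn:aws:iam::673127022430:role/JumpCloud-SSO-Administrator-Access," + provider,
        suffixes,
    )
    bad = check_mapping(
        "AWS673127022430ADM",
        "arn:aws:iam::111111111111:role/JumpCloud-SSO-Administrator-Access," + provider,
        suffixes,
    )
    print("post's mapping:", good or "OK")
    print("cross-account mapping:", bad)
```

The check identifies the role and provider ARN by type rather than by position, so a value with the two ARNs swapped still passes; what it refuses is a pair split across accounts, two ARNs of the same kind, or an attribute name that does not match the convention, which are the mistakes that silently produce a role the user cannot assume.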

Test your work by logging into the AWS Dashboard using JumpCloud SSO.

  1. Browse to the JumpCloud User Console.
  2. Click the AWS tile.
  3. Select the Role you want to assume.
  4. Confirm that the AWS Management Console opens with the expected role shown in the account menu; the sign-in is recorded in CloudTrail as an AssumeRoleWithSAML event for that role.

Configure saml2aws for command line access.

```bash
# Install the saml2aws CLI (Homebrew on macOS).
brew install saml2aws

# Register the JumpCloud IdP once; --url is the application's IdP URL from
# its SSO tab in the JumpCloud Admin Console, and WebAuthn is used for MFA.
saml2aws configure \
  --idp-account=ryezone-com \
  --url=https://sso.jumpcloud.com/saml2/aws-rzlbs \
  --idp-provider=JumpCloud \
  --mfa=WEBAUTHN \
  --profile=ryezone-com

# Log in and write temporary credentials for the chosen role into the
# ryezone-com profile; --cache-saml reuses the assertion while it is valid.
saml2aws login \
  --idp-account=ryezone-com \
  --profile=ryezone-com \
  --region=us-east-2 \
  --role=arn:aws:iam::673127022430:role/JumpCloud-SSO-Administrator-Access \
  --cache-saml \
  --skip-prompt \
  --force
```
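As an added example (Python; not part of the original post and not saml2aws's own code), the following shows what the Role, RoleSessionName and SessionDuration attributes configured on the SSO tab look like inside the SAMLResponse that JumpCloud posts to AWS, and how a client such as saml2aws picks the (role, provider) pair to pass to sts:AssumeRoleWithSAML for the role given on the command line. The assertion is constructed for the example and unsigned; a real response is signed and AWS validates that signature when it consumes the assertion, which this script does not do. The user name, the second role and the function names are assumptions.

```python
"""Decode a SAMLResponse, list the AWS roles it grants, and pick one.

Added example, not code from the original post or from saml2aws. The
sample assertion is constructed and unsigned; AWS, not this script,
validates signatures on real responses.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ATTR_BASE = "https://aws.amazon.com/SAML/Attributes/"

# Constructed sample: a minimal unsigned Response carrying the three AWS
# attributes. The post's account, role and provider names are used; the
# user and the ReadOnly role are assumptions.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://signin.aws.amazon.com/saml" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ATTR_BASE}Role">
        <saml:AttributeValue>arn:aws:iam::673127022430:role/JumpCloud-SSO-Administrator-Access,arn:aws:iam::673127022430:saml-provider/JumpCloud</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::673127022430:role/JumpCloud-SSO-ReadOnly,arn:aws:iam::673127022430:saml-provider/JumpCloud</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ATTR_BASE}RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ATTR_BASE}SessionDuration">
        <saml:AttributeValue>43200</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser form (or saml2aws) actually carries: the XML, base64-encoded.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def parse_aws_attributes(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse and return the AWS attributes as {name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(ATTR_BASE):
            attrs[name[len(ATTR_BASE):]] = [
                v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text
            ]
    return attrs


def role_pairs(attrs: dict) -> list:
    """Split each Role value into (role_arn, provider_arn), in either order."""
    pairs = []
    for value in attrs.get("Role", []):
        parts = [p.strip() for p in value.split(",")]
        roles = [p for p in parts if ":role/" in p]
        providers = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"malformed Role value: {value!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def choose_role(attrs: dict, wanted_role_arn: str):
    """Return the (role, provider) pair to pass to AssumeRoleWithSAML, or
    None when the assertion does not grant the requested role."""
    for role, provider in role_pairs(attrs):
        if role == wanted_role_arn:
            return role, provider
    return None


def session_duration_ok(attrs: dict, role_max_session: int = 3600) -> bool:
    """True when the SessionDuration attribute can actually be honoured.

    AWS will not grant a console session longer than the role's Maximum
    session duration (1 hour for a new role), so the post's 43200 needs that
    setting raised to 12 hours. role_max_session is supplied by the caller
    because it lives in IAM, not in the assertion.
    """
    requested = int(attrs.get("SessionDuration", ["3600"])[0])
    return 900 <= requested <= 43200 and requested <= role_max_session


if __name__ == "__main__":
    attrs = parse_aws_attributes(SAMPLE_SAMLRESPONSE)
    for role, provider in role_pairs(attrs):
        print(f"{role}  (via {provider})")
    print("12h session honoured with default role max:", session_duration_ok(attrs))
    print("12h session honoured with role max 43200:", session_duration_ok(attrs, 43200))
```

Each Role value in the assertion is one (role, provider) pair, which is why the post maps one JumpCloud custom attribute per role; `choose_role` is the lookup that `saml2aws login --role ...` performs before calling STS, and `session_duration_ok` makes the MaxSessionDuration dependency of the 12-hour value explicit.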
This post is licensed under CC BY 4.0 by the author.