This guide explains how to integrate Assertiv with AWS using SAML. When this set up is complete, users will be able to log into AWS using their Assertiv account.
Note: The screenshots used are for demonstrative purposes only and are accurate at time of writing. These screens can change over time. Please let us know if this document no longer reflects the application.
Prerequisites
In order to configure AWS for SAML SSO, you will need the following:
- An AWS account and sufficient permissions to set up SAML Identity Providers and Roles in IAM
Create AWS App in Assertiv
Log into your Assertiv Organization (https://<your-org>.assertiv.com) as an Admin user and select the App Config dashboard tile.
Select the plus (
) button to create a new App config.
Search for the AWS/Amazon Web Services application and select the AWS icon.
You will be prompted for some information on the following page.
AWS Service Name: The name entered here will be used when displaying this app to end users from their Applications page and in administrative app configuration pages.
Signing Certificate: The certificate is used to create a trust between Assertiv and your AWS account. For advanced users, if you have created a certificate you wish to use, select it here. Otherwise (or if you are unsure) you can select "-- Generate New Signing Certificate --".
Save the configuration. When the save completes, you will be taken to the Edit Service page. At the bottom of this page a Metadata file will be generated (this can take several seconds to finish). Download the metadata file by clicking Download Metadata.
Open your AWS Console and log in as an Administrative user.
Navigate to the Identity Providers section (IAM > Identity Providers) and click the Create Provider button.
Select SAML as the Provider Type, enter a name of your choosing for the Provider Name, then browse and select the metadata file you downloaded in the previous steps. Then click Next Step.
Verify and confirm the details and click Create.
From within the IAM section, navigate to Roles and create a new role.
Select SAML 2.0 Federation.
Select Allow programmatic and AWS Management Console access
Optional: additional conditions can be added. For the purpose of this demonstration, no more conditions are required.
Click the Next: Permissions button.
On the following page, select the permission policies which will be granted to a user who logs in with this role.
Click Next: Tags
Optionally add any tags you require to this role. This is not mandatory for an Assertiv configuration. Click Next: Review.
Enter a Role name and Role Description.
Click the Create button to create the role.
On the following page, select the link with your role name (or search for your role).
Navigate to the Trust Relationships tab. Copy the Role ARN and Trusted Entities (Identity Provider) to their respective configuration fields in the Assertiv AWS application page. The fields have been mapped below.
Optional: The default timeout for a SAML authenticated session in AWS is 1 hour. This can be adjusted using the AWS Session Duration field if you wish to extend this.
Click Save in Assertiv to complete the configuration for AWS.
Configure Roles
In order for your users to access your application from their Assertiv apps page, you must set up a role, assign users to the role, and give that role permission to access the application. This is required for testing the integration as well.
More details on roles can be found in the following articles
Accessing AWS
When you have completed the creation of the AWS application and configured a role (and granted the role to users), the application should be available from the Apps page in Assertiv.
