AWS

This procedure describes how to integrate Amazon Web Services (AWS) for user provisioning.

Step 1: Complete the prerequisites

If required, complete the following prerequisites:

  1. The provisioner template contains the IDaaS user attributes that must be mapped to the attributes required for provisioning. If you use custom attributes, you need to create custom IDaaS user attributes that are mapped to the custom attributes in AWS. Create any required custom user attributes. See Create and manage user attributes.
  2. Identify the IDaaS users that need to be provisioned. In IDaaS, you select the users for provisioning using the Group option. If necessary, create the required groups and add the users to those groups. By default, provisioning selects all IDaaS users if no groups are selected. See Create and manage groups and Import groups.

Step 2: Download the SAML metadata from AWS

  1. Log in to the AWS root console and open IAM Identity Center.
  2. In the IAM Identity Center pane, click Settings. The Settings page appears.
  3. Click the Identity Source tab.
  4. From the Actions drop-down list, select Change Identity source. The Configure external identity provider page appears.
  5. Click Download metadata file.
  6. Leave this page open.

Step 3: Add AWS SAML to IDaaS

  1. Log into your Identity as a Service administrator account.
  2. Click > Security > Applications. The Applications List page appears.
  3. Click Add. The Select an Application Template page appears.
  4. Do one of the following:
    • Select SAML Cloud Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
    • In the Search bar, enter a search option to filter for the application you want to add to IDaaS.
  5. Click AWS. The Add AWS page appears.
  6. Enter an Application Name.
  7. Enter an Application Description.
  8. Under SAML Settings, click to upload the Metadata XML file you downloaded from AWS IAM Identity Center.
  9. Select the SAML Signing Certificate.
  10. Click Save.
  11. Add a resource rule. See Create resource rules.

Step 4: Download the metadata from Identity as a Service

  1. In Identity as a Service, click > Security > Applications. The Applications List page appears.
  2. Do one of the following:
    • Click next to the application you are integrating with Identity as a Service.
    • Click next to the application you are integrating with Identity as a Service and select SAML IDP Metadata.
  3. The SAML Application Metadata dialog box appears.
  4. Select the certificate to include in the SAML IDP Metadata file from the drop-down list.
  5. If applicable, select the domain to include in the SAML IDP Metadata file from the drop-down list.
  6. Enter the Lifetime, in days, for the SAML IDP Metadata file. The value must be between 2 and 730.
  7. Do one of the following, as required:
    • Copy the Public Endpoint to paste into your SAML application that uses Identity Provider authentication.
    • Click Download.
note

If you are using multiple domains, you must download each domain's metadata file separately because the values in the metadata file vary for each domain.
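Before the downloaded IDaaS metadata is uploaded to AWS in the next step, it is worth confirming that the file actually contains what AWS needs (an entityID, an HTTPS SSO endpoint, a signing certificate) and that the validUntil lifetime you entered is inside the 2 to 730 day range. The following checker is an added example, not Entrust or AWS code; the sample metadata, entityID, URLs and certificate bytes in it are constructed placeholders.

```python
"""Sanity-check a SAML IdP metadata file before it is uploaded to AWS IAM Identity Center.

Added example (not Entrust or AWS code). It parses the metadata XML, pulls out the fields
an administrator should confirm (entityID, SSO endpoint, signing certificate, validUntil)
and checks that the remaining lifetime is within the 2..730 day range the IDaaS download
dialog allows. The metadata below is constructed; entityID, URLs and cert are placeholders.
"""
import base64
import binascii
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MIN_LIFETIME_DAYS = 2
MAX_LIFETIME_DAYS = 730
LIFETIME_PROBLEM = f"validUntil lifetime outside {MIN_LIFETIME_DAYS}..{MAX_LIFETIME_DAYS} days"

# Constructed sample IdP metadata; {valid_until} and {cert} are filled in by build_sample().
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idaas.example.com/saml/idp" validUntil="{valid_until}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idaas.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def build_sample(days_valid: int) -> str:
    """Render the constructed sample with validUntil set days_valid days from now."""
    valid_until = datetime.now(timezone.utc) + timedelta(days=days_valid)
    fake_cert = base64.b64encode(b"placeholder certificate bytes, not real X.509 DER").decode()
    return SAMPLE_METADATA.format(valid_until=valid_until.strftime("%Y-%m-%dT%H:%M:%SZ"), cert=fake_cert)


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable validUntil: {value!r}")


def inspect_idp_metadata(xml_text: str, now=None) -> dict:
    """Return the fields worth eyeballing plus a list of problems (empty list = looks sane)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    report = {"entity_id": root.get("entityID"), "sso_endpoints": [], "signing_certs": 0,
              "lifetime_days": None, "problems": problems}
    if not report["entity_id"]:
        problems.append("missing entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return report

    report["sso_endpoints"] = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not report["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    if any(not url.startswith("https://") for url in report["sso_endpoints"]):
        problems.append("SSO endpoint is not https")

    # Count signing certificates (a KeyDescriptor with no 'use' covers signing too) and
    # make sure each one is at least well-formed base64 before AWS tries to parse it.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                base64.b64decode("".join((cert.text or "").split()), validate=True)
                report["signing_certs"] += 1
            except binascii.Error:
                problems.append("signing certificate is not valid base64")
    if report["signing_certs"] == 0:
        problems.append("no signing certificate: AWS cannot verify assertions")

    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil attribute (expected from the IDaaS download)")
    else:
        days = (parse_saml_time(valid_until) - now).total_seconds() / 86400
        report["lifetime_days"] = days
        if not MIN_LIFETIME_DAYS <= days <= MAX_LIFETIME_DAYS:
            problems.append(LIFETIME_PROBLEM)
    return report


if __name__ == "__main__":
    # Replace build_sample(365) with open("idaas-metadata.xml").read() for a real file.
    print(json.dumps(inspect_idp_metadata(build_sample(365)), indent=2))
```

Run it against each domain's downloaded file when you use multiple domains, since the entityID and endpoints differ per domain. The check only covers shape and lifetime; it does not validate the XML signature or the certificate chain.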

Step 5: Add the SAML metadata to AWS

  1. Return to the Configure external identity provider page you left open in Step 2: Download the SAML metadata from AWS.
  2. Under IdP SAML metadata, click Choose File and browse to upload the SAML metadata you downloaded in Step 4: Download the metadata from Identity as a Service.
  3. Click Next to return to the Settings page.
  4. On the Settings page, go to the Details section.
  5. Click Enable next to Automatic provisioning. The Inbound automatic provisioning dialog box appears.
  6. Open a text editor, such as Notepad, and copy and save the SCIM endpoint and Token.
  7. Close the dialog box.

Step 6: Add the provisioner to IDaaS

  1. Click > Provisioners. The Provisioners page appears.

  2. Click and select Generic Integrations from the drop-down list.

  3. Enter a Name for the provisioner.

  4. Select Enable to automatically enable the provisioner when it is created. By default, this setting is deselected.

  5. Select the Groups to provision all users from the selected groups. You can select more than one group.

  6. Open the text file you created in Step 5: Add the SAML metadata to AWS.

  7. In the SCIM Server Endpoints field, enter the SCIM endpoints copied in the text file.

    warning

    SCIM Server Endpoints cannot be edited after the provisioner has been added to IDaaS.

  8. If you need to map AWS user attributes to IDaaS, do the following:

    1. Under User Attribute Mapping, click . The SCIM Attribute dialog box appears.
    2. Select [displayName] from the User Attribute Name drop-down list.
    3. From the User Attribute to map to drop-down list, select <User ID>.
    4. Click Add.
    5. Repeat these steps to map the following additional user attributes:
      • [name.givenName] mapped to <First Name>
      • [name.familyName] mapped to <Last Name>
      • [active] mapped to <State>
  9. Click Save. The provisioner appears on the Provisioner List page with an authorize () icon.
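To make the attribute mapping concrete, the following shows the SCIM 2.0 User resource that results from it for one user, along with the headers a SCIM call such as the Send Test SCIM in Step 7 carries. This is an added example, not Entrust or AWS code: the IDaaS attribute names, the State string values, the reuse of User ID as userName, and the sample user are all assumptions.

```python
"""Build the SCIM 2.0 User resource a provisioner would send to the AWS SCIM endpoint for
one IDaaS user, using the attribute mapping from Step 6, plus the request headers a
Send Test SCIM call needs. Added example, not Entrust or AWS code; the IDaaS attribute
names, the State values and the sample user are assumptions.
"""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# The mapping from Step 6: SCIM attribute path -> IDaaS user attribute.
ATTRIBUTE_MAPPING = {
    "displayName": "User ID",
    "name.givenName": "First Name",
    "name.familyName": "Last Name",
    "active": "State",
}

# Assumption: IDaaS reports account State as a string; anything not in this set is inactive.
ACTIVE_STATES = {"active", "enabled"}


def set_path(resource: dict, path: str, value) -> None:
    """Assign value at a dotted SCIM path, creating sub-objects such as "name" as needed."""
    parts = path.split(".")
    node = resource
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def to_scim_user(idaas_user: dict) -> dict:
    """Translate an IDaaS user (keyed by IDaaS attribute name) into a SCIM core User."""
    resource = {"schemas": [SCIM_USER_SCHEMA]}
    for scim_path, idaas_attr in ATTRIBUTE_MAPPING.items():
        if idaas_attr not in idaas_user:
            raise ValueError(f"IDaaS user is missing mapped attribute {idaas_attr!r}")
        value = idaas_user[idaas_attr]
        if scim_path == "active":
            # SCIM 'active' is a boolean; IDaaS State is a string, so normalise it.
            value = str(value).strip().lower() in ACTIVE_STATES
        set_path(resource, scim_path, value)
    # The SCIM core schema (RFC 7643) requires userName on every User. The page's mapping
    # does not cover it, so this example reuses the User ID (an assumption).
    resource["userName"] = idaas_user["User ID"]
    return resource


def validate_scim_user(resource: dict) -> list:
    """Return the problems a SCIM service provider would reject the resource for."""
    problems = []
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        problems.append("schemas must include the core User schema")
    if not resource.get("userName"):
        problems.append("userName is required")
    name = resource.get("name", {})
    for field in ("givenName", "familyName"):
        if not name.get(field):
            problems.append(f"name.{field} is empty")
    if not isinstance(resource.get("active"), bool):
        problems.append("active must be a boolean")
    return problems


def scim_headers(token: str) -> dict:
    """Headers for a call to the SCIM endpoint: bearer token plus the SCIM media type."""
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def redact_token(token: str) -> str:
    """Show only the tail of the token when logging; never write the full value to logs."""
    if len(token) <= 8:
        return "****"
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    # Constructed sample user.
    sample = {"User ID": "jdoe@example.com", "First Name": "Jane", "Last Name": "Doe", "State": "Active"}
    user = to_scim_user(sample)
    print(json.dumps(user, indent=2))
    print("problems:", validate_scim_user(user))
    print("token in log:", redact_token("placeholder-token-value"))
```

The State to active conversion is the part most worth checking against your tenant: a user whose State string is not recognised is sent as active=false, which deprovisions rather than provisions them, so confirm the exact State values IDaaS emits before enabling the provisioner.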

Step 7: Authorize and enable the provisioner

  1. Click next to the Provisioner. The General Settings page appears.

  2. Click Authorize to acquire OAuth access and refresh tokens.

  3. Follow the prompts that appear from AWS to allow access. An Authorized message appears on the General Settings page to confirm authorization.

  4. Click API Key.

  5. In the API Key field enter the token value you copied in Step 5: Add the SAML metadata to AWS.

  6. Click Send Test SCIM to make a SCIM call to AWS. A message appears to confirm a successful SCIM call to AWS.

  7. Click Save to return to the Provisioners List page.

    info

    If the Save fails, you may need to reauthorize and send a test SCIM again to save new refresh and access tokens.

  8. On the Provisioners List page, enable the provisioner as follows:

    1. Under Actions for the new provisioner, click . The Enable Provisioner prompt appears.
    2. Click Enable.

Step 8: Synchronize your users

  1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.

  2. Click next to the provisioner and then select . The Synchronize Provisioner dialog box appears.

  3. Click Synchronize.

    info

    Check the Audit Logs for errors after synchronizing your users for provisioning.

    warning

    Once a refresh token expires, you must re-authorize and repeat this step.

  4. Verify the results in IDaaS, as follows:

    1. In IDaaS, click > Bulk Operations. The Bulk Operations page appears.
    2. Confirm the SCIM Provisioning operation displays as Completed.
  5. Confirm the provisioned users in AWS in the IAM Identity Center.

Step 9: Check the provisioned users in AWS

  1. Return to your AWS IAM Identity Center console.
  2. Click the People tab. The People page appears.
  3. Click Members. A list of Members appears.

Step 10: If required, edit a provisioner

  1. In IDaaS, click > Resources > Provisioners. The Provisioners List page appears.
  2. Click the name of the provisioner. The Edit Provisioner page appears.
  3. Make your required changes and then click Save.
Attention

If you need to make edits to the provisioner, changing a group or attribute mapping triggers many SCIM calls. Entrust recommends disabling the provisioner until you have completed all the required changes. When disabled, the only SCIM calls made are to delete users or provisioners, as applicable. In addition, you may need to reauthorize the provisioner if an authentication configuration has changed.