Purpose

This page describes how an AWS (Amazon Web Services) account owner can configure single sign-on (SSO) to the AWS Management Console, including the SAML configuration for signing in with a UW NetID and the UW groups that map group memberships to AWS roles in your AWS account.

Instructions

An AWS account owner can configure federated sign-in using these steps:

  1. Send UW-IT your Amazon Account ID

    1. Account ID is on the "My Account" AWS Console page

    2. Email iam-support@uw.edu your Account ID

    3. UW-IT will create a UW group stem for you to manage your AWS roles

      1. u_weblogin_aws_(accountid)
  2. Add the UW IdP as an Identity Provider
    1. "AWS Console" → "IAM" →  "Identity Providers" → "Create Provider"
      1. Provider Type: "SAML"
      2. Provider Name: "UW"
      3. Metadata Document:
        1. Attach the IdP's metadata as a file
      4. Next Step
        1. "Create"
  3. Create an AWS role for SAML login
    1. "IAM" Service → "Roles" → "Create New Role"
    2. Select "SAML 2.0 federation"
      1. SAML provider: select what you created from step #2
      2. Attribute: "SAML:aud"
      3. Value: "https://signin.aws.amazon.com/saml"
    3. Click "Next Permissions"
      1. Choose the AWS Policies that you want to grant to this role
    4. Click "Next Review"
      1. Role Name
        1. Must consist of lowercase letters, digits, dashes, and dots only!
        2. The role name must match the final segment of the corresponding UW group ID (see step 4c below)
      2. Click "Create Role"
  4. Create a UW group that will be granted your AWS role
    1. Sign in to the UW groups service (https://groups.uw.edu)
    2. Create a new group under the group stem created for you (in step 1c)
    3. The last part of the Group ID (after the final "_") must match your AWS Role Name (rolename):
      1. u_weblogin_aws_(accountid)_(rolename)
    4. Add the UW NetIDs of people who can sign in and assume the role as members of this new group
      1. Users must be added as members of the group (direct or effective). Adding a user as an admin (or another non-member role) will not permit SSO.
  5. Sign in to the AWS Console
    1. Amazon uses IdP-initiated SSO. This is also known as "unsolicited" SSO since the sign-in isn't initiated by the service provider (AWS).
    2. A static link is used to initiate sign-in from the UW IdP.
      1. Either click this link: Sign in to the AWS Console with UW NetID
      2. Or copy and use this location: https://idp.u.washington.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices 
    3. Clicking the link above initiates sign-in from the UW IdP to Amazon.
    4. The maximum session duration defaults to one hour. You can edit the AWS role itself to set a longer session duration.
    5. After the AWS session duration ends, the session with the AWS Console will expire.
    6. Use the IdP-initiated SSO link again to establish a new session.
  6. Note: 2FA is enabled for all users by default.
    1. To learn more about 2FA options and eligibility, refer to two-factor authentication in IT Connect.
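
The role created in step 3 and the group created in step 4 are tied together by two conventions: the role's trust policy must only accept assertions from the UW provider for the AWS sign-in audience, and the group ID must be the stem plus "_" plus the role name. The following Python is an added example (not part of this page or of any UW-IT tooling) that encodes both conventions so they can be checked outside the console: it builds the trust policy equivalent to the "SAML 2.0 federation" choice, audits an existing trust policy for a wrong provider or a missing SAML:aud condition, and maps role names to group IDs and back. The account ID, role name and provider name "UW" used in the test values are constructed; the SAML provider ARN format and the sts:AssumeRoleWithSAML action are standard IAM.

```python
import re

# Audience value that AWS requires in the SAML:aud condition (step 3.2.3).
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Role names on this page are restricted to lowercase letters, digits, dashes
# and dots (step 3.4.1).  Underscores are excluded on purpose: the group ID is
# "<stem>_<rolename>", so the role name is everything after the last "_".
ROLE_NAME_RE = re.compile(r"^[a-z0-9.-]+$")


def role_name_ok(role_name: str) -> bool:
    """True when the role name satisfies the naming rule from step 3."""
    return bool(ROLE_NAME_RE.match(role_name))


def group_stem(account_id: str) -> str:
    """Group stem UW-IT creates for the account (step 1.3.1)."""
    return f"u_weblogin_aws_{account_id}"


def group_id_for_role(account_id: str, role_name: str) -> str:
    """Group ID that step 4.3 requires for a role: stem + "_" + role name."""
    if not role_name_ok(role_name):
        raise ValueError(f"role name {role_name!r} violates the naming rule")
    return f"{group_stem(account_id)}_{role_name}"


def role_name_from_group_id(account_id: str, group_id: str) -> str:
    """Inverse: recover the role name from a group ID under the account's stem."""
    prefix = group_stem(account_id) + "_"
    if not group_id.startswith(prefix):
        raise ValueError(f"{group_id!r} is not under the stem {prefix!r}")
    return group_id[len(prefix):]


def saml_trust_policy(account_id: str, provider_name: str = "UW") -> dict:
    """Trust policy equivalent to what the console builds for a 'SAML 2.0
    federation' role (step 3): only assertions issued by the named provider
    for the AWS sign-in audience may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def trust_policy_findings(policy: dict, account_id: str, provider_name: str = "UW") -> list:
    """Audit an existing trust policy: report every Allow statement for
    sts:AssumeRoleWithSAML that trusts a different provider or lacks the
    SAML:aud condition.  An empty list means the policy has the step-3 shape."""
    expected = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRoleWithSAML", "sts:*") for a in actions
        ):
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != expected:
            findings.append(f"trusts {federated!r}, expected {expected!r}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings
```

The audit function is the part worth running periodically: a role whose trust policy drifts to a different federated principal, or loses the SAML:aud condition, no longer enforces that only UW-issued assertions for the AWS console can assume it, and the console does not warn about that after creation.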

Notes

If you use AWS CloudTrail, refer to this blog on "How to Easily Identify Your Federated Users by Using AWS CloudTrail".
https://aws.amazon.com/blogs/security/how-to-easily-identify-your-federated-users-by-using-aws-cloudtrail/
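
As an added example (not from this page or the linked blog), the Python below shows the idea behind identifying federated users in CloudTrail: the AssumeRoleWithSAML event and every later call in that session carry an assumed-role ARN of the form arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION, and the role segment maps straight back to the UW group from step 4. The sample records are constructed, not real CloudTrail output, and only carry the fields the code reads; that the session name holds the NetID is an assumption about how the UW IdP populates the SAML RoleSessionName attribute.

```python
import re
from collections import Counter

# Session ARN produced when a role is assumed: the last segment is the
# RoleSessionName, which for UW SAML sign-in is assumed to carry the NetID.
ASSUMED_ROLE_ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")

# Constructed sample records (not real CloudTrail output).  Only the fields
# the functions below read are included.
SAMPLE_RECORDS = [
    {   # the federation event itself: the SAML subject assumes the role
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "jdoe"},
        "responseElements": {
            "assumedRoleUser": {"arn": "arn:aws:sts::123456789012:assumed-role/developer-1/jdoe"}
        },
    },
    {   # an API call made later in that session
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/developer-1/jdoe",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/developer-1"}},
        },
    },
    {   # a long-lived IAM user: not a role session, so it is skipped
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListRoles",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
    },
]


def federated_identity(record: dict):
    """Map one record to account_id, role_name, session_name and the UW group
    that granted the role, or None when the record is not from a role session."""
    ident = record.get("userIdentity", {})
    if record.get("eventName") == "AssumeRoleWithSAML":
        arn = record.get("responseElements", {}).get("assumedRoleUser", {}).get("arn")
    elif ident.get("type") == "AssumedRole":
        arn = ident.get("arn")
    else:
        return None
    m = ASSUMED_ROLE_ARN_RE.match(arn or "")
    if not m:
        return None
    account_id, role_name, session_name = m.groups()
    return {
        "account_id": account_id,
        "role_name": role_name,
        "session_name": session_name,
        # group whose membership admitted this user to the role (step 4 naming rule)
        "uw_group": f"u_weblogin_aws_{account_id}_{role_name}",
    }


def activity_by_session(records) -> dict:
    """Count events per (session_name, role_name) so each federated session can
    be tied back to the NetID and the UW group that admitted it."""
    counts = Counter()
    for rec in records:
        info = federated_identity(rec)
        if info:
            counts[(info["session_name"], info["role_name"])] += 1
    return dict(counts)
```

The AssumedRole identity type is not specific to SAML (any role assumption produces it), so the AssumeRoleWithSAML event is the authoritative link between a session and a UW sign-in; the sessionContext.sessionIssuer ARN shows which role was assumed when the session ARN alone is ambiguous.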