Hi!
Yes it is possible.
Here are the steps you need to take:
1. Get saml-metadata.xml from Amazon AWS -
https://signin.aws.amazon.com/static/saml-metadata.xml
2. Go to Keycloak realm, go to "Clients"
3. Create new SAML client, import Amazon AWS saml-metadata.xml
4. In Client settings, set "Base URL" to "/auth/realms/*your realm name*/protocol/saml/clients/amazon-aws"
5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
6. Save
7. Go to "Installation" tab in Client settings
8. Select "SAML Metadata IDPSSO Descriptor" format
9. Create SAML Identity provider in Amazon AWS IAM, import "SAML
Metadata IDPSSO Descriptor" xml file in Amazon AWS
10. Create SAML IAM roles in Amazon AWS, to be used by users logging in
from Keycloak.
11. Recreate these IAM roles in Keycloak, in this format
"arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS account name*:saml-provider/*Keycloak server FQDN*",
and assign them to users or groups
12. Also, set Mappers for "Session Name", "Session Duration" and
"Session Role" in Keycloak Amazon AWS client settings.
On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
Hi,
Is it possible to use Keycloak SAML for SSO to AWS, as described here:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
If so, is there documentation regarding how to set this up? Perhaps similar
to the following guide which uses Shibboleth?
https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
Thanks,
--
<https://www.youtube.com/watch?v=bs0V2F06liw>
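Added example (not code from either message in this thread, nor from Keycloak or AWS): a small Python check for the attribute values that steps 11 and 12 of the reply describe. It builds the "role ARN,saml-provider ARN" pair in the step 11 format, verifies that both ARNs name the same account (ARNs carry the 12-digit account ID in that position), and inspects a constructed SAML assertion for the three attributes AWS reads (Role, RoleSessionName, SessionDuration; the attribute names are the ones AWS documents). The account ID, role name, provider name and issuer URL in the sample are made up; the 900-43200 second bounds on SessionDuration are a sanity check, not a substitute for the role's configured maximum.

```python
"""Check the SAML attributes a Keycloak client must send for AWS console SSO.

Added example, not code from the mailing-list thread, Keycloak or AWS.
Sample values below (account ID, names, URLs) are constructed.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names AWS reads from the assertion (AWS-documented names).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# "role-arn,provider-arn"; the account part of an ARN is the 12-digit account ID.
ROLE_PAIR_RE = re.compile(
    r"^arn:aws:iam::(?P<role_acct>\d{12}):role/(?P<role>[\w+=,.@/-]+),"
    r"arn:aws:iam::(?P<prov_acct>\d{12}):saml-provider/(?P<provider>[\w._-]+)$"
)


def build_role_value(account_id, role_name, provider_name):
    """Build the Role attribute value in the format given in step 11."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def parse_role_value(value):
    """Return (role_arn, provider_arn); raise ValueError if the pair is
    malformed or the two ARNs name different accounts."""
    m = ROLE_PAIR_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Role value: {value!r}")
    if m["role_acct"] != m["prov_acct"]:
        raise ValueError("role and saml-provider ARNs name different accounts")
    role_arn = f"arn:aws:iam::{m['role_acct']}:role/{m['role']}"
    provider_arn = f"arn:aws:iam::{m['prov_acct']}:saml-provider/{m['provider']}"
    return role_arn, provider_arn


def check_assertion(xml_text):
    """Collect the AWS attributes from an assertion and list any problems."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values

    problems = []
    roles = attrs.get(ROLE_ATTR, [])
    if not roles:
        problems.append("missing Role attribute")
    for r in roles:
        try:
            parse_role_value(r)
        except ValueError as exc:
            problems.append(str(exc))

    names = attrs.get(SESSION_NAME_ATTR, [])
    if len(names) != 1 or not names[0]:
        problems.append("RoleSessionName must have exactly one non-empty value")

    # SessionDuration is optional; when present it must be a single integer
    # number of seconds (sanity bounds: 15 minutes to 12 hours).
    durs = attrs.get(SESSION_DURATION_ATTR, [])
    if durs and (len(durs) != 1 or not durs[0].isdigit()
                 or not 900 <= int(durs[0]) <= 43200):
        problems.append("SessionDuration must be one integer between 900 and 43200")
    return {"attributes": attrs, "problems": problems}


# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ROLE = build_role_value("123456789012", "KeycloakAdmin", "keycloak.example.com")
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2016-12-08T10:00:00Z">
  <saml:Issuer>https://keycloak.example.com/auth/realms/demo</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>{SAMPLE_ROLE}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_NAME_ATTR}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_DURATION_ATTR}">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    result = check_assertion(SAMPLE_ASSERTION)
    for name, values in result["attributes"].items():
        print(name, "->", values)
    print("problems:", result["problems"] or "none")
```

Run it against an assertion captured from a test login (Keycloak's SAML debug logging or a browser SAML tracer gives the decoded XML) to confirm the mappers from step 12 emit all three attributes before pointing real users at the client.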