On 2016.12.08. 11:00, Sebastien Blanc wrote:
Thanks for these instructions, I think we could add that to our docs.
On Thu, Dec 8, 2016 at 9:43 AM, Georgijs Radovs <georgijsr(a)scandiweb.com> wrote:
Hi!
Yes it is possible.
Here are the steps you need to do to:
1. Get saml-metadata.xml from Amazon AWS - https://signin.aws.amazon.com/static/saml-metadata.xml
2. Go to Keycloak realm, go to "Clients"
3. Create new SAML client, import Amazon AWS saml-metadata.xml
4. In Client settings, set "Base URL" to "/auth/realms/*your realm name*/protocol/saml/clients/amazon-aws"
5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
6. Save
7. Go to "Installation" tab in Client settings
8. Select "SAML Metadata IDPSSO Descriptor" format
9. Create SAML Identity provider in Amazon AWS IAM, import "SAML Metadata IDPSSO Descriptor" xml file in Amazon AWS
10. Create SAML IAM roles in Amazon AWS, to be used by users logging in from Keycloak.
11. Recreate these IAM roles in Keycloak, in this format "arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS account name*:saml-provider/*Keycloak server FQDN*", and assign them to users or groups
12. Also, set Mappers for "Session Name", "Session Duration" and "Session Role" in Keycloak Amazon AWS client settings.
On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
> Hi,
>
> Is it possible to use Keycloak SAML for SSO to AWS, as described here:
> http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
>
> If so, is there documentation regarding how to set this up? Perhaps similar
> to the following guide which uses Shibboleth?
> https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
>
> Thanks,
>
--
https://www.youtube.com/watch?v=bs0V2F06liw
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
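The role format in step 11 and the three mappers in step 12 are where this setup most often goes wrong in practice, and AWS rejects the assertion with little explanation. The following is an added example (not code from the thread, from Keycloak or from AWS) that pulls the AWS-specific attributes out of a Keycloak-issued SAML assertion and checks them against the format AWS expects: each Role value must be a role ARN and a saml-provider ARN pair from the same account, RoleSessionName must be a single value of 2 to 64 allowed characters, and SessionDuration, if present, must be an integer between 900 and 43200 seconds. It assumes the standard AWS attribute names (`https://aws.amazon.com/SAML/Attributes/Role`, `.../RoleSessionName`, `.../SessionDuration`), which the thread refers to only by their Keycloak mapper labels, and it assumes that where the message says "AWS account name" the ARN carries the 12-digit AWS account ID. The sample assertion, account ID and provider name are constructed placeholders.

```python
"""Check the AWS attributes in a Keycloak SAML assertion before trusting it for
AWS console access.

Added example for the keycloak-user thread on SAML SSO to AWS; not code from
the thread, Keycloak or AWS. Run it after the assertion's signature has been
verified; this only inspects the AttributeStatement. The assertion built by
_assertion() is constructed demo data with placeholder values.
"""
import re
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_ATTR_SESSION_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Role value as described in step 11 of the thread, role ARN first, then the
# saml-provider ARN. The "account" part is the 12-digit AWS account ID
# (assumption: role names containing commas are not handled).
ROLE_PAIR_RE = re.compile(
    r"^arn:aws:iam::(?P<role_acct>\d{12}):role/(?P<role>[^,\s]+),"
    r"arn:aws:iam::(?P<prov_acct>\d{12}):saml-provider/(?P<provider>[^,\s]+)$",
    re.ASCII,
)
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)
MIN_DURATION, MAX_DURATION = 900, 43200  # AWS SessionDuration limits, in seconds


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute-name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_ASSERTION_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_aws_attributes(assertion_xml: str, expected_provider: str) -> list:
    """Return a list of findings; an empty list means the AWS attributes are well-formed."""
    attrs = extract_attributes(assertion_xml)
    findings = []

    roles = attrs.get(AWS_ATTR_ROLE, [])
    if not roles:
        findings.append("missing Role attribute")
    for value in roles:
        m = ROLE_PAIR_RE.match(value)
        if not m:
            findings.append(f"Role value is not 'role-arn,saml-provider-arn': {value!r}")
            continue
        if m["role_acct"] != m["prov_acct"]:
            findings.append(f"role and provider ARNs name different accounts: {value!r}")
        if m["provider"] != expected_provider:
            findings.append(f"unexpected saml-provider {m['provider']!r}, expected {expected_provider!r}")

    names = attrs.get(AWS_ATTR_SESSION_NAME, [])
    if len(names) != 1 or not SESSION_NAME_RE.match(names[0]):
        findings.append(f"RoleSessionName must be one value of 2-64 chars [A-Za-z0-9+=,.@-]: {names!r}")

    durations = attrs.get(AWS_ATTR_SESSION_DURATION, [])
    if durations:  # optional; AWS falls back to the role's default when absent
        ok = len(durations) == 1 and durations[0].isdigit() and MIN_DURATION <= int(durations[0]) <= MAX_DURATION
        if not ok:
            findings.append(f"SessionDuration must be an integer {MIN_DURATION}-{MAX_DURATION}: {durations!r}")
    return findings


def _assertion(role_pairs, session_name, duration):
    """Build a constructed, unsigned assertion fragment for the demo (placeholder values)."""
    role_values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in role_pairs)
    return f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}" ID="_demo" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_ATTR_ROLE}">{role_values}</saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR_SESSION_NAME}"><saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR_SESSION_DURATION}"><saml:AttributeValue>{duration}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


ACCOUNT = "123456789012"           # placeholder AWS account ID
PROVIDER = "keycloak.example.com"  # placeholder saml-provider name created in IAM (step 9)

# Constructed samples: one assertion that passes and one with a mismatched
# account, a malformed Role value, a too-short session name and a 24h duration.
GOOD = _assertion(
    [f"arn:aws:iam::{ACCOUNT}:role/ReadOnly,arn:aws:iam::{ACCOUNT}:saml-provider/{PROVIDER}"],
    "alice", "3600")
BAD = _assertion(
    [f"arn:aws:iam::{ACCOUNT}:role/Admin,arn:aws:iam::210987654321:saml-provider/{PROVIDER}",
     f"arn:aws:iam::{ACCOUNT}:role/Broken"],
    "a", "86400")

if __name__ == "__main__":
    print("good:", check_aws_attributes(GOOD, PROVIDER))
    for finding in check_aws_attributes(BAD, PROVIDER):
        print("bad: ", finding)
```

The check deliberately pins the saml-provider name to the one created in IAM in step 9, so a Role value that points at a provider in another account, or at a differently named provider, is flagged before the assertion is handed to AWS. In a deployment that parses assertions it did not generate itself, use a hardened XML parser such as defusedxml in place of the standard library module.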