[keycloak-user] SSO to the AWS Management Console via SAML
Georgijs Radovs
georgijsr at scandiweb.com
Thu Dec 8 03:43:12 EST 2016
Hi!
Yes it is possible.
Here are the steps you need to do:
1. Get saml-metadata.xml from Amazon AWS - https://signin.aws.amazon.com/static/saml-metadata.xml
2. Go to Keycloak realm, go to "Clients"
3. Create new SAML client, import Amazon AWS saml-metadata.xml
4. In Client settings, set "Base URL" to "/auth/realms/*your realm name*/protocol/saml/clients/amazon-aws"
5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
6. Save
7. Go to "Installation" tab in Client settings
8. Select "SAML Metadata IDPSSO Descriptor" format
9. Create SAML Identity provider in Amazon AWS IAM, import "SAML Metadata IDPSSO Descriptor" xml file in Amazon AWS
10. Create SAML IAM roles in Amazon AWS, to be used by users logging in from Keycloak.
11. Recreate these IAM roles in Keycloak, in this format "arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS account name*:saml-provider/*Keycloak server FQDN*", and assign them to users or groups
12. Also, set Mappers for "Session Name", "Session Duration" and "Session Role" in Keycloak Amazon AWS client settings.
On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
> Hi,
>
> Is it possible to use Keycloak SAML for SSO to AWS, as described here:
> http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
>
> If so, is there documentation regarding how to set this up? Perhaps similar to the following guide which uses Shibboleth?
> https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
>
> Thanks,
>
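As an added example (my own code, not from this thread or the Keycloak project): a small Python check of the three AWS attributes that the mappers from steps 11 and 12 should put into the assertion, run against a constructed sample. The 900-43200 second SessionDuration range is AWS's documented limit; the account ID 123456789012, the role name kc-readonly and the IdP FQDN sso.example.com are assumed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Constructed sample, not a real capture: the AttributeStatement that the
# "Session Role", "Session Name" and "Session Duration" mappers should yield.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::123456789012:role/kc-readonly,arn:aws:iam::123456789012:saml-provider/sso.example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration"><saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def aws_attributes(xml_text):
    """Collect the AWS-namespaced attributes as {short name: [values]}."""
    out = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR):
            values = attr.iterfind("saml:AttributeValue", NS)
            out[name[len(AWS_ATTR):]] = [v.text or "" for v in values]
    return out

def check_assertion(xml_text, provider_fqdn):
    """Return a list of problems; an empty list means the attributes are well-formed."""
    attrs, problems = aws_attributes(xml_text), []
    for value in attrs.get("Role") or ["(missing)"]:
        role, _, provider = value.partition(",")   # "role ARN,provider ARN"
        m_role, m_prov = ROLE_RE.match(role), PROVIDER_RE.match(provider)
        if not m_role or not m_prov:
            problems.append(f"malformed Role value: {value}")
        elif m_role.group(1) != m_prov.group(1):   # both ARNs must share an account ID
            problems.append(f"role and provider are in different accounts: {value}")
        elif not provider.endswith("/" + provider_fqdn):   # provider must be this IdP
            problems.append(f"provider ARN does not name this IdP: {provider}")
    if not (attrs.get("RoleSessionName") or [""])[0]:
        problems.append("RoleSessionName is missing or empty")
    dur = (attrs.get("SessionDuration") or ["3600"])[0]
    if not dur.isdigit() or not 900 <= int(dur) <= 43200:   # AWS limits: 15 min to 12 h
        problems.append(f"SessionDuration {dur!r} is outside AWS's 900-43200 s range")
    return problems
```

Paste the AttributeStatement of a real assertion (for instance from the browser's SAML tracer) in place of the sample to check a live Keycloak client before users hit the AWS sign-in error page.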