[keycloak-user] SSO to the AWS Management Console via SAML

Sebastien Blanc sblanc at redhat.com
Thu Dec 8 04:00:04 EST 2016


Thanks for these instructions, I think we could add that to our docs.

On Thu, Dec 8, 2016 at 9:43 AM, Georgijs Radovs <georgijsr at scandiweb.com>
wrote:

> Hi!
>
> Yes it is possible.
>
> Here are the steps you need to do to:
>
> 1. Get saml-metadata.xml from Amazon AWS -
> https://signin.aws.amazon.com/static/saml-metadata.xml
>
> 2. Go to Keycloak realm, go to "Clients"
>
> 3. Create new SAML client, import Amazon AWS saml-metadata.xml
>
> 4. In Client settings, set "Base URL" to "/auth/realms/*your realm
> name*/protocol/saml/clients/amazon-aws"
>
> 5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
>
> 6. Save
>
> 7. Go to "Installation" tab in Client settings
>
> 8. Select "SAML Metadata IDPSSO Descriptor" format
>
> 9. Create SAML Identity provider in Amazon AWS IAM, import "SAML
> Metadata IDPSSO Descriptor" xml file in Amazon AWS
>
> 10. Create SAML IAM roles in Amazon AWS, to be used by users logging in
> from Keycloak.
>
> 11. Recreate these IAM roles in Keycloak, in this format
> "arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS
> account name*:saml-provider/*Keycloak server FQDN*", and assign them to
> users or groups
>
> 12. Also, set Mappers for "Session Name", "Session Duration" and
> "Session Role" in Keycloak Amazon AWS client settings.
>
> On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
> > Hi,
> >
> > Is it possible to use Keycloak SAML for SSO to AWS, as described here:
> > http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
> >
> > If so, is there documentation regarding how to set this up? Perhaps
> > similar to the following guide which uses Shibboleth?
> > https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
> >
> > Thanks,
> >
>
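The role value format from step 11 and the three mappers from step 12, as an added example (not from the thread and not Keycloak's own code): a Python check of the "role ARN,provider ARN" value that Keycloak must emit, and the SAML AttributeStatement AWS consumes. The attribute names are the ones AWS documents for console federation; the 12-digit account ID (the ARN account field is the numeric ID) and the provider name are constructed placeholders.

```python
"""Validate Keycloak->AWS role values and build the SAML attributes AWS expects."""
import re
import xml.etree.ElementTree as ET

# Account field is the 12-digit account ID; comma is excluded from the name
# class because AWS splits the Role value on the comma.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@/-]+)$")
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute names AWS documents for console SAML federation.
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ATTR_SESSION_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"


def parse_role_pair(value):
    """Parse 'role ARN,saml-provider ARN' (step 11) and reject malformed pairs.
    Returns (role_arn, provider_arn) with surrounding whitespace stripped."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("expected exactly one comma: role ARN,provider ARN")
    role, provider = parts
    m_role, m_prov = ARN_RE.match(role), ARN_RE.match(provider)
    if not m_role or m_role.group(2) != "role":
        raise ValueError(f"not an IAM role ARN: {role}")
    if not m_prov or m_prov.group(2) != "saml-provider":
        raise ValueError(f"not a saml-provider ARN: {provider}")
    if m_role.group(1) != m_prov.group(1):
        raise ValueError("role and saml-provider must be in the same account")
    return role, provider


def build_attribute_statement(role_pairs, session_name, duration_seconds):
    """Build the AttributeStatement the three Keycloak mappers (step 12) produce.
    AWS accepts SessionDuration between 900 and 43200 seconds."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("SessionDuration must be 900..43200 seconds")
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")

    def add(name, values):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for v in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v

    # One AttributeValue per role pair lets the console offer a role picker.
    add(ATTR_ROLE, [",".join(parse_role_pair(p)) for p in role_pairs])
    add(ATTR_SESSION_NAME, [session_name])
    add(ATTR_SESSION_DURATION, [str(duration_seconds)])
    return stmt
```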