[keycloak-user] SSO to the AWS Management Console via SAML
Georgijs Radovs
georgijsr at scandiweb.com
Thu Dec 8 07:22:23 EST 2016
Glad to be of some help )
Also, I've written a more detailed tutorial on this:
https://medium.com/@georgijsr/sign-in-to-amazon-aws-using-saml-protocol-and-keycloak-as-identity-provider-e3798387de99#.qph0zd3hb
On 2016.12.08. 11:00, Sebastien Blanc wrote:
> Thanks for these instructions, I think we could add that to our docs.
>
> On Thu, Dec 8, 2016 at 9:43 AM, Georgijs Radovs
> <georgijsr at scandiweb.com> wrote:
>
> Hi!
>
> Yes it is possible.
>
> Here are the steps you need to do to:
>
> 1. Get saml-metadata.xml from Amazon AWS -
> https://signin.aws.amazon.com/static/saml-metadata.xml
>
> 2. Go to Keycloak realm, go to "Clients"
>
> 3. Create new SAML client, import Amazon AWS saml-metadata.xml
>
> 4. In Client settings, set "Base URL" to "/auth/realms/*your realm
> name*/protocol/saml/clients/amazon-aws"
>
> 5. In Client settings, set "IDP Initiated SSO URL Name" to amazon-aws
>
> 6. Save
>
> 7. Go to "Installation" tab in Client settings
>
> 8. Select "SAML Metadata IDPSSO Descriptor" format
>
> 9. Create SAML Identity provider in Amazon AWS IAM, import "SAML
> Metadata IDPSSO Descriptor" xml file in Amazon AWS
>
> 10. Create SAML IAM roles in Amazon AWS, to be used by users
> logging in from Keycloak.
>
> 11. Recreate these IAM roles in Keycloak, in this format
> "arn:aws:iam::*AWS account name*:role/*IAM role*,arn:aws:iam::*AWS
> account name*:saml-provider/*Keycloak server FQDN*", and assign
> them to users or groups
>
> 12. Also, set Mappers for "Session Name", "Session Duration" and
> "Session Role" in Keycloak Amazon AWS client settings.
>
> On 2016.12.07. 22:10, Patrick Ruhkopf wrote:
> > Hi,
> >
> > Is it possible to use Keycloak SAML for SSO to AWS, as described here:
> > http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
> >
> > If so, is there documentation regarding how to set this up? Perhaps similar
> > to the following guide which uses Shibboleth?
> > https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
> >
> > Thanks,
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
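Added worked example (not code from this thread, from Keycloak or from AWS): a small checker for the assertion that the Keycloak client configured in steps 11 and 12 above will send to AWS. It parses a constructed, unsigned assertion and verifies the things AWS rejects silently with a generic sign-in error: the Audience is AWS's entityID `urn:amazon:webservices`, every Role value is a role ARN paired with a saml-provider ARN from the same 12-digit AWS account (in step 11 the "AWS account name" slot is that account ID; AWS accepts the two ARNs in either order), RoleSessionName is 2 to 64 characters of `[\w+=,.@-]`, and SessionDuration is between 900 and 43200 seconds. The account ID, role and provider names, realm and hostname in the sample are made up; signature verification is left to AWS's ACS and is out of scope.

```python
"""Sanity-check the AWS SAML attributes a Keycloak client emits.

Added example: not code from the thread, from Keycloak or from AWS.
Account ids, role names, provider name and hostname below are invented.
"""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR_PREFIX = "https://aws.amazon.com/SAML/Attributes/"
AWS_AUDIENCE = "urn:amazon:webservices"   # entityID from AWS's saml-metadata.xml

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")


def build_role_value(account_id, role_name, provider_name):
    """One Role attribute value in the "roleArn,providerArn" format of step 11."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def check_role_value(value):
    """Return None if AWS would accept this Role value, else a reason string."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        return f"Role value must be 'roleArn,providerArn': {value!r}"
    roles = [m for m in map(ROLE_ARN.match, parts) if m]
    providers = [m for m in map(PROVIDER_ARN.match, parts) if m]
    if len(roles) != 1 or len(providers) != 1:
        return f"Role value needs one role ARN and one saml-provider ARN: {value!r}"
    if roles[0].group(1) != providers[0].group(1):   # AWS requires one account
        return f"role and saml-provider ARNs are in different accounts: {value!r}"
    return None


def aws_attributes(root):
    """Collect AWS attribute values. Keycloak may emit several <Attribute>
    elements with the same Name, or several <AttributeValue>s under one."""
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR_PREFIX):
            values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
            attrs.setdefault(name[len(AWS_ATTR_PREFIX):], []).extend(values)
    return attrs


def check_assertion(xml_text):
    """Return {'attributes': {...}, 'problems': [...]}; no problems means pass."""
    root = ET.fromstring(xml_text)
    attrs = aws_attributes(root)
    problems = []

    audiences = [a.text for a in root.iterfind(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience must include {AWS_AUDIENCE}, got {audiences}")

    roles = attrs.get("Role", [])
    if not roles:
        problems.append("Role attribute missing: the user has no mapped IAM role")
    problems.extend(r for r in map(check_role_value, roles) if r)

    names = attrs.get("RoleSessionName", [])
    if len(names) != 1:
        problems.append("RoleSessionName must be sent exactly once")
    elif not SESSION_NAME.match(names[0]):
        problems.append(f"RoleSessionName must be 2..64 chars of [\\w+=,.@-]: {names[0]!r}")

    for d in attrs.get("SessionDuration", []):     # optional; AWS defaults to 1h
        if not (d.isdigit() and 900 <= int(d) <= 43200):
            problems.append(f"SessionDuration must be 900..43200 seconds: {d!r}")

    return {"attributes": attrs, "problems": problems}


def _assertion(audience, role_values, session_name, duration):
    """Constructed, unsigned assertion shaped like Keycloak's output (test data)."""
    role_xml = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2016-12-08T12:00:00Z">
  <saml:Issuer>https://keycloak.example.com/auth/realms/demo</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_ATTR_PREFIX}Role">{role_xml}</saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR_PREFIX}RoleSessionName">
      <saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR_PREFIX}SessionDuration">
      <saml:AttributeValue>{duration}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Two constructed samples: one as steps 11-12 produce it, one with typical mistakes.
GOOD = _assertion(AWS_AUDIENCE,
                  [build_role_value("123456789012", "KeycloakAdmin", "keycloak.example.com"),
                   build_role_value("123456789012", "ReadOnly", "keycloak.example.com")],
                  "alice@example.com", "3600")
BAD = _assertion("urn:example:other",
                 ["arn:aws:iam::999999999999:role/Admin,"
                  "arn:aws:iam::123456789012:saml-provider/keycloak.example.com"],
                 "a", "86400")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_assertion(doc)["problems"] or "OK")
```

Paste the assertion Keycloak actually sends (decode the base64 SAMLResponse from the browser's POST to https://signin.aws.amazon.com/saml and take the Assertion element) into `check_assertion` before debugging on the AWS side; the bad sample shows the four failures that AWS otherwise reports only as a generic sign-in error.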