Configuring SAML for Amazon Web Services (AWS)
REQUIRED ACCOUNT/PERMISSION LEVEL
Bitium: All account levels; must be an admin to set up
AWS: All account levels
Part 1: In Bitium
1. Go to “Manage Apps.”
2. Select “AWS” from the list of installed apps.
3. Select the “Single Sign-On” tab.
4. From the dropdown, select “SAML Authentication.”
5. Click “Download Metadata XML” and save the file for later.
6. Leave your Bitium window open.
Besides the steps below, AWS’s own documentation on enabling SAML access to the management console is available at http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html
Part 2: In AWS
1. Log into AWS and select the “Identity and Access Management” console.
2. On the side menu, select “Identity Providers” and then click the “Create Provider” button.
3. Under “Provider Type” choose SAML; under “Provider Name” type “Bitium”; for “Metadata Document” click “Choose File” and select the file downloaded in Part 1, Step 5 above. When you’re done, click “Next Step” in the bottom right corner.
4. On the following page, select the newly created Provider and click the link at the top that asks you to create the appropriate IAM role. This role defines the permissions the authenticated user will have once inside AWS.
5. On the next page, select “Create New Role”, then choose a name for the role and click “Next Step.”
6. On the “Select Role Type” screen, click the bubble next to “Role for Identity Provider Access,” then find the option “Grant Web Single Sign-On (WebSSO) access to SAML providers” and click “Select.” On the next screen, click “Next Step.”
7. Click “Next Step” on the “Verify Role Trust” screen.
8. The next step is to set up the actual permissions users in this role will have. Select the policy that is appropriate for your users and company. Click “Select” next to your choice, and then on the next page choose “Next Step.”
9. You will then be taken to the “Review” screen, where you can verify your choices and select “Create Role.”
10. The final step is to copy the Role ARN and Provider ARN from AWS and insert them into the appropriate fields in Bitium. On the left-hand AWS menu, select the Role you just created, and copy the “Role ARN” at the top of the next page. Go back to Bitium and paste it into the corresponding field from Part 1, Step 3 above.
11. Select “Identity Providers” on the left-hand menu, select “Bitium” (or whatever you named it in Step 3 above) and copy the “Provider ARN”. Paste it into the corresponding field in Bitium just as you did with the Role ARN.
12. Go back to the Single Sign-On tab for AWS, confirm that you have pasted in all of the correct information from the steps above, and click the “Save Changes” button.
Once this completes, “SAML Enabled” will be illuminated in green.
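The two places this setup most often goes wrong are the “Verify Role Trust” screen (Step 7 of Part 2, which shows the trust policy that the WebSSO role type generates) and the two ARNs copied in Steps 10 and 11, which are easy to swap or to copy from the wrong account. The Python below is an added example, not code from Bitium or AWS: it checks that a Role ARN and Provider ARN are well formed, belong to the same account, and that the role’s trust policy actually trusts that provider for sts:AssumeRoleWithSAML with the console audience https://signin.aws.amazon.com/saml. The account id 123456789012, the role name BitiumSSO and the embedded trust policy are constructed placeholders; the policy’s shape (Federated principal, AssumeRoleWithSAML, SAML:aud condition) is what the WebSSO role type creates.

```python
import json
import re

# Constructed sample of the trust policy the "Grant Web Single Sign-On (WebSSO)
# access to SAML providers" role type attaches to the new role. The account id
# and provider name are placeholders; substitute the values from your console.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/Bitium"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Audience the AWS console expects in a SAML assertion.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# IAM role / SAML provider ARN: arn:<partition>:iam::<12-digit account>:<type>/<name>
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):iam::(?P<account>\d{12}):"
    r"(?P<type>role|saml-provider)/(?P<name>[\w+=,.@/-]+)$"
)


def parse_iam_arn(arn, expected_type):
    """Return (account, name) for a role or saml-provider ARN, else raise ValueError."""
    m = ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM role/provider ARN: {arn!r}")
    if m.group("type") != expected_type:
        raise ValueError(f"expected a {expected_type} ARN, got {m.group('type')}: {arn!r}")
    return m.group("account"), m.group("name")


def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_sso_config(role_arn, provider_arn, trust_policy_json):
    """Cross-check the ARNs pasted into Bitium against the role's trust policy.

    Returns a list of problems; an empty list means the three pieces agree.
    """
    problems = []
    try:
        role_account, _ = parse_iam_arn(role_arn, "role")
        provider_account, _ = parse_iam_arn(provider_arn, "saml-provider")
    except ValueError as exc:
        return [str(exc)]
    if role_account != provider_account:
        problems.append("role and provider ARNs belong to different accounts")

    policy = json.loads(trust_policy_json)
    statements = as_list(policy.get("Statement"))
    if statements and isinstance(statements[0], dict) is False:
        statements = [policy["Statement"]]

    # Only Allow statements for AssumeRoleWithSAML let a SAML login assume the role.
    saml_statements = [
        st for st in statements
        if st.get("Effect") == "Allow"
        and "sts:AssumeRoleWithSAML" in as_list(st.get("Action"))
    ]
    if not saml_statements:
        problems.append("no Allow statement for sts:AssumeRoleWithSAML in trust policy")
        return problems

    # The Federated principal must be exactly the provider ARN pasted into Bitium.
    matching = [
        st for st in saml_statements
        if provider_arn.strip() in as_list(st.get("Principal", {}).get("Federated"))
    ]
    if not matching:
        problems.append("trust policy does not list the pasted Provider ARN as a Federated principal")
        return problems

    # Without the SAML:aud condition any assertion the IdP issues could assume the role.
    for st in matching:
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            problems.append(f"SAML:aud condition is {aud!r}, expected {AWS_SAML_AUDIENCE!r}")
    return problems


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/BitiumSSO"          # placeholder
    provider = "arn:aws:iam::123456789012:saml-provider/Bitium"  # placeholder
    for issue in check_sso_config(role, provider, SAMPLE_TRUST_POLICY) or ["ok"]:
        print(issue)
```

Run it with the Role ARN and Provider ARN you are about to paste into Bitium and the trust policy JSON shown on the role’s “Trust relationships” tab; any line other than “ok” points at the step to revisit.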