Use 探花大神 SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Automate and centralize AWS IAM Identity Center user and group management through the full lifecycle by configuring an Identity Management integration between your 探花大神 account and AWS IAM Identity Center.
Read this article to learn how to configure the AWS IAM Identity Center Integration.
Prerequisites
- A 探花大神 administrator account
- 探花大神 SSO package or higher, or the SSO add-on feature
- Administrative access to the AWS Organizations management account (an IAM administrator is sufficient; avoid using the root user for day-to-day setup)
- AWS organization
Important Considerations
- Single sign-on for AWS IAM Identity Center is recommended, but not required, when creating an Identity Management integration with AWS IAM Identity Center
- SAML is the recommended method for managing secure user authentication into AWS IAM Identity Center
- For the connector to work, usernames in AWS IAM Identity Center need to match email addresses in 探花大神
- If you need to renew your token, you must deactivate the Identity Management integration first, update your token and then reactivate the integration
- If you deactivate Identity Management integration on an AWS IAM Identity Center application connector, you will need to generate a new access token if you want to activate it again
- If you delete an integrated AWS IAM Identity Center application from your Applications list, the application is removed from 探花大神, but any previously bound users remain active in AWS IAM Identity Center. These users will be able to log in to AWS IAM Identity Center with the password they used prior to enablement of SSO to the AWS IAM Identity Center application from your 探花大神 account
- When a user is deleted in 探花大神, the user is deleted from AWS IAM Identity Center
- Once the Identity Source is changed to "External Identity Provider" and SCIM Provisioning is enabled in AWS IAM Identity Center, you can no longer create or update users and groups in AWS IAM Identity Center:
- To manage AWS IAM Identity Center users who were created before SCIM provisioning was enabled, you need to add them in 探花大神 and add them to a User Group that is associated with the AWS IAM Identity Center application connector
- To manage AWS IAM Identity Center groups that were created before SCIM provisioning was enabled, in 探花大神, you have to select the Enable management of User Groups and Group Membership in this application. Then, create user groups with the same name as your existing AWS IAM Identity Center groups, and add those groups to the AWS IAM Identity Center application connector
- The AWS IAM Identity Center ListGroups API returns at most 50 groups, so keep the number of groups bound to the connector at or below that
- Group names in 探花大神 cannot contain a ":" character; groups with such names won't sync
- The username in AWS IAM Identity Center must match the email address in 探花大神. If users were created manually in AWS IAM Identity Center before 探花大神 was configured as the external identity source, each username must be updated to the email address recorded for that user in 探花大神. If the username is not a valid 探花大神 email, the following occurs:
- 探花大神 can't take over management of the user in AWS IAM Identity Center
- The user can't log in via SSO
- The user receives an invalid MFA credentials error
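The constraints above (username must equal the 探花大神 email, no ":" in group names, at most 50 groups returned by ListGroups) are the usual causes of a silent takeover or sync failure. The following pre-flight audit is an added example, not 探花大神 or AWS code; it runs over constructed sample data shaped like a 探花大神 user export and the userName values already present in Identity Center. In practice you would feed it your own export and the output of `aws identitystore list-users` / `list-groups`.

```python
"""Pre-flight audit for a 探花大神 -> AWS IAM Identity Center SCIM integration.

Added example (not vendor code). Checks the constraints this article lists
before the identity source is switched, when they are still cheap to fix.
"""
from dataclasses import dataclass

MAX_LISTED_GROUPS = 50  # ListGroups ceiling quoted in this article


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" blocks takeover/sync; "warning" is worth a look
    subject: str
    message: str


def audit(jc_users, idc_usernames, connector_groups):
    """jc_users: {email: (first, last)} from 探花大神.
    idc_usernames: userName values already present in Identity Center.
    connector_groups: names of the User Groups bound to the connector."""
    findings = []
    by_lower = {email.lower(): email for email in jc_users}

    for username in idc_usernames:
        if username in jc_users:
            continue  # exact match: 探花大神 will take this user over
        if username.lower() in by_lower:
            findings.append(Finding(
                "warning", username,
                f"differs only by case from 探花大神 email {by_lower[username.lower()]}; "
                "rename it to the exact value"))
        else:
            findings.append(Finding(
                "error", username,
                "pre-existing Identity Center user whose userName is not a 探花大神 "
                "email: rename it before enabling SCIM, or the user cannot be taken "
                "over and will fail SSO with an MFA error"))

    for group in connector_groups:
        if ":" in group:
            findings.append(Finding("error", group,
                                    "group name contains ':' and will not sync"))
    if len(connector_groups) > MAX_LISTED_GROUPS:
        findings.append(Finding(
            "warning", "groups",
            f"{len(connector_groups)} groups bound to the connector but ListGroups "
            f"returns at most {MAX_LISTED_GROUPS}"))
    return findings


def sample_audit():
    """Constructed sample data (not from a real tenant)."""
    jc_users = {
        "jane.doe@example.com": ("Jane", "Doe"),
        "sam.lee@example.com": ("Sam", "Lee"),
        "pat.ng@example.com": ("Pat", "Ng"),
    }
    idc_usernames = ["jane.doe@example.com", "Sam.Lee@example.com", "pat.ng"]
    groups = ["aws-admins", "ops:oncall"] + [f"team-{i}" for i in range(50)]
    return audit(jc_users, idc_usernames, groups)


if __name__ == "__main__":
    for finding in sample_audit():
        print(f"[{finding.severity}] {finding.subject}: {finding.message}")
```

Run it before changing the identity source; every "error" line is a user that 探花大神 will not be able to manage or a group that will never appear in Identity Center.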
Attribute Considerations
- A default set of attributes are managed for users. See the Attribute Mappings section for more details
- If the display name is updated in 探花大神, AWS IAM Identity Center won't overwrite it
- When you update a Group name in the 探花大神 administrator portal, it will update in AWS IAM Identity Center as well
- When a new user is provisioned to AWS IAM Identity Center, the displayName attribute is set to firstName, a space, and lastName (displayName = firstName + " " + lastName). For example:
- firstName = "John"
- lastName = "Doe"
- displayName = "John Doe"
Creating a new 探花大神 Application Integration
- Log in to the 探花大神 administrator portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.
- Optionally, expand Advanced Settings to specify a value for the SSO IdP URL. If no value is entered, it will default to https://sso.jumpcloud.com/saml2/<applicationname>.
The SSO IdP URL is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section
- Close to configure your new application at a later time
Configuring the SSO Integration
To configure AWS IAM Identity Center (part 1)
- Log in to the AWS IAM Identity Center management console.
- Under Enable IAM Identity Center, choose Enable.
- If there is no existing AWS organization, click Create AWS organization to create one.
- Under Recommended setup steps, select Choose your identity source.
- Next to Identity Source, click Change.
- Select External identity provider.
- In the Service provider metadata section, click Download metadata file.
- Keep the AWS console open; you will return to it in To configure AWS IAM Identity Center (part 2).
To configure 探花大神
Do not select Amazon Web Services (IAM) for this connector.
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- Under Service Provider Metadata, click Upload Metadata.
- Browse to the location of the Service Provider Metadata downloaded from the previous section and click Open.
- Once this file is uploaded, all fields should populate automatically.
- Click Export Metadata under 探花大神 Metadata.
- Optionally, if you want to force SP Initiated Authentication, in the Login URL field, replace the value with your Login URL.
This is the URL provided by Amazon to log directly into your company-specific AWS access portal.
- Click save.
To configure AWS IAM Identity Center (part 2)
- Go back to the AWS IAM Identity Center management console.
- In the Identity provider metadata section, click Choose file, and upload the 探花大神 metadata file.
- Click Next: Review.
- In the text box, type ACCEPT to change your identity source.
- Click Change identity source.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to 探花大神, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the 探花大神 administrator portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the 探花大神 User Portal
- Go to Applications and click an application tile to launch it
- 探花大神 asserts the user's identity to the SP and the user is authenticated without having to log in to the application
SP-initiated user workflow
- Go to the SP application login. Generally, there is either a special link or an adaptive username field that detects that the user is authenticated through SSO
This varies by SP.
- Login redirects the user to 探花大神, where the user enters their 探花大神 credentials
- After the user logs in successfully, they are redirected back to the SP and automatically logged in
Configuring the Identity Management Integration
- Create a new application or select it from the Configured Applications list.
- Select the Identity Management tab.
- Click Configure, and keep the window available.
- In a new window, log in to the AWS administrator console.
- Go to All Services > Security, Identity & Compliance, and select IAM Identity Center (formerly AWS Single Sign-On).
- Under Recommended setup steps, select Choose your identity provider.
- In the Identity source section, select Enable automatic provisioning.
- Copy the SCIM Endpoint URL from the Inbound automatic provisioning modal.
- Go back to the AWS IAM Identity Center application connector in 探花大神.
- Click Enable management of User Groups and Group Membership in this application if you want to provision, manage, and sync groups.
- In the SP Base URL field (required), paste the SCIM Endpoint URL you copied from AWS.
- Go back to the AWS IAM Identity Center Inbound automatic provisioning modal. Click Show token, then copy the token. Important: After you click Show token, keep the window open until you have copied the token and entered it into 探花大神. Once you close the Inbound automatic provisioning modal, the token is not shown again.
- Go back to the AWS IAM Identity Center application connector in 探花大神. In the Token Key field (required), paste the access token you copied from AWS.
- Click Activate.
- You receive a confirmation that the Identity Management integration has been successfully verified and a Public Certificate is created. You can download the certificate from here.
- Click save.
- After the application is saved, it appears in the SSO Applications list. You can now connect users to the application in 探花大神 to provision them in AWS IAM Identity Center. Learn how to Authorize Users to an SSO Application.
To configure Attribute Based Access Control (ABAC)
AWS IAM Identity Center supports the use of attributes to control access to your AWS resources across multiple AWS accounts. This authorization strategy is known as attribute-based access control (ABAC). Within the AWS IAM Identity Center console, you can define fine-grained permissions and policies based on attributes sent from 探花大神. Attributes used for ABAC are called tags in AWS. Using user attributes as tags in AWS helps you simplify the process of creating and managing permissions in AWS and allows you to extend your zero trust security model to your AWS resources.
Configuring ABAC in AWS IAM Identity Center is done through the Attributes for access controls page in the AWS IAM Identity Center console. There are two ways to configure ABAC. You can use SCIM user attributes or SAML attributes.
Important: In scenarios where the same attributes are sent to AWS IAM Identity Center through SAML and SCIM, the SAML attributes values take precedence in access control decisions.
To enable ABAC in AWS IAM Identity Center
To use attribute-based access control (ABAC), you first need to enable the Attributes for access control feature in the AWS IAM Identity Center console:
- Log in to the AWS IAM Identity Center console.
- Click Settings from the left hand navigation panel.
- On the Settings page, under Identity source, next to Attributes for access control, click Enable.
To configure ABAC Using SCIM User Attributes
You can select user attributes sent to AWS IAM Identity Center via the 探花大神 SCIM Identity Management integration to be used as attributes for managing access (ABAC) to your AWS resources. You then create a permission set in AWS IAM Identity Center that grants or denies access based on the attributes passed from 探花大神. For the list of user attributes 探花大神 sends, see Attribute Mappings, below.
- Log in to the AWS IAM Identity Center console.
- Click Settings from the left hand navigation panel.
- On Settings > Identity source, next to Attributes for access control, click View details.
- Enter a Key value.
- Note: You can provide any name you want. Key represents the name you are giving to the attribute for use in policies and is case sensitive. You need to specify that exact name in the policies you author for access control. The Key must also be named exactly the same in your aws:PrincipalTag condition key (i.e., "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}")
- Select the Value.
- Click Save changes.
To configure ABAC using SAML Attributes
You can configure SAML attributes for AWS IAM Identity Center to manage access to your AWS resources. The attributes that you define in 探花大神 will be passed in a SAML assertion to AWS IAM Identity Center. You then create a permission set in AWS IAM Identity Center to manage access based on the attributes you passed from 探花大神.
- In 探花大神, go to USER AUTHENTICATION > SSO Applications and open the AWS IAM Identity Center application you created when configuring SAML.
- Select the SSO tab.
- At the bottom of this tab you have User Attribute Mapping, click Add new attribute.
- To use one of the predefined 探花大神 Attribute values:
- In the Service Provider Attribute Name field, enter https://aws.amazon.com/SAML/Attributes/AccessControl:AttributeName, replacing AttributeName with the name of the attribute you are expecting in AWS IAM Identity Center. For example, https://aws.amazon.com/SAML/Attributes/AccessControl:Region
- In the 探花大神 Attribute Name field, select user attributes from your 探花大神 directory. For example, addresses.region.
- Repeat steps 1-2 for each additional attribute you want to map.
- Click save.
- To use dynamic attributes from the user or group record:
- In the Service Provider Attribute Name field, enter https://aws.amazon.com/SAML/Attributes/AccessControl:AttributeName, replacing AttributeName with the name of the attribute you are expecting in AWS IAM Identity Center. For example, https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter.
- In the 探花大神 Attribute Name field, select Custom User or Group Attribute.
- Enter a name for the attribute. For example, AWS-ABAC-Project.
- Repeat steps 1-3 for each additional attribute you want to map.
- Click save.
- Open the user or group record for which you want to pass a value for the attribute you created.
- In the Users or Group Details tab, go to the Custom Attributes section and click Add new custom attribute.
- Select string.
- For Attribute Name, enter the name of one of the custom attributes listed in the AWS IAM Identity Center configuration. For example, AWS-ABAC-Project.
- For Attribute Value, enter the value you want to send for the attribute.
- Repeat steps 1-5 for each additional attribute you want to map.
- Click save.
To use ABAC in Permission Policies
Once you have configured attributes for use with ABAC, you can create permission policies that use those attributes for controlling access to AWS resources, services, and actions.
To apply a permission policy from the AWS IAM Identity Center console:
- Log in to the AWS IAM Identity Center console.
- Navigate to AWS Accounts > Permission Sets.
- Select the permission set to which you want to add the policy.
- In the Permissions policy section, click Edit Permissions.
- Enter the JSON for the permission policy you want to add or update.
For example, denying IAM and Organizations actions to users whose Project tag is "Automation":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "iam:*",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribePolicy",
        "organizations:ListChildren",
        "organizations:ListParents",
        "organizations:ListPoliciesForTarget",
        "organizations:ListRoots",
        "organizations:ListPolicies",
        "organizations:ListTargetsForPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Project": "Automation"
        }
      }
    }
  ]
}
Or, denying every action except the global CloudFront and IAM services when the requested Region differs from the user's Region tag:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessByRegion",
      "Effect": "Deny",
      "NotAction": [
        "cloudfront:*",
        "iam:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "${aws:PrincipalTag/Region}"
        }
      }
    }
  ]
}
Note that a user with no Region tag never satisfies the StringNotEquals comparison with a Region value, so the second policy denies all non-exempt actions for that user. Make sure every user the permission set is assigned to carries the tag.
- Click Save Policy.
- Optionally, select the accounts to which the permission set is already provisioned and click Reprovision so the new or updated policy takes effect there. Otherwise, click Skip for now.
- If you don鈥檛 already have tags defined for your permission, click Add tags in the Tags section. Otherwise, click Edit Tags to add a new tag.
- Add all the attributes you will be using in your Permissions Policy.
- For example, Project and Region.
- *Optionally, enter a value for the Key.
- Note: Key is case sensitive and must exactly match the attribute you defined in Attributes for access control interface in the AWS IAM Identity Center console and in the SAML attributes you pass from 探花大神.
- Click Save changes.
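To see how the pieces above fit together, here is an added example (not 探花大神 or AWS code) that parses the AccessControl:* attributes out of a constructed SAML attribute statement like the one 探花大神 emits for the mappings configured earlier, merges them with SCIM-sourced attributes using the precedence rule stated above (SAML wins on a shared key), and evaluates the two Deny statements from this section against a request. The policy evaluator implements only the grammar those statements use (Action/NotAction with wildcards, StringEquals/StringNotEquals, ${aws:PrincipalTag/...} substitution); the action list of the first policy is abridged.

```python
"""ABAC walk-through: SAML/SCIM attributes -> principal tags -> Deny evaluation.

Added example, not vendor code. The assertion fragment and the tag values are
constructed for illustration.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ACCESS_CONTROL_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"

# Constructed sample (not a captured assertion): the attribute statement
# 探花大神 would send for a user mapped to AccessControl:Region (from
# addresses.region) and AccessControl:Project (from a custom attribute).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ACCESS_CONTROL_PREFIX}Region">
      <saml:AttributeValue>us-west-2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{ACCESS_CONTROL_PREFIX}Project">
      <saml:AttributeValue>Automation</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_access_control_tags(assertion_xml):
    """Extract {Key: value} from every AccessControl:* attribute in the assertion."""
    tags = {}
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if name.startswith(ACCESS_CONTROL_PREFIX):
            value = attr.find(f"{{{SAML_NS}}}AttributeValue")
            tags[name[len(ACCESS_CONTROL_PREFIX):]] = (value.text or "").strip()
    return tags


def principal_tags(saml_tags, scim_tags):
    """Merge both sources into the session's principal tags; on a shared key
    the SAML value wins, per the precedence rule stated in this article."""
    return {**scim_tags, **saml_tags}


# The two policies from this section (first one abridged to three actions).
DENY_BY_PROJECT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Action": ["iam:*", "organizations:DescribeAccount", "organizations:ListRoots"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalTag/Project": "Automation"}}}]}
DENY_BY_REGION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAccessByRegion",
    "Effect": "Deny",
    "NotAction": ["cloudfront:*", "iam:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": "${aws:PrincipalTag/Region}"}}}]}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _resolve(value, ctx):
    # Substitute ${aws:PrincipalTag/Key} from the request context. An unresolved
    # variable is kept as literal text (a simplification of IAM's handling); the
    # visible effect is the same: a user with no Region tag hits the region deny.
    return _VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), value)


def _action_matches(stmt, action):
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(stmt["Action"]) if "Action" in stmt else not hit(stmt["NotAction"])


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            equal = ctx.get(key) == _resolve(expected, ctx)
            if equal != (operator == "StringEquals"):
                return False
    return True


def explicitly_denied(policies, action, requested_region, tags):
    """True if any Deny statement in `policies` applies to the request."""
    ctx = {"aws:RequestedRegion": requested_region}
    ctx.update({f"aws:PrincipalTag/{k}": v for k, v in tags.items()})
    return any(stmt["Effect"] == "Deny"
               and _action_matches(stmt, action)
               and _condition_holds(stmt.get("Condition", {}), ctx)
               for policy in policies for stmt in policy["Statement"])


def demo():
    """Constructed scenarios; returns the derived tags and a deny verdict per case."""
    saml = saml_access_control_tags(SAMPLE_ASSERTION)
    # SCIM carries a stale Project value plus a key that SAML does not send.
    tags = principal_tags(saml, {"Project": "Research", "CostCenter": "4711"})
    policies = [DENY_BY_PROJECT, DENY_BY_REGION]
    return {
        "tags": tags,
        "iam in home region": explicitly_denied(policies, "iam:CreateUser", "us-west-2", tags),
        "ec2 in home region": explicitly_denied(policies, "ec2:DescribeInstances", "us-west-2", tags),
        "ec2 in other region": explicitly_denied(policies, "ec2:DescribeInstances", "us-east-1", tags),
        "cloudfront anywhere": explicitly_denied(policies, "cloudfront:ListDistributions", "us-east-1", tags),
        "no Region tag at all": explicitly_denied(policies, "s3:ListAllMyBuckets", "us-west-2", {"Project": "Research"}),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Two things the run makes concrete: the SAML Project value ("Automation") overrides the SCIM one ("Research"), so the IAM deny fires for this user even though SCIM would have exempted them; and a principal with no Region tag is denied every non-exempt action, which is why the tag keys configured under Attributes for access control must match the policy's aws:PrincipalTag keys exactly, case included.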
To update the AWS Token
AWS Tokens are generated with a validity of one year. When your token is set to expire in 90 days or less, AWS sends you reminders in the IAM Identity Center console and over the AWS Health Dashboard. 探花大神 will not send you any notifications. Your SCIM access token should be rotated before it expires to continually secure automatic provisioning of user and group information.
Ensure you have deactivated the Identity Management integration in 探花大神 before starting this section.
- Log in to the AWS IAM Identity Center console and click Go to Settings.
- Go to Identity Source > Actions dropdown > Manage provisioning.
- In the Access Token section, click Generate Token.
- Click Show token and copy the token.
The token is shown only once. Copy it to a secure location, such as the 探花大神 Password Manager, for future reference.
- If it is not already open, log in to the 探花大神 administrator portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for and select AWS IAM Identity Center from the Configured Applications list.
- Select the Identity Management tab.
- In the Token Key field, paste the token generated above and click Activate.
- Click Save.
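A mistyped or already-expired token only surfaces as a failed Activate in 探花大神, after the integration has been deactivated. The following added example (not 探花大神 or AWS code) checks an endpoint/token pair first: it issues one authenticated GET for /ServiceProviderConfig, the smallest read a SCIM 2.0 service exposes, and classifies the result. The HTTP transport is injectable so the function can be exercised offline; `fake_opener` is a constructed stand-in for the AWS SCIM endpoint, and the hostname and tokens in it are made up. It applies equally to the initial activation in the Identity Management section above.

```python
"""Probe a SCIM endpoint + bearer token before activating it in 探花大神.

Added example, not vendor code. Uses only the standard library.
"""
import json
import urllib.error
import urllib.request


def probe_scim(base_url, token, opener=urllib.request.urlopen, timeout=10):
    """Return ("ok", [supported features]) | ("bad_token", detail) | ("error", detail)."""
    if not base_url.startswith("https://"):
        # Never send a bearer token in the clear; AWS endpoints are HTTPS.
        return "error", "refusing to send the token over a non-TLS URL"
    req = urllib.request.Request(
        base_url.rstrip("/") + "/ServiceProviderConfig",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"})
    try:
        with opener(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            # The token itself is never logged or returned.
            return "bad_token", "rejected: generate a new token in Identity Center and re-activate"
        return "error", f"HTTP {e.code}"
    except urllib.error.URLError as e:
        return "error", str(e.reason)
    supported = sorted(k for k, v in body.items()
                       if isinstance(v, dict) and v.get("supported"))
    return "ok", supported


class _FakeResponse:
    def __init__(self, payload):
        self._payload = json.dumps(payload).encode()

    def read(self):
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(valid_token):
    """Constructed stand-in for urlopen: accepts exactly one bearer token and
    answers with a minimal ServiceProviderConfig document."""
    def _open(req, timeout=None):
        if req.get_header("Authorization") != f"Bearer {valid_token}":
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
        return _FakeResponse({
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
            "patch": {"supported": True},
            "filter": {"supported": True, "maxResults": 50},
            "bulk": {"supported": False},
        })
    return _open


if __name__ == "__main__":
    # Offline demonstration against the stub; swap in the real endpoint and
    # token (read from the environment, not hard-coded) to probe AWS.
    opener = fake_opener("s3cr3t-token")
    print(probe_scim("https://scim.example.test/scim/v2", "s3cr3t-token", opener=opener))
    print(probe_scim("https://scim.example.test/scim/v2", "expired-token", opener=opener))
```

Against the live endpoint, pass the SCIM Endpoint URL from the Inbound automatic provisioning modal as `base_url` and leave `opener` at its default; a "bad_token" result means rotate before touching the 探花大神 side.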
Attribute Mappings
The following table lists attributes that 探花大神 sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about 探花大神 Properties and how they work with system users in our .
AWS IAM Identity Center User Attributes
探花大神 Property | 探花大神 UI | SCIM v2 Mapping | AWS IAM Identity Center Value | Notes |
---|---|---|---|---|
username | Username | userName | userName | |
email | Company Email | emails.value | emails.value | |
displayname | Display Name | displayName | displayName | |
firstname | First Name | name.givenName | name.givenName | |
lastname | Last Name | name.familyName | name.familyName | |
user.state | User State | active | active | If User State is "Active", "active":true. If User State is "Suspended", "active":false |
job Title | Job Title | jobTitle | title | |
- | - | locale | locale | Set to a constant value "en-US". |
addresses.streetAddress | Work Street Address | addresses.streetAddress | addresses.streetAddress | |
addresses.locality | Work City | addresses.locality | addresses.locality | |
addresses.region | Work State | addresses.region | addresses.region | |
addresses.postalCode | Work Postal Code | addresses.postalCode | addresses.postalCode | |
addresses.country | Work Country | addresses.country | addresses.country | |
phoneNumbers.value | Work Phone | phoneNumbers.value | phoneNumbers.value | |
employeeIdentifier | Employee ID | employeeNumber | employeeNumber | |
company | Company | organization | organization | |
department | Department | department | department |
Group Attributes
探花大神 Property | 探花大神 UI Field Name | SCIM v2 Mapping | Application Value |
---|---|---|---|
name | Name | displayName | Name |
Group Management Considerations
Enabling Group Management
You must select the Enable management of User Groups and Group Membership in this application option to manage groups and group membership in the application from 探花大神.
Group Provisioning and Syncing
- Empty groups are not created
- 探花大神 takes over management of existing groups in the application when the user group name in 探花大神 matches the name of the group in the application
- All user groups associated with the application in 探花大神 are synced. Syncing occurs whenever there is a membership or group change event
- Group renaming is supported
- If a user group is disassociated from the application in 探花大神, syncing immediately stops and the group is left as-is in the application. All members of that user group are deactivated in the application unless they are associated with another active application group that is managed from 探花大神
Group Deletion
- Managed groups deleted in 探花大神 are deleted in the application
- All members of the deleted group are deactivated in the application, unless they are associated with another active application group that is managed from 探花大神
Disabling Group Management
- You can disable group and group membership management by unchecking the Enable management of User Groups and Group Membership in this application option
- The managed groups and group membership are left as-is in the application
- 探花大神 stops sending group membership information for the user, but the user's identity continues to be managed from 探花大神
Removing the Integration
These are steps for removing the integration in 探花大神. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and 探花大神 may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the 探花大神 administrator portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application you'd like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration or Bookmark
- Log in to the 探花大神 administrator portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application you'd like to deactivate and click to open its details panel.
- Select the SSO or Bookmark tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the 探花大神 administrator portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application you'd like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of applications you are deleting.
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.