When you want to configure a SAML identity provider to enable SSO for AWS, you will find that CloudFormation does not provide support for this. In this blog we will present you with a custom provider which will allow you to configure the SAML identity provider in just a few lines!
How to use
To add a SAML identity provider using your AWS CloudFormation template, use a Custom::SAMLProvider resource with a reference to the metadata URL:
SAMLProvider:
  Type: Custom::SAMLProvider
  Properties:
    Name: auth0
    URL: https://auth0.com/mytenant/providerurl
    ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-saml-provider'
When the provider is created, it will load the metadata of the identity provider from the specified URL. If you want a static approach, you can also specify the metadata itself:
SAMLProvider:
  Type: Custom::SAMLProvider
  Properties:
    Name: auth0
    Metadata: |
      <EntityDescriptor entityID="urn:binxio.auth0.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
        ....
      </EntityDescriptor>
    ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-saml-provider'
On completion, the resource returns the ARN of the SAML provider. That is all there is to it. From there on, you can configure IAM roles that trust the identities established through this provider in your account.
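To show what such a custom resource has to do behind the scenes, here is an added example in the shape a Custom::SAMLProvider Lambda could take. It is not the binxio cfn-saml-provider code; it assumes the event/property layout shown in the templates above (Name plus either URL or Metadata, the ARN reported back as the physical resource id), uses the IAM API calls create_saml_provider, update_saml_provider and delete_saml_provider, and injects the IAM client so that a constructed fake (FakeIAM, placeholder account 123456789012) and a constructed metadata document stand in for boto3 and the network. It also builds the role trust policy that consumes the returned ARN, restricted to the AWS SAML audience.

```python
# Added example, not the project's own code: a minimal Custom::SAMLProvider
# handler with the checks worth having before an identity provider's metadata
# is trusted, plus the IAM role trust policy that consumes the returned ARN.
import io
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from urllib.parse import urlparse
from urllib.request import urlopen

SAML_METADATA_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in assertions

# Constructed sample metadata (entityID borrowed from the template above).
SAMPLE_METADATA = (
    f'<EntityDescriptor entityID="urn:binxio.auth0.com" xmlns="{SAML_METADATA_NS}">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    "</EntityDescriptor>"
)


def validate_metadata(xml_text: str) -> str:
    """Return the entityID if the document is a SAML 2.0 EntityDescriptor, else raise.

    Failing here gives a clear CloudFormation error instead of an opaque IAM one,
    and stops a mistyped URL (some unrelated HTML page) from being handed to IAM.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_METADATA_NS}}}EntityDescriptor":
        raise ValueError(f"expected a SAML 2.0 EntityDescriptor, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    return entity_id


def fetch_metadata(url: str, opener=urlopen) -> str:
    """Download metadata; the URL is the trust anchor for the whole federation, so insist on HTTPS."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"metadata URL must use https, got {url}")
    with opener(url) as resp:
        return resp.read().decode("utf-8")


def resolve_metadata(props: dict, opener=urlopen) -> str:
    """Honour exactly one of the Metadata (inline) or URL (fetched) properties."""
    if ("Metadata" in props) == ("URL" in props):
        raise ValueError("specify exactly one of Metadata or URL")
    return props["Metadata"] if "Metadata" in props else fetch_metadata(props["URL"], opener)


def handle(event: dict, iam, opener=urlopen) -> dict:
    """Process a CloudFormation custom resource event; PhysicalResourceId is the provider ARN."""
    request, props = event["RequestType"], event["ResourceProperties"]
    if request == "Delete":
        iam.delete_saml_provider(SAMLProviderArn=event["PhysicalResourceId"])
        return {"PhysicalResourceId": event["PhysicalResourceId"], "Data": {}}
    metadata = resolve_metadata(props, opener)
    validate_metadata(metadata)
    if request == "Update" and event["OldResourceProperties"]["Name"] == props["Name"]:
        arn = event["PhysicalResourceId"]  # same name: replace the metadata in place
        iam.update_saml_provider(SAMLProviderArn=arn, SAMLMetadataDocument=metadata)
    else:
        # Create, or a rename on Update: IAM provider names are immutable, so a new
        # provider is made; CloudFormation then sends Delete for the old ARN.
        arn = iam.create_saml_provider(Name=props["Name"], SAMLMetadataDocument=metadata)["SAMLProviderArn"]
    return {"PhysicalResourceId": arn, "Data": {"Arn": arn}}


def saml_role_trust_policy(provider_arn: str) -> dict:
    """Trust policy allowing only assertions from this provider, for the AWS audience, to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client (placeholder account id); records calls."""
    ACCOUNT = "123456789012"

    def __init__(self):
        self.providers = {}

    def create_saml_provider(self, Name, SAMLMetadataDocument):
        arn = f"arn:aws:iam::{self.ACCOUNT}:saml-provider/{Name}"
        self.providers[arn] = SAMLMetadataDocument
        return {"SAMLProviderArn": arn}

    def update_saml_provider(self, SAMLProviderArn, SAMLMetadataDocument):
        self.providers[SAMLProviderArn] = SAMLMetadataDocument
        return {"SAMLProviderArn": SAMLProviderArn}

    def delete_saml_provider(self, SAMLProviderArn):
        del self.providers[SAMLProviderArn]


def serve_sample(url):
    """Constructed opener: returns the sample metadata for any URL (BytesIO acts as the response)."""
    return io.BytesIO(SAMPLE_METADATA.encode("utf-8"))


if __name__ == "__main__":
    iam = FakeIAM()
    event = {"RequestType": "Create",
             "ResourceProperties": {"Name": "auth0", "URL": "https://auth0.com/mytenant/providerurl"}}
    result = handle(event, iam, opener=serve_sample)
    print(result["PhysicalResourceId"])
    print(saml_role_trust_policy(result["PhysicalResourceId"]))
```

Two design points are worth noting. The metadata URL is the trust anchor for the whole federation: whoever controls what that URL serves controls who can log in, so the handler refuses plain http and checks that what came back is actually an EntityDescriptor. And because IAM SAML provider names cannot be changed, a rename is handled as create-new-then-let-CloudFormation-delete-old, which is why the returned PhysicalResourceId must be the ARN.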
Deploy the custom provider
To deploy the provider, type:
aws cloudformation deploy \
  --capabilities CAPABILITY_IAM \
  --stack-name cfn-saml-provider \
  --template-file ./cloudformation/cfn-saml-provider.json
This CloudFormation template will use our pre-packaged provider from s3://binxio-public-${AWS_REGION}/lambdas/cfn-saml-provider-latest.zip.
Demo
To install the simple sample of the SAML provider, type:
aws cloudformation deploy \
  --stack-name cfn-saml-provider-demo \
  --template-file ./cloudformation/demo-stack.json
To validate the result, type:
aws iam list-saml-providers
Conclusion
With just a few lines of code you can configure the SAML provider required to implement SSO for your AWS accounts, infrastructure as code style. And that is the only way you want it, right?
You may also like How to get AWS credentials and access keys using the Auth0 SAML identity provider and How to limit access to AWS Resources based on SAML Attributes using CloudFormation.