Federating AWS SSO with Google Apps

Posted by Elliot Segler on Thu 10 March 2016 Updated on Thu 10 March 2016

I recently needed to set up some IAM federation, as I wanted to use SSO from my Google Apps account. Previously, I've set this up with ADFS and it works a treat. Setting up the latter gives you really nice AD groups mapped into roles and generally a great experience. Setting this up for Google Apps was less trivial and it's not well documented.

For my scenario, I'm going to be setting up two roles to be used for my Google SSO. Let's call these GooglePowerUser and GoogleAdminUser. We'll come back to these later.

Note 1: I apologize in advance for the to-ing and fro-ing in the instructions, but you'll need to flick between the Google Apps Admin console and the AWS Console/CLI a bit.

Note 2: I'm also going to provide instructions for the CLI because it's easier for me, but everything here is doable from the console and I've provided links to the real documentation for you.


Set up a custom schema element to hold role information for your users

By default, when you map the attributes for your SAML App that pass the Role to AWS, you'll only be able to select from an existing attribute on your users. Examples include Job Title, Cost Center and Department. I've seen other articles mention putting a single role ARN in one of these, but those fields are really not suitable for that information (especially if you already use them for their intended purpose).

The solution is to set up a Custom attribute for your users.

  1. Open the Schema Insert Page in the Google Admin Console
  2. Enter my_customer in customerId
  3. To the right of the Request Body, select the Freeform Editor from the dropdown list and then paste the following (the schema is named AWS_SAML and holds a multi-valued string field called role):
    {
      "fields":
      [
        {
          "fieldName": "role",
          "fieldType": "STRING",
          "multiValued": true,
          "readAccessType": "ADMINS_AND_SELF"
        }
      ],
      "schemaName": "AWS_SAML"
    }
    
  4. Click Authorize and Execute

Set up the Google Apps SAML App for AWS

You'll need to configure your Google Apps account as an identity provider (or IdP) for AWS to use.

Google have written some pretty good instructions for this here. Go check them out and run through them then come back here or follow my brief instructions below:

  1. Log into your Google Apps Admin Console
  2. Head to the Apps Section, then SAML apps
  3. Click Add a service/App to your domain
  4. Select Amazon Web Services
  5. Click the Download button next to the IDP metadata and save it somewhere for later
  6. Change the Application name, Description and Logo if you want to; otherwise continue on
  7. Set up the Service Provider Details
  8. Make sure the ACS URL and Entity ID are both set to https://signin.aws.amazon.com/saml.
  9. Also make sure the Start URL is blank and Signed Response is unchecked.
  10. You'll want the Name ID to be mapped to Basic Information: Primary Email
  11. Set up the Attribute mapping with the following:
      - https://aws.amazon.com/SAML/RoleSessionName : Basic Information : Primary Email
      - https://aws.amazon.com/SAML/Role : AWS_SAML : Role
  12. Click Finish
  13. Turn the App on by clicking on the settings button, then Turn ON for everyone. Confirm the dialog when asked

Setting up the IdP in AWS

You'll need to tell AWS that you want to use the Google App you just set up as an identity provider.

You can do that with the command below:

# aws iam create-saml-provider --saml-metadata-document file://GoogleIDPMetadata-yourdomain.xml --name GoogleAppsProvider
{
    "SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
}

Make sure you substitute GoogleIDPMetadata-yourdomain.xml with the path to the IDP metadata file you downloaded earlier.

This will spit out a response with the ARN of the identity provider you created, so make sure you note this down for later.


Create some roles

  1. You'll need to first craft a Trust policy document to be used with the Roles you'll create. Create a new file GoogleApps_TrustPolicy.json with the following contents:
    {
      "Version": "2012-10-17",
      "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
        },
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
          "StringEquals": {
            "SAML:aud": "https://signin.aws.amazon.com/saml"
          }
        }
      }
      ]
    }
    

Make sure you replace arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider with the ARN of the identity provider you created earlier.

  2. Run the following command to create the role. Note down the Arn that is returned, as we'll need it later

    # aws iam create-role --role-name GoogleAppsAdminDemo --assume-role-policy-document file://GoogleApps_TrustPolicy.json
    {
      "Role": {
      "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Action": "sts:AssumeRoleWithSAML",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "SAML:aud": "https://signin.aws.amazon.com/saml"
                      }
                  },
                  "Principal": {
                      "Federated": "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
                  }
              }
          ]
      },
      "RoleId": "AROAIYGHGSVXXXXXXXXXX",
      "CreateDate": "2016-03-10T12:19:31.177Z",
      "RoleName": "GoogleAppsAdminDemo",
      "Path": "/",
      "Arn": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo"
      }
    }
    
  3. At this stage, I've not attached any permissions to the role - you can read how to do that here


Add some roles to your Google Apps Users

  1. Open the Patch Users Page in the Google Admin console
  2. In the userKey put the email address of the user you want to update
  3. To the right of Request body, select Freeform editor from the drop down list, and paste the following text, replacing <role ARN> and <provider ARN> with the appropriate values you've collected before. The key under customSchemas must be the schema name you created earlier (AWS_SAML), and each value is the role ARN and the provider ARN separated by a comma:

    {
      "customSchemas":
      {
        "AWS_SAML":
        {
          "role": [
          {
           "value": "<role ARN>,<provider ARN>",
           "customType": "SSO"
          }
          ]
        }
      }
    }
    
    

    Mine looked something like this (with two roles):

    {
      "customSchemas":
      {
        "AWS_SAML":
        {
          "role": [
          {
           "value": "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider",
           "customType": "SSO"
          },
          {
           "value": "arn:aws:iam::123456789012:role/GoogleAppsUserDemo,arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider",
           "customType": "SSO"
          }
          ]
        }
      }
    }
    
  4. Click Authorize and Execute
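The AWS-side JSON above (the trust policy and the per-user role attribute) is easy to get subtly wrong by hand: a trailing comma, a role and provider from different accounts, or a schema key that doesn't match the one you created. The following is an added example, not code from the original post, that builds both documents from the ARNs and validates the pairs first; the ARNs, the AWS_SAML schema name and the SSO customType are the ones used in this post, and the account-match check is an assumption about the format AWS expects.

```python
import json
import re

# Shapes of the two ARNs that make up one AWS Role attribute value.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

# Example values taken from this post; substitute your own.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/GoogleAppsProvider"
ROLE_ARNS = [
    "arn:aws:iam::123456789012:role/GoogleAppsAdminDemo",
    "arn:aws:iam::123456789012:role/GoogleAppsUserDemo",
]


def build_trust_policy(provider_arn):
    """Trust policy that lets only this SAML provider assume the role, and only
    when the assertion's audience is the AWS sign-in endpoint."""
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError("not a SAML provider ARN: %s" % provider_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def role_attribute_value(role_arn, provider_arn):
    """One Role attribute value: 'role ARN,provider ARN'. Assumed check: both
    ARNs must belong to the same AWS account, or sign-in fails later."""
    r, p = ROLE_ARN_RE.match(role_arn), PROVIDER_ARN_RE.match(provider_arn)
    if not r or not p:
        raise ValueError("malformed ARN pair: %s / %s" % (role_arn, provider_arn))
    if r.group(1) != p.group(1):
        raise ValueError("role and provider are in different accounts")
    return "%s,%s" % (role_arn, provider_arn)


def build_user_patch(role_arns, provider_arn, schema="AWS_SAML"):
    """Directory API users.patch body filling the multi-valued 'role' field of
    the custom schema created earlier (AWS_SAML in this post)."""
    values = [{"value": role_attribute_value(a, provider_arn), "customType": "SSO"}
              for a in role_arns]
    return {"customSchemas": {schema: {"role": values}}}


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(PROVIDER_ARN), indent=2))
    print(json.dumps(build_user_patch(ROLE_ARNS, PROVIDER_ARN), indent=2))
```

Save the first document as GoogleApps_TrustPolicy.json for aws iam create-role, and paste the second into the Patch Users freeform editor.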


Test it out

Open your Google Apps account and then select the Amazon Web Services app.

It should redirect you to a page that lets you select a role to log in with.

References

https://support.google.com/a/answer/6194963?hl=en

tags: google, aws, iam, sso, saml