Identity Provider: AWS Single Sign-On (AWS SSO), now named AWS IAM Identity Center
AWS User permission: AWSSSOMemberAccountAdministrator
Prerequisites
1. AWS roles/permissions that allow you to create applications in IAM Identity Center and assign users to them.
2. An EDB Account (create one if you don't have one). Log in to the EDB Postgres AI Console and switch to the correct organization if needed.
3. A verified domain. Verification requires adding a TXT record to the domain's DNS, so you may need to engage the customer's IT team. The detailed steps are in the "Add a domain" documentation.
Steps
0. Log in to the EDB Postgres AI Console with your EDB Account, click your profile (upper-right corner) and go to 'Settings' -> 'Identity Provider'.
1. Go to AWS IAM Identity Center.
2. You will be asked to enable AWS SSO, or to switch to the region where it is already enabled. An AWS Organization supports AWS SSO in only one AWS Region at a time.
3. Go to Applications (or 'Manage assignments to your cloud applications').
4. Add a new application.
5. Choose 'Add a custom SAML 2.0 application'.
6. Give your application a name and scroll down.
7. Scroll down further and click 'if you don't have a metadata file ....'.
8. Copy 'Assertion Consumer Service URL' and 'Audience URI' from the BigAnimal Identity Provider page and paste them into the corresponding fields of the AWS application (the application ACS URL and SAML audience). They must match exactly, or the Console will reject the SAML response.
9. Save Changes.
10. Switch to Attribute mappings
11. Add the attribute mappings below and Save changes. Each row maps an AWS SSO user attribute to the attribute name BigAnimal expects in the SAML assertion.

    AWS SSO value               Attributes in BigAnimal
    ${user:givenName}           http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    ${user:familyName}          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    ${user:preferredUsername}   http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    ${user:name}                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    ${user:email}               http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
12. Switch to Assigned users and assign the application to the users who need access. Only assigned users can complete the sign-in; assign the least set of users that actually needs the Console.
EDB Postgres AI: set up the IdP
13. Go to the EDB Postgres AI Console 'Identity Provider' page and scroll down to section 3, SAML Settings.
    a. Single Sign-On URL: copy it from AWS SSO -> Configuration -> AWS SSO metadata -> AWS SSO sign-in URL.
    b. Certificate: download it from AWS SSO -> Configuration -> AWS SSO metadata and upload it to BigAnimal. The Console uses this certificate to verify the signature on the SAML response, so if AWS rotates the certificate you must upload the new one or sign-in will fail.
    c. Request Binding: choose 'HTTP POST'.
    d. Response Signature Algorithm: rsa-sha256 is recommended. rsa-sha1 is deprecated and should not be used.
14. Click Test Connection. You will be redirected to the AWS login page; log in as a user who has been assigned the application (Step 12).
15. If Test Connection succeeds, click the 'Sign in' button to complete the Sign Up process.
16. After the domain is verified (see "Add a domain"), enter your email address in the email box on the Identity Provider page.
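If Test Connection fails, the two usual causes are a mismatch between the ACS URL / Audience URI configured in AWS and the ones the Console expects (steps 8 and 13), and attribute names that don't match the mapping table in step 11. The script below is an added example, not part of this page or of any EDB or AWS tool: it parses the IdP metadata you download in step 13 to extract the HTTP-POST sign-in URL and the signing certificate, and decodes a captured SAMLResponse (the form value posted to the ACS URL, visible in the browser's network tab) to report destination, audience and claim-name mismatches. The hosts, the audience string and the certificate bytes in the sample input are constructed for the example. It uses only the standard library and does not verify the XML signature, so it is a configuration check, not a security control.

```python
"""Sanity-check an AWS IAM Identity Center (AWS SSO) SAML setup for the
EDB Postgres AI Console. Two stdlib-only helpers:

  parse_idp_metadata(xml)   -> entityID, HTTP-POST sign-in URL and signing cert(s)
                               from the IdP metadata downloaded in step 13
  check_saml_response(...)  -> compare a captured SAMLResponse against the ACS URL,
                               audience and claim names the Console expects (step 11)

It does NOT verify the XML signature; it only finds configuration mistakes."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# The five attribute names from the mapping table in step 11.
REQUIRED_CLAIMS = {CLAIMS + n for n in
                   ("givenname", "surname", "name", "nameidentifier", "emailaddress")}


def parse_idp_metadata(metadata_xml: str) -> dict:
    """Extract entityID, the HTTP-POST sign-in URL and the signing certs (as PEM)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == POST_BINDING), None)
    if sso_url is None:
        raise ValueError("no HTTP-POST SingleSignOnService (Request Binding must be HTTP POST)")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' means signing and encryption
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))   # tolerate line-wrapped base64
            body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
            certs.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def check_saml_response(saml_response_b64: str, expected_acs: str, expected_audience: str) -> dict:
    """Decode a SAMLResponse form value and report destination/audience mismatches
    and missing or misnamed attribute claims. Signature is NOT checked here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    audience = root.find(".//saml:Audience", NS)
    return {
        "destination_ok": root.get("Destination") == expected_acs,
        "audience_ok": audience is not None and audience.text == expected_audience,
        "missing_claims": sorted(REQUIRED_CLAIMS - names),
        "unexpected_claims": sorted(names - REQUIRED_CLAIMS),
    }


# ---- constructed sample input: hypothetical hosts, and the cert bytes are NOT a real cert ----
_FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.example.test/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed response: 'emailaddress' is missing and a misspelled 'email' claim is sent instead.
_ATTRS = "".join(
    f'<saml:Attribute Name="{CLAIMS}{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
    for n, v in (("givenname", "Jane"), ("surname", "Doe"), ("name", "jdoe"),
                 ("nameidentifier", "jdoe"), ("email", "jdoe@example.test")))
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:sp-audience</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{_ATTRS}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA)["sso_url"])
    print(check_saml_response(SAMPLE_RESPONSE_B64,
                              "https://sp.example.test/saml/acs", "urn:example:sp-audience"))
```

Run it against real input by replacing SAMPLE_METADATA with the downloaded metadata file and SAMPLE_RESPONSE_B64 with the SAMLResponse value from the browser; a non-empty missing_claims list points at a row of the step 11 table, and destination_ok false means the ACS URL in AWS does not match the one shown on the Identity Provider page.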
Good to know
IdP-initiated sign-in is not supported; only SP-initiated sign-in (starting from the EDB Postgres AI Console) works.
So you will get an error message if you try to open BigAnimal from the AWS access portal. Always start from the Console sign-in page.
Screen recording: https://drive.google.com/file/d/1mydkNtD0bIJWMykO5OlZ2dAMoxLss9Hp/view?usp=sharing