Identity Provider: AWS Single Sign-on (AWS SSO)
AWS User permission: AWSSSOMemberAccountAdministrator
1. A user who has the role/permission in the Identity Provider to create applications and assign users to them.
2. A user who has completed registration at https://www.enterprisedb.com/accounts/register/biganimal and can log in to the BigAnimal portal (switch to the correct organization if applicable).
3. A verified domain. This may require engaging the customer's IT team to add a TXT record. For detailed steps, refer to the doc: Add a domain.
Log in to the BigAnimal portal via EDB Account, click Profile (upper right corner) and go to 'Settings' -> 'Identity Provider'. We will use this page later.
AWS Management Console
1. Go to AWS IAM Identity Center
2. You will be asked to enable AWS SSO, or to switch to the region where AWS SSO is already enabled: an AWS Organization supports AWS SSO in only one AWS Region at a time.
3. Go to Applications (or 'Manage assignments to your cloud applications').
4. Add a new application
5. Add a custom SAML 2.0 application
6. Give a name to your application, and scroll down
7. Scroll down and click 'If you don't have a metadata file ...'.
8. Copy the 'Assertion Consumer Service URL' and 'Audience URI' values from the BigAnimal Identity Provider page into the application settings.
9. Save Changes
10. Switch to Attribute mappings
11. Add the attributes (see the 'Attributes in BigAnimal' screenshot) and save changes.
12. Switch to Assigned users and assign this application to the users who should have access.
BigAnimal Setup IDP
13. Go to the BigAnimal 'Identity Provider' page and scroll down to section 3, SAML Settings:
a. Single Sign-On URL: copy it from AWS SSO -> Configuration -> AWS SSO metadata -> AWS SSO sign-in URL.
b. Download the certificate from AWS SSO -> Configuration -> AWS SSO metadata and upload it to BigAnimal.
c. Request Binding: choose 'HTTP POST'.
d. Response Signature Algorithm: rsa-sha256 is recommended.
14. Click Test Connection; you will be redirected to the AWS login page. Log in as a user who has been assigned the application (step 12).
15. If Test Connection succeeds, click 'Sign in to BigAnimal' to complete the sign-up process.
16. After the IdP is set up, use a different login option: enter your email address under BigAnimal Account to log in to the portal, instead of clicking EDB Account.
Good to know
IdP-initiated sign-in is not supported, so you will get an error message if you try to open BigAnimal from the AWS side instead of from the BigAnimal login page.
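The reason an IdP-initiated login fails is that BigAnimal, as the service provider, only accepts a SAML response that answers an authentication request it issued itself. The code below is an added example, not BigAnimal's or AWS's code, showing the service-provider-side checks that produce this behaviour: a response without an InResponseTo attribute is treated as unsolicited and rejected, a matching request ID is consumed once so the same response cannot be replayed, and the Destination and Audience are compared against the Assertion Consumer Service URL and Audience URI copied in step 8. The response document, URLs and user name are constructed placeholders, and signature verification with the IdP certificate (mandatory in a real deployment) is left out because it needs an XML-DSig library.

```python
"""Service-provider-side acceptance checks for a SAML Response.

Added example, not part of the original guide. Shows why an IdP-initiated
(unsolicited) response is rejected while an SP-initiated one is accepted.
All URLs, IDs and the user name are constructed placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders standing in for the two values copied in step 8.
ACS_URL = "https://sp.example.invalid/saml/acs"
AUDIENCE_URI = "https://sp.example.invalid/saml/metadata"


def build_response(in_response_to, destination=ACS_URL, audience=AUDIENCE_URI):
    """Constructed, unsigned SAML Response for the demo. Passing None for
    in_response_to produces the shape of an IdP-initiated response."""
    irt = f'InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{destination}" {irt}>
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" {irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class ServiceProvider:
    """Minimal SP that only completes logins it started itself."""

    def __init__(self, acs_url=ACS_URL, audience=AUDIENCE_URI):
        self.acs_url = acs_url
        self.audience = audience
        self.pending = set()  # IDs of AuthnRequests issued and not yet consumed

    def start_login(self, request_id):
        # In production the ID is random, stored server-side and expires.
        self.pending.add(request_id)

    def consume_response(self, xml_text):
        """Return the NameID if the response answers one of our requests."""
        root = ET.fromstring(xml_text)
        # A real SP verifies the XML signature with the IdP certificate first,
        # and checks NotBefore/NotOnOrAfter; both are omitted in this demo.
        irt = root.get("InResponseTo")
        if not irt:
            raise ValueError("unsolicited (IdP-initiated) response rejected")
        if irt not in self.pending:
            raise ValueError("InResponseTo does not match an outstanding request")
        self.pending.discard(irt)  # one-time use: the same response cannot be replayed
        if root.get("Destination") != self.acs_url:
            raise ValueError("Destination is not our Assertion Consumer Service URL")
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != STATUS_SUCCESS:
            raise ValueError("IdP reported a non-success status")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            raise ValueError("response carries no assertion")
        audiences = [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            raise ValueError("Audience does not match our Audience URI")
        scd = assertion.find(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("InResponseTo") != irt or scd.get("Recipient") != self.acs_url:
            raise ValueError("assertion is not bound to this request and endpoint")
        return assertion.find("saml:Subject/saml:NameID", NS).text


if __name__ == "__main__":
    sp = ServiceProvider()
    sp.start_login("_req1")
    print("SP-initiated:", sp.consume_response(build_response("_req1")))
    try:
        sp.consume_response(build_response(None))
    except ValueError as err:
        print("IdP-initiated:", err)
```

The first branch that fires for an IdP-initiated response is the missing InResponseTo check, which is the situation the note above describes; the remaining checks are what make the ACS URL and Audience URI from step 8 matter even for a correctly initiated login.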