Prerequisites
Identity Provider: AWS Single Sign-on (AWS SSO)
AWS user permission: AWSSSOMemberAccountAdministrator (we did not fully test the minimum permission required; listed here for reference only)
Setup IdP link: https://portal.biganimal.com/setup-idp/GdU3LZmDC9XrrbpKmuOpR2AX6oJBDkxb with the configuration below. (Please note that customers should use their own URLs, which were generated before the meeting. The URL here is only for testing and sharing.)
description: this is for SS AWS SSO test
domainName: ss0525.com
organizationName: SS AWS
sfId: sfid_abcedfg_wersdnck
Steps
AWS Management Console
1. Go to AWS Single Sign-On
2. You will be asked to enable AWS SSO or switch to the region which has enabled AWS SSO. AWS Organizations supports AWS SSO in only one AWS Region at a time.
3. Go to Applications (or Step 3, as shown below):
4. Add a new application
5. Add a custom SAML 2.0 application
6. Give a name to your application, and scroll down
7. Scroll down and click 'If you don't have a metadata file ...'
8. Copy the 'Assertion Consumer Service URL' and 'Audience URI' from the BigAnimal Setup IdP link
9. Save Changes
10. Switch to Attribute mappings
11. Add the attribute mappings below and save changes (left: user attribute in the application; right: attribute name in the SAML assertion)
${user:givenName} -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
${user:familyName} -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
${user:preferredUsername} -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
${user:name} -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
${user:email} -> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
12. Switch to Assigned users, and assign this application to the users.
BigAnimal Setup IDP
13. Go to the BigAnimal Setup IdP link -> Setup Config: https://portal.biganimal.com/setup-idp/GdU3LZmDC9XrrbpKmuOpR2AX6oJBDkxb
13.1 Single Sign-On URL: copy the AWS SSO sign-in URL from AWS SSO -> Configuration -> AWS SSO metadata
13.2 Certificate: download the certificate from AWS SSO -> Configuration -> AWS SSO metadata and upload it to BigAnimal
13.3 Request Binding: choose 'HTTP POST'
13.4 Response Signature Algorithm: rsa-sha256 is recommended
14. Click Test Connection; you will be prompted with the AWS login page. Log in with a user who has access to the application (assigned in Step 12).
15. If Test Connection succeeds, click 'Sign in to BigAnimal' to complete the sign-up process.
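When Test Connection fails, the usual causes are a missing attribute mapping (step 11) or an unexpected signature algorithm (step 13.4). The following Python script is an added example, not part of this procedure or of BigAnimal's tooling: it decodes a SAMLResponse form value (as posted by the browser during Test Connection) and reports which of the five required claim names are missing and whether the assertion is signed with rsa-sha256. It only inspects the XML and does not validate the signature; the build_sample helper and its Issuer URL are constructed placeholders for exercising the checker.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# The five claim names mapped in step 11; all of them must appear in the assertion.
REQUIRED_CLAIMS = {CLAIMS + n for n in
                   ("givenname", "surname", "name", "nameidentifier", "emailaddress")}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # step 13.4 recommendation

def check_saml_response(saml_response_b64):
    """Decode a SAMLResponse form value and report mapping/algorithm findings.
    Only inspects the XML; it does NOT validate the signature (the service provider
    does that with the certificate uploaded in step 13.2)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for a in root.iterfind(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
    algs = [m.get("Algorithm") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    return {
        "attributes": attrs,
        "missing_claims": sorted(REQUIRED_CLAIMS - set(attrs)),
        "signature_algorithms": algs,
        "rsa_sha256": bool(algs) and all(alg == RSA_SHA256 for alg in algs),
    }

def build_sample(attrs, alg=RSA_SHA256):
    """Constructed, unsigned placeholder response (not a real AWS SSO assertion)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{CLAIMS}{n}"><saml:AttributeValue>{v}'
        '</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0">'
           '<saml:Issuer>https://idp.example.invalid/saml/PLACEHOLDER</saml:Issuer>'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
           '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
           f'<saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>{attr_xml}'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Constructed sample: signed with rsa-sha256, but the nameidentifier mapping was left out.
    sample = build_sample({"givenname": "Alice", "surname": "Example", "name": "alice",
                           "emailaddress": "alice@ss0525.com"})
    print(check_saml_response(sample))
```

To diagnose a real failure, pass the SAMLResponse form field captured from the browser's network tools during Test Connection to check_saml_response.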
Good to know
Please log in to BigAnimal via the Portal with your email address.
IdP-initiated sign-in is not supported.
So you may get the error message below if you try to access BigAnimal from the AWS side.
Screen recording: https://drive.google.com/file/d/1mydkNtD0bIJWMykO5OlZ2dAMoxLss9Hp/view?usp=sharing
Related Topic: Steps to configure Auth0 as your Identity Provider (IDP)
Related tickets: https://enterprisedb.zendesk.com/agent/tickets/654