PhenixID

Step by Step – AWS MFA with PhenixID Authentication Services

Summary

This document guides you through the steps to enable multi-factor authentication for the AWS Management Console (https://aws.amazon.com/console/) using SAML 2.0 federation, with PhenixID Authentication Services acting as the identity provider.

This enables federated logins to the console: users authenticate at PhenixID and are mapped to an IAM role in AWS instead of signing in with an IAM user password.

System Requirements

  • PhenixID Authentication Server 3.0 or higher
  • AWS instance administration rights

Instruction

Overview

This document guides you through the steps to enable multi-factor authentication for AWS.

The user logs in through an IdP-initiated SAML request. On login, the user is assigned an IAM Role; the policies attached to that Role determine what the user is allowed to do in AWS.

Configure PhenixID Authentication Services as Identity Provider

  1. Login to Configuration Manager.
  2. Set up PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here.) Set these properties during configuration.
    Change YOUR_PHENIXID_IDP_DOMAIN to the domain name of your PhenixID Authentication Services instance.
    – EntityID = https://YOUR_PHENIXID_IDP_DOMAIN/saml/idp/aws
    – Post SSO URL = https://YOUR_PHENIXID_IDP_DOMAIN/saml/authenticate/aws
  3. Save changes.
  4. Click IDENTITY PROVIDER->View SAML Metadata.
  5. Save the metadata as an XML file. It is uploaded to AWS IAM in a later step.
  6. Set Post SLO URL = https://YOUR_PHENIXID_IDP_DOMAIN/saml/authenticate/logout/
  7. Save the changes.

Add trust to AWS on PhenixID Authentication Services

  1. Login to configuration manager
  2. Open Scenarios->Federation->SAML Metadata upload
  3. Click the plus sign
  4. Add URL= https://signin.aws.amazon.com/static/saml-metadata.xml (the SP metadata published by AWS; it contains the entityID urn:amazon:webservices and the Assertion Consumer Service URL https://signin.aws.amazon.com/saml)
  5. Save the changes.

Configure AWS

  1. Log in as an administrator to your AWS account
  2. In the left-hand menu, select Services
  3. Locate “Security, Identity, & Compliance”
  4. Select “IAM”
  5. The following steps are found under “Access management”

Add SAML Identity provider

  1. Select “Identity providers”
  2. Select “Add provider”
  3. Choose SAML as provider type
  4. Set a Provider name
  5. Upload the SAML Metadata (xml-file) for your IDP.
  6. Continue with “Add provider”

Setup Role with policy

  1. Select “Roles”
  2. Select “Create role”
  3. Select “SAML 2.0 federation”
  4. Choose your SAML provider and select “Allow programmatic and AWS Management Console access”
  5. Continue with “Next: Permissions”
  6. Select the permissions policy/policies the user shall have.
  7. Continue with “Next:Tags”
  8. Continue with “Next:Review”
  9. Set a Role name
  10. Continue with “Create role”

Collect AWS attributes

  1. Select “Roles”
  2. Select your role
  3. Make a note of “Role ARN”: arn:aws:iam::YOUR_ACCOUNT:role/YOUR_ROLE
  4. Make a note of “Trusted entities”: arn:aws:iam::YOUR_ACCOUNT:saml-provider/YOUR_IDP
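The role wizard above also writes a trust policy on the role; that policy is what binds the role to the PhenixID provider. The following added example (not PhenixID or AWS code) builds the trust policy that “SAML 2.0 federation” with console access produces, from the provider ARN noted above, and checks a trust policy read back from AWS (aws iam get-role --role-name YOUR_ROLE, field AssumeRolePolicyDocument) for the two properties that matter: the Federated principal is exactly your saml-provider ARN, and the SAML:aud condition is present. The account id and names are placeholders.

```python
"""Trust policy for a SAML-federated IAM role, and a least-privilege check of it.

Added example, not PhenixID or AWS code. The policy shape is what the IAM console
writes when "Allow programmatic and AWS Management Console access" is selected.
"""
import json

# Audience the console puts in the SAML:aud condition for console access.
CONSOLE_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn):
    """Trust policy allowing sts:AssumeRoleWithSAML only from one IdP and only for the console audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": CONSOLE_SAML_AUDIENCE}},
        }],
    }


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_saml_trust(policy, expected_provider_arn):
    """Return a list of problems for every Allow statement that grants AssumeRoleWithSAML."""
    problems = []
    saml_statements = 0
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        saml_statements += 1
        principal = stmt.get("Principal", {})
        # Principal may be a dict {"Federated": ...} or the bare string "*".
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else [principal]
        if federated != [expected_provider_arn]:
            problems.append(f"Federated principal {federated} is not exactly {expected_provider_arn}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != CONSOLE_SAML_AUDIENCE:
            problems.append(f"SAML:aud condition is {aud!r}, expected {CONSOLE_SAML_AUDIENCE}")
    if saml_statements == 0:
        problems.append("no Allow statement grants sts:AssumeRoleWithSAML")
    return problems


if __name__ == "__main__":
    # Placeholder ARN in the same form as the "Trusted entities" note above.
    provider = "arn:aws:iam::123456789012:saml-provider/PhenixID"
    print(json.dumps(saml_trust_policy(provider), indent=2))
    print("problems:", check_saml_trust(saml_trust_policy(provider), provider))
```

To check a live role, paste the AssumeRolePolicyDocument returned by aws iam get-role into check_saml_trust together with the saml-provider ARN from your notes; an empty list means the role trusts only that provider and only console sign-in.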

Configure PAS assertion

  1. Login to Configuration Manager.
  2. Locate the Scenario-Federation setup earlier for AWS.
  3. Select EXECUTION FLOW
  4. Add “PropertyAddValve” before “AssertionProvider”.
    1. NAME=https://aws.amazon.com/SAML/Attributes/Role
    2. VALUE=Role ARN,Trusted entities (from your notes; the two ARNs joined by a comma, as AWS expects)
    3. SPLITTER to other than comma (eg %). The comma inside the value is AWS's separator between the role ARN and the provider ARN; with the default comma splitter the valve would split it into two separate attribute values and AWS would reject the assertion.
  5. Add “PropertyAddValve” before  “AssertionProvider”.
    1. NAME=https://aws.amazon.com/SAML/Attributes/RoleSessionName
    2. VALUE={{item.mail}}      (replace “mail” if other identifier is used)
  6. Add “PropertyAddValve” before  “AssertionProvider”.
    1. NAME=https://aws.amazon.com/SAML/Attributes/SessionDuration
    2. VALUE=1800      (seconds; AWS accepts 900 to 43200, and the role's maximum session duration in IAM caps the effective value)
  7. Add information to  “AssertionProvider”:
    1. ADDITIONAL ATTRIBUTES=https://aws.amazon.com/SAML/Attributes/Role,https://aws.amazon.com/SAML/Attributes/RoleSessionName,https://aws.amazon.com/SAML/Attributes/SessionDuration
    2. SOURCE ID=urn:amazon:webservices
    3. Add fields to MISCELLANEOUS
      1. signAssertion        True
      2. nameID
      3. nameIdFormat      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    4. Save the changes.

Test

  1. Browse to https://YOUR_PHENIXID_IDP_DOMAIN/saml/authenticate/aws
  2. Authenticate
  3. You should now be redirected to AWS and be logged in
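If AWS shows an error instead of the console, the quickest check is to inspect the SAMLResponse that PhenixID posted to https://signin.aws.amazon.com/saml (visible in the browser's developer tools) against the attribute configuration above. The following added example (not PhenixID or AWS code) decodes such a response and checks the points AWS requires: the assertion carries a signature element, the Audience is urn:amazon:webservices, each Role value is a role ARN paired with a saml-provider ARN from the same account, RoleSessionName is a single valid value, and SessionDuration is in range. It does not verify the signature cryptographically; AWS does that with the certificate in the uploaded IdP metadata. The sample response, account id, role and provider names are constructed for this example.

```python
"""Structural pre-check of a SAML Response for AWS console federation.

Added example, not PhenixID or AWS code. Decodes the base64 SAMLResponse form field
and checks the attributes AWS requires. It does not verify the XML signature.
The sample response below is constructed; its ARNs and names are made up.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
AWS_AUDIENCE = "urn:amazon:webservices"  # the SOURCE ID set on the AssertionProvider
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")  # AWS rules for RoleSessionName
MIN_DURATION, MAX_DURATION = 900, 43200  # seconds; AWS range for SessionDuration

SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>https://idp.example.com/saml/idp/aws</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/idp/aws</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/PhenixIDUsers,arn:aws:iam::123456789012:saml-provider/PhenixID</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>1800</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_values(assertion):
    """Map attribute Name -> list of AttributeValue texts."""
    return {attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def check_role_value(value):
    """Check one Role value: one role ARN and one saml-provider ARN, same account, comma-separated."""
    parts = value.split(",")
    if len(parts) != 2:
        return [f"Role value {value!r} is not two comma-separated ARNs (check SPLITTER)"]
    matches = [ARN_RE.match(p) for p in parts]
    if not all(matches):
        return [f"Role value {value!r} contains a malformed ARN"]
    if sorted(m.group(2) for m in matches) != ["role", "saml-provider"]:
        return [f"Role value {value!r} must pair one role ARN with one saml-provider ARN"]
    if matches[0].group(1) != matches[1].group(1):
        return [f"Role value {value!r}: role and provider are in different accounts"]
    return []


def check_assertion(assertion):
    """Return a list of problems for one saml:Assertion element."""
    problems = []
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion carries no ds:Signature (signAssertion must be True)")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {AWS_AUDIENCE}")
    attrs = attribute_values(assertion)
    roles = attrs.get(AWS_ATTR + "Role", [])
    if not roles:
        problems.append("Role attribute missing")
    for value in roles:
        problems.extend(check_role_value(value))
    names = attrs.get(AWS_ATTR + "RoleSessionName", [])
    if len(names) != 1 or not SESSION_NAME_RE.match(names[0]):
        problems.append(f"RoleSessionName {names} must be one value of 2-64 chars [A-Za-z0-9_+=,.@-]")
    for d in attrs.get(AWS_ATTR + "SessionDuration", []):
        if not d.isdigit() or not MIN_DURATION <= int(d) <= MAX_DURATION:
            problems.append(f"SessionDuration {d!r} must be an integer in [{MIN_DURATION}, {MAX_DURATION}] seconds")
    return problems


def check_saml_response(saml_response_b64):
    """Decode the SAMLResponse form field and check every plain saml:Assertion in it."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["Response contains no saml:Assertion element"]
    return [p for a in assertions for p in check_assertion(a)]


def encode_response(xml_text):
    """Base64-encode XML the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(encode_response(SAMPLE_RESPONSE_XML)))  # [] for the constructed sample
```

Paste the base64 SAMLResponse value from the browser into check_saml_response; an empty list means the assertion has the shape AWS expects, so a remaining failure points at the signature, the certificate in the uploaded metadata, or the role trust policy rather than at the attribute valves.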

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se