Amazon Web Services

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for Amazon Web Services.

About Amazon Web Services

Amazon Web Services, a subsidiary of Amazon.com, offers a suite of cloud-computing services that encompass an on-demand computing platform.

After integrating Amazon Web Services with Oracle Identity Cloud Service:

  • Users can access Amazon Web Services using their Oracle Identity Cloud Service login credentials.
  • Users can start Amazon Web Services using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the Amazon Web Services app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • An Amazon Web Services account with authorization rights to configure federated authentication and user provisioning.
  • A downloaded identity provider metadata file. Use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata.

Configuring SSO for Amazon Web Services

Use this section to configure the identity provider and roles in Amazon Web Services.

Configuring the Identity Provider in Amazon Web Services

  1. Access Amazon Web Services as an administrator using the URL: https://<Account_Name>.signin.aws.amazon.com/console. The Amazon Web Services home page appears.

    Note: Use the account name that you specified while registering the account with Amazon Web Services.

  2. Under the All services menu, locate the Security, Identity, & Compliance section, and then click IAM. The IAM Dashboard page appears.

  3. In the left navigation menu, select Identity providers, and then click Create Provider. The Configure Provider page appears.

  4. Use the table to update the federated authentication attributes, and then click Next Step.

    Attribute          Value
    Provider Type      Select SAML from the drop-down list.
    Provider Name      Enter your identity provider name.
    Metadata Document  Click Choose File, and then upload the identity provider metadata that you previously downloaded. See the "What Do You Need?" section.

  5. On the Verify Provider Information page, verify the Provider Name, and then click Create. A success message is displayed stating that the identity provider is created.

  6. Click the recently created identity provider, and then make note of the Provider ARN value.

    Note: Use this Provider ARN value when creating groups in Oracle Identity Cloud Service in the "Creating Groups and Assigning Users to Groups" section.

Configuring Roles in Amazon Web Services for SSO and User Provisioning

  1. In the left navigation menu, click Roles, and then click Create role. The Create role page appears.

  2. Under the Select type of trusted entity section, click SAML 2.0 federation.

  3. Under the Choose a SAML 2.0 provider section, click the SAML provider drop-down list, and then select the identity provider that you created by performing the steps in the "Configuring the Identity Provider in Amazon Web Services" section.

  4. Select the Allow programmatic and AWS Management Console access option and then click Next: Permissions.

  5. Under the Attach permissions policies section, search and select the IAMFullAccess check box, and then click Next: Tags.

  6. Under the Add tags (optional) section, enter the Key and the Value (optional) if required, and then click Next: Review.

  7. Under the Review section, enter the Role name. For example, SAMLRole.

    Note: This role is referred to as Role 1 in the following sections.

  8. Click Create role. A success message is displayed on the Create role page stating that the role is created.

  9. Click Role 1, and then make note of the Role ARN value: arn:aws:iam::<Account_ID>:role/<Role1_Name>.

    Note: Use the Role ARN value to create and assign an STS policy to this role in the "Configuring a Policy in Amazon Web Services for User Provisioning" section. In addition, make note of the Role 1 name to use it later while creating groups for registering Amazon Web Services in the "Creating Groups and Assigning Users to Groups" section. Also, make note of the account ID value to create another role related to provisioning in the following steps.

  10. In the left navigation menu, click Roles, and then click Create role. The Create role page appears.

  11. Under the Select type of trusted entity section, click Another AWS account.

  12. Under the Specify accounts that can use this role section, enter the Account ID that you obtained from the ARN value of the previously created role (Role 1), and then click Next: Permissions.

  13. Under the Attach permissions policies section, search and select the IAMFullAccess check box, and then click Next: Tags.

  14. Under the Add tags (optional) section, enter the Key and the Value (optional) if required, and then click Next: Review.

  15. Under the Review section, enter the Role name. For example, ProvRole.

    Note: This role is referred to as Role 2 in the following sections.

  16. Click Create role. A success message is displayed on the Create role page stating that the role is created.

  17. Click Role 2, and then make note of the Role ARN value: arn:aws:iam::<Account_ID>:role/<Role2_Name>.

    Note: Use the Role ARN value to create and assign an STS policy to this role in the "Configuring a Policy in Amazon Web Services for User Provisioning" section. In addition, make note of the Role 2 name to use it later while enabling provisioning for Amazon Web Services in the "Enabling Provisioning" section.

Configuring a Policy in Amazon Web Services for User Provisioning

  1. In the left navigation menu, click Policies, and then click Create policy. The Create policy page appears.

  2. Under the Visual editor tab, click Choose a service next to Service, and then search and click STS.

  3. In the Actions section, under Access level, expand Write, and then select the AssumeRole check box.

  4. Hover over Resources, click the edit icon, click the Specific option, and then click Add ARN next to role. The Add ARN(s) dialog box appears.

  5. Click List ARNs manually, and then enter the Role 1 and Role 2 ARN values on separate lines in the Type or paste a list of ARNs (one per line) field.

    Note: These Role ARN values were obtained earlier after performing the steps to create Role 1 and Role 2 in the "Configuring Roles in Amazon Web Services for SSO and User Provisioning" section.

  6. Click Add, and then click Review policy.

  7. Under the Review policy section, enter a Name for the policy. For example, STSPROVPolicy.

  8. Click Create policy. A success message is displayed stating that the policy is created.

Configuring a User in Amazon Web Services

  1. In the left navigation menu, click Users, and then click Add user. The Add user page appears.

  2. Under the Set user details section, enter the User name.

  3. Under the Select AWS access type section, select the Programmatic access check box next to Access type field, and then click Next: Permissions.

  4. Under the Set permissions section, click Attach existing policies directly, search for and select the check box next to the policy that you created earlier (for example, STSPROVPolicy), and then click Next: Tags.

    Note: This is the policy that you created by performing the steps in the "Configuring a Policy in Amazon Web Services for User Provisioning" section.

  5. Under the Add tags (optional) section, enter the Key and the Value (optional) if required, and then click Next: Review.

  6. Under the Review section, click Create user. A success message is displayed stating that the user is created.

  7. When the user is created, make note of the Access key ID and the Secret access key values, and then click Close.

    Tip: Because the access key ID and secret access key values are shown only once, it is recommended to click Download .csv and keep the Access key ID and Secret access key values from the CSV file. You need these values later while enabling provisioning for Amazon Web Services in the "Enabling Provisioning" section.

Configuring the Amazon Web Services App in Oracle Identity Cloud Service

Use this section to assign users or groups to Amazon Web Services, to register and activate the Amazon Web Services app, and to enable provisioning and synchronization for Amazon Web Services.

Creating Groups and Assigning Users to Groups

  1. Access the Navigation Drawer in the Oracle Identity Cloud Service administration console, select Groups, and then click Add. The Add Group window appears.

  2. In the Name field, enter the Amazon Web Services group name as the Role ARN value of Role 1 followed by a comma and the Provider ARN value, in the following format: arn:aws:iam::<Account_ID>:role/<Role1_Name>,arn:aws:iam::<Account_ID>:saml-provider/<Provider_Name>.

    Note: These are the ARN values obtained after creating Role 1 and configuring the identity provider in the "Configuring Roles in Amazon Web Services for SSO and User Provisioning" and "Configuring the Identity Provider in Amazon Web Services" sections respectively.

  3. Enter the Description, and then click Next.

  4. Under the Assign Users to Group (Optional) section, select the user(s) that you want to assign to the Amazon Web Services app, and then click Finish. Oracle Identity Cloud Service displays a confirmation message stating that the group has been successfully added.
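The group name format above and the STS policy built in the "Configuring a Policy in Amazon Web Services for User Provisioning" section, checked in code: the first function rejects a malformed group name before the group is created, and the second builds a policy document that allows sts:AssumeRole on Role 1 and Role 2 only. This is an added example, not Oracle's or AWS's code; it assumes the ARN shapes shown in this document, and the account ID, role names and provider name in the comments are constructed placeholders.

```python
import re

# Added example (not Oracle's or AWS's code). ARN shapes follow the document:
# arn:aws:iam::<Account_ID>:role/<Name> and arn:aws:iam::<Account_ID>:saml-provider/<Name>.
# Commas are excluded from names because a comma separates the two ARNs in the group name.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@-]+)$")


def parse_iam_arn(arn):
    """Return (account_id, resource_type, name) or raise ValueError."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role or saml-provider ARN: {arn!r}")
    return m.group(1), m.group(2), m.group(3)


def parse_group_name(name):
    """Validate an IDCS group name '<Role 1 ARN>,<Provider ARN>'; return both ARNs."""
    parts = [p.strip() for p in name.split(",")]
    if len(parts) != 2:
        raise ValueError("group name must be '<role ARN>,<saml-provider ARN>'")
    role_arn, provider_arn = parts
    role_acct, role_type, _ = parse_iam_arn(role_arn)
    prov_acct, prov_type, _ = parse_iam_arn(provider_arn)
    # Order matters: role first, provider second. Both must be in the same account.
    if (role_type, prov_type) != ("role", "saml-provider"):
        raise ValueError("first ARN must be a role, second a saml-provider")
    if role_acct != prov_acct:
        raise ValueError("role and provider must belong to the same account")
    return role_arn, provider_arn


def sts_assume_role_policy(role_arns):
    """Build the STSPROVPolicy document: sts:AssumeRole on the listed roles only."""
    for arn in role_arns:
        if parse_iam_arn(arn)[1] != "role":
            raise ValueError(f"not a role ARN: {arn!r}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": sorted(set(role_arns))}]}


def assume_role_is_scoped(policy):
    """False if any Allow statement grants sts:AssumeRole (or sts:*, *) on Resource '*'."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        broad = any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in acts)
        if broad and "*" in res:
            return False
    return True
```

Running parse_group_name on each planned group name before step 2 catches a swapped ARN order or a provider from another account; assume_role_is_scoped flags a policy that was widened to Resource "*" instead of the two role ARNs.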

Registering and Activating the Amazon Web Services App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for Amazon Web Services, click Add, and then click Next.

  4. Click Next. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for Amazon Web Services

Use this section to enable provisioning and synchronization for managing user accounts in Amazon Web Services through Oracle Identity Cloud Service.

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Enter the Amazon Web Services Access key ID value of the user in the Access Key Id field.

    Note: This is the Access key ID that you obtained while performing the steps in the "Configuring a User in Amazon Web Services" section.

  3. Enter the Secret access key value of the user in the Secret Key field.

    Note: This is the secret access key value that you obtained while performing the steps in the "Configuring a User in Amazon Web Services" section.

  4. Enter the role ARN value of Role 2 in the Role ARN field.

    Note: This is the ARN value obtained after configuring Role 2 in the "Configuring Roles in Amazon Web Services for SSO and User Provisioning" section.

  5. Click Test Connectivity. A success message is displayed stating that the connection is successful.

  6. To view predefined attribute mappings between the user account fields defined in Amazon Web Services and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the Account column.

  7. Specify the provisioning operations that you want to enable for Amazon Web Services:

    Note: By default, the Create Account, Update Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates an Amazon Web Services account when Amazon Web Services access is granted to the corresponding user in Oracle Identity Cloud Service.

    Note: Ensure that the users created in Oracle Identity Cloud Service do not have a space in their User Name.

    Update Account: Automatically updates an Amazon Web Services account when the corresponding user account is edited in Oracle Identity Cloud Service.

    Delete Account: Automatically removes an account from Amazon Web Services when Amazon Web Services access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from Amazon Web Services with an existing record in Oracle Identity Cloud Service:

    Note: By default, the User Name check box is selected. It is recommended to leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  3. To match an Amazon Web Services account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option, which represents the Email attribute of the Amazon Web Services account, is selected. It is recommended not to change this default option.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms each matched account to the corresponding Oracle Identity Cloud Service user based on the defined user identifier.

    Link but do not confirm: Automatically links each matched account to the corresponding Oracle Identity Cloud Service user based on the defined user identifier. You need to manually confirm the linked accounts.

  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

    After enabling provisioning and synchronization for Amazon Web Services, you can synchronize the existing account details from Amazon Web Services and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage Amazon Web Services accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

  7. Click Finish, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP Initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the Amazon Web Services app. Oracle Identity Cloud Service displays a shortcut to Amazon Web Services under My Apps.

  3. Click Amazon Web Services. The Amazon Web Services home page appears.

  4. In the upper-right corner of the Amazon Web Services home page, confirm that the user that is logged in is the same for both Amazon Web Services and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Amazon Web Services displays the message, "Your request included an invalid SAML response."

Cause: When the user accounts are synchronized, the user account imported from Amazon Web Services is linked to an incorrect user account in Oracle Identity Cloud Service.

Solution: Ensure that the imported user account is linked to the correct user under the Amazon Web Services app in Oracle Identity Cloud Service. For more information on activating the user account for Amazon Web Services, see the "Enabling Synchronization" section.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service Amazon Web Services app and Amazon Web Services is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select Amazon Web Services.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Amazon Web Services app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select Amazon Web Services.
  • In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.