Configuring Britive Identity Provider in AWS
An Identity Provider lets you manage your user identities outside of AWS and grant those identities permission to use the AWS resources in your account. During the AWS onboarding process, the Britive application (tenant) is added as the Identity Provider in the AWS account.
The following configurations help you to add the Identity Provider in AWS.
Britive uses SAML as the authentication mechanism to connect to AWS, so before configuring the Identity Provider in AWS you need to download the SAML metadata issued by your Britive tenant application.
1. Downloading SAML Metadata from Britive
Perform the following steps to download the SAML metadata from Britive:
- Log in to the Britive application with administrator privileges.
- Click Admin > Security.
- Select the SAML Configurations tab.
- Click DOWNLOAD SAML Metadata.
This downloads the SAML metadata needed to configure the Identity Provider in AWS to your computer as an XML file.
2. Adding an Identity Provider in AWS
Perform the following steps to add an Identity Provider to an AWS account:
- Log in to the AWS account with administrator privileges.
- Select IAM > Access management.
- Select Identity providers.
- Click Add provider.
- Enter the following in the Add an Identity provider page:
- Select the Provider type as SAML.
- Enter the Provider name: any appropriate text of up to 128 characters consisting of alphanumeric or underscore characters. Spaces are not allowed in the name.
- Using the Choose file option, upload the SAML metadata XML file that you downloaded earlier (see Downloading SAML Metadata from Britive above).
- Click Add provider. The Britive Identity Provider is now added to the list of Identity Providers in the AWS account.
- Trust relationship configuration in AWS for defining the source identity. The trust policy of each role used by Britive must allow the Britive Identity Provider to assume the role with SAML and to set the source identity, and must restrict the SAML audience to the AWS sign-in endpoint:

  Trust policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<account>:saml-provider/Britive"
        },
        "Action": [
          "sts:AssumeRoleWithSAML",
          "sts:SetSourceIdentity"
        ],
        "Condition": {
          "StringEquals": {
            "SAML:aud": "https://signin.aws.amazon.com/saml"
          }
        }
      }
    ]
  }
- (Optional) For session invalidation: To enable the session invalidation feature, each role that is marked for use by Britive (that is, trusts the Britive Identity Provider) must have its trust policy updated with the additional action "sts:TagSession". The final trust policy looks like the following:

  Trust policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::<account>:saml-provider/Britive"
        },
        "Action": [
          "sts:AssumeRoleWithSAML",
          "sts:SetSourceIdentity",
          "sts:TagSession"
        ],
        "Condition": {
          "StringEquals": {
            "SAML:aud": "https://signin.aws.amazon.com/saml"
          }
        }
      }
    ]
  }
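Before rolling a trust policy out to many roles it is worth checking it against the shape described above: the Federated principal must be the Britive provider, the statement must grant sts:AssumeRoleWithSAML and sts:SetSourceIdentity, the SAML:aud condition must pin the AWS sign-in audience, and sts:TagSession tells you whether session invalidation will work. The checker below is an added example, not Britive or AWS code; the provider ARN with the <account> placeholder and the sample policy are constructed from this page.

```python
import json

# Constructed for this example: substitute your account ID for <account>.
EXPECTED_PRINCIPAL = "arn:aws:iam::<account>:saml-provider/Britive"
EXPECTED_AUDIENCE = "https://signin.aws.amazon.com/saml"
REQUIRED_ACTIONS = {"sts:assumerolewithsaml", "sts:setsourceidentity"}
TAG_SESSION = "sts:tagsession"  # needed only for session invalidation

# Sample input: the trust policy from this page with sts:TagSession added.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": EXPECTED_PRINCIPAL},
        "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"],
        "Condition": {"StringEquals": {"SAML:aud": EXPECTED_AUDIENCE}},
    }],
})

def _as_list(value):
    # IAM accepts both "x" and ["x"] for Statement and Action.
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json: str) -> dict:
    """Return {'ok', 'session_invalidation', 'problems'} for a role trust policy.
    Every Allow statement with a Federated principal must name the Britive provider,
    grant the two required STS actions and pin SAML:aud; sts:TagSession is reported."""
    problems, tag_session, federated = [], False, False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") != "Allow" or not isinstance(principal, dict)
                or "Federated" not in principal):
            continue
        federated = True
        if principal["Federated"] != EXPECTED_PRINCIPAL:
            problems.append(f"unexpected federated principal: {principal['Federated']}")
        # Action names and condition keys are case-insensitive in IAM, so normalise.
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if REQUIRED_ACTIONS - actions:
            problems.append(f"missing actions: {sorted(REQUIRED_ACTIONS - actions)}")
        tag_session = tag_session or TAG_SESSION in actions
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        aud = {k.lower(): v for k, v in equals.items()}.get("saml:aud")
        if aud != EXPECTED_AUDIENCE:
            problems.append("SAML:aud condition missing or not the AWS sign-in audience")
    if not federated:
        problems.append("no Allow statement trusts a Federated principal")
    return {"ok": not problems, "session_invalidation": tag_session, "problems": problems}
```

A policy that omits the SAML:aud condition is reported as a problem because without it the role would accept an assertion issued for any audience; the check runs offline on the policy JSON, so it can be applied to the output of aws iam get-role before any role is handed to Britive.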
Next, you can configure the IAM Role(s) in AWS, as explained in the next section Configuring IAM Roles.
For more information about adding identity providers in AWS, see Creating IAM SAML identity providers.