Onboarding an AWS Identity Center Application in Britive

    As mentioned earlier in the Introduction of this guide, you can choose to onboard an AWS Identity Center application when your AWS organization has both management account(s) and member accounts.

    Steps for Onboarding an AWS Application

    Perform the following steps to add an AWS Identity Center tenant application to Britive:

    Note:
    Before onboarding the application, ensure that you have completed the onboarding prerequisites mentioned in the section Prerequisites for Onboarding and Profile Access.
    1. Log in to the Britive application with administrator privileges.
    2. Click Admin > Application and Access Profile Management.
    3. From the Tenant Applications page, click CREATE APPLICATION.
    4. On the Add Application page, click the Add (+) sign next to the AWS Identity Center application. The Create Application page is displayed. This page has two tabs: Application and Settings.
    5. In the Application tab, enter the following values:
      1. Enter the Application Name.
      2. Enter the Application Description (optional step).
      3. Under Account Mapping, select Email mapping to map the user's email address to the AWS account.
    6. Click Next. The Settings tab is displayed.
    7. In the Settings tab, enter the following values:
      • Identity Center Management Account ID corresponds to the Account ID of the Management AWS Account of the user.
      • Identity Provider Name corresponds to the Provider name added while adding the identity provider to the AWS account. For more information, see Configuring an Identity Provider in AWS.
      • Integration Role Name corresponds to the name of the IAM role within the AWS account of the user. If the role was created with an AWS resource path, prefix the role name with that path, without the leading slash. For example: if the ARN of the role is arn:aws:iam::0000000000:role/Security/IAM/Britive_Integration_Role2, enter Security/IAM/Britive_Integration_Role2 as the role name.
      • Duration of the backend AWS connection (in hours) corresponds to the Maximum Session Duration in an IAM role within the AWS account of the user. For more information, see Configuring IAM Roles.
      • Region corresponds to the AWS region to be used for STS to generate temporary AWS access keys.
      • Login URL 
      • Source Identity Attribute corresponds to the attribute value used to set the Source Identity in CloudTrail logs. Under Advanced Settings, select from the dropdown list the attribute to be recorded in CloudTrail logs. Select None to not set any Source Identity.
        Note that all Britive-managed roles used in profiles must allow the sts:SetSourceIdentity action in their trust relationship. Checkout fails for roles whose trust relationship does not allow this action.
      • Profile Settings: Configure the maximum session duration for profiles. You can select a duration between 15 minutes and 7 calendar days. Each profile's expiration duration, set while creating or updating the profile, can then be any value up to this configured maximum. If existing profiles were created with a duration of more than 12 hours and this setting is changed, it cannot be lowered until all such profiles have been updated with a lower expiration duration.

    8. Click SAVE AND TEST. If the AWS application is configured with the correct values, then the success message is displayed.
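    The following Python script is an added example, not Britive's own code or tooling. It prepares and checks two of the Settings tab values described above: it derives the Integration Role Name (path without the leading slash, then the role name) from a role ARN, and it checks whether a role's trust relationship document allows the sts:SetSourceIdentity action that Britive-managed roles need for checkout. The trust policy documents and the principal ARNs inside them are constructed placeholders for illustration; the function and variable names are assumptions of this example.

```python
"""Helpers for preparing Britive AWS Identity Center settings (added example).

Not Britive's code. Names and sample policy documents are assumptions.
"""
import fnmatch
import json
from typing import Iterable, List


def integration_role_name_from_arn(role_arn: str) -> str:
    """Return the value to enter as 'Integration Role Name' for a role ARN.

    A role created with a resource path is entered as path + name without
    the leading slash, so
    arn:aws:iam::0000000000:role/Security/IAM/Britive_Integration_Role2
    becomes Security/IAM/Britive_Integration_Role2.
    """
    # An ARN has six colon-separated fields; the last one may itself contain
    # colons or slashes, so split at most five times.
    parts = role_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {role_arn!r}")
    resource = parts[5]  # e.g. "role/Security/IAM/Britive_Integration_Role2"
    if not resource.startswith("role/"):
        raise ValueError(f"ARN does not refer to an IAM role: {role_arn!r}")
    return resource[len("role/"):]


def missing_trust_actions(
    trust_policy_json: str,
    required: Iterable[str] = ("sts:AssumeRole", "sts:SetSourceIdentity"),
) -> List[str]:
    """Return the required actions that no Allow statement in the trust policy grants.

    Action matching follows IAM semantics loosely: case-insensitive, with '*'
    and '?' wildcards (so "sts:*" covers sts:SetSourceIdentity).
    An empty list means the role's trust relationship is sufficient for checkout.
    """
    doc = json.loads(trust_policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]

    granted_patterns: List[str] = []
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        granted_patterns.extend(a.lower() for a in actions)

    return [
        action
        for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in granted_patterns)
    ]


# Constructed sample trust relationships. The principal ARN is a placeholder;
# substitute the principal Britive actually assumes the managed role from.
_PRINCIPAL = "arn:aws:iam::000000000000:role/PLACEHOLDER_INTEGRATION_ROLE"

TRUST_POLICY_MISSING_SOURCE_IDENTITY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": _PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
})

TRUST_POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": _PRINCIPAL},
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
    }],
})


if __name__ == "__main__":
    arn = "arn:aws:iam::0000000000:role/Security/IAM/Britive_Integration_Role2"
    print("Integration Role Name:", integration_role_name_from_arn(arn))
    for label, policy in (("missing", TRUST_POLICY_MISSING_SOURCE_IDENTITY),
                          ("ok", TRUST_POLICY_OK)):
        gaps = missing_trust_actions(policy)
        print(f"{label}: {'checkout would fail, missing ' + str(gaps) if gaps else 'trust relationship sufficient'}")
```

    Run the trust-policy check against the JSON you get back from `aws iam get-role` (the AssumeRolePolicyDocument field) for every role a profile references before clicking SAVE AND TEST; any role reported as missing sts:SetSourceIdentity will fail checkout once a Source Identity Attribute other than None is selected.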

    Note: Trust Relationship configuration in AWS for defining Source Identity

    Error Message

    If you click SAVE AND TEST after entering incorrect configuration value(s) in the Settings tab while configuring an AWS application, the relevant error message is displayed.
