On March 16, 2022, single sign-on (SSO) functionality was added to the YubiOn Portal, allowing users to authenticate once at the portal and then log in to their services without being asked for credentials again at each one. This article walks through the procedure for configuring SSO to AWS.
【Prerequisite】
You must have an AWS account and be able to operate it as an administrator.
You must have a YubiKey with the Yubico OTP function.
The user must be registered as a member in YubiOn Portal and have a YubiKey associated with them.
Initial registration for SSO must be completed.
The SSO feature is available on the free YubiOn Portal plan.
【Using the SSO】
To summarize the flow: a trust relationship is established between YubiOn Portal (the identity provider, IdP) and AWS (the service provider, SP) by exchanging SAML metadata, after which sign-in starts at the IdP and lands on the SP.
1. YubiOn Portal: register the app (AWS) and download the IdP metadata.
2. AWS: create the identity provider (import the IdP metadata), create the role, and download the AWS (SP) metadata.
3. YubiOn Portal: import the AWS metadata, set the AWS role and provider ARNs and the session name attributes, and assign the members who may access AWS.
【SSO Setup Procedure】
Log in to YubiOn Portal and open "SSO App Settings" from the sidebar.
Click the "Select the App and Add" button.
Click "AWS Management Console" in the Application Registration modal to register it.
After registration, "AWS Management Console" appears in the app list.
Click "AWS Management Console."
Click "Download Metadata" to download the YubiOn Portal (IdP) metadata that AWS needs for its SSO configuration.
Save the YubiOn Portal metadata file to any location; it is used in the following "AWS Settings."
To use single sign-on, an identity provider and a role must be configured on the AWS side. First, open the AWS Management Console to register YubiOn Portal as an identity provider.
Type "IAM" in the search box at the top of the screen and select "IAM" from the list of services.
Click on "Identity providers" on the left side of the screen.
Click the "Add provider" button.
Set the following in the provider settings:
Provider type: select SAML.
Provider name: set a descriptive name (YubiOnPortal in this example).
Metadata document: upload the metadata downloaded from YubiOn Portal.
Finally, click the "Add provider" button to add the provider.
Click the provider that was added, in this case YubiOnPortal.
Copy the provider's ARN into a text editor.
※This value will be used later in the YubiOn Portal configuration.
Next, create a role for logging in to AWS.
※With AWS SAML federation, you do not create an IAM user for each person; instead you specify a role that federated users assume, and the permissions attached to that role are what every SSO user receives.
Click "Roles" on the left side of the screen.
Click on the "Create role" button.
Set the following:
Trusted entity type: SAML 2.0 federation
SAML 2.0 provider: select the provider that was created (YubiOnPortal in this case)
Access level
Select "Allow programmatic and AWS Management Console access" to allow management console access via SSO.
※Conditions
Add conditions as necessary; none are set in this example.
Finally, click the "Next" button.
On the last screen, configure the following settings.
Role name: enter a descriptive role name.
Description: enter a description of the role.
Select trusted entities: the trust policy generated from the previous step; modify if necessary.
Add permissions: attach the policies the SSO users need. Grant only the minimum required, since every member assigned to this app in YubiOn Portal receives this role's permissions.
Add tags: add tags if desired.
Finally, click the "Create role" button.
Select the role that was created.
Copy the role's ARN into a text editor.
※This value will be used later in the YubiOn Portal configuration.
Finally, download the AWS (SP) side metadata from the following URL
This concludes the setup on the AWS side.
Next, move on to the setting of YubiOn Portal.
Return to the "SSO App Settings" page of YubiOn Portal and import AWS (SP) metadata.
Click "SP Metadata Upload" tab.
Upload AWS (SP) side metadata from SP Metadata Upload.
When a confirmation modal appears, click the "Upload" button to upload.
Next, set the minimum attributes that AWS requires in the SAML assertion.
The required attributes are as follows.
Role: the role ARN and the provider ARN, separated by a comma.
RoleSessionName: an identifier for the logged-in user, such as a name or email address. AWS requires it to be 2 to 64 characters consisting only of letters, digits, underscore and the characters + = , . @ - ; a value containing spaces is rejected at login.
Click the "Attribute Settings" tab in the lower-left corner of the screen.
Set the "Role" attribute to specify the AWS role.
Click the "Edit" icon on the right side of the "Role" template attribute.
Set the following for the attribute value.
Setting method: Select "Direct input."
Value: enter the role ARN and the provider ARN saved during the AWS setup, separated by a comma with no spaces.
E.g., "arn-of-role,arn-of-provider".
Finally, click the "Update" button to update the information.
Next, configure the "RoleSessionName" attribute, which is displayed in the AWS console after login.
Click the "Edit" icon on the right side of "RoleSessionName"
Set the following attribute values.
Setting method: Select "Member Information."
Value: Select "Member Name."
※If member names contain spaces or characters AWS does not accept in a RoleSessionName, choose a member attribute such as the email address instead.
Finally, click the "Update" button to update the information.
This concludes the setup of the attributes.
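The two values this setup hinges on are the role's trust policy on the AWS side (the "Select trusted entities" step of role creation) and the Role / RoleSessionName attribute values just entered on the YubiOn Portal side. As an added example, not part of the original article and not code from YubiOn Portal or AWS, the following Python script generates the trust policy the IAM console attaches to a role created with "SAML 2.0 federation" and console access, builds the Role attribute value in the format entered above, and checks the two against each other and against the RoleSessionName constraint. The account ID, role name and provider name are constructed placeholders; the attribute names, the SAML audience and the session-name rules are AWS-defined.

```python
"""Checks for the values that make or break SAML login to AWS: the IAM role's
trust policy (AWS side) and the Role / RoleSessionName attributes (IdP side)."""
import json
import re

# Values defined by AWS for SAML federation (not assumptions).
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# STS AssumeRoleWithSAML accepts a RoleSessionName of 2..64 chars from [\w+=,.@-].
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):saml-provider/[\w._-]+$")


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy the IAM console generates for 'SAML 2.0 federation' with
    'Allow programmatic and AWS Management Console access': only assertions
    from this provider, addressed to the AWS sign-in audience, may assume the role."""
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """The 'Direct input' value for the Role attribute: role ARN, comma, provider ARN, no spaces."""
    return f"{role_arn},{provider_arn}"


def _actions(statement: dict) -> list:
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def check_mapping(role_value: str, session_name: str, trust_policy: dict) -> list:
    """Return the problems that would make AWS reject the assertion; an empty list means OK."""
    problems = []
    parts = role_value.split(",")
    if len(parts) != 2:
        return [f"Role attribute must be exactly 'role_arn,provider_arn', got {role_value!r}"]
    role_arn, provider_arn = parts
    if role_arn != role_arn.strip() or provider_arn != provider_arn.strip():
        problems.append("Role attribute contains whitespace around the comma")
        role_arn, provider_arn = role_arn.strip(), provider_arn.strip()
    role_m = ROLE_ARN_RE.match(role_arn)
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    if not role_m:
        problems.append(f"first element is not a role ARN: {role_arn!r}")
    if not prov_m:
        problems.append(f"second element is not a SAML provider ARN: {provider_arn!r}")
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        problems.append("role and provider ARNs belong to different AWS accounts")
    # The provider named in the assertion must be the one the role's trust policy trusts.
    trusted = {
        s.get("Principal", {}).get("Federated")
        for s in trust_policy.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in _actions(s)
    }
    if prov_m and provider_arn not in trusted:
        problems.append("role's trust policy does not trust this provider ARN")
    if not SESSION_NAME_RE.match(session_name):
        problems.append(f"RoleSessionName {session_name!r} is not 2-64 chars of [\\w+=,.@-]")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the account ID and names are placeholders, not real resources.
    ROLE_ARN = "arn:aws:iam::123456789012:role/YubiOnPortalSSORole"
    PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/YubiOnPortal"
    policy = build_trust_policy(PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    value = role_attribute_value(ROLE_ARN, PROVIDER_ARN)
    print("Role attribute:", value)
    print("problems:", check_mapping(value, "taro.yamada@example.com", policy))
    print("problems:", check_mapping(value, "Taro Yamada", policy))  # space is not allowed
```

Compare the printed policy with the one shown under "Select trusted entities" on the role, and run the check with your own ARNs and a representative member name before testing the login: it reports the mistakes that otherwise appear only as an error page on the AWS side, namely an ARN from a different account, a provider the role does not trust, or a member name that contains a space.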
Continue to set the members who can access AWS.
The group function can assign all members of a group at once, but it is a paid feature, so this article assigns members individually.
Click on "Assign member" in the lower right corner of the screen.
Select the member to be assigned and click the "Register" button to register.
This completes the SSO setup.
Click the "SSO" icon in the side menu and open "SSO App Login."
Click "AWS Management Console."
The AWS Management Console opens. Congratulations! AWS login was successful.
Conclusion
To switch to or purchase the paid SSO version, please send an inquiry through the Contact Form.