Unkey

Google as an Identity Provider for AWS

Step-by-step guide for configuring Google Workspace as a SAML 2.0 Identity Provider (IdP) for AWS IAM Identity Center (formerly AWS Single Sign-On)

Create custom attributes in Google

You need Super Admin privileges in Google Workspace for this step.

Navigate to Directory -> Users in the UI

In the More options menu, navigate to Manage custom attributes and then click ADD CUSTOM ATTRIBUTE. Configure the custom attribute as shown in the screenshot (it is referenced later in the attribute mapping as Amazon > Role):

[Image: Google Workspace custom attributes configuration showing the Amazon Role attribute settings]

Click Save in the modal.

Set up AWS as a SAML 2.0 Service Provider

You need to have AWS IAM Identity Center enabled at this point.
Navigate to IAM Identity Center settings in your AWS Console (typically at https://{region}.console.aws.amazon.com/singlesignon).
In Identity Source, click the Change Identity Source button, select External Identity Provider, and then click Next.
The information for the AWS SAML 2.0 SP is in the 1password entry AWS SAML 2.0 SP.
Download the metadata XML file from the 1password entry Google IdP and upload it to the IdP SAML metadata field in the Identity provider metadata section.

Next we'll configure the AWS SAML app in Google Workspace.

Configuring AWS App in Google Workspace

Click Add app and then Search for apps.
Type Amazon Web into the search field and select the Amazon Web Services app.
Click Continue; we already have this information.
Copy the values from the 1password entry AWS SAML 2.0 SP into the matching fields (e.g. IAM ACS URL into the ACS URL field, and so on).
In the Name ID section, change Name ID format from UNSPECIFIED to EMAIL.
For Name ID, leave it at Basic Information > Primary email, then click Continue.
In the Attributes section, under Google Directory attributes, map our previously created custom attribute Amazon > Role to https://aws.amazon.com/SAML/Attributes/Role and Basic Information > Primary email to https://aws.amazon.com/SAML/Attributes/RoleSessionName.
Click Save, then in the User access section turn the Service status to ON for everyone.
Verify the configuration by clicking the Test SAML login link in the Google Workspace admin console to ensure the setup is working correctly.
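As an added check that is not part of this guide, the script below parses a decoded SAMLResponse (the form field is base64-encoded; decode it first) and confirms it carries the Name ID format and the two AWS attributes mapped above. The sample response is constructed for illustration, the account id and SAML provider name are placeholders, and the "role ARN,provider ARN" shape is the format AWS documents for the Role attribute, assumed here.

```python
# Added check (not from the guide): verify a decoded SAMLResponse carries the
# NameID format and AWS attributes configured in the Google Workspace app above.
import re
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# AWS documents each Role value as "<role ARN>,<SAML provider ARN>" (same account)
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[^,]+,arn:aws:iam::\1:saml-provider/[^,]+$")

def check_assertion(xml_text):
    """Return the list of mapping problems found; an empty list means it matches."""
    assertion = ET.fromstring(xml_text).find(".//saml:Assertion", SAML)
    if assertion is None:
        return ["no saml:Assertion element in the response"]
    problems = []
    name_id = assertion.find("./saml:Subject/saml:NameID", SAML)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or its Format is not EMAIL (step: Name ID format)")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address (step: Basic Information > Primary email)")
    attrs = {}
    for attr in assertion.findall("./saml:AttributeStatement/saml:Attribute", SAML):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
    roles = attrs.get(ROLE_ATTR) or []
    if not roles:
        problems.append("Role attribute missing: check the Amazon > Role custom attribute mapping")
    problems += [f"bad Role value (want role-arn,provider-arn): {r}" for r in roles if not ROLE_RE.match(r)]
    session = attrs.get(SESSION_ATTR) or []
    if len(session) != 1 or "@" not in session[0]:
        problems.append("RoleSessionName must be exactly one value, the user's primary email")
    return problems

# Constructed sample response; the account id and provider name are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    >alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue
      >arn:aws:iam::123456789012:role/AdministratorAccess,arn:aws:iam::123456789012:saml-provider/GoogleWorkspace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue
      >alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE) or "mapping OK")
```

This only checks the attribute mapping; the assertion signature and audience are validated by AWS when the assertion is posted to the ACS URL.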

Enable automatic user provisioning in IAM Identity Center

On the IAM Identity Center page, you should see an "Automatic provisioning" callout box with an Enable button. Click Enable.
This presents a modal containing a SCIM endpoint URL and an access token. These values are in the 1password entry AWS SCIM Provisioning.
Navigate to the AWS app in Google Workspace and open the Autoprovisioning section. On the first page, enter the access token from the 1password entry mentioned above and click Continue. On the following page, enter the SCIM Endpoint URL from the same 1password entry. Click Continue through the remaining screens until you're back at the AWS app page.
Toggle Autoprovisioning from Inactive to Active. You should soon see a number of users created in the last 30 days (7 at time of writing).

Creating and assigning AWS permission sets

Navigate to the Permission sets page in the IAM Identity Center console.
Create a permission set using the predefined AdministratorAccess permission set and click Next.
In the Multi-account permissions > AWS accounts section, select the accounts you want to apply the permission set to and then click the Assign users or groups button. This presents a page with the Groups tab selected; switch to the Users tab, select all the users you'd like to assign, and then click Next.
On the following page, select the AdministratorAccess permission set and choose Next. On the review and submit page, validate that the users are the ones you expect and then choose Submit.
AWS will then configure and provision the access for those users.

Test authentication

Navigate to your AWS start URL (found in the IAM Identity Center settings under "Dashboard") and sign in with Google Workspace. You will be presented with a list of accounts and the roles you may assume. Celebrate your success!

Next steps

There's no automatic provisioning of groups from Google Workspace to AWS IAM Identity Center, so enabling ssosync is the next step. Docs forthcoming...
