# Use SAML2 to log in to the AWS console (China)

The configuration for the AWS China region differs slightly from the international regions. This article describes how to configure an Authing SAML2 IdP so that users can log in to the AWS China console.

# Preparation

If you do not have an Authing account yet, register one, then [create a user pool](/quickstart/create-authing-account.md#authing-user pool) and [create an application](/quickstart/create-authing-account.md#create your first application).

# Configure Authing SAML2 IdP

Go to Control Panel > Applications > Application List, find your application, and click "Configuration".

Click "Configure SAML2 Identity Provider", turn on the "Enable SAML2 Provider" switch, and fill in the default ACS address: `https://signin.amazonaws.cn/saml`.

Paste the following into the settings field:

```json
{
  "audience": "https://signin.amazonaws.cn/saml",
  "recipient": "https://signin.amazonaws.cn/saml",
  "destination": "https://signin.amazonaws.cn/saml",
  "mappings": {
    "email": "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
  },
  "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
  "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "samlRequestSigningCert": ""
}
```

At the bottom, add a custom SAML Response attribute with the Name `https://aws.amazon.com/SAML/Attributes/Role` and the type `Uri`. Fill in the value in this format: `arn:aws-cn:iam::<AWS account ID>:role/<role name>,arn:aws-cn:iam::<AWS account ID>:saml-provider/<identity provider name>`. Click "Save".

You can fill in `<AWS account ID>`, `<identity provider name>` and `<role name>` with placeholder values for now and correct them after the AWS IAM console has been configured.
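The value of the custom Role attribute is the part of this setup that is easiest to get subtly wrong: both ARNs must be in the `aws-cn` partition (a global `arn:aws:` ARN will not work against the China console), both must belong to the same account, and the pair is split on the comma. The following added example, which is not part of the Authing documentation or the Authing product, builds and checks that value, renders the AttributeStatement that AWS reads (the `RoleSessionName` attribute comes from the `email` mapping in the settings JSON above), and parses it back so you can inspect what an IdP emitted. It only covers the attribute statement, not the signed assertion around it, and it deliberately rejects IAM paths and commas in resource names; the sample account ID and names are constructed placeholders.

```python
import re
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Shape of the two IAM ARNs AWS expects in each Role attribute value.
# Assumption for this example: no IAM path, and no comma in the resource
# name, since AWS splits the attribute value on the comma.
_IAM_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"(?P<kind>role|saml-provider)/(?P<name>[\w+=.@-]+)$"
)


def parse_iam_arn(arn: str) -> dict:
    """Split an IAM role or saml-provider ARN into partition, account, kind, name."""
    m = _IAM_ARN.match(arn)
    if not m:
        raise ValueError(f"not a recognised IAM role/saml-provider ARN: {arn}")
    return m.groupdict()


def role_attribute_value(role_arn: str, provider_arn: str, partition: str = "aws-cn") -> str:
    """Build 'role_arn,provider_arn' in the order the article uses, after checking
    that both ARNs are in the expected partition and the same AWS account."""
    role, provider = parse_iam_arn(role_arn), parse_iam_arn(provider_arn)
    if role["kind"] != "role":
        raise ValueError(f"first ARN must be an IAM role: {role_arn}")
    if provider["kind"] != "saml-provider":
        raise ValueError(f"second ARN must be an IAM saml-provider: {provider_arn}")
    for label, parsed in (("role", role), ("saml-provider", provider)):
        if parsed["partition"] != partition:
            raise ValueError(
                f"{label} ARN is in partition {parsed['partition']!r}, expected {partition!r}"
            )
    if role["account"] != provider["account"]:
        raise ValueError("role and saml-provider must belong to the same AWS account")
    return f"{role_arn},{provider_arn}"


def validation_error(role_arn: str, provider_arn: str, partition: str = "aws-cn"):
    """Return the validation message for a pair, or None when it is acceptable."""
    try:
        role_attribute_value(role_arn, provider_arn, partition)
    except ValueError as exc:
        return str(exc)
    return None


def build_attribute_statement(email: str, role_pairs, partition: str = "aws-cn") -> str:
    """Render the AttributeStatement AWS reads: RoleSessionName (the user's
    email, as mapped in the settings JSON) plus one Role value per
    (role_arn, provider_arn) pair. The surrounding signed Assertion is omitted."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    session = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SESSION_NAME_ATTR)
    ET.SubElement(session, f"{{{SAML_NS}}}AttributeValue").text = email
    roles = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=ROLE_ATTR)
    for role_arn, provider_arn in role_pairs:
        value = ET.SubElement(roles, f"{{{SAML_NS}}}AttributeValue")
        value.text = role_attribute_value(role_arn, provider_arn, partition)
    return ET.tostring(stmt, encoding="unicode")


def extract_role_pairs(xml_text: str, partition: str = "aws-cn"):
    """Parse an AttributeStatement back into validated (role_arn, provider_arn)
    pairs; useful for checking what the IdP actually emitted before testing."""
    root = ET.fromstring(xml_text)
    pairs = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            parts = (value.text or "").split(",")
            if len(parts) != 2:
                raise ValueError(f"Role value must be 'role_arn,provider_arn': {value.text!r}")
            role_attribute_value(parts[0], parts[1], partition)  # re-validate on the way in
            pairs.append((parts[0], parts[1]))
    return pairs


if __name__ == "__main__":
    # Constructed sample values; the account ID and names are placeholders.
    role = "arn:aws-cn:iam::123456789012:role/AuthingAdmin"
    provider = "arn:aws-cn:iam::123456789012:saml-provider/Authing"
    xml = build_attribute_statement("alice@example.com", [(role, provider)])
    print(xml)
    print(extract_role_pairs(xml))
    # A role ARN from the global partition is rejected for the China console:
    print(validation_error("arn:aws:iam::123456789012:role/AuthingAdmin", provider))
```

Because the role named in this value is the one every federated user assumes, its attached policy defines what a compromised Authing account could do in AWS; the validator catches malformed values, but the choice of policy is where the real risk sits.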

Finally, download the metadata file of the SAML2 Identity Provider:

`https://core.authing.cn/api/v2/saml-idp/<application ID>/metadata`

# Configure AWS IAM console

Log in to the AWS IAM console, go to Access Management > Identity Providers, and click "Create Provider".

Select SAML, fill in the provider name, upload the metadata file just downloaded, and click "Next".

Click "Create".

After the provider has been created, go to Access Management > Roles and click "Create Role".

Select "SAML 2.0 federation", choose the SAML provider you just created (Authing) from the SAML provider list, select "Allow programmatic and AWS Management Console access", and click "Next".

Grant the role its permissions; this article attaches AdministratorAccess, the broadest policy available. Then click "Next".

Click "Next".

Fill in a role name, record the identity provider ARN shown below it, and click "Create Role".

Find the role you just created in the role list and click to view details.

Record the role ARN.

Go back to the Authing console, replace the placeholder values in the custom SAML Response attribute of the Authing SAML2 IdP with the correct role ARN and identity provider ARN, and click "Save".

# Test connection

Visit the following address in the browser: `https://core.authing.cn/api/v2/saml-idp/<application ID>`

Choose a method to log in.

After a successful login, you will be redirected to the AWS console.