AWS SSO SAML Setup
This guide details configuring a Turbot application in AWS as well as the directory in Turbot. Administrator access in AWS and Turbot/Owner permissions in Turbot are required for configuration.
Create the Directory in Turbot
- In Turbot, navigate to the Turbot resource, then click on the Permissions tab (designated with a user icon), and finally on the Directory card.
- Click New Directory and select SAML.
- Enter the following information:
- Title: The title for this directory that will display in the login screen.
- Description: A description for this directory.
- Entry Point: This is the identity provider's single sign on URL.
- Issuer: This is the identity provider issuer URL .
- Certificate: This is the Certificate from the identity provider
- The Profile ID Template can generally be left at the default value, `{{profile.email}}`. This is the unique identifier for any new user profile.
- Under the Advanced tab, there is an option to Enable or Disable IdP-initiated SSO logins. If checked, IdP-initiated SSO will be allowed. There are security risks associated with allowing IdP-initiated SSO, because the InResponseTo field cannot be used to tie an assertion to an SP-solicited authentication request. Please be fully aware of the security impact that not validating the InResponseTo field can have before making this change. Often, however, this setting is dictated by an organization's security team and can be verified prior to directory creation.
- If a user attempts to log in using SAML and gets an `InResponseTo is missing from response` error, the IdP-initiated SSO box will need to be checked.
- Click Create.
- The directory is now created and will appear in the list of directories. The directory can be activated immediately, but it will not function correctly until the SAML application has been configured in AWS SSO.
- Click the Edit pencil next to the new directory. Scroll to the bottom of the window and copy the Callback URL.
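The InResponseTo decision above is easier to reason about with the SP-side check spelled out. The following is an added example, not Turbot's or AWS SSO's code: it parses a constructed (unsigned, sample-only) `samlp:Response`, verifies the Issuer and Audience against the values you configure in the directory (the Issuer field and the Callback URL used as ACS URL and audience), and then applies the InResponseTo rule: an SP-initiated response must carry an InResponseTo that matches an authentication request this SP actually issued, and a response without one is only accepted when IdP-initiated SSO is explicitly allowed. The issuer and callback URLs are placeholders, and XML signature verification against the downloaded IdP certificate is assumed to happen separately before this check.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a Response / Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder values standing in for what you copy into the Turbot directory.
ISSUER = "https://portal.sso.example.com/saml/assertion/PLACEHOLDER"
CALLBACK_URL = "https://turbot.example.com/api/v5/directory/saml/callback"


def make_response(in_response_to=None):
    """Build a minimal, unsigned samlp:Response for demonstration.

    Constructed sample data, not real AWS SSO output. When in_response_to is
    None the response mimics an IdP-initiated (unsolicited) login.
    """
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_resp1" Version="2.0"%s Destination="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        '<saml:Audience>%s</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    ) % (irt, CALLBACK_URL, ISSUER, ISSUER, CALLBACK_URL)


def check_saml_response(xml_text, expected_issuer, expected_audience,
                        outstanding_request_ids, allow_idp_initiated=False):
    """Validate issuer, audience and the InResponseTo binding of a response.

    outstanding_request_ids is the set of AuthnRequest IDs this SP has issued
    and not yet consumed; a matching ID is removed so it cannot be replayed.
    Returns (accepted, reason). Signature verification is assumed to have
    already succeeded; this function does not perform it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"

    # The Issuer must be the IdP we configured, nobody else.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, "issuer mismatch: %r" % issuer

    # The assertion must be addressed to this SP (the Callback URL).
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch: %r" % audiences

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited response: nothing ties it to a request we made.
        if not allow_idp_initiated:
            return False, "InResponseTo is missing from response"
        return True, "accepted unsolicited (IdP-initiated) response"

    if in_response_to not in outstanding_request_ids:
        return False, "InResponseTo does not match an outstanding request"
    outstanding_request_ids.discard(in_response_to)  # one-time use
    return True, "accepted SP-initiated response"


if __name__ == "__main__":
    pending = {"_req-42"}
    print(check_saml_response(make_response("_req-42"), ISSUER, CALLBACK_URL, pending))
    print(check_saml_response(make_response(None), ISSUER, CALLBACK_URL, set()))
    print(check_saml_response(make_response(None), ISSUER, CALLBACK_URL, set(),
                              allow_idp_initiated=True))
```

With the IdP-initiated box unchecked, the second call fails with exactly the message the guide quotes; checking the box corresponds to passing `allow_idp_initiated=True`, at which point the SP is relying on issuer, audience and signature checks alone.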
AWS SSO Configuration
- Log in to the AWS Organizations master account that contains the AWS SSO directory.
- Go to AWS SSO Service.
- Select Applications → Add a new Application → Add a custom SAML 2.0 Application.
- Set the Display Name and Description to values that make sense, such as Turbot.
- Scroll down to Application metadata and select the option If you don't have a metadata file, you can manually type your metadata values.
- From the Turbot directory you created, copy the Callback URL and paste it into the Application ACS URL and the Application SAML audience fields in AWS.
SAML Attribute Mapping
- Select the Attribute Mapping tab in AWS SSO for the Application you have created.
- Replicate the following fields in the application. Note that attributes are referred to as `${user:attribute}`, and the attributes in the first column are case sensitive. Refer to the AWS SSO Attribute docs for more information:
- Click Save Changes.
Re-configure Turbot Directory
- In AWS SSO for your Turbot SAML application, copy the AWS SSO sign-in URL, AWS SSO sign-out URL, and AWS SSO issuer URL and paste them in a new file.
- Download the AWS SSO certificate.
- In Turbot, paste the AWS SSO sign-in URL into the Entry Point field and the AWS SSO issuer URL into the Issuer field.
- Copy the AWS SSO Certificate into the Turbot Directory Certificate field.
- Click Update.
- On the Directories page, be sure to click the up arrow in the new directory's row to activate it.
- You can now test the directory by logging in with your new SAML directory. Please note that when you first log in you will not have any permissions associated with your new profile. Once the SAML user profile exists, any existing administrator can assign the proper rights.