See how OneLogin integrates AWS here: (https://www.OneLogin.com/partners/technology-partners/aws)
1.1) Login to OneLogin as an administrator and click on Administration at the upper right of the console
1.2) Select Applications then Add Application
1.3) Search for
AWS and select the Amazon Web Services (AWS) Multi Account
1.4) Set a name for the App and choose Save
1.5) Go to the Configuration section.Click on the “Generate Token” and note down the generated value, you will need it on step 2.5 d. Choose Save
1.6) Note down the OneLogin IdP metadata link. Choose More Actions, right click on SAML Metadata and select Copy Link Location. You will need it on step 2.5 c)
Keep this tab open, we will get back to this in section-3.
2.1) Download the CloudFormation template aws-onelogin-integration.template
2.2) Go to the CloudFormation StackSet console in the
Master account and click Create StackSet
2.3) Select Upload a template file, select the
aws-onelogin-integration.template which will be uploaded to S3 and then click on Next
2.4) Set a name for your StackSet, for example
2.5) Let’s configure the template parameters now.
a) Determine if you require those roles or not for the Control Tower integration. By default its creation is done, otherwise select false in its related field
b) Set the OneLogin Identity Provider Metadata URL you copied from your OneLogin AWS application configuration in Step 1.5
c) Set the OLExternalId, that will be assigned to the Role that will use OneLogin to extract the Role List. You generated that value in Step 1.4
Then Click Next
2.6) In Configure StackSet options page, under the Permission section, choose Self service permissions and for the IAM Admin Role ARN, Select AWSControlTowerStackSetRole from the list under IAM role name. Type in
AWSControlTowerExecution for IAM Execution role name and click on Next
2.7) Specify the Accounts and Region to deploy into, and click Next
- Organizational Units (OUs)
- or a CSV list of valid accounts.
These are the accounts that you want to federate the users through OneLogin.
2.8) Review, Acknowledge the IAM box, and [Submit]
2.9) Wait for all of the instances to be created successfully.
3.1) Configure OneLogin application
TIP: You can lookup your IdP ARN in your AWS account/IAM Console/Identity providers - Direct link
3.2) Refresh the entitlements in OneLogin applicaiton
When you refresh entitlements, OneLogin uses the AWS API to get your AWS accounts and roles that have been enabled for OneLogin SSO.
3.3) [Optional] Map Onelogin roles to AWS Multi account app and provide additional app security policy if needed.
3.4) Create Rules on OneLogin to assign to AWS acount/role(s).
3.5) Reapply the provisioning mappings
Note: You can also assign individual OneLogin users to AWS account | role pairs by selecting the account | role pairs directly on the user’s login record for the app, as long as you’ve already given the user access to your AWS Multi Account app in OneLogin. Go to the Users tab in the AWS Multi Account app edit page, select the user from the User list, select the roles you want to assign from the Available values list, click the right arrow to add them to the Selected values list, and click Save.
3.6) Log in to AWS accounts using OneLogin SSO
Now when your users log in to AWS using OneLogin SSO. They will be presented with an AWS page that lets them choose from among the accounts and roles you’ve given them access to.
they will be presented with an AWS page that lets them choose from among the accounts and roles you’ve given them access to.