In this lab we will walk through how to integrate Google's GSuite as an authentication source for Control Tower. We'll be leveraging the external identity provider capabilities of the AWS Single Sign-On service and enabling automated account provisioning, while roles and rights will be managed by the permission sets feature.
Throughout this lab, alias stands for the mailbox/username and domain for a genuine domain you control, so the full address is written alias@domain.
Before we can start to configure the lab you'll need to create a Google GSuite instance, signup here. Details of a 14 day free trial are available here.
You’ll need to validate the domain you register for it.
In this section we are going to configure AWS SSO to use Google GSuite as an External Identity Provider.
* Log into the Google Admin portal
* Click on the menu
* Select Apps, SAML apps
* Click Add a service/App to your domain
* Step 1
* Click SETUP MY OWN CUSTOM APP
* Step 2 of 5
* Option 2
* Click DOWNLOAD
* Save to your computer
* Click NEXT
* Step 3 of 5
* Application Name : AWS SSO
* Description : leave blank
* Save this AWS logo to a png,
* Click CHOOSE FILE
* Select the AWS logo image file
* Click NEXT
* Step 4 of 5
* ACS URL : AWS SSO ACS URL
* Entity ID : AWS SSO issuer URL
* Start URL : AWS SSO Sign-in URL
* Check Signed Response
* Name ID : Basic Information : Primary Email
* Name ID Format : EMAIL
* Click NEXT
* Click FINISH
* Switch back to the browser tab On the AWS SSO
* in the section Identity provider metadata
* Click Browse and select the GoogleIDPMetadata-domain.xml document you saved above
* Click Next: Review
* Review and confirm
* Review the information provided
* Type ACCEPT in the field at the bottom
* click Change Identity source
* Once the reconfiguration has completed click Return to settings
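As an added check (not part of the original lab), the following Python inspects the GoogleIDPMetadata-domain.xml you downloaded in Step 2 before you upload it to AWS SSO: it extracts the entity ID and SSO endpoints that AWS SSO will use, and flags a missing signing certificate, a non-https endpoint or a missing emailAddress NameID format. The embedded metadata is a constructed sample whose idpid and certificate are placeholders; run it against the real file with inspect_idp_metadata(open(path).read()).

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in the GoogleIDPMetadata-<domain>.xml document downloaded in Step 2.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of Google IdP metadata; the idpid and certificate are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER_IDPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER_IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what AWS SSO consumes from the IdP metadata; empty 'findings' means it looks sound."""
    root = ET.fromstring(xml_text)
    out = {"entity_id": root.get("entityID", ""), "sso": {}, "name_id_formats": [], "findings": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        out["findings"].append("not an IdP EntityDescriptor: wrong file downloaded?")
        return out
    # AWS SSO verifies the signed SAML response against the signing certificate published here.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # an absent 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                try:
                    der = base64.b64decode((c.text or "").strip())
                except ValueError:
                    continue
                if der[:1] == b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE
                    certs.append(der)
    if not certs:
        out["findings"].append("no usable signing certificate: signed responses cannot be verified")
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding", "").rsplit(":", 1)[-1], svc.get("Location", "")
        out["sso"][binding] = location
        if not location.startswith("https://"):
            out["findings"].append(f"{binding} SSO endpoint is not https: {location}")
    if not {"HTTP-POST", "HTTP-Redirect"} & set(out["sso"]):
        out["findings"].append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    out["name_id_formats"] = [n.text or "" for n in idp.findall("md:NameIDFormat", NS)]
    if not any(f.endswith(":emailAddress") for f in out["name_id_formats"]):
        out["findings"].append("emailAddress NameID format not advertised; the lab sets Name ID Format to EMAIL")
    return out
```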
Open the Google Developer’s console
* Click CREATE PROJECT
* New Project
* Project name : SCIM-SSO-sync
* Location : leave blank
* Click CREATE
* You will now be within the project you just created
* Click + ENABLE APIS AND SERVICES
* Click in Search for APIs & Services and enter Admin SDK
* Click ENABLE
Open the Google Developer’s console
* Select the project you created earlier
* Click + CREATE SERVICE ACCOUNT
* Create service account
* Service account name : aws-sso
* Service account id : aws-sso@scim-sso-sync.iam.gserviceaccount.com
* Service account description :
* Click CREATE
* Service account permissions (optional)
* Click Continue
* Grant users access to this service account (optional)
* Click DONE
* Service accounts for project “SCIM-SSO-sync”
* Click on the Actions option in the row for the service account you just created and click Create key
* In the Create private key for "AWS-SSO" dialogue
* Select JSON
* Click CREATE
* In the Private key saved to your computer
* Rename the JSON file just downloaded to credentials.json and move it to a safe place (you'll need it later in this lab).
* Click CLOSE
* Click on the Actions option again and click edit
* Service account details
* Click on SHOW DOMAIN-WIDE DELEGATION
* Check Enable G Suite Domain-wide Delegation
* Product name for the consent screen : AWS SSO SCIM v2 provisioner
* Email address : leave as default
* Click SAVE
Open the Google Developer's console
* From the main menu select APIs & Services and then Credentials.
* In the OAuth 2.0 Client IDs section
* Copy the Client ID to your clipboard
Open the GSuite Domain Console, and from the main menu select Security, then API controls
* In the Domain-wide delegation section, click MANAGE DOMAIN WIDE DELEGATION
* Domain-wide Delegation
* Click Add new
* In the Add a new client ID dialogue
* Client ID : paste from your clipboard
* OAuth scopes (comma-delimited) : https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
* Click Authorize
* Switch back to the browser tab On the AWS SSO - Settings
* Click on the link Enable automatic provisioning
* You’ll need to copy and paste the following fields into the Amazon Web Services (AWS) | Provisioning form on the tab you left open on the A
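As an added example (not from the lab or the ssosync project), this Python checks that the credentials.json key file and the domain-wide delegation grant line up with what the lab intends: the authorized Client ID must be the one in the key file, and the OAuth scopes must be exactly the three read-only Directory scopes, so the sync function can mirror users and groups but not modify the directory. The sample credentials.json is constructed with placeholder values.

```python
import json
import re

# Scopes the lab authorizes for the client ID (the comma-delimited string entered in the console).
LAB_SCOPES = ("https://www.googleapis.com/auth/admin.directory.group.readonly,"
              "https://www.googleapis.com/auth/admin.directory.group.member.readonly,"
              "https://www.googleapis.com/auth/admin.directory.user.readonly")

# The read-only scopes directory sync needs; anything else grants more than mirroring requires.
REQUIRED_SCOPES = frozenset(LAB_SCOPES.split(","))

# Constructed sample credentials.json; ids and key material are placeholders, not real values.
SAMPLE_CREDENTIALS = json.dumps({
    "type": "service_account",
    "project_id": "scim-sso-sync",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "aws-sso@scim-sso-sync.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

def check_delegation(credentials_json: str, authorized_client_id: str, granted_scopes: str) -> list:
    """Return findings for the delegation grant; an empty list means it matches the lab's read-only setup."""
    findings = []
    try:
        creds = json.loads(credentials_json)
    except json.JSONDecodeError:
        return ["credentials.json is not valid JSON"]
    if creds.get("type") != "service_account":
        findings.append("credentials.json is not a service-account key (type != service_account)")
    if not re.fullmatch(r"[a-z][a-z0-9-]*@[a-z][a-z0-9-]*\.iam\.gserviceaccount\.com", creds.get("client_email", "")):
        findings.append("client_email is not a service-account address")
    if "BEGIN PRIVATE KEY" not in creds.get("private_key", ""):
        findings.append("private_key missing: the file must be the JSON key downloaded in Create key")
    # The client ID authorized under Domain-wide Delegation must be the one in this key file,
    # otherwise the sync function authenticates as a different identity than the one you reviewed.
    if str(creds.get("client_id")) != authorized_client_id:
        findings.append(f"authorized client ID {authorized_client_id} does not match key client_id {creds.get('client_id')}")
    scopes = {s.strip() for s in granted_scopes.split(",") if s.strip()}
    for missing in sorted(REQUIRED_SCOPES - scopes):
        findings.append(f"missing scope needed for directory sync: {missing}")
    for extra in sorted(scopes - REQUIRED_SCOPES):
        level = "read-only" if extra.endswith(".readonly") else "write"
        findings.append(f"scope beyond the lab's read-only set ({level}): {extra}")
    return findings
```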
Open the AWS Console and then launch the application from the AWS Serverless Application Repository
* Application settings
* Application name : ssosync
* GoogleAdminEmail : your admin user in GSuite
* GoogleCredentials : the content of credentials.json
* SCIMEndpointAccessToken : access token from AWS SSO
* SCIMEndpointUrl : SCIM endpoint from AWS SSO
* SSOSyncFunction
* LogFormat : leave as default
* LogLevel : leave as default
* ScheduleExpression : leave as default
* Check I acknowledge that this app creates custom IAM roles.
* Click Deploy
We are going to create a group to represent our Financial Operations team members, who should have permission to access billing information on our organisation's master payer account.
* On the top ribbon, click the menu and select Directory, then Groups
* Click Create group
* click + New group
* Group information
* Group details
* Name : AWSFinOpsUsers
* Group description : Cross Account Financial Operations Users.
* Group email : AWSFinOpsUsers@domain
* Group owner(s) : your admin user's email address
* Click Next
* Group settings
* Access type
* Select Team
* Click Create Group
* On the top ribbon, click the menu and select Apps, then SAML Apps
* Click on the App you created earlier.
* Click Test SAML login
* Click GRANT ACCESS
* On the left pane click on Groups, then Search for a group
* Select AWSFinOpsUsers
* Service status
* Service status : Check on
* Click SAVE
* Open the AWS console for AWS SSO
* Click on Users in the left panel, and check that your users have been replicated from the Google GSuite Directory
* Click on Groups in the left panel, and check that your groups have been replicated from the Google GSuite Directory
We'll now create a permission set with appropriate rights for the Financial Operations team.
* Switch to the browser tab On the AWS SSO
* In the left panel, click AWS accounts, and then the Permission sets tab
* Click Create permission set
* Create new permission set
* select Use an existing job function policy
* Click Billing and click Create
* Click on Billing in the list of permission sets
* Billing - Permissions tab
* Click Edit
* Relay state : https://console.aws.amazon.com/billing/home?#/
* Click Continue
* Click Finish
We now need to assign the GSuite group AWSFinOpsUsers@domain, with the Billing permission set, to the master payer account.
* Switch to the browser tab On the AWS SSO
* In the left panel, click AWS accounts, and then the AWS organization tab
* Click Root
* Check your master account and click Assign users
* Assign Users
* Click the Groups tab
* Check AWSFinOpsUsers
* Click Next: Permission sets
* Select permission sets
* check Billing
* Click Finish
* Complete
* Click Proceed to AWS accounts
In this section, you'll create a test user in the GSuite admin console.
* In the GSuite admin console, from the main menu, click Directory, Users
* Click Add new user on the top menu.
* New user
* Select Create user
* Identity
* User name : alias@domain
* Name : your first name your last name
* First name : your first name
* Last name : your last name
* Groups and roles
* click 0 groups selected
* select AWSFinOpsUsers
* click Select
* Roles : User
* Settings
* Block sign in : No
* Usage location : leave blank
* job info
* job title : leave blank
* Department : leave blank
* click Create
* In the list of users, click your first name your last name (the user you just created)
* click Reset password on the top menu
* in the righthand menu, click Reset password
* copy the Temporary password to the clipboard
Now we can see what the experience we've configured looks like for our test user. Sign in with:
* User name : alias@domain
* Password : the temporary password you copied to the clipboard
In the Master account:
In the Google Cloud Platform portal
In the Google Gsuite portal
*Copyright 2020, Amazon Web Services, All Rights Reserved.*