Single Sign On - OneLogin

Estimated Average time taken to complete the lab : 20 minutes


In this lab, we will walk through how to integrate OneLogin with AWS Control Tower. We’ll leverage the external identity provider capabilities of the AWS Single Sign-On service (AWS SSO) and enable automated account provisioning. The AWS SSO permissions sets feature will manage roles and rights.


To get started, you need the following items:

  • This lab requires an AWS account with Administrator privileges and access to AWS Control Tower in that account as an Administrator.
  • It requires a OneLogin account for which we will be utilizing an OneLogin Developer free account to create our OneLogin instance and test users for this lab. Sign up for an account here

Configure OneLogin - Create an Amazon Web Services Single Sign On (AWS SSO) App

First we need to create an Amazon Web Services Single Sign On (AWS SSO) integration app.

  • Sign in to OneLogin as an administrator and navigate to the admin portal. (if you don’t have one, Sign up here)

  • Go to Applications, Applications, Add Apps, then search for and select and select AWS Single Sign-On. Change the Display Name if you’d like, then choose Save.

* Choose More Actions and select the option to download SAML metadata, then store the file as OneLogin-idp.xml on your computer, close the browser tab displaying the metadata. * Leave this browser tab open

Configure AWS SSO - Service Provider Metadata & Automated Provisioning

Let’s switch to AWS console. In this section we are going to configure AWS SSO to use OneLogin as an External Identity Provider and gather the information we’ll need from SSO to complete the pairing.

  • On AWS SSO Dashboard, under Recommended setup steps, choose 1. Choose your Identity source.
  • In the Identity Source section, in the row Identity Source, choose the Change link.
  • Choose External Identity Provider . Next,choose Show individual metadata value under Configure external identity provider > Service provider metadata.
  • Note down the values for AWS SSO ACS url and AWS SSO issuer Url. We will use it in the next steps.
  • Scroll down to “Identify provider metadata” and upload the SAML Metadata downloaded from OneLogin OneLogin-idp.xml in the previous step and choose Next: Review and CONFIRM the changes.

  • Under AWS SSO, Settings, Identity source, provisioning, choose Enable Automatic Provisioning If you already have it configured then you can choose View Details under Provisioning | SCIM.

  • Copy the SCIM endpoint (Also known as the SCIM Base URL).

  • Also generate and copy a new Access token (also known as a SCIM Bearer token).

  • Leave this browser tab open, and go back to your previous tab to access your OneLogin Console

OneLogin – Configure SAML 2.0 parameters

  • Inside your OneLogin portal, inside your recently created AWS SSO app, choose on Configuration.Enter the following details gathered from AWS SSO in the previous section.

    • AWS SSO issuer URL
    • SCIM Base URL (Also known as a SCIM endpoint If there is a trailing slash ‘/’ be sure to remove it)
    • SCIM Bearer Token (Also known as an Access token)
  • To complete the configuration, choose Enable under API Connection, and choose Save.

OneLogin - Enable Provisioning

  • Next, choose Provisioning and select Enable Provisioning. You can select the create, delete and update user boxes for admin approval on these actions and then Save the configuration.

  • While under Provisioning , choose Refresh under Entitlements this would pull and sync existing Groups from AWS SSO into OneLogin.

  • Choose Save.

OneLogin – Configure Parameters & Rules for Groups

  • Choose Parameters

    • Navigate to Optional Parameters
    • Choose Groups -> Choose Include in User Provisioning
    • Choose Save , this Enables Groups Provisioning into AWS SSO

  • Choose Rules, Add Rule.
    • Provide a Name to your Rule - eg. AWS Groups
    • You can skip conditions for now.
    • Under Actions –> Choose Set Groups in AWS Single Sign-On.
    • Select Map from OneLogin
    • From the drop Down, select For Each Role with value that matches .*.
    • Choose Save

OneLogin - Configure Groups & Users

  • Next, Users on the top ribbon

    • Under the dropdown , Choose Roles. ( Think Roles as Groups)
    • Choose New Role to create a new role.
    • Name the role yourprefix-FinopsRole
    • Under Select Apps to Add, select your AWS Single Sign On App
    • Choose Save
  • Now under Roles, choose the Role you just created to assign Users.

    • Choose Users
    • Under Check existing or add new users to this role, enter the userName (eg. the user you have logged into OneLogin portal ) and choose Check.
    • Choose Add to Role
    • Choose Save

OneLogin - Verify Groups, Users & Apps Assignment

  • Choose Users , under the dropdown choose Users on the top ribbon
    • Choose your user-name which was setup above, choose Applications to verify the Roles assigned.
    • If you had created the Rule while you are creating the app, the mappings are applied right away to add and sync the users to AWS SSO.
    • If you create the Rule after you have created the app, then choose More Actions > Reapply Entitlements.
    • If provisoning is under PENDING status, choose Approve toS propagate the changes to AWS SSO.

  • Check the Activity Tab for Events for messages like user provisioned into AWS SSO , groups synced or any other errors if any.

AWS SSO - Verify Group Sync and User Sync.

  • Login into AWS SSO and choose groups and search for companyFinOpsRole which should have synced from OneLogin via SCIM.

  • In the left panel, choose Users,
    • In the list of users you should now see the account we created above
    • Choose on the Display nameyour first name your last name” with Username
    • you should see that the user was Created By : SCIM

AWS SSO - Assign Permission Sets

We’ll now create a permission with appropriate rights for the Financial Operations Team Users.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, choose AWS accounts, and then the Permission sets tab
  • Choose Create permission set
  • Create new permission set
    • select Use an existing job function policy
    • Choose Billing and choose Create
  • Choose on Billing in the list of permission sets
  • Billing - Permissions tab

AWS SSO - Assign Users

We now need to add the group of users represented by the group (from OneLogin) companyFinOpsRole with the permission set Billing to the Management / payer account.

  • Switch to the browser tab On the AWS SSO
  • In the left panel, choose AWS accounts, and then the AWS Organization tab
  • choose Root
  • Check your Management account and choose Assign users
  • Assign Users
    • choose the Groups tab
    • Check companyFinOpsRole
    • choose Next: Permission sets
  • Select permission sets
    • check Billing
    • choose Finish
  • Complete
    • choose Proceed to AWS accounts

Explore as our FinOps User

Now we can see what the experience we’ve configured for our user.

  • Open a browser window in Private or incognito mode and login into your OneLogin Portal
  • choose on your AWS Single Sign On App.
  • It should successfully redirect to AWS Single Sign-On start page
  • choose AWS Account (1)
    • choose the name of your Management account
    • On the line Billing choose the link Management Console
    • A new tab should open and display the Billing & Cost Management Dashboard for your organization.

Deleting AWS resources deployed in this lab

In the Management account:

  • In the AWS SSO Dashboard
    • In the Identity Source section, in the row Identity Source, choose the Change link.
    • Change identity source
      • Select AWS SSO,
      • choose Next: Review
    • Review and confirm
      • Review the information provided
      • Type CONFIRM in the field at the bottom
      • choose Change Identity source
    • Once the reconfiguration has completed choose Return to settings
  • In the OneLogin console,
    • delete the AWS SSO app
    • delete the user
    • delete the role: companyFinOpsRole

Copyright 2021, Amazon Web Services, All Rights Reserved.