OneLogin with SSO

Overview

In this tutorial, you’ll learn how to connect OneLogin as an identity source for AWS Single Sign-on (SSO). When you connect OneLogin to Control Tower you can:
1. Control in OneLogin who has access to AWS Control Tower
2. Enable your users to be automatically signed-in to AWS SSO with their OneLogin accounts
3. Optionally configure OneLogin and AWS Control Tower to provision enabled users into AWS SSO automatically (see the tutorial Configure AWS Control Tower for automatic user provisioning)
4. Manage permissions to AWS accounts and applications centrally in AWS Control Tower for your OneLogin enabled users.

Prerequisites

To get started, you need the following items:
1. A OneLogin account (https://www.onelogin.com/developer-signup)
2. Provide a work email (e.g., yourAlias+controltower@domain.com, confirm email, set up MFA if required, and sign in as administrator)
3. AWS Control tower should be setup on your AWS account and you should have Admin Access to your Control Tower master Account

Scenario description

In this tutorial, you configure and test OneLogin SSO via SAML 2.0. Note: AWS SSO supports Service Provider (SP) and Identity Provider (IDP) initiated SSO

Adding the AWS Control Tower Demo application in OneLogin

Note: In future, a built-in AWS SSO application may be available in OneLogin, which may make things a little easier. For this tutorial, we’ll create a custom SAML application.

Configure OneLogin – Part 1

To configure the integration of AWS Control Tower into OneLogin, you need to add AWS Control Tower as an application in OneLogin. In this scenario, OneLogin is the identity provider, and AWS SSO is the service provider, so we’re effectively setting up AWS SSO as a SaaS app from OneLogin’s perspective.
1. Sign in to the OneLogin admin portal using the account you created in prerequisites.
2. Navigate in the header to Applications -> Applications
3. Click Add App on the top right corner
4. In the search box, type saml test, and search (hit Enter)
5. Click on “SAML Test Connector (Advanced)” Onelogin-appl 6. Enter AWS Control Tower Demo for the display name, and click Save in upper right

Configure AWS SSO via AWS Control Tower – Part 1

Leaving your OneLogin browser window open and open a second browser and perform the following

Open the AWS Control Tower console. Click on User and Access on the left-hand side and click on View in AWS Single Sign-On to open up AWS SSO. controltower-appl

Once in AWS SSO: In the left navigation pane, choose Settings.

  1. On the Settings page, find Identity source, choose Change.
  2. On the Change directory page, choose External identity provider.
  3. In the Service provider metadata section, click Show Individual Metadata Values
  4. Click the Copy icon next to AWS SSO ACS URL controltower-appl

Configure OneLogin SSO – Part 2

Return to your open browser window for the OneLogin Portal where you are configuring the AWS SSO Demo application.

  1. Select Configuration in the left-hand navigation pane onelogin-appl
  2. Paste the AWS SSO ACS URL from AWS SSO (copied from previous section) into the following fields on OneLogin:
    • Recipient
    • ACS (Consumer) URL Validator
    • ACS (Consumer) URL
  3. !! Important tricky part !! Modify the URL in the ACS (Consumer) URL Validator* field as follows
  4. Return to the AWS SSO SAML metadata browser window and copy the AWS SSO issuer URL onelogin-appl
  5. Paste the AWS SSO issuer URL into the Audience field on OneLogin
  6. Scroll down and confirm that SAML nameID format is set to Email (should be default)
  7. Click Save in upper right
  8. Under More Actions, click SAML Metadata. This will download the OneLogin SAML metadata file from OneLogin to your computer’s downloads folder. onelogin-appl

Configure AWS Control Tower with Onelogin SSO – Part 2

Open the AWS Control Tower console. Click on user and Access on the left-hand side and click on View in AWS Single Sign-On to open up AWS SSO.

  1. In the Identity provider metadata section, choose Browse to search for the metadata file that you downloaded from the OneLogin Portal in Step 8 of the preceding section, and upload the file.
  2. Choose Next: Review.
  3. In the text box, type CONFIRM to confirm changing directory.
  4. Choose Finish.

Assign the OneLogin test user to the “AWS Control Tower Demo” app in OneLogin Return to your open OneLogin browser window. In this section, you’ll enable your OneLogin user to use the “AWS Control Tower Demo” application.

  1. In the OneLogin portal, select Users in the top navigation bar
  2. Click on your test user
  3. In the left-hand navigation pane, select Applications
  4. Click the blue “+” button (to add a new application for this user) onelogin-appl
  5. Select “AWS Control Tower Demo” from the drop-down and click Continue, if it’s already not displayed
  6. Confirm that the nameID value shown matches the email address of your test user (in my setup, the email address of my OneLogin user happened to be “yourAlias+controltower@domain.com”)
  7. Click Save
  8. Click Save User

Create AWS SSO test user using Control Tower

The objective of this section is to provision the OneLogin user in AWS Control Tower, and assign the user access to AWS resources, so you can test authentication between OneLogin and AWS Control Tower. For this example, we will show how to provision the user manually through the AWS SSO console.

  1. Open the AWS Control Tower console. Click on user and Access on the left-hand side and click on View in AWS Single Sign-On to open up AWS SSO.
  2. Once in AWS SSO, In the left navigation pane, choose Users.
  3. On the Users page, choose Add user.
  4. On the Add user page, follow these steps:
    • a. In the Username field, enter the email address associated with your OneLogin user (if not, authentication will fail). i.e in this case yourAlias+testcontroltower@.domain.com
    • b. In the Email and Confirm email address fields, enter the same email as in (a)
    • c. Enter any value you like for First and Last name.
    • d. Ensure Display name field is populated
    • e. Choose Next: Groups : Select AWSControl Tower Admins and AWSLogArchiveAdmins For testing purposes
    • f. Click on Add User onelogin-appl
  5. Next, you will assign the user to your AWS account. To do so, in the left navigation pane of the AWS SSO console, choose AWS accounts. Assign it to the AWS Control tower master account. onelogin-appl
  6. On the AWS Accounts page, select the AWS organization tab, check the box next to the AWS account you want to assign to the user. Then choose Assign users : select the user you had just created while ago (in step 4f)
  7. On the Assign Users page, find and check the box next to the user you just created. Then choose Next: Permission sets
  8. Under the select permission sets section, check the box next to the permission set you want to assign to the user. If you don’t have an existing permission set, choose Create new permission set.
  9. Finish.

Test SSO

In this section, you test your OneLogin single sign-on configuration.

Initiate login from OneLogin (identity provider-initiated flow) 1. Return to your OneLogin browser window, and select (Profile) -> App Portal/Home from top-right onelogin-appl 2. Switch to Company: Everything tab 3. Click on the AWS Control Tower Demo application (if it doesn’t appear, re-confirm that your test user is assigned to the AWS Control Tower Demo in OneLogin). onelogin-appl 4. Following a set of browser redirects, the AWS Single Sign-On User Portal page appears, and you are able to access your AWS account based on the OneLogin user authentication Login into to your control tower master or log account accordingly onelogin-appl

Optional Creating a new managed account in Control Tower via account Factory and associating it with OneLogin User:

  1. Open the Control Tower console from your master account, navigate to Account Factory and click on Provision New account. onelogin-appl

    1.1 Next, select AWS control Tower Account Factory as the product-Name and click on Launch Product.
    1.2 Provide a name for the product and click on Next
    1.3 Type in a new SSO user email (a valid one ensure you receive an email), account email, & managed OU Details etc to create a new SSO login for a AWS account managed by control tower and click Next
    onelogin-appl 1.4 Provide a tag If needed and click Next and click Launch
    1.5 This step takes about 15-20 minutes to complete and status should be updated to SUCCEDED, you should receive an Invitation email to your inbox to from no-reply@login.awsapps.com, and click on Accept Invitation and also note the following 2 details from the email.

While the above step is in progress, move on to the below steps

Creating and Associating the New Control Tower Managed AWS Account in Onelogin :

  1. Sign in to the OneLogin admin portal using the account you created in Prerequisites 2.1 Click on Administration and select Users. 2.2 Click on new User on top Right corner onelogin-appl 2.3 Enter the userInfo - please use the same emailID username used in step 1.3 for Email and UserName fields and click on Save User 2.4 While in Users, click on Applications and click on + , on the top right corner to add the application and select AWS Control Tower Demo from the dropdown ( i.e the same Application-Name which was initially created at the beginning of the lab) onelogin-appl 2.5 Next, click on the application, to verify the NameId Value is the same 2.6 Next, Navigate to More Actions and click send Invitation. This will complete the authentication and verification portion of newly setup onelogin user. 2.7 Check your inbox and verify the email from OneLogin noreply@onelogin.com titled “Invitation to OneLogin ..” and click on the link provided in the email to create a password.

Login to AWS SSO via Onelogin and access the newly Control Tower managed account

  1. Open a fresh browser (eg. incognito mode from chrome), paste url from “Your User portal URL”, captured in step 1.5 ( i.e the one received in AWS SSO email from no-reply@login.awsapps.com)
  2. This performs a series of redirects on your browser to take you to onelogin Identity provider site. onelogin-appl
  3. Enter the OneLogin username which was created in step 2.3,
  4. This should redirect you to AWS SSO, through which you can log into your control tower managed AWS account which was setup as part of step 1.5 onelogin-appl