Tags: security, keycloak, aws, idp, sso, auth

TABLE OF CONTENTS

• Overview
• Pre-requisites
• Preparation
• Basic configuration
• References

Overview

This article describes configuration of AWS Identity Center (AWS IDC) as an Identity Provider (IdP) for Kublr Control Plane (KCP).

Pre-requisites

1. Deployed Kublr Control Plane
2. An Okta account with administrative credentials

Preparation

1. Enable AWS IDC in you AWS account according to AWS documentation
2. Pick a name for Kublr KCP within AWS IDC.
   We will use "Kublr KCP" in this article, but you can choose a different name.
   If you have several Kublr control plane installations for which you want to setup SSO via AWS IDC, different names will need to be used.
3. Pick an alias and optionally a display name for AWS IDC within Kublr KCP identity provider.
   We will refer to it as {aws-idc-idp-alias} in this document.
   aws-identity-center alias will be used in the screenshots in this document.
4. Make sure that you have Kublr KCP base URL configured and accessible from your local machine.
   The hostname of the KCP base URL will be used in this document and will be referred to as {kcp-hostname}.
   So for example if your KCP is running on https://my-kcp.my-org.com URL, then your {kcp-hostname} will be my-kcp.my-org.com
5. sd
6. 
   
7. Make sure that you have your organization Okta base URL configured and accessible from your local machine.
   The hostname of the Okta base URL will be used in this document and will be referred to as {okta-hostname}.
   So for example if your Okta base URL is https://my-org.okta.com, then your {okta-hostname} will be my-org.okta.com

Basic configuration

1. Login to AWS IDC as an administrator and create a new Custom SAML 2.0 Application

Make sure to specify:

• Display name: Kublr KCP in this example
• Description (optional)
• Application start URL: this must be specified and set to Kublr KCP base URL as https://{kcp-hostname} (in this example https://my-kcp.my-org.com)
• Application ACS URL: this must be set to the value
  https://{kcp-hostname}/auth/realms/kublr-ui/broker/{aws-idc-idp-alias}/endpoint
• Application SAML audience: this must be set to the value
  https://{kcp-hostname}/auth/realms/kublr-ui

2. Save the application, open it and copy/note IAM Identity Center SAML metadata file download URL

3. Open "Edit attribute mappings" screen for the application and set "Subject" mapping to "${user:email}" with "emailAddress" format

4. Create a test user in AWS IDC and assign it to the application

5. Login to Kublr KCP Keycloak Identity Broker and create a new "Identity Provider" of type "SAML v 2.0" in "kublr-ui" realm

Make sure to specify

• Alias: aws-identity-center in this example
• Display name
• Paste the IAM Identity Center SAML metadata file download URL saved on the step 2 above into SAML identity descriptor field

6. Save the identity provider and test login

References

• https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-enable-identity-center.html
• https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html
• https://docs.aws.amazon.com/singlesignon/latest/userguide/mapawsssoattributestoapp.html
• https://support.kublr.com/support/solutions/articles/33000267263-configure-okta-as-an-identity-provider-for-kublr
• https://support.kublr.com/support/solutions/articles/33000261274-configure-google-as-an-identity-provider-for-kublr
• https://support.kublr.com/support/solutions/articles/33000283452-troubleshoot-keycloak-via-logs