Integration Guide for AWS SSO – Beyond Identity

Introduction

This guide provides information on how to:

Set up BI Admin Console application on AWS SSO.
Set up BI User Console application on AWS SSO.
Set up Beyond Identity as an external IdP to provide Passwordless access to Web applications on the AWS SSO.

Assumptions:

BI Admin console is currently not part of AWS app gallery and needs to be added manually using SAML2.0
BI User console is currently not part of AWS app gallery and needs to be added manually using SAML2.0
AWS SSO currently does NOT support SCIM client for user provisioning in BI directory. Users need to be provisioned manually both on the AWS console and BI admin console.
Users are already created on the AWS SSO console by the organization.
Once the domain is federated ALL users will be authenticated using BI Passwordless service. Currently, AWS does not support federating select users or groups.

Create Groups:

Admin Console setup:

Login to the AWS SSO console as a root user.
Navigate to Applications🡪Add a new application.
Click on Add a custom SAML 2.0 application.
Display Name and Description “Beyond Identity Admin Console”
Download AWS SSO SAML metadata file.
In the Application properties fill in the
1. Application Start URL: https://admin.byndid.com/auth/?org_id= (Fill in the BI Tenant name)
2. Relay State: Empty
3. Session Duration: 1 hour
Login to the BI support console (BI authorized users only).
Under the BI Tenant follow the below steps
1. Admin Portal SSO integration
  1. SSO type Add SAML SSO
  2. Upload the AWS SSO SAML metadata file downloaded in step 5.
  3. Name: AWS-SSO
  4. Name ID format: emailAddress
  5. Subject User Attribute: UserName
  6. Request Binding: http_post
  7. Save Changes and note down the SP SSO URL and SP issuer.
Log back into the AWS SSO console as a root user.
Under Application Metadata click on If you don’t have a metadata file, you can manually type your metadata values.
1. Application ACS URL: Paste the SP SSO URL (Ending in /sso)
2. Application SAML audience: Paste SP issuer URL (Ending in /metadata.xml)
Under Attribute Mappings
1. User attribute in application: Subject
2. Maps to this string value attribute in AWS SSO: ${user:subject}
3. Format: emailAddress
Under Assigned Users add the BI_Admins group.

User Console setup:

Login to the AWS SSO console as a root user.
Navigate to Applications🡪Add a new application.
Click on Add a custom SAML 2.0 application.
Display Name and Description “Beyond Identity User Console”
Download AWS SSO SAML metadata file.
In the Application properties fill in the
1. Application Start URL: https://admin.byndid.com/auth/?org_id= (Fill in the BI Tenant name)
2. Relay State: Empty
3. Session Duration: 1 hour
Login to the BI support console (BI authorized users only).
Under the BI Tenant follow the below steps
1. User Portal SSO integration
  1. SSO type Add SAML SSO
  2. Upload the AWS SSO SAML metadata file downloaded in step 5.
  3. Name: AWS SSO
  4. Name ID format: emailAddress
  5. Subject User Attribute: UserName
  6. Request Binding: http_post
  7. Save Changes and note down the SP SSO URL and SP issuer.
Log back into the AWS SSO console as a root user.
Under Application Metadata click on If you don’t have a metadata file, you can manually type your metadata values.
1. Application ACS URL: Paste the SP SSO URL (Ending in /sso)
2. Application SAML audience: Paste SP issuer URL (Ending in /metadata.xml)
Under Attribute Mappings
1. User attribute in application: Subject
2. Maps to this string value attribute in AWS SSO: ${user:subject}
3. Format: emailAddress
Under Assigned Users add the BI_Users group.

Setup beyond identity as idp:

Login to the AWS SSO console as a root user.
Navigate to Dashboard🡪Choose your identity source
Click on External Identity provider.
Under Service Provider Metadata download the AWS SSO SAML metadata file.
Login to the BI Admin console using the admin account.
Under the BI Tenant follow the below steps
1. Navigate to Integrations 🡪 SAML
  1. Add SAML connection
  2. Upload the AWS SSO SAML metadata file downloaded in step 4.
  3. Name: AWS SSO
  4. Name ID format: emailAddress
  5. Subject User Attribute: UserName
  6. Request Binding: http_redirect
  7. Signed Response: Signed
  8. Save Changes and download the Metadata file (Icon: </>).
Log back into the AWS SSO console as a root user.
Under Identity Provider Metadata browse to and upload the BI IdP metadata file downloaded at the end of STEP 6.
Click Review and complete the process.

User enrollment:

Manually add users on Beyond Identity Admin console
Enrolled user will receive an email from Beyond Identity welcoming them to the new Identity Provider.
See image below for reference:

Each enrolled user will be asked to follow the two steps below:
1. Download the Beyond Identity Authenticator to their device.
2. When the user clicks “View Download Options”, the Beyond Identity Authenticator downloads page will open in a browser with all supported platforms displayed. The user should download and install the Beyond Identity Authenticator on their device if they have not already.
Register their Credential in the Beyond Identity IdP.
By clicking “Register New Credential”, the user’s credential will get enrolled in the Beyond Identity service on the back end.Once completed, the user will see a credentials in the Authenticator.
See example image below:

User Authentication (Signing in)

Each enrolled user can visit their AWS instance or any application supported by your SSO to sign into their corporate applications.
The user should click affirmatively on the prompt to be signed into their application, without the use of a password. The Beyond Identity app along with a success notification will be displayed.

Related articles