Admins can configure AWS roles on the AWS SSO connector using constant attributes. This method works well when a set of users all need access to the same collection of roles: each connector carries its own fixed collection of role ARNs, so supporting several different collections of roles means creating several connectors.
Prerequisites
- You need an activated AWS SSO connector before you can configure AWS roles. See the article on configuring the AWS connector for SSO.
- You need to create federated roles in AWS and collect their ARNs (and the ARN of the SAML identity provider you created in IAM) before you can configure AWS roles on the connector. See Create Federated Roles in AWS.
Considerations
- This article does not apply to AWS IAM Identity Center (successor to AWS SSO).
- You need to create a separate AWS SSO connector for each collection of roles.
- Listing a role ARN here only determines which roles the SAML assertion offers. AWS still checks the role's trust policy at sign-in, so a role that does not trust the listed SAML provider cannot be assumed even if it appears in the list.
Creating AWS Roles with Constant Attributes
To configure roles on the AWS SSO connector using constant attributes:
- Log in to the Admin Portal.
- Go to Applications, then select the AWS connector to open the connector's details panel.
- In Constant Attributes, replace the value of the second attribute (the AWS Role attribute) with the ARN of the role followed by the ARN of the SAML identity provider, separated by a comma. For example: arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME,arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:saml-provider/YOUR_SAML_PROVIDER_NAME. The provider name must match the SAML provider you created in IAM, and both ARNs must belong to the same AWS account.
- Click Add attribute for each additional role this connector should provide access to.
- Under Service Provider Attribute Name, enter the same AWS Role attribute name used by the existing Role attribute for each additional attribute. AWS reads every value under that one attribute name as another role the user may choose.
- Under Value, enter the role ARN and provider ARN pair for each additional AWS role, in the same format as above.
- Click Save to commit the new role mappings.
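The role/provider pairs entered above end up, one per AttributeValue, under a single AWS Role attribute in the SAML assertion. The following is an added example (not the identity provider's or AWS's own code) that builds those values from a list of role ARNs, checks each pair for the mistakes that most often break the sign-in (malformed ARN, role and provider in different accounts or partitions, missing provider), and renders the resulting SAML attribute. The account number 123456789012, the provider name MyIdP and the role names are constructed placeholders; the attribute name https://aws.amazon.com/SAML/Attributes/Role is the real name AWS expects.

```python
"""Build and sanity-check AWS SAML Role attribute values (added example, not vendor code)."""
import re
from typing import Iterable, List, Tuple
from xml.etree import ElementTree as ET

# IAM ARN shapes. The partition is aws, aws-cn or aws-us-gov; account IDs are 12 digits.
# Role names may contain + = , . @ - and path separators, so a role ARN itself can hold commas.
_PARTITION = r"(aws|aws-cn|aws-us-gov)"
ROLE_ARN_RE = re.compile(rf"^arn:{_PARTITION}:iam::(\d{{12}}):role/([\w+=,.@/-]+)$")
PROVIDER_ARN_RE = re.compile(rf"^arn:{_PARTITION}:iam::(\d{{12}}):saml-provider/([\w._-]+)$")

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # attribute name AWS reads roles from


def parse_role_value(value: str) -> Tuple[str, str]:
    """Split 'role-arn,provider-arn' (AWS also accepts provider-arn first) into (role, provider).

    Splitting at the first comma is wrong when the role name contains commas, so the provider
    ARN, which never contains a comma, is located at either end of the value instead.
    """
    tokens = value.split(",")
    if len(tokens) >= 2 and PROVIDER_ARN_RE.match(tokens[-1]):
        return ",".join(tokens[:-1]), tokens[-1]
    if len(tokens) >= 2 and PROVIDER_ARN_RE.match(tokens[0]):
        return ",".join(tokens[1:]), tokens[0]
    raise ValueError(f"no saml-provider ARN found in {value!r}")


def check_role_value(value: str) -> List[str]:
    """Return the problems found in one Role attribute value; an empty list means well formed."""
    try:
        role, provider = parse_role_value(value)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    r = ROLE_ARN_RE.match(role)
    p = PROVIDER_ARN_RE.match(provider)  # always matches: parse_role_value found it by this regex
    if not r:
        problems.append(f"malformed role ARN: {role!r}")
    elif (r.group(1), r.group(2)) != (p.group(1), p.group(2)):
        # AWS resolves the provider relative to the role's account; a cross-account or
        # cross-partition pair cannot be assumed via sts:AssumeRoleWithSAML.
        problems.append("role and SAML provider must be in the same partition and account")
    return problems


def build_role_values(role_arns: Iterable[str], provider_arn: str) -> List[str]:
    """Produce one 'role-arn,provider-arn' value per role, rejecting any malformed pair."""
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"malformed SAML provider ARN: {provider_arn!r}")
    values: List[str] = []
    for role in role_arns:
        value = f"{role},{provider_arn}"
        problems = check_role_value(value)
        if problems:
            raise ValueError("; ".join(problems))
        if value not in values:  # a duplicated pair adds nothing to the AWS role picker
            values.append(value)
    return values


def role_attribute_xml(values: Iterable[str]) -> str:
    """Render the <saml:Attribute> AWS expects: one AttributeValue per pair, one attribute name."""
    ET.register_namespace("saml", SAML_NS)
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": ROLE_ATTR})
    for value in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    # Constructed placeholders, not real ARNs.
    provider = "arn:aws:iam::123456789012:saml-provider/MyIdP"
    roles = ["arn:aws:iam::123456789012:role/Administrator",
             "arn:aws:iam::123456789012:role/ReadOnly"]
    values = build_role_values(roles, provider)
    for v in values:
        print(v, "->", check_role_value(v) or "ok")
    print(role_attribute_xml(values))
```

Run check_role_value against each value you paste into the connector before saving; the AWS sign-in page only reports a generic error for a pair that does not match the role's trust policy, so catching the account, partition and format mistakes on the identity provider side saves a round of guesswork.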
Isolating User Access
After you define IAM roles in AWS and map them to the Single Sign-On (SSO) AWS connector, you need to decide how user access to these resources is isolated. Because each connector carries a fixed collection of roles, isolation is done by authorizing user groups to particular connectors.
The diagram above (not reproduced here) shows the following environment:
User Group 1
Users in group 1 are authorized to access AWS Connector A. When users from group 1 log in to their User Portal, they see one AWS connector. When a user clicks the AWS connector, they can choose either the Administrator or User role.
User Group 2
Users in group 2 are authorized to access AWS Connectors A and B, so they have two AWS applications to choose from in their User Portal. If a user selects AWS Connector A, they can choose either the Administrator or User role. If a user selects AWS Connector B, they can choose the Support or Read Only role.
User Group 3
Users in group 3 are authorized to access AWS Connector B. They see one AWS connector when they log in to their User Portal. When a user selects AWS Connector B, they can choose the Support or Read Only role.
User Experience
After the SSO connector is created and its roles are configured, make sure to authorize user access; until a user or group is authorized to the connector, it does not appear in their User Portal. See Authorize Users to an SSO App.
When you use constant attributes to create roles, the user experience depends on how many connectors a user is authorized to. This section describes the two typical experiences.
Single Amazon AWS Connector with Multiple Roles
After logging in through either SP-initiated or IdP-initiated authentication, the user is presented with the AWS role selection page and picks the role they want to assume for that session. AWS shows this page only when the assertion offers more than one role; if the connector provides a single role, the user is signed straight in to it.
Multiple Amazon AWS Connectors
After a user logs in to the User Portal, they choose which AWS SSO connector to use, and then pick a role from that connector's collection as described above. Make sure to give each connector a distinctive and informative Display Label so that users can tell similar connectors apart.