Guide For Drupal as IDP with AWS AppStream2 as SP

Step 1: Download Metada XML file from IdP

  • Go to IDP METADATA tab. Click on Download XML Metadata button. Keep this XML file to configure your SP.
  • Drupal idp metadata

Step 2: Setting SAML in AWS AppStream

  • Login to your Amazon Web Services (AWS) Console as an admin.
  • Click on Services Tab. Under Security, Identity, & Compliances, click on IAM (Identity and Access Management).
  • drpal service tab
  • From the left-hand side list, click on Identity Providers and then click on Create Provider button in the right section.
  • drupal create provider

Step 3: Configure IdP in AWS AppStream

  • In the Configure Provider, select SAML as Provider type from the drop-down list.
  • Enter any Provider Name (e.g Miniorange).
  • Click on Choose File button and choose a metadata file that you have already downloaded in Step 1, then click on Next Step.
  • choose a metadata file
  • In the next screen, you will be shown your entered provider information. Verify it and click on the Create button. The SAML Provider is created and it should be listed in the Provider table.
  • created saml provider

Step 4: Create/Add Role

  • Now click on Roles from the left-hand side list and then click on Create role button.
  • In the Create Role section, click on SAML 2.0 federation tab.
  • Under Choose SAML 2.0 Provider, select the SAML Provider that you have created previously i.e Miniorange.
  • choose saml 2.0 provider
  • After that, choose Allow programmatic access only radio option.
  • Select SAML:aud option from the Attribute drop-down list.
  • Enter the value as https://signin.aws.amazon.com/saml.
  • Then, click on Next: Permissions button.
  • Check the Policy Name AmazonEC2ReadOnlyAccess and click on Next: Tags button.
  • Policy Name AmazonEC2ReadOnlyAccess
  • Then, skip Step Add Tags (Optional) by clicking on Next:Rreview button.
  • In the next step, enter Role name and click on Create Role button.
  • Next:Rreview button
  • Click on your created role name.
  • In the Summary section, click on the trusted relationship tab and copy Role ARN and Trusted Entities value.
  • Keep the values with you in comma separated format. For example- arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniorange
  • comma separated format

Step 5: Configuring Drupal as Identity Provider (IDP)

  • In miniOrange Drupal SAML IDP module, go to Service Provider tab. There are three ways to configure the module:
    • idp_sso_image1  By Uploading AWS Metadata File :

      • Click on the Upload SP Metadata button.
      • Upload metadata file and click on Upload.

      idp_sso_image8  By AWS Metadata URL :

      • Click on Upload SP Metadata.
      • Enter Metadata URL and click on Fetch Metadata.
      • matadata url

      idp_sso_image8  Manual Configuration :

      • Provide the required settings (i.e. Service Provider Name, SP Entity ID or Issuer, X.509 Certificate) and save it.
      Service Provider Name Give any appropriate name to your Service Provider
      ACS URL https://signin.aws.amazon.com/saml .
      This might vary for non-US regions in which case you would find it in metadata (https://signin.aws.amazon.com/static/saml-metadata.xml) as Location attribute of AssertionConsumerService.
      SP Entity Id or Issuer Get the SP Entity ID or Issuer from the metadata (https://signin.aws.amazon.com/static/saml-metadata.xml). You will find the value in the first line against entityID. It is set to urn:amazon:webservices but may vary for non-US regions.
      Relay State https://console.aws.amazon.com. (You can set value for relay state depending on where you want to redirect the user after SSO.)
      X.509 Certificate Note: You can find the X.509 Certificate in Your SP-Metadata XML file enclosed in tag X509Data having attribute as X509Certificate.
      Response Signed checked
      manual configuration
  • Enter all the details above and click on Save Configuration button.

Step 6: Add attributes for AWS AppStream

  • Enter the value https://aws.amazon.com/SAML/Attributes/RoleSessionName in the Attribute Name field and select E-Mail Address from the Attribute Value dropdown list.
  • Click on the '+' icon besides Additional User Attributes to add another set of attributes and enter the value https://aws.amazon.com/SAML/Attributes/Role in the Attribute Name field and enter the machine name whose value here (arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange) you want to send to SP.
  • select Custom Attribute Value from the Attribute Value list and in the Custom Attribute Value, enter comma separated value that created in step 3 e.g.[arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange].
  • attribute mapping
  • Now you have successfully configured miniOrange Drupal SAML IDP with AWS appstream as SP.

If you are looking for anything which you cannot find, please drop us an email on info@xecurify.com