AWS Single Sign On (SSO) with WordPress as IDP | Login into AWS using WordPress

AWS

AWS SSO is a cloud based Single Sign-On solution which provides secure access to Amazon web services and full access to multiple cloud Applications with one set of login credentials. Specifically, it helps you manage SSO access and user permissions across all your AWS accounts as well as custom applications that support Security Assertion Markup Language (SAML) 2.0. AWS SSO integration by miniOrange provides a special-case where users can find access to all their assigned AWS accounts, cloud applications, and custom applications in one place.

Login using WordPress Users ( WP as SAML IDP ) plugin gives you the ability to use your WordPress credentials to log into AWS. Here we will go through a step-by-step guide to configure SSO between AWS as Service Provider and WordPress as an Identity Provider.


Note: Premium Version is required to set up SSO to AWS.



Follow the Step-by-Step Guide given below for AWS Single Sign On (SSO)


Step 1: Download and Setup the plugin


  • Login to WordPress using Administrator account.
  • Download / Install this plugin - Login using WordPress Users ( WP as SAML IDP ) and activate it. You will see WordPress IDP in your WordPress menu bar in the Dashboard.

  • Click on the WordPress IDP option in the menu bar, and select IDP Metadata tab. Here, you can find the Identity Provider metadata such as Entity ID , Login URL, Logout URL and Metadata File which are used to configure the Service Provider (AWS).

  • plugin setup nextcloud as sp

Step 2: Configure AWS as Service Provider


  • Login to your Amazon Web Services (AWS) Console as an admin.

  • Click on Services Tab. Under Security, Identity & Compliances click on IAM (Identity and Access Management).

  • aws iam aws as sp

  • From the left-hand side list, click on Identity Providers and then click on Create Provider button in the right section.

  • aws idp aws as sp

  • In the Configure Provider, select SAML as Provider type from the drop-down list.

  • Enter any Provider Name (e.g miniOrange/WordPress).

  • Click on Choose File and choose the metadata file that you have already downloaded in Step 1, then click on Next Step.

  • aws create provider aws as sp

  • In the next screen, you will be shown your entered provider information. Verify it and click on the Create button. The SAML Provider is created and it should be listed in the Provider table.

  • check provider name aws as sp

  • Now click on Roles from the left-hand side list and then click on Create role button.

  • In the Create Role section, click on SAML 2.0 federation tab.

  • Under Choose SAML 2.0 Provider, select the SAML Provider that you have created previously i.e miniOrange.

  • aws create role aws as sp

  • After that, choose Allow programmatic access only radio option.

  • Select SAML:aud option from the Attribute drop-down list.

  • Enter the value as https://signin.aws.amazon.com/saml.

  • Then, click on Next: Permissions button.

  • Check the Policy Name AmazonEC2ReadOnlyAccess and click on Next: Tags button.

  • choose policy name aws as sp

  • Then, skip Step Add Tags (Optional) by clicking on Next:Preview button.

  • In the next step, enter Role name and click on Create Role button.

  • review role aws as sp

  • Click on your created role name.

  • In the Summary section, click on the Trusted relationship tab and copy Role ARN and Trusted Entities value.

  • Keep the values with you in comma separated format. For example- [arn:aws:iam::656620318436:role/SSORole,arn:aws:iam::656620318436:saml-provider/miniOrange]

  • role settings aws as sp

Step 3: Configure WordPress as the Identity Provider


  • Go to WordPress IDP Plugin on the Dashboard and select Service Providers tab.

  • Enter the following information into the corresponding fields. Click Save.


  • Service Provider Name AWS
    SP Entity ID or Issuer You can get the SP Entity ID or Issuer from the metadata (https://signin.aws.amazon.com/static/saml-metadata.xml). You will find the value in the first line against entityID. It is set to urn:amazon:webservices but may vary for non-US regions.
    ACS URL https://signin.aws.amazon.com/saml. This might vary for non-US regions in which case you would find it in metadata ( https://signin.aws.amazon.com/static/saml-metadata.xml)
    as Location attribute of AssertionConsumerService.
    NameID Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    Assertion Signed Check to sign the SAML Assertion.
    enter sp info aws as sp

Step 4: Configure attributes in the plugin (This is a premium feature)


  • Select Attribute/Role Mapping. In the User Attributes section, enter the following information. Click Save.

    Name User Meta Data
    email user_email
  • wp attribute mapping aws as sp
Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com