Implementing AWS Single Sign On (SSO) using Google Workspace (formerly G Suite)

noyonict

Md Mohaymenul Islam (Noyon)

Posted on April 24, 2022


If your organization uses Google Workspace (formerly G Suite) and AWS, you can connect AWS SSO to Google Workspace (G Suite), allowing your users to access AWS accounts with their Google Workspace (G Suite) credentials.

How it works

When you use Google Workspace (G Suite) to authenticate and manage your users, you still have to create a user in AWS SSO. That user entity is not a user account but a logical object: it maps a Google Workspace (G Suite) user, via its primary email address as the username, to the user in AWS SSO. The user entity in AWS SSO allows you to grant a Google Workspace (G Suite) user access to AWS accounts and define its permissions in those accounts.


Prerequisites

  • You need super administrator privileges in Google Workspace (G Suite) and access to the Google Admin console.

  • You need to have set up AWS Organizations with All features enabled. If it is not set up yet, please follow this guide (How to setup AWS Organizations).

  • You need access to the management (root) account of the organization with administrator privileges.

Set up an external identity provider in AWS SSO

  1. Log in to your Organizations management account and open the AWS Single Sign-On (SSO) service.


  2. You will see a "You successfully enabled AWS SSO" message. Select Choose your identity source.


  3. Select Settings, then under Identity source select Change.


  4. By default, AWS SSO uses its own directory (AWS SSO) as the identity provider. To use Google Workspace (G Suite) as your identity provider, you have to switch to an external identity provider. Select External identity provider from the available identity sources.


  5. Choosing the External identity provider option reveals additional information needed to configure it. Choose Show individual metadata values to show the information you need to configure a custom SAML application.


Note down the AWS SSO SAML metadata information; you will need it to configure a custom SAML application in Google Workspace (G Suite).

For the next steps, you need to switch to your Google Admin console and use the service provider metadata information to configure AWS SSO as a custom SAML application.

Now open a new tab and follow the steps below to obtain the IdP SAML metadata needed to complete the SSO setup.

Google Workspace (G Suite) SAML application setup

  1. Open your Google Admin console in a new browser tab, navigate to the Web and mobile apps section, select Add App, and then select Add custom SAML app.


  1. To configure the name of the application, in the App details section, under App name, enter AWS SSO (or any other name you want), and then choose CONTINUE.

  3. To download the Google IdP metadata, under Option 1: Download IdP metadata, choose DOWNLOAD METADATA, and then choose CONTINUE. This downloads an XML file named GoogleIDPMetadata.xml, which you will use to configure Google Workspace (G Suite) as the IdP in AWS SSO.


  4. Using the data from AWS SSO you noted, provide information in the Service provider details, and then choose CONTINUE.

The mapping for the data is as follows:

  • For ACS URL, enter the AWS SSO ACS URL.
  • For Entity ID, enter the AWS SSO Issuer URL.
  • For Start URL, leave the field blank.
  • For Name ID format, choose EMAIL.
  • For Name ID, choose Basic Information > Primary email.


  5. On the Attribute mapping screen, leave the default settings and choose FINISH.

  6. On the application page, in the User access section, select the down arrow to expand the section.


  7. Select ON for everyone and choose SAVE.


Congratulations! You have now enabled the application for all your users. However, this does not by itself grant access to any resources inside your AWS accounts; permissions are granted in AWS SSO.

Note: If you want to manage access for particular users only, you can do this via organizational units (for example, you can enable the AWS SSO application just for your engineering department).

You’re done configuring AWS SSO in Google Workspace (G Suite). Return to the other browser tab with the AWS SSO configuration and complete the SSO setup.

Add identity provider metadata in AWS SSO

  1. Now that you have completed the Google Workspace (G Suite) setup and downloaded the GoogleIDPMetadata.xml file, choose Browse… on the configuration page, select this file from your computer, and click the Next: Review button.


  2. Type CONFIRM and click Change identity source to complete the setup.


  3. Your configuration is complete! Now click Return to settings.


Add a user to AWS SSO

  1. Select Users from the sidebar of the AWS SSO overview page and then choose Add user.


  2. Enter the user details and use the user's primary email address (username@gsuite_domain.com) as the username. Choose Next: Groups to add the user to a group.


  3. Skip the Add user to groups step, or select your group(s), then click Add user.


You have successfully created a user!

  4. Now assign the user to an AWS account in your AWS Organization. This allows the user to access the assigned account. Select the account you want to assign your user to and choose Assign users.


  5. Select the user you just added, then choose Next: Permission sets to continue configuring the effective permissions of the user in the assigned account.


  6. Since you didn't configure a permission set before, you need to configure one now. Choose Create new permission set.


  7. AWS SSO provides managed permission sets that are similar to the AWS managed policies you already know. Make sure that Use an existing job function policy is selected, then select PowerUserAccess from the list of existing job function policies and choose Create.


  8. You can now select the created permission set from the list of available sets for the user. Select the PowerUserAccess permission set and choose Finish to assign the user to the account.


  9. You see a message that the assignment has been successful.


Access an AWS Account with Google Workspace (G Suite)

You can find your user portal URL in the AWS SSO settings, as shown in the following screenshot. Unauthenticated users who use the link will be redirected to the Google account login page and use their Google Workspace (G Suite) credentials to log in.


After authenticating, users are redirected to the user portal. They can select from the list of assigned accounts, as shown in the following example, and access the AWS Management Console of these accounts.


Another way your users can use AWS SSO is by selecting it from their Google Apps to be redirected to the user portal, as shown in the following screenshot. That is one of the quickest ways for users to access accounts.


You’ve successfully set up G Suite as an external identity provider for AWS SSO. Your users can access your AWS accounts using the credentials they already use.

Using AWS CLI with SSO

You can use the AWS Command Line Interface (CLI) to access AWS resources. AWS CLI version 2 supports access via AWS SSO. You can configure a profile for the CLI, either automatically or manually, to access resources in your AWS accounts. To authenticate your user, the CLI opens the user portal in your default browser. If you aren't authenticated, you're redirected to the G Suite login page. After a successful login, you can select the AWS account you want to access from the terminal.
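As an added example (not part of the original post), this is what the manual profile configuration looks like: a small POSIX shell helper that appends an AWS CLI v2 SSO profile stanza to the config file, refusing to overwrite an existing profile. The portal URL and account ID are placeholders; the permission set name matches the PowerUserAccess set created above.

```shell
# Render the profile stanza that AWS CLI v2 reads from ~/.aws/config for
# SSO-based access. Arguments:
#   1 profile name, 2 user portal URL (from the AWS SSO settings page),
#   3 SSO region, 4 target account ID, 5 permission set (role) name
sso_profile_stanza() {
    printf '[profile %s]\nsso_start_url = %s\nsso_region = %s\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\noutput = json\n' \
        "$1" "$2" "$3" "$4" "$5" "$3"
}

# Append the stanza to the config file the CLI uses. AWS_CONFIG_FILE overrides
# the default ~/.aws/config, so the helper can be exercised against a temporary
# file without touching a real configuration. Returns 1 instead of adding a
# duplicate profile, so an existing account/role mapping is never shadowed.
add_sso_profile() {
    cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q "^\[profile $1\]" "$cfg"; then
        echo "profile $1 already exists in $cfg" >&2
        return 1
    fi
    sso_profile_stanza "$@" >> "$cfg"
}

# Usage (interactive; the login step opens the user portal in the browser,
# which redirects unauthenticated users to the Google login page).
# Placeholder values: replace the start URL and account ID with your own.
#   add_sso_profile dev-power https://d-EXAMPLE.awsapps.com/start us-east-1 111122223333 PowerUserAccess
#   aws sso login --profile dev-power
#   aws sts get-caller-identity --profile dev-power
```

The get-caller-identity call confirms that the CLI session resolved to the PowerUserAccess role in the assigned account rather than to long-lived access keys.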

To upgrade to AWS CLI version 2, follow the instructions in the AWS CLI user guide.

Summary

You’ve set up Google Workspace (G Suite) as an external IdP for AWS SSO, granted access to an AWS account for a G Suite user, and enforced fine-grained permission controls for this user. This enables your business to have easy access to the AWS Cloud.

Thanks for reading! Happy Cloud Computing!

Connect with me: Linkedin
