Use JumpCloud SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. Automate and centralize AWS IAM Identity Center user and group management through the full lifecycle by configuring an Identity Management integration between your JumpCloud account and AWS IAM Identity Center.
Read this article to learn how to configure the AWS IAM Identity Center Integration.
Prerequisites
- A JumpCloud administrator account
- JumpCloud SSO Package or higher or SSO add-on feature
- AWS Admin account (AWS root user)
- AWS organization
Important Considerations
- Single sign-on for AWS IAM Identity Center is recommended, but not required, when creating an Identity Management integration with AWS IAM Identity Center.
- SAML is the recommended method for managing secure user authentication into AWS IAM Identity Center.
- For the connector to work, usernames in AWS IAM Identity Center need to match email addresses in JumpCloud.
- If you need to renew your token, you must deactivate the Identity Management integration first, update your token and then reactivate the integration.
- If you deactivate Identity Management integration on an AWS IAM Identity Center application connector, you will need to generate a new access token if you want to activate it again.
- If you delete an integrated AWS IAM Identity Center application from your Applications list, the application is removed from JumpCloud, but any previously bound users remain active in AWS IAM Identity Center. These users will be able to log in to AWS IAM Identity Center with the password they used prior to enablement of SSO to the AWS IAM Identity Center application from your JumpCloud account.
- When a user is deleted in JumpCloud, the user is deleted from AWS IAM Identity Center.
- Once the Identity Source is changed to “External Identity Provider” and SCIM Provisioning is enabled in AWS IAM Identity Center, you can no longer create or update users and groups in AWS IAM Identity Center.
- To manage AWS IAM Identity Center users who were created before SCIM provisioning was enabled, you need to add them in JumpCloud and add them to a User Group that is associated with the AWS IAM Identity Center application connector.
- To manage AWS IAM Identity Center groups that were created before SCIM provisioning was enabled, in JumpCloud, you have to select the Enable management of User Groups and Group Membership in this application. Then, create user groups with the same name as your existing AWS IAM Identity Center groups, and add those groups to the AWS IAM Identity Center application connector.
- AWS IAM Identity Center is only capable of returning 50 groups from their ListGroups API.
- Group names in JumpCloud cannot have a ‘:’ character. Otherwise, they won’t sync.
- The username in AWS IAM Identity Center must match the email address in JumpCloud. If users were manually created in AWS IAM Identity Center before JumpCloud was configured as the external identity source, the username must be updated to the email address specified for that user in JumpCloud. If the username is not a valid JumpCloud email, then the following will occur.
- Jumpcloud won’t be able to take over management of the user in AWS IAM Identity Center.
- The user won’t be able to log in via SSO.
- The user encounters an invalid MFA credentials error:
Attribute Considerations
- A default set of attributes are managed for users. See the Attribute Mappings section for more details.
- If the display name is updated in JumpCloud, AWS IAM Identity Center won’t overwrite it.
- When you update a Group name in the JumpCloud administrator portal, it will update in AWS IAM Identity Center as well.
- When a new user is provisioned to AWS IAM Identity Center, the value of the displayName attribute is set to combine the firstName and lastName attributes. For example, the attribute displayName = firstName + lastName:
- firstName = “John”
- lastName = “Doe”
- displayName = “John Doe”
Creating a new JumpCloud Application Integration
- Log in to the JumpCloud Admin Portal.
- Navigate to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application.
- Type the name of the application in the Search field and select it.
- Click Next.
- In the Display Label, type your name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
If this is a Bookmark Application, enter your sign-in URL in the Bookmark URL field.
- Click Save Application.
- If successful, click:
- Configure Application and go to the next section.
- Close to configure your new application at a later time.
Configuring the SSO Integration
To configure AWS IAM Identity Center 1
- Log in to the AWS IAM Identity Center management console.
- Under Enable IAM Identity Center, choose Enable.
- If there is not an existing AWS organization, click Create AWS organization to create one.
- Under Recommended setup steps, select Choose your identity source.
- Next to Identity Source, click Change.
- Select External identity provider.
- In the Service provider metadata section, click download metadata file.
- Keep the AWS console open because you need to access it for To configure AWS IAM Identity Center 2.
To configure JumpCloud
Do not select Amazon Web Services (IAM) for this connector.
- Create a new application or select it from the Configured Applications list.
- Select the SSO tab.
- Under Service Provider Metadata, click Upload Metadata.
- Browse to the location of the Service Provider Metadata downloaded from the previous section and click Open.
- Once this file is uploaded, all fields should populate automatically.
- Click Export Metadata under JumpCloud Metadata.
- Optionally, if you want to force SP Initiated Authentication, in the Login URL field, replace the value with your Login URL.
This is the URL provided by Amazon to log directly into your company-specific AWS access portal.
- Click save.
To configure AWS IAM Identity Center 2
- Go back to the AWS IAM Identity Center management console.
- In the Identity provider metadata section, click Choose file, and upload the JumpCloud metadata file.
- Click Next: Review.
- In the text box, type ACCEPT to change your identity source.
- Click Change identity source.
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO authentication workflow(s)
IdP Initiated
- Access the JumpCloud User Console.
- Select the application’s tile.
- The application will launch and login the user.
SP Initiated
- Navigate to your Service Provider application URL.
- You will be redirected to log in to the JumpCloud User Portal.
- The browser will be redirected back to the application and be automatically logged in.
Configuring the Identity Management Integration
- Create a new application or select it from the Configured Applications list.
- Select the Identity Management tab.
- Click configure, and keep the window available.
- In a new window, log in to the AWS administrator console.
- Go to All Services > Security, Identity & Compliance, and select AWS Single Sign-On.
- Under Recommended setup steps, select Choose your identity provider.
- In the Identity source section, select Enable automatic provisioning.
- Copy the SCIM Endpoint URL from the Inbound automatic provisioning modal.
- Go back to the AWS IAM Identity Center application connector in JumpCloud.
- Click Enable management of User Groups and Group Membership in this application if you want to provision, manage, and sync groups.
- *SP Base URL: Paste the SCIM Endpoint URL you copied from AWS.
- Go back to the AWS IAM Identity Center Inbound automatic provisioning modal. Click Show token, then copy the token. Important: When you click Show token, you have to keep the window open until you have copied and entered the token into JumpCloud. After you close the Inbound automatic provisioning modal, it doesn’t show you this information again.
- Go back to the AWS IAM Identity Center application connector in JumpCloud. *SP SPI Token: Paste the Access token you copied from AWS.
- Click Activate.
- You receive a confirmation that the Identity Management integration has been successfully verified and a Public Certificate is created. You can download the certificate from here.
- Click save.
- After the application is saved, it appears in the SSO Applications list. You can now connect users to the application in JumpCloud to provision them in AWS IAM Identity Center. Learn how to Authorize Users to an SSO Application.
To configure Attribute Based Access Control (ABAC)
AWS IAM Identity Center supports the use of attributes to control access to your AWS resources across multiple AWS accounts. This authorization strategy is known as attribute-based access control (ABAC). Within the AWS IAM Identity Center console, you can define fine-grained permissions and policies based on attributes sent from JumpCloud. Attributes used for ABAC are called tags in AWS. Using user attributes as tags in AWS helps you simplify the process of creating and managing permissions in AWS and allows you to extend your zero trust security model to your AWS resources.
Configuring ABAC in AWS IAM Identity Center is done through the Attributes for access controls page in the AWS IAM Identity Center console. There are two ways to configure ABAC. You can use SCIM user attributes or SAML attributes.
Important: In scenarios where the same attributes are sent to AWS IAM Identity Center through SAML and SCIM, the SAML attributes values take precedence in access control decisions.
To enable ABAC in AWS IAM Identity Center
To use attributed based access control (ABAC), you need to enable the Attributes for access control feature in AWS IAM Identity Center console. For more information about how to do this, see Enable and configure attributes for access control
- Log in to the AWS IAM Identity Center console.
- Click Settings from the left hand navigation panel.
- On the Settings page, under Identity source, next to Attributes for access control, click Enable.
To configure ABAC Using SCIM User Attributes
You can select user attributes sent to AWS IAM Identity Center via the JumpCloud SCIM Identity Management integration to be used as attributes to manage access (ABAC) to your AWS resources. Then, you create a permission set in AWS IAM Identity Center to manage access based on the attributes you passed from JumpCloud. For more information about which user attributes are passed from JumpCloud, see Attribute Mappings, below. For more information about configuring attributes for access controls, see Enable and configure attributes for access control.
- Log in to the AWS IAM Identity Center console.
- Click Settings from the left hand navigation panel.
- On Settings > Identity source, next to Attributes for access control, click View details.
- Enter a Key value.
- Note: You can provide any name you want. Key represents the name you are giving to the attribute for use in policies and is case sensitive. You need to specify that exact name in the policies you author for access control. The Key must also be named exactly the same in your aws:PrincipalTag condition key (i.e., “ec2:ResourceTag/CostCenter”: “${aws:PrincipalTag/CostCenter}”)
- Select the Value.
- Click Save changes.
To configure ABAC using SAML Attributes
You can configure SAML attributes for AWS IAM Identity Center to manage access to your AWS resources. The attributes that you define in JumpCloud will be passed in a SAML assertion to AWS IAM Identity Center. You then create a permission set in AWS IAM Identity Center to manage access based on the attributes you passed from JumpCloud.
- Open the JumpCloud AWS Single Sign-On application that you installed as part of configuring SAML for JumpCloud. Go to USER AUTHENTICATION > SSO.
- Click the AWS Single Sign-On application, and then click the second tab, SSO.
- At the bottom of this tab you have User Attribute Mapping, click Add new attribute.
- To use one of the predefined JumpCloud Attribute values:
- In the Service Provide Attribute Name field, enter https://aws.amazon.com/SAML/Attributes/AccessControl:AttributeName replacing AttributeName with the name of the attribute you are expecting in AWS IAM Identity Center. For example, https://aws.amazon.com/SAML/Attributes/AccessControl:Region
- In the JumpCloud Attribute Name field, select user attributes from your JumpCloud directory. For example, addresses.work.region.
- Repeat steps 1-2 for each additional attribute you want to map.
- Click save.
- To use dynamic attributes from the user or group record:
- In the Service Provide Attribute Name field, enter https://aws.amazon.com/SAML/Attributes/AccessControl:AttributeName replacing AttributeName with the name of the attribute you are expecting in AWS IAM Identity Center. For example, https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter.
- In the JumpCloud Attribute Name field, select Custom User or Group Attribute.
- Enter a name for the attribute. For example, AWS-ABAC-Project.
- Repeat steps 1-3 for each additional attribute you want to map.
- Click save.
- Open the user or group record for which you to pass the value for the attribute you created.
- In the Users or Group Details tab, go to the Custom Attributes section and click add new custom attributes.
- Select string.
- For Attribute Name, enter the name of one of the custom attributes that’s listed on the AWS IAM Identity Center configuration. For example AWS-ABAC-Project.
- For Attribute Value, enter the value you want to send for the attribute.
- Repeat steps 1-5 for each additional attribute you want to map.
- Click save.
To use ABAC in Permission Policies
Once you have configured attributes for use with ABAC, you can create permission policies that use those attributes for controlling access to AWS resources, services, and actions.
To apply a permission policy from the AWS IAM Identity Center console:
- Log in to the AWS IAM Identity Center console.
- Navigate to AWS Accounts > Permission Sets.
- Select the permission to which you want to add a permission set.
- Click Edit Permissions in the Permissions Policy.
- Enter the json for the permission policy you want to add or update.
For example, denying certain actions by Project or Region:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:*",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribePolicy",
"organizations:ListChildren",
"organizations:ListParents",
"organizations:ListPoliciesForTarget",
"organizations:ListRoots",
"organizations:ListPolicies",
"organizations:ListTargetsForPolicy"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Project": "Automation"
}
}
}
]
}
OR
{
"Sid": "DenyAccessByRegion",
"Effect": "Deny",
"NotAction": [
"cloudfront:*",
"iam:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": "${aws:PrincipalTag/Region}"
}
}
}
- Click Save Policy.
- *Optionally, select the accounts to which the permission has been applied, so the new or updated policy can be applied and click Reprovision. Otherwise, click Skip for now.
- If you don’t already have tags defined for your permission, click Add tags in the Tags section. Otherwise, click Edit Tags to add a new tag.
- Add all the attributes you will be using in your Permissions Policy.
- For example, Project and Region.
- *Optionally, enter a value for the Key.
- Note: Key is case sensitive and must exactly match the attribute you defined in Attributes for access control interface in the AWS IAM Identity Center console and in the SAML attributes you pass from JumpCloud.
- Click Save changes.
Attribute Mappings
The following table lists attributes that JumpCloud sends to the application. See Attribute Considerations for more information regarding attribute mapping considerations.
Learn about JumpCloud Properties and how they work with system users in our API.
AWS IAM Identity Center User Attributes
JumpCloud Property | JumpCloud UI | SCIM v2 Mapping | AWS IAM Identity Center Value |
---|---|---|---|
username | Username | userName | userName |
Company Email | emails.value | emails.value | |
displayname | Display Name | displayName | displayName |
firstname | First Name | name.givenName | name.givenName |
lastname | Last Name | name.familyName | name,familyName |
active | Status | active | active |
job Title | Job Title | jobTitle | title |
locale | locale | locale | locale |
addresses.streetAddress | Work Street Address | addresses.streetAddress | addresses.streetAddress |
addresses.locality | Work City | addresses.locality | addresses.locality |
addresses.region | Work State | addresses.region | addresses.region |
addresses.postalCode | Work Postal Code | addresses.postalCode | addresses.postalCode |
addresses.country | Work Country | addresses.country | addresses.country |
phoneNumbers.value | Work Phone | phoneNumbers.value | phoneNumbers.value |
employeeIdentifier | Employee ID | employeeNumber | employeeNumber |
company | Company | organization | organization |
department | Department | department | department |
Group Attributes
JumpCloud Property | JumpCloud UI Field Name | SCIM v2 Mapping | Application Value |
---|---|---|---|
name | Name | displayName | Name |
Group Management Considerations
Enabling Group Management
You must select the Enable management of User Groups and Group Membership in this application option to manage groups and group membership in the application from JumpCloud.
Group Provisioning and Syncing
- Empty groups are not created.
- JumpCloud takes over management of existing groups in the application when the user group name in JumpCloud matches the name of the group in the application.
- All user groups associated with the application in JumpCloud are synced. Syncing occurs whenever there is a membership or group change event.
- Group renaming is supported.
- If a user group is disassociated from the application in JumpCloud, syncing immediately stops and the group is left as-is in the application. All members of that user group are deactivated in the application unless they are associated with another active application group that is managed from JumpCloud.
Group Deletion
- Managed groups deleted in JumpCloud are deleted in the application.
- All members of the deleted group are deactivated in the application, unless they are associated with another active application group that is managed from JumpCloud.
Disabling Group Management
- You can disable group and group membership management by unchecking the Enable management of User Groups and Group Membership in this application option.
- The managed groups and group membership are left as-is in the application.
- JumpCloud stops sending group membership information for the user, but the user’s identity will continue to be managed from JumpCloud.
Removing the Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the IdM Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Under the company name and logo on the left hand panel, click the Deactivate IdM connection link.
- Click confirm.
- If successful, you will receive a confirmation message.
To deactivate the SSO Integration
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO or Deactivate Bookmark.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the JumpCloud Admin Portal.
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.