How to configure a SAML identity provider to enable SSO in AWS CloudFormation

When you want to configure a SAML identity provider to enable SSO for AWS, you will find that CloudFormation does not provide support for this. In this blog we present a custom resource provider that lets you configure the SAML identity provider in just a few lines!

How to use

To add a SAML identity provider from your AWS CloudFormation template, use a Custom::SAMLProvider resource that references the metadata URL:

  SAMLProvider:
    Type: Custom::SAMLProvider
    Properties:
      Name: auth0
      URL: https://auth0.com/mytenant/providerurl
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-saml-provider'

When the provider is created, it will load the metadata of the identity provider from the specified URL. If you want a static approach, you can also specify the metadata itself:

  SAMLProvider:
    Type: Custom::SAMLProvider
    Properties:
      Name: auth0
      Metadata: |
        <EntityDescriptor entityID="urn:binxio.auth0.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
                ....
        </EntityDescriptor>
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-saml-provider'

On completion, it will return the ARN of the SAML Provider. That is all there is to it. From there on, you can configure IAM roles based upon the established identities in this account.
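To make the Name/URL/Metadata contract above concrete, here is an added, simplified sketch of what such a custom resource handler does; it is illustrative code written for this page, not binxio's cfn-saml-provider implementation. It assumes the properties shown in the templates (Name plus exactly one of URL or Metadata), checks that what it fetched really is SAML 2.0 IdP metadata before handing it to IAM (so an HTML error page served at the URL never becomes a "provider"), and returns the provider ARN the way CloudFormation expects in the response Data. The IAM client and the URL fetcher are injected so the example runs offline against a fake; the sample metadata, tenant name and account id are constructed placeholders. It goes one step beyond the page by also building the role trust policy that uses the returned ARN.

```python
"""Illustrative Custom::SAMLProvider create handler (not the project's own code)."""
import xml.etree.ElementTree as ET

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # well-known AWS SP audience

# Constructed sample IdP metadata; entityID and Location are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor entityID="urn:example-tenant.auth0.com"
  xmlns="{SAML_MD_NS}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example-tenant.auth0.com/samlp/placeholder"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def validate_metadata(metadata: str) -> str:
    """Reject anything that is not SAML 2.0 IdP metadata; return its entityID."""
    try:
        root = ET.fromstring(metadata)
    except ET.ParseError as exc:
        raise ValueError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, expected md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    if root.find(f"{{{SAML_MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("metadata describes no identity provider (no IDPSSODescriptor)")
    return entity_id


def resolve_metadata(properties: dict, fetch=None) -> str:
    """Apply the 'exactly one of URL or Metadata' rule and return the XML text."""
    has_url = "URL" in properties
    has_md = "Metadata" in properties
    if has_url == has_md:
        raise ValueError("specify exactly one of URL or Metadata")
    if has_url:
        if fetch is None:
            raise ValueError("URL given but no fetcher available")
        return fetch(properties["URL"])  # fetch is injected; real code would use HTTPS
    return properties["Metadata"]


def handle_create(properties: dict, iam, fetch=None) -> dict:
    """Create the IAM SAML provider and return a CloudFormation-style response."""
    name = properties.get("Name")
    if not name:
        raise ValueError("Name is required")
    metadata = resolve_metadata(properties, fetch)
    entity_id = validate_metadata(metadata)
    # Same keyword arguments as boto3's iam.create_saml_provider.
    resp = iam.create_saml_provider(SAMLMetadataDocument=metadata, Name=name)
    arn = resp["SAMLProviderArn"]
    return {"PhysicalResourceId": arn, "Data": {"Arn": arn, "EntityId": entity_id}}


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role that only this provider's assertions may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


class FakeIAM:
    """Offline stand-in for the boto3 IAM client (constructed account id)."""
    def __init__(self, account_id="123456789012"):
        self.account_id = account_id
        self.providers = {}

    def create_saml_provider(self, SAMLMetadataDocument, Name):
        arn = f"arn:aws:iam::{self.account_id}:saml-provider/{Name}"
        self.providers[arn] = SAMLMetadataDocument
        return {"SAMLProviderArn": arn}


if __name__ == "__main__":
    result = handle_create({"Name": "auth0", "Metadata": SAMPLE_METADATA}, FakeIAM())
    print(result)
    print(saml_trust_policy(result["Data"]["Arn"]))
```

The validation step is the part worth keeping in mind: IAM accepts any document that parses as metadata, so checking the root element, namespace and the presence of an IDPSSODescriptor before the API call gives you a clear stack error instead of a silently wrong provider.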

Deploy the custom provider

To deploy the provider, type:

aws cloudformation deploy  \
        --capabilities CAPABILITY_IAM \
        --stack-name cfn-saml-provider \
        --template-file ./cloudformation/cfn-saml-provider.json

This CloudFormation template will use our pre-packaged provider from s3://binxio-public-${AWS_REGION}/lambdas/cfn-saml-provider-latest.zip.

Demo

To install the simple sample of the SAML provider, type:

aws cloudformation deploy --stack-name cfn-saml-provider-demo \
        --template-file ./cloudformation/demo-stack.json

To validate the result, type:

aws iam list-saml-providers

Conclusion

With just a few lines of code you can configure the SAML provider required to implement SSO for your AWS accounts, infrastructure as code style. And that is the only way you want it, right?



Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.