To create an Amazon Web Services App Connection in Clearlogin just follow these steps. (Reminder: To use any App Connection in Clearlogin you must first configure an Identity Source, typically an LDAP Server.)
- Access the Clearlogin Admin panel at https://admin.clearlogin.com
- From the left menu select Apps, and then Add New.
- Select Amazon Web Services from the selection of Native Connections.
- Select the access tags you would like to use for the connection, and then click Save Amazon AWS App.
- Finally, click Download Metadata.
- In a new tab, go to your Amazon Web Services Identity and Access Management (IAM) panel to create a new identity provider: https://console.aws.amazon.com/iam/home#providers.
- Click Create Provider to create a new identity provider.
- On the following screen, select SAML as the Provider Type, and give it a name such as Clearlogin. Then select the metadata file you downloaded. Click Next Step and on the following page, click Create.
- After creating Clearlogin as a provider, select it in the list and note the Provider ARN. This contains your AWS Account ID and the name of the provider (example: arn:aws:iam::ACCOUNT_NUMBER:saml-provider/PROVIDER_NAME). You will need this information to finish configuring the App Connection.
- Next you will need to create a role to attach to users that are logging in via SAML. You can create such a role at https://console.aws.amazon.com/iam/home#roles.
- Click Create New Role.
- Give the role a name like Clearlogin_SSO_Role, and click Next Step.
- Choose Role for Identity Provider Access, and select Grant Web Single Sign-On (WebSSO) access to SAML providers.
- Select the Clearlogin SAML provider you created previously, and then click Next Step.
- No changes are necessary for the Role Trust, so just click Next Step.
- Now you will attach the policies to the role. Select a managed policy such as ReadOnlyAccess or PowerUserAccess; this policy defines what every user who signs in through this role can do in AWS, so pick the least privilege those users actually need. After selecting a policy, click Next Step.
Note: Remember that you can create more than one App Connection for AWS with different access tags. This allows you to define subsets of your users that will receive different AWS roles.
- Take note of the Role ARN. This contains your AWS account ID as well as the name of the role (example: arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_NAME). You will need this to complete the App Connection configuration.
- Finally, click Create Role.
- After creating the provider and role, go back to your AWS App Connection and select Edit.
- In the AWS Role field, replace the placeholder text ACCOUNT_NUMBER, ROLE_NAME, and PROVIDER_NAME with the values for the role and provider you just created (example: arn:aws:iam::1234567:role/Clearlogin_SSO_Role,arn:aws:iam::234567:saml-provider/Clearlogin). Note that the AWS Role field holds the Role ARN followed by the Provider ARN, separated by a single comma with no whitespace.
- Finally, check Enable and then click Save. Your new App Connection will appear on your Cloud App Dashboard.
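As an added illustration of the two pieces this procedure produces (it is not Clearlogin's or AWS's own code), the following Python validates an AWS Role field value in the comma-separated ROLE_ARN,PROVIDER_ARN form described above and shows the trust policy the IAM wizard attaches when you choose Grant Web Single Sign-On (WebSSO) access to SAML providers. The sample ARNs are constructed with a placeholder 12-digit account ID; the function and constant names are my own.

```python
import json
import re

# Shapes of the two ARNs the AWS Role field joins with a single comma:
#   arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_NAME
#   arn:aws:iam::ACCOUNT_NUMBER:saml-provider/PROVIDER_NAME
# Real AWS account IDs are 12 digits. Commas are excluded from the role name
# here because the field itself uses the comma as its separator.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@-]+)$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")


def parse_aws_role_field(value: str):
    """Split a Clearlogin AWS Role field into (role_arn, provider_arn).

    Rejects any whitespace, requires exactly one comma, checks both ARN
    formats, and insists that role and provider live in the same account
    (the role's trust policy names a provider in its own account).
    """
    if any(c.isspace() for c in value):
        raise ValueError("AWS Role field must not contain whitespace")
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("expected exactly 'ROLE_ARN,PROVIDER_ARN'")
    role_arn, provider_arn = parts
    r = ROLE_ARN.match(role_arn)
    p = PROVIDER_ARN.match(provider_arn)
    if not r:
        raise ValueError(f"malformed role ARN: {role_arn}")
    if not p:
        raise ValueError(f"malformed provider ARN: {provider_arn}")
    if r.group(1) != p.group(1):
        raise ValueError("role and provider ARNs are in different AWS accounts")
    return role_arn, provider_arn


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for WebSSO access to a SAML provider: only assertions
    from this provider, addressed to the AWS sign-in endpoint, may assume
    the role via sts:AssumeRoleWithSAML."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


# Constructed sample value; 123456789012 is a placeholder, not a real account.
SAMPLE = "arn:aws:iam::123456789012:role/Clearlogin_SSO_Role,arn:aws:iam::123456789012:saml-provider/Clearlogin"

if __name__ == "__main__":
    role, provider = parse_aws_role_field(SAMPLE)
    print(json.dumps(saml_trust_policy(provider), indent=2))
```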
Amazon's full documentation for SAML Providers can be found at http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html.