Skip to main content

SSO Using AWS IAM Identity Center SAML Application

This page explains how to configure AWS IAM Identity Center SAML 2.0 as an authentication method for Styra DAS.

Pre Requisites

  • Ensure you have completed at least steps 1 and 2 of the AWS IAM Identity Center Getting Started guide.

  • Determine the value of the following variables:

    • DAS_URL: This is the URL used to access your Styra DAS tenant. The format should be <ORGANIZATION_NAME>.(svc.)?.styra.com.

    • DAS_SAML_CONFIG_NAME: This will be the name used for an identity provider configuration inside of Styra DAS. Select any DNS-compatible string that will help identify the identity provider in the future.

Configure AWS IAM Identity Center SAML Application

To configure an AWS IAM Identity Center SAML 2.0 Application for signing in to Styra DAS:

  1. Login to your AWS Organization's root AWS Account.

  2. Navigate to the AWS IAM Identity Center service.

  3. On the left navigation pane, click Applications.

  4. Click the Add application button in the top-right.

  5. Select a Custom Application and click Next.

  6. Enter the following details in the configuration form.

    • Display Name: Set to any valid string. Styra recommends including your DAS URL in the Application name for easier identification.

    • Description: Set to any valid string.

    • Application start URL: Leave empty

    • Relay State: Leave empty

    • Session duration: Select any duration.

    • Application Metadata: Select "Manually type your metadata values".

    • Application ACS URL: Enter https://<DAS_URL>/v1/saml/<DAS_SAML_CONFIG_NAME>/callback.

    • Application SAML audience: Enter https://<DAS_URL>/v1/saml/<DAS_SAML_CONFIG_NAME>/metadata.

  7. Under IAM Identity Center metadata, download the IAM Identity Center SAML metadata file. Click Submit at the bottom of the page.

  8. In the configured SAML Application overview, click the Actions tab and select Edit attribute mappings.

  9. Set the following attibute mappings:

    • Subject: Map to the exact string ${user:subject}. Select transient for the Format.

    • email: Create a new mapping, map exact string email to exact string ${user:email}. Select unspecified for the Format.

  10. In the SAML Application overview, select Assign Users

  11. Assign users/groups that can use the SAML 2.0 Application. Please refer to AWS Application Assignments for more details.

Styra DAS Configuration

Next, configure a Single Sign-on Provider in Styra DAS.

  1. Log in to Styra DAS with a username and password.

  2. Go to your Workspace, click Access Control >> Single Sign-On Providers and then click SAML >> + Add SAML Provider.

  3. Enter the following details in the form.

    • Provider name: Set to the <DAS_SAML_CONFIG_NAME> string decided upon earlier.

    • Private key: Use openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.cert -days 3650 -nodes -subj "/CN=<DAS_URL>" command to generate a private key and the associated certificate. Enter the private key.

    • Private key certificate: Enter the certificate generated by openssl in the previous step.

    • Identity provider metadata: Enter the IAM Identity Center Certificate downloaded earlier.

    • Email attribute: Enter the exact string email.

    • Allowed Domains: Type the allowed authentication domain(s) of your users. For example, retail.acme.com. If the identity provider supports multiple domains, only users with these domains are allowed to access the service.

    • Allow identity provider to initiate sign in: SAML Authentication in Styra DAS will work regardless of whether this field is enabled.

      • If enabled, users will be able to initiate a Styra DAS sign-in from the AWS Console SAML Application, as well as from Styra DAS itself.

      • If disabled, users will not be able to initiate a Styra DAS sign-in from the AWS Console and will need to go to Styra DAS to log in.

    • Invited users only:

      • If enabled, the authenticated user must have a pre-existing account in the service.

      • If disabled, a new user account will be created just-in-time for any authenticated user, as long as the user's domain matches one of the allowed domains (and the identity provider has assigned the new user to the Styra application).

    • Enabled: Set to TRUE.

Invite Users to Styra (Optional)

If you configured your Styra DAS Identity Provider to only allow invited users to login to the service, then the next step is to add desired users to your Styra DAS tenant. You can add or invite users through the following options:

  • Using the CLI.
  • Using the GUI.
  • Any client calling the Styra CLI API.