Configure Single Sign-On in AWS for CloudCheckr CMx

In this topic, you will learn how to set up Single Sign-On (SSO) for your AWS account in CloudCheckr CMx by configuring:

  • AWS (the Identity Provider or IdP)
  • CloudCheckr CMx (the Service Provider or SP)

Workflow

  1. Log in to the AWS Management Console.
  2. In the Find Services text field, type AWS SSO.
  3. From the Dashboard, click Applications.
  4. Click Add a new application.

    The AWS SSO Application Catalog opens.

  5. Click Add a custom SAML 2.0 application.
  6. In the Details section:
    1. Type CloudCheckr CMx in the Display name field.
    2. Type Cloud Management Platform in the Description field.
  7. In the AWS SSO metadata section:
    1. Click Download to download the AWS SSO SAML metadata file and send it to Support.
  8. Under Session duration in the Application properties section, select Custom duration for and set it to 900 seconds.
  9. In the Application metadata section:
    1. Click the link, If you don't have a metadata file, you can manually type your metadata values.
    2. Choose the Application ACS URL and Application SAML Audience that match the AWS region you use to access CloudCheckr:
      If you are a CloudCheckr enterprise customer who purchased our white label package, contact Customer Success or Support to confirm your authorization endpoint.
      Region    Single Sign-On URL (Application ACS URL)               Audience URI (SP Entity ID)
      US        https://auth-us.cloudcheckr.com/auth/sso/saml2/Acs     https://auth-us.cloudcheckr.com/auth
      EU        https://auth-eu.cloudcheckr.com/auth/sso/saml2/Acs     https://auth-eu.cloudcheckr.com/auth
      AU        https://auth-au.cloudcheckr.com/auth/sso/saml2/Acs     https://auth-au.cloudcheckr.com/auth
      GOV       https://auth-gov.cloudcheckr.com/auth/sso/saml2/Acs    https://auth-gov.cloudcheckr.com/auth
      Federal   https://auth-fed.cloudcheckr.com/auth/sso/saml2/Acs    https://auth-fed.cloudcheckr.com/auth
    3. Type the values you just selected into the appropriate fields.
    4. Click Save Changes.
  10. Click Attribute Mappings.
  11. Perform the following actions in this tab:
    1. For the Subject User attribute, type ${user:email} and leave the format as emailAddress.
    2. Click Add new attribute mapping.
    3. For the name attribute, type ${user:email} and leave the format as unspecified.
  12. Click Assigned users.
  13. Click Assign users to assign the users from your directory who should be able to access CloudCheckr CMx.
  14. Once Support has added your metadata to your account, select CloudCheckr CMx from your AWS apps list to log in.

Send Your Metadata to Support

  1. Create a support ticket in the CloudCheckr Service Desk Portal that indicates you configured your SAML information.
  2. Attach the XML file that you downloaded in the previous procedure to your ticket.

    Although CloudCheckr will provision your users for the first-time logon, your organization must enable specific permissions and account access for your CloudCheckr CMx users. For more information, see the Access Management and Roles topics.
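Before you type the endpoint values into AWS SSO (step 9) and attach the metadata file to the ticket, it is worth checking both. The following script is an added example, not CloudCheckr's or AWS's code: it compares the ACS URL and Audience URI against the region table above and inspects an IdP metadata file for the pieces Support and the SAML exchange depend on (entityID, signing certificate, HTTPS HTTP-POST SSO endpoint). The metadata shown is a constructed sample with placeholder values, not a real AWS SSO download.

```python
import xml.etree.ElementTree as ET

# Region -> host label, from the page's ACS URL / Audience URI table.
REGION_HOST = {"US": "us", "EU": "eu", "AU": "au", "GOV": "gov", "Federal": "fed"}
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def sp_endpoints(region):
    """Expected (ACS URL, Audience URI) for a CloudCheckr region."""
    base = f"https://auth-{REGION_HOST[region]}.cloudcheckr.com/auth"
    return base + "/sso/saml2/Acs", base


def check_sp_values(region, acs_url, audience):
    """Problems with the values typed into AWS SSO (wrong region, stray characters)."""
    want_acs, want_aud = sp_endpoints(region)
    problems = []
    if acs_url != want_acs:
        problems.append(f"ACS URL must be {want_acs}")
    if audience != want_aud:
        problems.append(f"Audience URI must be {want_aud}")
    return problems


def check_idp_metadata(xml_text):
    """Problems with the downloaded IdP metadata: entityID, signing cert, HTTPS POST SSO URL."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("missing EntityDescriptor entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["missing IDPSSODescriptor"]
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("no signing certificate, so CloudCheckr could not verify assertions")
    posts = [s.get("Location", "") for s in idp.findall("md:SingleSignOnService", NS)
             if s.get("Binding", "").endswith(":HTTP-POST")]
    if not any(loc.startswith("https://") for loc in posts):
        problems.append("no HTTPS SingleSignOnService with the HTTP-POST binding")
    return problems


# Constructed sample shaped like an IdP metadata download; every value is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run check_sp_values with the region you selected and check_idp_metadata with the contents of the downloaded file; an empty list from each means the values are consistent with the table and the file carries what Support needs.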
