Configure Single Sign-On in AWS for CloudCheckr CMx
In this topic, you will learn how to set up Single Sign-On (SSO) for your AWS account in CloudCheckr CMx by configuring:
- AWS (the Identity Provider or IdP)
- CloudCheckr CMx (the Service Provider or SP)
Prerequisite
You must be an enterprise customer to use IdP-initiated SSO.
Workflow
- Create a support ticket in the CloudCheckr Service Desk Portal that indicates you need to set up SAML.
- A CloudCheckr Support engineer will:
- walk you through how to generate SAML IdP metadata through your SSO provider
- validate that the authentication process is working in your environment successfully
Although CloudCheckr will provision your users for the first-time logon, your organization must enable specific permissions and account access for your CloudCheckr CMx users. For more information, see the Access Management and Roles topics.
- Log in to the AWS Management Console.
- In the Find Services text field, type AWS SSO.
- From the Dashboard, click Applications.
- Click Add a new application.
The AWS SSO Application Catalog opens.
- Click Add a custom SAML 2.0 application.
- In the Details section:
- Type CloudCheckr CMx in the Display name field.
- Type Cloud Management Platform in the Description field.
- In the AWS SSO metadata section:
- Click Download to download the AWS SSO SAML metadata file and send it to Support.
- Under Session duration in the Application properties section, select Custom duration for and select 900 seconds.
- In the Application metadata section:
- Click the link, If you don't have a metadata file, you can manually type your metadata values.
- Choose the Application ACS URL and Application SAML Audience that match the AWS region you use to access CloudCheckr:
| Region | Application ACS URL | Application SAML Audience |
| --- | --- | --- |
| US | https://auth-us.cloudcheckr.com/auth/sso/saml2/Acs | https://auth-us.cloudcheckr.com/auth |
| EU | https://auth-eu.cloudcheckr.com/auth/sso/saml2/Acs | https://auth-eu.cloudcheckr.com/auth |
| AU | https://auth-au.cloudcheckr.com/auth/sso/saml2/Acs | https://auth-au.cloudcheckr.com/auth |
| GOV | https://auth-gov.cloudcheckr.com/auth/sso/saml2/Acs | https://auth-gov.cloudcheckr.com/auth |
- Type the values you just selected into the appropriate fields.
- Click Save Changes.
- Click Attribute Mappings.
- Perform the following actions in this tab:
- For the Subject User attribute, type ${user:email} and leave the format as emailAddress.
- Click Add new attribute mapping.
- For the name attribute, type ${user:email} and leave the format as unspecified.
- Click Assigned users.
- Click Assign users to choose the users from your directory who should be able to access CloudCheckr CMx.
- Once Support has added your metadata to your account, select CloudCheckr CMx from your AWS apps list to log in.
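When Support validates the login, the assertion AWS SSO sends must carry the region's ACS URL as Recipient, the region's SAML Audience, an emailAddress-format NameID and the `name` attribute configured above. The following Python script is an added example (not CloudCheckr's or AWS's code) that checks those fields; the sample assertion and its Issuer value are constructed placeholders, and XML signature verification is deliberately left out.

```python
# Added example: check a SAML assertion's fields against the per-region values this
# guide has you enter for the custom AWS SSO application. Signature validation is
# not done here; a real SP must verify the signature before trusting any field.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# ACS URL and SAML Audience per region, exactly as listed in the guide's table.
REGIONS = {
    r: (f"https://auth-{r}.cloudcheckr.com/auth/sso/saml2/Acs",
        f"https://auth-{r}.cloudcheckr.com/auth")
    for r in ("us", "eu", "au", "gov")
}

def check_assertion(xml_text: str, region: str) -> list[str]:
    """Return a list of problems; an empty list means the fields match the region."""
    acs_url, audience = REGIONS[region]
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Subject NameID is missing or not in emailAddress format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append(f"Recipient is not the {region.upper()} ACS URL {acs_url}")
    auds = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in auds:
        problems.append(f"Audience does not include {audience}")
    attrs = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if "name" not in attrs:
        problems.append("attribute mapping 'name' is absent")
    return problems

# Constructed sample assertion (signature omitted, Issuer is a placeholder) for the US region.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/saml/assertion/PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://auth-us.cloudcheckr.com/auth/sso/saml2/Acs" NotOnOrAfter="2024-01-01T00:15:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://auth-us.cloudcheckr.com/auth</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_assertion(SAMPLE_ASSERTION, "us")` returns an empty list, while checking the same assertion against `"eu"` reports the Recipient and Audience mismatches, which is the symptom of typing the wrong region's values into the application metadata.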