Configure Single Sign-On in AWS for CloudCheckr CMx

In this topic, you will learn how to set up Single Sign-On (SSO) for your AWS account in CloudCheckr CMx by configuring:

  • AWS (the Identity Provider or IdP)
  • CloudCheckr CMx (the Service Provider or SP)

Prerequisite

You must be an enterprise customer to use IdP-initiated SSO.


Workflow

  1. Create a support ticket in the CloudCheckr Service Desk Portal that indicates you need to set up SAML.
  2. A CloudCheckr Support engineer will:
    • walk you through how to generate SAML IdP metadata through your SSO provider
    • validate that the authentication process is working in your environment successfully
      Although CloudCheckr will provision your users for the first-time logon, your organization must enable specific permissions and account access for your CloudCheckr CMx users. For more information, see the Access Management and Roles topics.

  1. Log in to the AWS Management Console.
  2. In the Find Services text field, type AWS SSO.
  3. From the Dashboard, click Applications.
  4. Click Add a new application.

    The AWS SSO Application Catalog opens.

  5. Click Add a custom SAML 2.0 application.
  6. In the Details section:
    1. Type CloudCheckr CMx in the Display name field.
    2. Type Cloud Management Platform in the Description field.
  7. In the AWS SSO metadata section:
    1. Click Download to download the AWS SSO SAML metadata file and send it to Support.
  8. Under Session duration in the Application properties section, select Custom duration for and select 900 seconds.
  9. In the Application metadata section:
    1. Click the link If you don't have a metadata file, you can manually type your metadata values.
    2. Choose the Application ACS URL and Application SAML Audience that match the AWS region you use to access CloudCheckr:

      Region   Application ACS URL                                    Application SAML Audience
      US       https://auth-us.cloudcheckr.com/auth/sso/saml2/Acs     https://auth-us.cloudcheckr.com/auth
      EU       https://auth-eu.cloudcheckr.com/auth/sso/saml2/Acs     https://auth-eu.cloudcheckr.com/auth
      AU       https://auth-au.cloudcheckr.com/auth/sso/saml2/Acs     https://auth-au.cloudcheckr.com/auth
      GOV      https://auth-gov.cloudcheckr.com/auth/sso/saml2/Acs    https://auth-gov.cloudcheckr.com/auth

    3. Type the values you just selected into the appropriate fields.
    4. Click Save Changes.
  10. Click Attribute Mappings.
  11. Perform the following actions in this tab:
    1. For the Subject User attribute, type ${user:email} and leave the format as emailAddress.
    2. Click Add new attribute mapping.
    3. For the name attribute, type ${user:email} and leave the format as unspecified.
  12. Click Assigned users.
  13. Click Assign users to assign users you would like to access CloudCheckr CMx from your directory.
  14. Once Support has added your metadata to your account, select CloudCheckr CMx from your AWS apps list to log in.
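To confirm that the application you just configured emits what this procedure expects, the following added Python check (example code, not CloudCheckr's or AWS's own) inspects a SAML Response for the region's ACS URL as Destination, the region's SAML Audience, an emailAddress-format Subject and a name attribute equal to the e-mail. It assumes the Response XML has already been taken from the POST to the ACS URL and that its signature is verified separately; the sample Response is constructed for illustration.

```python
# Added example (not CloudCheckr's or AWS's own code): checks that a SAML Response from
# the AWS SSO application configured above carries the values this page asks for. It does
# NOT verify the XML signature; the SP must do that before trusting any of these values.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def region_endpoints(region: str) -> tuple[str, str]:
    """ACS URL and SAML Audience for one of the page's regions: us, eu, au or gov."""
    if region not in ("us", "eu", "au", "gov"):
        raise ValueError(f"unknown CloudCheckr region {region!r}")
    base = f"https://auth-{region}.cloudcheckr.com/auth"
    return base + "/sso/saml2/Acs", base

def check_response(xml_text: str, region: str) -> list[str]:
    """Return the configuration problems found; an empty list means every check passed."""
    acs, audience = region_endpoints(region)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs:                        # must be the region's ACS URL
        problems.append(f"Destination {root.get('Destination')!r} is not {acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)  # Subject mapped to ${user:email}
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("Subject NameID missing or not in emailAddress format")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:                             # must name the region's audience
        problems.append(f"Audience {audiences} does not include {audience!r}")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if name_id is not None and attrs.get("name") != [name_id.text]:  # "name" is also ${user:email}
        problems.append("'name' attribute does not equal the NameID e-mail address")
    return problems

# Constructed, unsigned sample Response for a US-region user.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://auth-us.cloudcheckr.com/auth/sso/saml2/Acs"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  >alice@example.com</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>
 <saml:Audience>https://auth-us.cloudcheckr.com/auth</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="name">
 <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running the same Response against the wrong region reports both the Destination and the Audience mismatch, which is the symptom you will see if the ACS URL and Audience were copied from the wrong row of the table.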
