Configure Single Sign-On for AWS in CloudCheckr

In this topic, you will learn how to set up SSO with your AWS account by configuring:

  • AWS (the Identity Provider or IdP)
  • CloudCheckr (the Service Provider or SP)

Procedure

  1. Log in to the AWS Management Console.

    The AWS services page opens.

  2. In the Find Services text field, type AWS SSO.

    The AWS Single Sign-On Console opens.

  3. From the Dashboard, click Applications.

    The Applications screen opens.

  4. Click Add a new application.

    The AWS SSO Application Catalog opens.

  5. Click Add a custom SAML 2.0 application.
  6. In the Details section:
    1. Type CloudCheckr in the Display name field.
    2. Type Cloud Management Platform In the Description field.
  7. Scroll down to the AWS SSO metadata section.
  8. Click Download to download the AWS SSO SAML metadata file and send it to Support.
  9. Scroll down to Application properties.
  10. For Session duration, select Custom duration and select 900 seconds.
  11. Scroll down to Application metadata.
  12. Click the link, If you don't have a metadata file, you can manually type your metadata values.
  13. Choose the Application ACS URL and Application SAML Audience that match the AWS region you use to access CloudCheckr:

    Region

    Application ACS URL

    Application SAML Audience

    US

    https://app.cloudcheckr.com/sso/acs

    https://app.cloudcheckr.com

    EU

    https://eu.cloudcheckr.com/sso/acs

    https://eu.cloudcheckr.com

    AU

    https://au.cloudcheckr.com/sso/acs

    https://au.cloudcheckr.com

    GOV

    https://gov.cloudcheckr.com/sso/acs

    https://gov.cloudcheckr.com

    FED

    https://fed.cloudcheckr.com/sso/acs

    https://fed.cloudcheckr.com

  14. Type the values you just selected into the appropriate fields.
  15. Click Save Changes.

    AWS displays details about your CloudCheckr application.

  16. Click Attribute Mappings.
  17. Perform the following actions in this tab:
    1. For the Subject User attribute, type $ {user:email} and leave the format as emailAddress.
    2. Click Add new attribute mapping.
    3. For the UserName attribute, type ${user:name} and leave the format as unspecified.
  18. Click Assigned users.
  19. Click Assign users to assign users you would like to access CloudCheckr from your directory.
  20. Once CloudCheckr Support has added your metadata to your account, you need to perform the following steps in CloudCheckr:
    1. Launch CloudCheckr.
    2. Select your account from the Accounts List page.
    3. From the header menu, click the Settings icon and select Partner / Account > Users.

      The Users page opens.

    4. Click the name of a user.

      The Edit User page opens.

    5. CloudCheckr cannot auto-provision new users in AWS SSO.

      To identify the users permitted to use AWS SSO, select the SSO checkbox and select AWSfrom the drop-down menu in the Logon section.

    6. At the bottom of the page, click Update.

How did we do?