Using SAML Federation with AWS

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

In this lab, we will learn how to configure an AWS identity provider to work with an existing on-premises identity provider (IdP) to offer single sign-on AWS Management Console access. In this case, the customer is using Shibboleth as their IdP.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create an IAM Identity Provider

Gather XML Metadata from the Lab Identity Provider (IdP)

  1. Navigate to IAM.
  2. Open a new browser tab to the following address, replacing <PUBLIC_IP_ADDRESS_OF_SHIBBOLETH_IDP> with the value provided on the lab page:


    Note: Mozilla Firefox works more reliably for getting the SAML file.

  3. The site uses a self-signed certificate, which is fine for this lab. Continue to the site.
  4. Copy the XML from the screen into a text editor.
  5. Save it to a file named saml2.xml.

Create IAM Identity Provider

  1. In the IAM browser tab, navigate to IAM > Identity providers.
  2. Click Create Provider, and set the following values:
    • Provider Type: SAML
    • Provider Name: intranet-local-idp
    • Metadata Document: Click Choose File, and select the saml2.xml file
  3. Click Next Step.
  4. Click Create.

Note: If you encounter an error message (Could not parse metadata), the text file likely contains special characters. If so, use the following steps to create the SAML file.

Alternative SAML File Generation if an Error Is Encountered

  1. Open a terminal window.

  2. Ensure you have curl installed.

  3. Run the following command, replacing <PUBLIC_IP_ADDRESS_OF_SHIBBOLETH_IDP> with the value provided on the lab page:

    curl -k https://<PUBLIC_IP_ADDRESS_OF_SHIBBOLETH_IDP>/idp/profile/Metadata/SAML > saml2.xml  
  4. Open the tab for IAM in the AWS Management Console.

  5. From the screen where the error was encountered, click Previous.

  6. Click Choose File, and select the saml2.xml saved earlier.

  7. Click Next Step.

  8. Click Create.
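
Added example (not part of the original lab): a browser copy can pick up non-XML text, and curl -k skips TLS verification, so a local check of saml2.xml before upload is worthwhile. This sketch confirms the file is well-formed IdP metadata and returns the SHA-256 fingerprint of each signing certificate, to be compared with the value reported by whoever runs the IdP. The sample metadata, its entityID and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the bytes below stand in for a DER certificate.
SAMPLE_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}" entityID="https://idp.intranet.local/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode()

def inspect_idp_metadata(data: bytes) -> dict:
    """Return entityID and signing-cert fingerprints, or raise ValueError."""
    # Stdlib parser keeps this self-contained; SAML metadata never needs a DTD,
    # so refuse one outright instead of letting the parser expand entities.
    if b"<!DOCTYPE" in data:
        raise ValueError("metadata must not contain a DOCTYPE")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    prints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue  # skip encryption-only keys
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "signing_cert_sha256": prints}

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(inspect_idp_metadata(data))
```

Run it with the path to saml2.xml as the only argument; with no argument it checks the constructed sample.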

Create IAM Role

  1. Click Roles in the left-hand menu.
  2. Click Create role.
  3. Select SAML 2.0 Federation as the type of trusted entity.
  4. Set the following values:
    • SAML provider: intranet-local-idp
    • Allow programmatic and AWS Management Console access: Select
  5. Click Next: Permissions.
  6. On the permissions policies page, type ReadOnlyAccess in the Filter policies box, and select the ReadOnlyAccess policy. (It will be far down on the list.)
  7. Click Next: Tags > Next: Review.
  8. Set the following values:
    • Role name: intranet-local-readonly
    • Role description: Intranet local read only role
  9. Click Create role.
  10. Click the newly created intranet-local-readonly role.
  11. Copy its role ARN, and paste it into a text document for later use.
  12. Click the Trust relationships tab.
  13. Under Trusted entities copy the listed IdP ARN, and paste it into a text document for later use.

Configure the Source IdP to Work with AWS

  1. Log in to the Shibboleth IdP via SSH, replacing <PUBLIC_IP_ADDRESS_OF_SHIBBOLETH_IDP> with the value provided on the lab page:

  2. Move to the Shibboleth configuration directory:

    cd shibconf
  3. Edit the configuration file:

    sudo vim attribute-resolver.xml
  4. Scroll down in the file until you find the AWS Resolver block.

  5. Replace ROLE_ARN with the role ARN you copied earlier.

  6. Replace IDP_ARN with the IdP ARN you copied earlier.

  7. Save the file.

  8. Move to the root directory:

    cd ..
  9. Run the script to restart tomcat:

    sudo ./
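
Added example (not part of the original lab): a consistency check for the values pasted into the AWS Resolver block against the role's trust policy. It assumes the resolver emits the AWS Role attribute as one comma-separated pair of role ARN and IdP ARN, and that the trust policy is the JSON shown on the role's Trust relationships tab; the account ID and sample policy are constructed.

```python
import re

# Standard "aws" partition only; IAM ARNs carry no region.
ARN = re.compile(r"arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+")
SIGNIN_AUD = "https://signin.aws.amazon.com/saml"

# Constructed values: 123456789012 is a placeholder account ID.
ROLE = "arn:aws:iam::123456789012:role/intranet-local-readonly"
IDP = "arn:aws:iam::123456789012:saml-provider/intranet-local-idp"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": IDP},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUD}}}]}

def check_federation(attr_value, role_arn, trust_policy):
    """Return a list of problems; an empty list means the pieces agree."""
    parts, found = attr_value.split(","), {}
    for part in parts:
        m = ARN.fullmatch(part)
        if not m:
            return [f"malformed ARN or stray whitespace: {part!r}"]
        found[m.group(2)] = (part, m.group(1))
    if len(parts) != 2 or set(found) != {"role", "saml-provider"}:
        return ["value must pair one role ARN with one saml-provider ARN"]
    (role, role_acct), (idp, idp_acct) = found["role"], found["saml-provider"]
    problems = []
    if role_acct != idp_acct:
        problems.append("role and IdP ARNs are in different accounts")
    if role != role_arn:
        problems.append("attribute names a different role than the one created")

    def allows(st):
        # True when this statement lets the named IdP assume the role via SAML
        act = st.get("Action", [])
        cond = st.get("Condition", {}).get("StringEquals", {})
        return (st.get("Effect") == "Allow"
                and "sts:AssumeRoleWithSAML" in ([act] if isinstance(act, str) else act)
                and st.get("Principal", {}).get("Federated") == idp
                and cond.get("SAML:aud") == SIGNIN_AUD)

    if not any(allows(st) for st in trust_policy.get("Statement", [])):
        problems.append("trust policy does not allow this IdP with SAML:aud pinned")
    return problems

if __name__ == "__main__":
    print(check_federation(f"{ROLE},{IDP}", ROLE, TRUST))      # consistent
    print(check_federation("ROLE_ARN,IDP_ARN", ROLE, TRUST))  # placeholders left in
```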

Test SAML Federation from Shibboleth to AWS

  1. Open a remote desktop client.
  2. Click + New to configure a new connection.
  3. Enter "Bastion Host" as the connection name.
  4. For PC name, enter the public IP address of the bastion host provided on the lab page.
  5. Enter "cloud_user" as the user name.
  6. For password, enter the password for the bastion host provided on the lab page.
  7. Open the connection.
  8. Click Use Default Config.
  9. Open a web browser from the bastion host.
  10. Navigate to the login URL: https://idp.intranet.local/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
  11. The site uses a self-signed certificate, which is fine for this lab. Click Advanced, and then click Proceed to idp.intranet.local (unsafe).
  12. Enter "clouduser" as the name.
  13. Enter "bettertogether" as the password. You should then be directed to the AWS Management Console.

Additional Resources

In this lab, we are stepping into the role of a security engineer who's been tasked with completing a proof of concept configuration of SAML 2.0 federation between our company's Shibboleth IdP and AWS Identity and Access Management.

To accomplish this, we need to collect the SAML XML metadata from the provided Shibboleth IdP at the URL below, replacing <IP_ADDRESS> with the IP address provided under Public IP address of Shibboleth IdP. Take care to copy the full XML contents and nothing else.


The XML document found at the above URL needs to be saved locally because we will upload it to AWS in the process of creating the federation between AWS and our Shibboleth IdP.

We then need to log in to the AWS Management Console with the provided URL and credentials. Then, navigate to the Identity and Access Management (IAM) console and create a new IdP (with the file we saved above) and an associated role with the AWS managed ReadOnlyAccess policy attached.

Note: Mozilla Firefox works more reliably for getting the SAML file. If you encounter parsing errors when creating your IAM IdP with the document above, using curl to save it directly to a file can avoid/correct this: curl -k https://<IP_ADDRESS>/idp/profile/Metadata/SAML > metadata.xml

We then need to gather the ARN for the role and IAM IdP created above, log in to the Shibboleth IdP via SSH, and modify the attribute-resolver.xml file in the /home/cloud_user/shibconf directory, replacing ROLE_ARN and IDP_ARN with the values we gathered from the AWS Management Console. Save and exit the file, and run the provided script to restart Tomcat: sudo /home/cloud_user/

At this point, our federation between AWS and our Shibboleth IdP is complete. To test this, we need to log in to the provided bastion host with a remote desktop client. The IP address and credentials can be found under Public IP address of Bastion Host. Once logged in to the bastion host, open a web browser and proceed to the URL below, logging in with the provided credentials.

  • URL: https://idp.intranet.local/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
  • Username: clouduser
  • Password: bettertogether

Identity Provider and backing database links:
