{"id":497,"date":"2017-04-07T14:28:30","date_gmt":"2017-04-07T12:28:30","guid":{"rendered":"https:\/\/blog.besharp.it\/497\/"},"modified":"2021-03-29T16:24:41","modified_gmt":"2021-03-29T14:24:41","slug":"single-sign-on-with-g-suite-on-the-amazon-web-services-console","status":"publish","type":"post","link":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/","title":{"rendered":"Single-sign-on with G Suite on the Amazon Web Services console"},"content":{"rendered":"<p id=\"2e44\" class=\"graf graf--p graf-after--h3\">Which AWS console user has never run into the age-old problem of\u00a0<strong class=\"markup--strong markup--p-strong\">managing multiple users on multiple accounts<\/strong>, having to create different IAM users\u200a\u2014\u200awith complex passwords for each of them\u200a\u2014\u200aon top of the highly fundamental (but, let\u2019s be honest, decidedly inconvenient)\u00a0<strong class=\"markup--strong markup--p-strong\">two-factor-authentication<\/strong>?<\/p>\n<p id=\"e37f\" class=\"graf graf--p graf-after--p\">And on the topic of two-factor-authentication, assuming that you don\u2019t want to use a dedicated hardware token for every single IAM user, the choice is almost totally limited to\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Authenticator\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/en.wikipedia.org\/wiki\/Google_Authenticator\"><strong class=\"markup--strong markup--p-strong\">Google Authenticator<\/strong><\/a>, with codes and QR codes that proliferate like mushrooms and that become difficult to safeguard from adverse smartphone-related events (theft, loss, breakage, backup, changing device\u2026).<\/p>\n<p id=\"d1bb\" class=\"graf graf--p graf-after--p\">AWS actually offers\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-cross-account-access-in-the-aws-management-console\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/blogs\/aws\/new-cross-account-access-in-the-aws-management-console\/\"><strong class=\"markup--strong markup--p-strong\">a cross-account access service<\/strong><\/a>\u00a0for its management console, which, however, has several limitations, including:<\/p>\n<ul class=\"postList\">\n<li id=\"1861\" class=\"graf graf--li graf-after--p\"><del>the maximum limit of 5 manageable AWS accounts;<\/del><strong> [UPDATE: this limit has been removed :)]<\/strong><\/li>\n<li id=\"f71f\" class=\"graf graf--li graf-after--li\">being based on the cookies of the browser used to log into it (if we change browsers or delete the cache, everything gets reset);<\/li>\n<li id=\"b508\" class=\"graf graf--li graf-after--li\">its requirement for at least one \u201cmaster\u201d IAM user to start with, which requires dedicated login and TFA credentials.<\/li>\n<\/ul>\n<p id=\"bec9\" class=\"graf graf--p graf-after--li\">The most appropriate response to the need to centrally manage users and login details, for AWS as well as for the vast majority of applications that need multi-user authentication, is called\u00a0<strong class=\"markup--strong markup--p-strong\">Single-sign-on<\/strong>\u00a0(SSO).<\/p>\n<p id=\"05fc\" class=\"graf graf--p graf-after--p\">Typically, the SSO mechanism is based on an\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/en.wikipedia.org\/wiki\/Identity_provider\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/en.wikipedia.org\/wiki\/Identity_provider\"><strong class=\"markup--strong markup--p-strong\">Identity Provider<\/strong><\/a>\u00a0(a centralised repository of all corporate identities with their attributes\u200a\u2014\u200ausername, password, groups, roles, etc\u2026) and a series of Service Providers (applications where users can log in with their corporate identities) that are federated to the Identity Provider with strong\u00a0<em class=\"markup--em markup--p-em\">trust<\/em>\u00a0relationships that are typically based on shared keys, certificates or tokens. This allows users to use a single user profile (and therefore a single password and a single TFA), which is centrally managed, to log into all the applications that have been enabled for them.<\/p>\n<p id=\"497a\" class=\"graf graf--p graf-after--p\">Although Service Providers can be the most disparate of applications (Web, desktop, mobile, remote access, CLI, API etc\u2026), Identity Providers are almost always\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/en.wikipedia.org\/wiki\/Lightweight_Directory_Access_Protocol\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/en.wikipedia.org\/wiki\/Lightweight_Directory_Access_Protocol\"><strong class=\"markup--strong markup--p-strong\">LDAP<\/strong><\/a><strong class=\"markup--strong markup--p-strong\">\u00a0or\u00a0<\/strong><a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/en.wikipedia.org\/wiki\/Active_Directory\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/en.wikipedia.org\/wiki\/Active_Directory\"><strong class=\"markup--strong markup--p-strong\">Microsoft Active Directory servers<\/strong><\/a>. Specifically, MS AD is the de facto standard in most highly-structured companies for corporate identity management, and it is therefore supported by default by all applications that require the option of using SSO.<\/p>\n<p id=\"f945\" class=\"graf graf--p graf-after--p\">However, it is not that common to find an MS AD infrastructure implemented (but this also applies partly to LDAP), especially in smaller, younger or more agile businesses, for reasons ranging from cost to complexity of management (especially if they are in need of a highly reliably provided AD service), without ignoring the fact that MS AD is typical of Microsoft-centric companies (almost all the large legacy companies) and is therefore less prevalent where the client base is more varied (Windows+Mac+Linux\u2026).<\/p>\n<p id=\"b6f2\" class=\"graf graf--p graf-after--p\">A very widespread trend in businesses is to use the company Google Apps account (recently renamed to\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/gsuite.google.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/gsuite.google.com\/\">G Suite<\/a>)\u200a\u2014\u200aa widely-used service mostly used for its email and collaboration functions\u200a\u2014\u200aas an Identity Provider. By doing so, you can use SSO on a multitude of applications that already natively support the \u201clogin with Google\u201d function, but also on those (as is the case with the AWS console) that support the\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/en.wikipedia.org\/wiki\/Security_Assertion_Markup_Language\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/en.wikipedia.org\/wiki\/Security_Assertion_Markup_Language\">SAML standard<\/a>, which G Suite has been providing the service of Identity Provider for for around a year.<\/p>\n<figure id=\"cf1c\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"aspectRatioPlaceholder-fill\"><\/div>\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*6oXNkTw5nxNT2rWCnx-sXg.png\" data-width=\"624\" data-height=\"294\" data-scroll=\"native\">\n<figure id=\"attachment_523\" aria-describedby=\"caption-attachment-523\" style=\"width: 624px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-523\" src=\"\/wp-content\/uploads\/2017\/04\/WD_2.png\" alt=\"Single Sign on with G Suite to AWS\" width=\"624\" height=\"294\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/WD_2.png 624w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/WD_2-400x188.png 400w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption id=\"caption-attachment-523\" class=\"wp-caption-text\">Operating diagram for authentication using SAML between G Suite and the AWS\u00a0console<\/figcaption><\/figure>\n<\/div>\n<\/div><figcaption class=\"imageCaption\"><\/figcaption><\/figure>\n<p id=\"5631\" class=\"graf graf--p graf-after--figure\">So let\u2019s see how to\u00a0<strong class=\"markup--strong markup--p-strong\">configure our AWS and G Suite accounts to make Single-Sign-On work with SAML.<\/strong><\/p>\n<p id=\"e2e7\" class=\"graf graf--p graf-after--p\">First of all, in the G Suite administration page, we have to add custom attributes to our users, through which our Identity Provider (Google) will communicate the identity of the user logged in, as well as additional information that we will explain later, to the Service Provider (AWS).<\/p>\n<figure id=\"66af\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*bjCxdlwRtMkpCek-L_fSdQ.png\" data-width=\"800\" data-height=\"300\" data-action=\"zoom\" data-action-value=\"1*bjCxdlwRtMkpCek-L_fSdQ.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-524\" src=\"\/wp-content\/uploads\/2017\/04\/user_attributes.png\" alt=\"\" width=\"1588\" height=\"596\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes.png 1588w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes-400x150.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes-1024x384.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes-768x288.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes-1536x576.png 1536w\" sizes=\"(max-width: 1588px) 100vw, 1588px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"67d6\" class=\"graf graf--p graf-after--figure\">Now create a custom attribute class and call it \u201cAWS SAML\u201d and then create the attributes \u201cIAM Role\u201d and \u201cSessionDuration\u201d. It is important for both attributes to be private (that is, not viewable by all users in your organisation) and for the attribute \u201cIAM Role\u201d to support multiple values.<\/p>\n<figure id=\"7cf5\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*35L1hXbWuckFFIaTCnz7rQ.png\" data-width=\"800\" data-height=\"811\" data-action=\"zoom\" data-action-value=\"1*35L1hXbWuckFFIaTCnz7rQ.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-525\" src=\"\/wp-content\/uploads\/2017\/04\/user_attributes2.png\" alt=\"\" width=\"1349\" height=\"1369\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes2.png 1349w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes2-296x300.png 296w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes2-1009x1024.png 1009w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes2-768x779.png 768w\" sizes=\"(max-width: 1349px) 100vw, 1349px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"8d77\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*e6HGhVF76OpnS_ZXFI938g.png\" data-width=\"800\" data-height=\"539\" data-action=\"zoom\" data-action-value=\"1*e6HGhVF76OpnS_ZXFI938g.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"50\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-526\" src=\"\/wp-content\/uploads\/2017\/04\/user_attributes3.png\" alt=\"\" width=\"1430\" height=\"965\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes3.png 1430w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes3-400x270.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes3-1024x691.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/user_attributes3-768x518.png 768w\" sizes=\"(max-width: 1430px) 100vw, 1430px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"1a87\" class=\"graf graf--p graf-after--figure\">With this done, go into the \u201cApps\u201d section and add a new SAML application, starting with the preconfigured template for AWS.<\/p>\n<figure id=\"9a9e\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*Hoff7UXPLaNLRVN6FbQERw.png\" data-width=\"800\" data-height=\"227\" data-action=\"zoom\" data-action-value=\"1*Hoff7UXPLaNLRVN6FbQERw.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"20\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-527\" src=\"\/wp-content\/uploads\/2017\/04\/saml.png\" alt=\"\" width=\"3312\" height=\"943\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml.png 3312w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml-400x114.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml-1024x292.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml-768x219.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml-1536x437.png 1536w\" sizes=\"(max-width: 3312px) 100vw, 3312px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"1b88\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*PSIc4Ntmu0zecPW8lhHWqw.png\" data-width=\"800\" data-height=\"780\" data-action=\"zoom\" data-action-value=\"1*PSIc4Ntmu0zecPW8lhHWqw.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"72\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-528\" src=\"\/wp-content\/uploads\/2017\/04\/saml2.png\" alt=\"\" width=\"1362\" height=\"1329\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml2.png 1362w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml2-307x300.png 307w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml2-1024x999.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/saml2-768x749.png 768w\" sizes=\"(max-width: 1362px) 100vw, 1362px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"9ef4\" class=\"graf graf--p graf-after--figure\">Download (option 2) the IDP Metadata (which is an\u00a0.xml file that contains some configuration parameters and the X509 certificate that the\u00a0<em class=\"markup--em markup--p-em\">trust<\/em>relationship between IdP and SP is based on) and set it aside for a later step.<\/p>\n<blockquote id=\"fe59\" class=\"graf graf--blockquote graf-after--p\"><p><strong class=\"markup--strong markup--blockquote-strong\">WARNING!!! The contents of this file should not be released for any reason; the security of the entire solution relies on its remaining confidential!<\/strong><\/p><\/blockquote>\n<figure id=\"5bf8\" class=\"graf graf--figure graf-after--blockquote\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*nkmVC1uNozb_UqVkHKTybg.png\" data-width=\"800\" data-height=\"772\" data-action=\"zoom\" data-action-value=\"1*nkmVC1uNozb_UqVkHKTybg.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-529\" src=\"\/wp-content\/uploads\/2017\/04\/idp_meta.png\" alt=\"\" width=\"1331\" height=\"1286\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/idp_meta.png 1331w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/idp_meta-310x300.png 310w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/idp_meta-1024x989.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/idp_meta-768x742.png 768w\" sizes=\"(max-width: 1331px) 100vw, 1331px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"3402\" class=\"graf graf--p graf-after--figure\">We continue the configuration by mapping the SAML entity known as \u201cName ID\u201d on \u201cPrimary Email\u201d (that is, the user will be presented to the AWS console with their email address as their unique identifier).<\/p>\n<figure id=\"f152\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*UM-xftqna6wjVwl6leTi2A.png\" data-width=\"800\" data-height=\"764\" data-action=\"zoom\" data-action-value=\"1*UM-xftqna6wjVwl6leTi2A.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-530\" src=\"\/wp-content\/uploads\/2017\/04\/mapping1.png\" alt=\"\" width=\"1337\" height=\"1277\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping1.png 1337w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping1-314x300.png 314w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping1-1024x978.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping1-768x734.png 768w\" sizes=\"(max-width: 1337px) 100vw, 1337px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"647c\" class=\"graf graf--p graf-after--figure\">In the next step, we need to configure three additional mappings (be careful, as here the G Suite UI is not very clear, as the URLs in the left column aren\u2019t very legible):<\/p>\n<ul class=\"postList\">\n<li id=\"12c4\" class=\"graf graf--li graf-after--p\">The attribute\u00a0<a class=\"markup--anchor markup--li-anchor\" href=\"https:\/\/aws.amazon.com\/SAML\/Attributes\/RoleSessionName\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/SAML\/Attributes\/RoleSessionName\"><em class=\"markup--em markup--li-em\">https:\/\/aws.amazon.com\/SAML\/Attributes\/RoleSessionName<\/em><\/a>should be mapped to \u201cPrimary Email\u201d again.<\/li>\n<li id=\"5dd9\" class=\"graf graf--li graf-after--li\">The attribute\u00a0<a class=\"markup--anchor markup--li-anchor\" href=\"https:\/\/aws.amazon.com\/SAML\/Attributes\/Role\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/SAML\/Attributes\/Role\"><em class=\"markup--em markup--li-em\">https:\/\/aws.amazon.com\/SAML\/Attributes\/Role<\/em><\/a>\u00a0should be mapped to the custom attribute \u201cIAM role\u201d that we created earlier. What we are doing with this is telling AWS which roles the user is authorised to take on and on which<span class=\"markup--quote markup--li-quote is-other\" data-creator-ids=\"9a875ab37d7e\">\u00a0<\/span>accounts.<\/li>\n<\/ul>\n<p id=\"4315\" class=\"graf graf--p graf-after--li\">The attribute\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/aws.amazon.com\/SAML\/Attributes\/SessionDuration\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/SAML\/Attributes\/SessionDuration\"><em class=\"markup--em markup--p-em\">https:\/\/aws.amazon.com\/SAML\/Attributes\/SessionDuration<\/em><\/a>should be added, mapped to the custom attribute \u201cSessionDuration\u201d that we created earlier. Here, we are telling AWS how long the session of a particular user should last before they are automatically logged out.<\/p>\n<figure id=\"c6c1\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*H1JI_PkCwbFOsHHDGVonGQ.png\" data-width=\"800\" data-height=\"770\" data-action=\"zoom\" data-action-value=\"1*H1JI_PkCwbFOsHHDGVonGQ.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-531\" src=\"\/wp-content\/uploads\/2017\/04\/mapping2.png\" alt=\"\" width=\"1345\" height=\"1295\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping2.png 1345w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping2-312x300.png 312w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping2-1024x986.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mapping2-768x739.png 768w\" sizes=\"(max-width: 1345px) 100vw, 1345px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"1829\" class=\"graf graf--p graf-after--figure\">It is very useful to be able to customise this parameter because the default session is 1 hour long, which, for people who work quite a lot on the AWS console, is very short, leading to many inconvenient forced logouts during daily operations.\u00a0<strong class=\"markup--strong markup--p-strong\">WARNING!!! This \u201ctrick\u201d is exclusive to beSharp; it is not documented in the official Google or AWS guides! (nda).<\/strong><\/p>\n<p id=\"efce\" class=\"graf graf--p graf-after--p\">At this point, the configuration of G Suite is finished and we move on to the configuration of AWS.<\/p>\n<p id=\"aae3\" class=\"graf graf--p graf-after--p\">We go into the\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/aws.amazon.com\/iam\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/iam\/\"><strong class=\"markup--strong markup--p-strong\">IAM<\/strong><\/a> section \u2013&gt; Identity Providers and create a new one, SAML type, which we will call \u201cGoogleApps\u201d; at this point, we will have to upload the IdP metadata that we downloaded earlier (once the file is uploaded at this point, I suggest deleting it from your computer).<\/p>\n<figure id=\"4d93\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*vwjlg2GgtKsH3PjjLaJQfA.png\" data-width=\"800\" data-height=\"193\" data-action=\"zoom\" data-action-value=\"1*vwjlg2GgtKsH3PjjLaJQfA.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"17\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-532\" src=\"\/wp-content\/uploads\/2017\/04\/aws_idp.png\" alt=\"\" width=\"3328\" height=\"807\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp.png 3328w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp-400x97.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp-1024x248.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp-768x186.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp-1536x372.png 1536w\" sizes=\"(max-width: 3328px) 100vw, 3328px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"4482\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*HUkMlAzskSO9RiAcEo7vqA.png\" data-width=\"768\" data-height=\"436\" data-action=\"zoom\" data-action-value=\"1*HUkMlAzskSO9RiAcEo7vqA.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"42\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-533\" src=\"\/wp-content\/uploads\/2017\/04\/aws_idp2.png\" alt=\"\" width=\"924\" height=\"525\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp2.png 924w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp2-400x227.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp2-768x436.png 768w\" sizes=\"(max-width: 924px) 100vw, 924px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"a07b\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*7ltXkNl3FoNuE_1CHiR02A.png\" data-width=\"768\" data-height=\"349\" data-action=\"zoom\" data-action-value=\"1*7ltXkNl3FoNuE_1CHiR02A.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"32\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-534\" src=\"\/wp-content\/uploads\/2017\/04\/aws_idp3.png\" alt=\"\" width=\"1174\" height=\"534\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp3.png 1174w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp3-400x182.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp3-1024x466.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/aws_idp3-768x349.png 768w\" sizes=\"(max-width: 1174px) 100vw, 1174px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"f237\" class=\"graf graf--p graf-after--figure\">Then we create a new IAM role that we\u2019ll call \u201cGoogleLogin\u201d and as the role type, select \u201cIdentity Provider Access\u201d \u2013&gt; \u201cWebSSO\u201d and associate it with the \u201cGoogleApps\u201d Identity Provider we\u2019ve just created.<\/p>\n<figure id=\"8233\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*Bn1mtHo1kL-Q3iAiimfe4w.png\" data-width=\"800\" data-height=\"248\" data-action=\"zoom\" data-action-value=\"1*Bn1mtHo1kL-Q3iAiimfe4w.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"22\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-535\" src=\"\/wp-content\/uploads\/2017\/04\/role.png\" alt=\"\" width=\"1962\" height=\"609\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role.png 1962w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role-400x124.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role-1024x318.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role-768x238.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role-1536x477.png 1536w\" sizes=\"(max-width: 1962px) 100vw, 1962px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"1c27\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*vT-Kp6b5Q31QVd94QksnVw.png\" data-width=\"800\" data-height=\"198\" data-action=\"zoom\" data-action-value=\"1*vT-Kp6b5Q31QVd94QksnVw.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"17\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-536\" src=\"\/wp-content\/uploads\/2017\/04\/role2.png\" alt=\"\" width=\"3304\" height=\"818\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role2.png 3304w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role2-400x99.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role2-1024x254.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role2-768x190.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role2-1536x380.png 1536w\" sizes=\"(max-width: 3304px) 100vw, 3304px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"c253\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*unmz8hjxZPK6atfk0GkFhQ.png\" data-width=\"800\" data-height=\"138\" data-action=\"zoom\" data-action-value=\"1*unmz8hjxZPK6atfk0GkFhQ.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"12\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-537\" src=\"\/wp-content\/uploads\/2017\/04\/role3.png\" alt=\"\" width=\"3232\" height=\"558\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role3.png 3232w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role3-400x69.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role3-1024x177.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role3-768x133.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role3-1536x265.png 1536w\" sizes=\"(max-width: 3232px) 100vw, 3232px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"b4f8\" class=\"graf graf--p graf-after--figure\">In the next steps of the wizard, we will associate a policy with the IAM role to provide the permissions (in our example we gave admin permissions\u200a\u2014\u200a<strong class=\"markup--strong markup--p-strong\">DON\u2019T TRY THIS AT HOME!!!:)\u00a0<\/strong>) and the configuration on the AWS side is complete.<\/p>\n<figure id=\"fe35\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*P4TZDCp0CsFSOJAk-1U89g.png\" data-width=\"800\" data-height=\"336\" data-action=\"zoom\" data-action-value=\"1*P4TZDCp0CsFSOJAk-1U89g.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-538\" src=\"\/wp-content\/uploads\/2017\/04\/role4.png\" alt=\"\" width=\"2413\" height=\"1015\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role4.png 2413w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role4-400x168.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role4-1024x431.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role4-768x323.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role4-1536x646.png 1536w\" sizes=\"(max-width: 2413px) 100vw, 2413px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"815e\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*7ocolwe_g1IiUN6V7jcj9Q.png\" data-width=\"800\" data-height=\"387\" data-action=\"zoom\" data-action-value=\"1*7ocolwe_g1IiUN6V7jcj9Q.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-539\" src=\"\/wp-content\/uploads\/2017\/04\/role5.png\" alt=\"\" width=\"3292\" height=\"1595\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role5.png 3292w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role5-400x194.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role5-1024x496.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role5-768x372.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role5-1536x744.png 1536w\" sizes=\"(max-width: 3292px) 100vw, 3292px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"aa6f\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*-oNBOCe9cWm_nPMqLP22vA.png\" data-width=\"800\" data-height=\"244\" data-action=\"zoom\" data-action-value=\"1*-oNBOCe9cWm_nPMqLP22vA.png\" data-scroll=\"native\"><canvas class=\"progressiveMedia-canvas js-progressiveMedia-canvas\" width=\"75\" height=\"22\"><\/canvas><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-540\" src=\"\/wp-content\/uploads\/2017\/04\/role6.png\" alt=\"\" width=\"1976\" height=\"604\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role6.png 1976w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role6-400x122.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role6-1024x313.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role6-768x235.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/role6-1536x470.png 1536w\" sizes=\"(max-width: 1976px) 100vw, 1976px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"0f27\" class=\"graf graf--p graf-after--figure\">Now we turn to the administration of G Suite, to assign individual users permissions according to which roles they can take and on which AWS accounts.<\/p>\n<figure id=\"7962\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*ktbr0zFf0u8DjYq_4E8mhg.png\" data-width=\"800\" data-height=\"369\" data-action=\"zoom\" data-action-value=\"1*ktbr0zFf0u8DjYq_4E8mhg.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-541\" src=\"\/wp-content\/uploads\/2017\/04\/utente.png\" alt=\"\" width=\"3311\" height=\"1530\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/utente.png 3311w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/utente-400x185.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/utente-1024x473.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/utente-768x355.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/utente-1536x710.png 1536w\" sizes=\"(max-width: 3311px) 100vw, 3311px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"9cf5\" class=\"graf graf--p graf-after--figure\">This is the least intuitive part of the configuration: with regard to the roles and accounts that are accessible, AWS expect values like this from Google:<\/p>\n<pre id=\"6ffa\" class=\"graf graf--pre graf-after--p\">arn:aws:iam::1234567891012:role\/GoogleLogin,arn:aws:iam::1234567891012:saml-provider\/GoogleApps<\/pre>\n<p id=\"641a\" class=\"graf graf--p graf-after--pre\">As you can see, these are two\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"http:\/\/docs.aws.amazon.com\/general\/latest\/gr\/aws-arns-and-namespaces.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"http:\/\/docs.aws.amazon.com\/general\/latest\/gr\/aws-arns-and-namespaces.html\"><strong class=\"markup--strong markup--p-strong\">ARNs<\/strong><\/a> separated by a comma. The first is the ARN of the role that that user can assume, the second is the ARN of the identity provider that we created within the AWS account. (The number 1234567891012 is a placeholder that must be replaced with the actual account number of your AWS account). This value must be entered in the custom field \u201cIAM role\u201d that we created earlier. This allows us to specify which role each user can take on and on which AWS account.<\/p>\n<figure id=\"2b73\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*NcfBJUZlrCtKVsr80S6Fng.png\" data-width=\"800\" data-height=\"492\" data-action=\"zoom\" data-action-value=\"1*NcfBJUZlrCtKVsr80S6Fng.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-542\" src=\"\/wp-content\/uploads\/2017\/04\/attributi.png\" alt=\"\" width=\"1305\" height=\"804\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/attributi.png 1305w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/attributi-400x246.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/attributi-1024x631.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/attributi-768x473.png 768w\" sizes=\"(max-width: 1305px) 100vw, 1305px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"4ab7\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*Tp_ScVsjKyB5d_pjNMKtWA.png\" data-width=\"800\" data-height=\"386\" data-action=\"zoom\" data-action-value=\"1*Tp_ScVsjKyB5d_pjNMKtWA.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-543\" src=\"\/wp-content\/uploads\/2017\/04\/mario_rossi.png\" alt=\"\" width=\"3322\" height=\"1606\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mario_rossi.png 3322w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mario_rossi-400x193.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mario_rossi-1024x495.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mario_rossi-768x371.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/mario_rossi-1536x743.png 1536w\" sizes=\"(max-width: 3322px) 100vw, 3322px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"7747\" class=\"graf graf--p graf-after--figure\">If you remember, we made sure that the \u201cIAM role\u201d attribute supported multiple values; indeed, it is possible to specify multiple roles for the same user within the same account, or even on different accounts. Simply add more tuples such as:<\/p>\n<pre id=\"640e\" class=\"graf graf--pre graf-after--p\">arn:aws:iam::112233445566:role\/Ruolo1,arn:aws:iam::112233445566:saml-provider\/GoogleApps\r\narn:aws:iam::112233445566:role\/Ruolo2,arn:aws:iam::112233445566:saml-provider\/GoogleApps<\/pre>\n<p id=\"53e2\" class=\"graf graf--p graf-after--pre\">and immediately after logging in we will be asked which role we want to assume on which account.<\/p>\n<p id=\"a9b5\" class=\"graf graf--p graf-after--p\">Of course, for everything to work properly, in our example we should also repeat the SAML federation process (exchanging the IdP metadata) for account 112233445566.<\/p>\n<p id=\"2cb7\" class=\"graf graf--p graf-after--p\">In the custom field \u201cSessionDuration\u201d, you can specify the duration of the login session in seconds for each user. I suggest the value 28800, which corresponds to 8 hours: more or less a typical workday.<\/p>\n<p id=\"2039\" class=\"graf graf--p graf-after--p\">At this point, all we have left to do is enable the SAML application that we created, and all users will find a new icon in their quick access menu for Google Apps.<\/p>\n<figure id=\"2343\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*HNMfzDvIKosUYSEyjTyWZg.png\" data-width=\"800\" data-height=\"279\" data-action=\"zoom\" data-action-value=\"1*HNMfzDvIKosUYSEyjTyWZg.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-544\" src=\"\/wp-content\/uploads\/2017\/04\/turn_on.png\" alt=\"\" width=\"3312\" height=\"1158\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/turn_on.png 3312w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/turn_on-400x140.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/turn_on-1024x358.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/turn_on-768x269.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/turn_on-1536x537.png 1536w\" sizes=\"(max-width: 3312px) 100vw, 3312px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"056d\" class=\"graf graf--p graf-after--figure\">We\u2019ll log in with our test account \u201cMario Rossi\u201d and, by clicking on the corresponding icon, we will magically be directed to the AWS console where, as you can see, we are logged in with our federated account, m.rossi@besharp.net.<\/p>\n<figure id=\"705f\" class=\"graf graf--figure graf-after--p\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*4YmV6a4CS36lTJHeib-iIQ.png\" data-width=\"800\" data-height=\"341\" data-action=\"zoom\" data-action-value=\"1*4YmV6a4CS36lTJHeib-iIQ.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-545\" src=\"\/wp-content\/uploads\/2017\/04\/icona.png\" alt=\"\" width=\"3351\" height=\"1431\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/icona.png 3351w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/icona-400x171.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/icona-1024x437.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/icona-768x328.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/icona-1536x656.png 1536w\" sizes=\"(max-width: 3351px) 100vw, 3351px\" \/><\/div>\n<\/div>\n<\/figure>\n<figure id=\"2e8d\" class=\"graf graf--figure graf-after--figure\">\n<div class=\"aspectRatioPlaceholder is-locked\">\n<div class=\"progressiveMedia js-progressiveMedia graf-image is-canvasLoaded is-imageLoaded\" data-image-id=\"1*DgzbV9ZJG948eyWBGzyBXQ.png\" data-width=\"800\" data-height=\"278\" data-action=\"zoom\" data-action-value=\"1*DgzbV9ZJG948eyWBGzyBXQ.png\" data-scroll=\"native\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-546\" src=\"\/wp-content\/uploads\/2017\/04\/login.png\" alt=\"\" width=\"3228\" height=\"1123\" srcset=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/login.png 3228w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/login-400x139.png 400w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/login-1024x356.png 1024w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/login-768x267.png 768w, https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/login-1536x534.png 1536w\" sizes=\"(max-width: 3228px) 100vw, 3228px\" \/><\/div>\n<\/div>\n<\/figure>\n<p id=\"ae19\" class=\"graf graf--p graf-after--figure\">Satisfied?<\/p>\n<p id=\"0413\" class=\"graf graf--p graf-after--p\">In the next article, you will see how we used\u200a\u2014\u200ain a very creative way\u200a\u2014\u200athe same approach based on G Suite and SSO to use AWS services that require authentication using a key\/secret pair, such as <a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/aws.amazon.com\/cli\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/cli\/\"><strong class=\"markup--strong markup--p-strong\">AWS CLI<\/strong><\/a>,\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/aws.amazon.com\/codecommit\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" data-href=\"https:\/\/aws.amazon.com\/codecommit\/\"><strong class=\"markup--strong markup--p-strong\">CodeCommit<\/strong><\/a>\u00a0and access to APIs from clients outside the VPC.<\/p>\n<p id=\"e287\" class=\"graf graf--p graf-after--p\">In subsequent articles, on the other hand, we will further develop how to use G Suite as an Identity Provider for all the other services that would normally require a federation with Active Directory or LDAP.<\/p>\n<p id=\"f6cb\" class=\"graf graf--p graf-after--p graf--trailing\">Any doubts or questions? Comment on the article and we\u2019ll reply ASAP! And if you want to implement a solution like this but don\u2019t have the time or desire to do so\u2026\u00a0<a class=\"markup--anchor markup--p-anchor\" href=\"https:\/\/www.besharp.it\/en\/contact-us\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-href=\"mailto:info@besharp.it\"><strong class=\"markup--strong markup--p-strong\">contact us<\/strong><\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Which AWS console user has never run into the age-old problem of\u00a0managing multiple users on multiple accounts, having to create [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":522,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[472],"tags":[272,346,330],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.9.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Single-sign-on with G Suite on the Amazon Web Services console - Proud2beCloud Blog<\/title>\n<meta name=\"description\" content=\"How to set up single-sign-on with G Suite on the Amazon Web Services console\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SSO with G Suite on Amazon Web Services\" \/>\n<meta property=\"og:description\" content=\"How to set up single-sign-on with G Suite on the Amazon Web Services console\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\" \/>\n<meta property=\"og:site_name\" content=\"Proud2beCloud Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-04-07T12:28:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-03-29T14:24:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/WD_2.png\" \/>\n<meta name=\"author\" content=\"Simone Merlini\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"SSO with G Suite on Amazon Web Services\" \/>\n<meta name=\"twitter:description\" content=\"How to set up single-sign-on with G Suite on the Amazon Web Services console\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/WD_2.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Simone Merlini\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\",\"url\":\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\",\"name\":\"Single-sign-on with G Suite on the Amazon Web Services console - Proud2beCloud Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.besharp.it\/#website\"},\"datePublished\":\"2017-04-07T12:28:30+00:00\",\"dateModified\":\"2021-03-29T14:24:41+00:00\",\"author\":{\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/f5772030de5fdee2860686ede72225ee\"},\"description\":\"How to set up single-sign-on with G Suite on the Amazon Web Services console\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.besharp.it\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Single-sign-on with G Suite on the Amazon Web Services console\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.besharp.it\/#website\",\"url\":\"https:\/\/blog.besharp.it\/\",\"name\":\"Proud2beCloud Blog\",\"description\":\"il blog di beSharp\",\"alternateName\":\"Proud2beCloud Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.besharp.it\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/f5772030de5fdee2860686ede72225ee\",\"name\":\"Simone Merlini\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3476bf5e5ab09a9a5cfe42385c9cbe8f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3476bf5e5ab09a9a5cfe42385c9cbe8f?s=96&d=mm&r=g\",\"caption\":\"Simone Merlini\"},\"description\":\"CEO e co-fondatore di beSharp, Cloud Ninja ed early adopter di qualsiasi tipo di soluzione *aaS. Mi divido tra la tastiera del PC e quella a tasti bianchi e neri; sono specializzato nel deploy di cene pantagrueliche e nel test di bottiglie d'annata.\",\"url\":\"https:\/\/blog.besharp.it\/author\/amadeus\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Single-sign-on with G Suite on the Amazon Web Services console - Proud2beCloud Blog","description":"How to set up single-sign-on with G Suite on the Amazon Web Services console","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/","og_locale":"en_US","og_type":"article","og_title":"SSO with G Suite on Amazon Web Services","og_description":"How to set up single-sign-on with G Suite on the Amazon Web Services console","og_url":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/","og_site_name":"Proud2beCloud Blog","article_published_time":"2017-04-07T12:28:30+00:00","article_modified_time":"2021-03-29T14:24:41+00:00","og_image":[{"url":"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/WD_2.png"}],"author":"Simone Merlini","twitter_card":"summary_large_image","twitter_title":"SSO with G Suite on Amazon Web Services","twitter_description":"How to set up single-sign-on with G Suite on the Amazon Web Services console","twitter_image":"https:\/\/blog.besharp.it\/wp-content\/uploads\/2017\/04\/WD_2.png","twitter_misc":{"Written by":"Simone Merlini","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/","url":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/","name":"Single-sign-on with G Suite on the Amazon Web Services console - Proud2beCloud Blog","isPartOf":{"@id":"https:\/\/blog.besharp.it\/#website"},"datePublished":"2017-04-07T12:28:30+00:00","dateModified":"2021-03-29T14:24:41+00:00","author":{"@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/f5772030de5fdee2860686ede72225ee"},"description":"How to set up single-sign-on with G Suite on the Amazon Web Services console","breadcrumb":{"@id":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.besharp.it\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.besharp.it\/"},{"@type":"ListItem","position":2,"name":"Single-sign-on with G Suite on the Amazon Web Services console"}]},{"@type":"WebSite","@id":"https:\/\/blog.besharp.it\/#website","url":"https:\/\/blog.besharp.it\/","name":"Proud2beCloud Blog","description":"il blog di beSharp","alternateName":"Proud2beCloud Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.besharp.it\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/f5772030de5fdee2860686ede72225ee","name":"Simone Merlini","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/3476bf5e5ab09a9a5cfe42385c9cbe8f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3476bf5e5ab09a9a5cfe42385c9cbe8f?s=96&d=mm&r=g","caption":"Simone Merlini"},"description":"CEO e co-fondatore di beSharp, Cloud Ninja ed early adopter di qualsiasi tipo di soluzione *aaS. Mi divido tra la tastiera del PC e quella a tasti bianchi e neri; sono specializzato nel deploy di cene pantagrueliche e nel test di bottiglie d'annata.","url":"https:\/\/blog.besharp.it\/author\/amadeus\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts\/497"}],"collection":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/comments?post=497"}],"version-history":[{"count":0,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts\/497\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/media\/522"}],"wp:attachment":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/media?parent=497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/categories?post=497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/tags?post=497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}