Protect AWS IAM Identity Center with eID MFA
Last updated
In this scenario, AWS IAM Identity Center, the AWS service for sign-in and management of B2B identities, uses Integrity as its SAML Identity Provider. With this setup, eIDs such as BankID, SITHS, EFOS, Freja, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi can be used for passwordless MFA authentication to AWS IAM Identity Center.
In the use case described below, Freja orgID is used as the eID method.
Integrity will fetch all user attributes from the Freja orgID certificate used during authentication.
This scenario can easily be copied and modified to use other eID methods for MFA, such as SITHS, EFOS, BankID, Norwegian ID-porten, Foreign eID (eIDAS) or Suomi.fi.
There are some prerequisites for this use case. You will need the following:
A Freja certificate, to be able to communicate with the Freja backend.
AWS console administration rights.
The host (DNS) name of the Integrity service (external access).
Outgoing TCP/443 communication, to be able to reach the Freja backend services.
Open the folder where you have installed Integrity Web.
Rename the customer folder to customer_OLD. The result should look like: \..\FortifiedID\web\customer_OLD
Download the following ZIP file: USE_CASE_AWS_IAM_IDENTITY_CENTER_FREJA_MFA.zip
Unzip the file.
Copy the customer_WEB folder to \..\FortifiedID\web\
Rename customer_WEB to customer. The result should look like: \..\FortifiedID\web\customer
In this section we will look at parts of the configuration and add or replace data for your environment. This use case uses the globals concept: variables that make it easy to replace environment-specific data and, when a value is used in many places, to update it in one place only.
First, open the file customer/config/config.json and change the globals section according to the instructions below.
base_dir
base_dir is the top folder for data that you do not want to be overwritten by an upgrade. Update the base_dir value to match your installation.
For Windows the value should be: "base_dir": "../customer"
For Docker the value should be: "base_dir": "."
host
Set the host value to your DNS name entry, including https://.
keystore - https and saml
If you use the test certificate provided by us, you do not need to change anything. If you have your own keystore, update the values below to point to it.
Find in section: keystore
keystore - freja
Use your own Freja keystore. Name the keystore freja.p12 and place it in the folder /config/resources_internal/certificates/Freja/. Change the password variables below to match your keystore and private-key passwords.
Find in section: keystore
Save the config.json file.
Start the service and verify that it started correctly by looking through the server.log file.
Open a browser and go to https://<your_integrity_host>/saml/metadata/integrity_idp.
A SAML IdP metadata XML file should be downloaded. This file will be used in a later step.
Log in to the AWS Console
Search for IAM Identity Center
Select the service IAM Identity Center
Select Settings
Scroll down to Identity Source
Select Actions -> Change identity source
Select External identity provider
Click Next
Click Download metadata to the right of Service provider metadata. This file will be used in a later step.
Under Identity provider metadata, click Choose file and select the SAML IdP XML file that was downloaded from Integrity.
Click Next
Click Create
Rename the downloaded SAML SP file to aws-sp.xml
Place the file in the directory customer/config/resources_external/saml_metadata/, replacing the current file.
Restart the Integrity Web service.
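Before the two metadata files are exchanged, it is worth checking that each one says what you expect (entityID, endpoints served over HTTPS, a usable signing certificate). The script below is an added example, not part of the Fortified ID or AWS documentation; it uses only the Python standard library and inspects either the Integrity IdP metadata or the AWS SP metadata (aws-sp.xml). The embedded sample metadata is constructed; its host, entityID and certificate value are placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_metadata(xml_text):
    """Summarise an IdP or SP metadata file and collect sanity problems."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor: " + root.tag)
    out = {"entity_id": root.get("entityID"), "role": "IdP",
           "endpoints": [], "signing_certs": 0, "problems": []}
    role, ep_tag = root.find("md:IDPSSODescriptor", NS), "md:SingleSignOnService"
    if role is None:  # not an IdP file, so expect the AWS SP file instead
        role, ep_tag = root.find("md:SPSSODescriptor", NS), "md:AssertionConsumerService"
        out["role"] = "SP"
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor")
    # Every SSO (IdP) or ACS (SP) endpoint must be served over TLS.
    for ep in role.findall(ep_tag, NS):
        loc = ep.get("Location", "")
        out["endpoints"].append((ep.get("Binding"), loc))
        if not loc.startswith("https://"):
            out["problems"].append("non-https endpoint: " + loc)
    # Signing certs must be present and decode to DER (0x30 = ASN.1 SEQUENCE).
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        b64 = "".join((cert.text or "").split()) if cert is not None else ""
        if base64.b64decode(b64)[:1] == b"\x30":
            out["signing_certs"] += 1
        else:
            out["problems"].append("signing KeyDescriptor without a usable X509Certificate")
    return out

# Constructed sample IdP metadata; host, entityID and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://integrity.example.com/saml/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://integrity.example.com/saml/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://integrity.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it on the real files with `inspect_saml_metadata(open("integrity_idp.xml").read())` and on aws-sp.xml; an empty problems list and the expected entityID is what you want to see before the exchange.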
Open the AWS Console -> IAM Identity Center
Settings->Identity Center
Click the AWS access portal URL
You should now be redirected to Fortified ID Integrity Web
Complete the Freja orgID authentication.
You should now be redirected back to AWS IAM Identity Center and be logged in to the portal.