The templates in this folder enable AWS SSO in the Management account. SSO is used to provide human access to accounts within the organization, both to the console and through the CLI.
Follow these instructions to set up AWS SSO and integrate it with the Jumpcloud IDP. This is a one-time setup.
- Log in to the AWS console as admin.
- Go to the SSO console and enable SSO.
- Go to SSO settings and disable MFA, because MFA is already required on our IDP.
- Set up the JC IDP integration with SSO using the JC instructions.
- Copy the "AWS SSO Sign-in URL" from the AWS SAML 2.0 authentication settings and paste it into the JC SSO setting "Login URL".
- In the JC SSO settings, turn on "Enable management of User Groups and Group Membership in this application" to allow JC to manage AWS SSO users and groups with SCIM.
- In the AWS SSO identity source settings select "Enable automatic provisioning", then copy the "SCIM endpoint" and "Access Token" from AWS and paste them into the JC SCIM settings "SP base URL" and "SP API Token" fields.
- Set up JC users/groups and give them access to the JC SSO app.
- Check that JC users/groups are automatically synced to AWS SSO.
- Verify that the JC app in the JC user login portal has access to the AWS account(s) and that the user can sign in to the account from JC.
Follow these instructions to set up Jumpcloud user access to AWS accounts.
- Log in to the Jumpcloud admin console.
- Create a JC user group.
- Map the JC user group to the AWS SSO application.
- Log in to the Sage AWS Organization account and go to the SSO console. An SSO user group ID (e.g. 906769aa66-5d23a723-54f3-4c08-a67b-311e555f4e85) will be created automatically for the new group.
- Add a new resource to ./_tasks.yaml with the new policy, role and matching AWS SSO group ID.
- Deploy the resource.
- In the JC admin console, map users to the JC user group.
- Log in to the Jumpcloud user portal as a user who was mapped to the JC user group.
- Select Applications -> AWS SSO.
- The account with the role should appear for the user to select.
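As an added check for the "groups are synced" step in the first procedure and the "matching AWS SSO group ID" step in the second (example code, not part of this folder's templates): a small Python script that scans ./_tasks.yaml for AWS SSO group IDs and compares them with the groups present in the SSO identity store, flagging IDs that no longer exist (for instance because the JC group was deleted and re-created, which yields a new ID) and synced groups that have no resource yet. The ID pattern is inferred from the single example above, the task-file fragment and group names are constructed sample data rather than the real schema, and the boto3 calls are used only by the live variant.

```python
"""Drift check: AWS SSO group IDs referenced in ./_tasks.yaml vs. groups SCIM-synced from JumpCloud."""
import re
from typing import Dict, List, Set

# SSO group IDs look like 906769aa66-5d23a723-54f3-4c08-a67b-311e555f4e85 (a 10-hex identity-store
# prefix followed by a UUID). The pattern is an assumption derived from that one example.
GROUP_ID_RE = re.compile(r"\b[0-9a-f]{10}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b")


def group_ids_in_tasks(tasks_yaml_text: str) -> Set[str]:
    """Return every SSO group ID that appears in the task file, without assuming its schema."""
    return set(GROUP_ID_RE.findall(tasks_yaml_text))


def check_drift(referenced: Set[str], synced: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare IDs referenced by the IaC against groups present in the identity store.

    synced maps GroupId -> DisplayName. 'dangling' IDs are in _tasks.yaml but no longer exist
    (e.g. the JC group was deleted and re-created, which produces a new ID, so the deployed
    assignment grants nobody access); 'unassigned' groups are synced but have no resource yet.
    """
    return {
        "dangling": sorted(referenced - set(synced)),
        "unassigned": sorted(name for gid, name in synced.items() if gid not in referenced),
    }


def fetch_synced_groups() -> Dict[str, str]:
    """Live variant: list groups in the SSO identity store with boto3 (needs credentials plus
    sso:ListInstances and identitystore:ListGroups); the offline sample below does not use it."""
    import boto3  # imported lazily so the offline check runs without boto3 installed
    store_id = boto3.client("sso-admin").list_instances()["Instances"][0]["IdentityStoreId"]
    pages = boto3.client("identitystore").get_paginator("list_groups").paginate(IdentityStoreId=store_id)
    return {g["GroupId"]: g["DisplayName"] for page in pages for g in page["Groups"]}


# Constructed sample data: a task-file fragment (not the real schema) and a fake group listing.
SAMPLE_TASKS = """AdminsSsoAccess:
  GroupId: 906769aa66-5d23a723-54f3-4c08-a67b-311e555f4e85
StaleSsoAccess:
  GroupId: 906769aa66-1111aaaa-2222-4333-8444-555566667777   # group was re-created in JC; old ID
"""
SAMPLE_SYNCED = {
    "906769aa66-5d23a723-54f3-4c08-a67b-311e555f4e85": "aws-admins",
    "906769aa66-0d3fc8a1-7a51-4d3b-8c2e-0123456789ab": "aws-developers",  # synced, not yet assigned
}

if __name__ == "__main__":
    print(check_drift(group_ids_in_tasks(SAMPLE_TASKS), SAMPLE_SYNCED))
```

Run it against the real file with `group_ids_in_tasks(open("_tasks.yaml").read())` and `fetch_synced_groups()` after the deploy step; an empty "dangling" list means every assignment in the task file points at a group that still exists.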