Setup AWS Organizations With Google Suite SAML SSO


Simplified AWS account management, with centralized billing and resource sharing, authenticated with G Suite as the identity provider

As a tech lead for Theodo, an international software development agency, I rely heavily on AWS for web project hosting. Most of my colleagues do as well, especially as more and more projects follow the serverless architecture trend. Initially, Theodo was built around Google as its main identity provider: all our digital tools use Google authentication (Trello, Workplace and so on). On the technical tools side, we mostly rely on our GitHub accounts. As far as AWS is concerned, Theodo provided every developer with IAM user credentials for web console access and programmatic access to a single AWS master account. This account centralized experiments, developer environments for a few applications and some production environments of our internal tools.

However, such a setup has a few drawbacks:

In order to tackle those issues, I moved our teams from a manual setup (remembering account IDs, managing many different passwords) to a single page, authenticated with Google, listing all the accounts they have access to. The following AWS services came in handy for such a transition:

This setup provides all your employees with a single user portal listing every AWS account they have access to, authenticated with their existing Google credentials.

AWS SSO and Organization with G Suite SAML Provider

The following instructions describe the steps required to set up AWS SSO on AWS Organizations accounts. It differs from many of the tutorials found when searching for "aws sso google", which focus on setting up SSO for a single AWS account using AWS IAM roles with a trusted SAML provider.

The main advantage of setting up SSO for an organization is to ensure resource segregation, and therefore avoid a developer's own experimentation contaminating a service. It also removes the need for company developers to create their own side accounts, with personal or company billing information that your finance team later needs to consolidate.

Implementation

AWS Organizations

AWS Organizations requires one account to be used as the master account of your company. This account's billing information will be used to charge the expenses of all other accounts within the organization.

In order to setup AWS Organizations, you need the following accesses:

Check: When I go to https://console.aws.amazon.com/console/home, I can authenticate to my company's master account with the Root user option.

Instructions to set up AWS Organizations

AWS SSO

AWS SSO setup requires AWS Organizations to be active on your AWS master account. Make sure to follow the steps above first before continuing.

In order to set up AWS SSO, you need the following accesses:

Check: When I go to https://admin.google.com, I can see an Apps section.

I. AWS SSO endpoint configuration

By default, AWS SSO uses an internal identity store for quick and easy user management. The following steps II to V focus on implementing a SAML SSO authentication flow for your AWS Organizations instead.

II. G Suite SAML App initialization and metadata recovery

Keep this browser tab open; we will need it to complete the application setup in step IV.

III. AWS SSO external IdP configuration with G Suite metadata and AWS metadata recovery

IV. G Suite SAML App configuration with AWS metadata

V. AWS SSO users provisioning

AWS SSO uses SCIM (System for Cross-domain Identity Management) to automatically provision users based on IdP information. Unfortunately, no SCIM option is exposed for the G Suite IdP; this automatic provisioning method is mainly used for Azure Active Directory federated AWS SSO configurations.

Therefore, when setting up AWS SSO with G Suite accounts, you need to add users manually in the AWS SSO interface. User permissions are also managed from the AWS SSO interface.

VI. AWS SSO accounts and users management

You can now go to the URL you configured in the first step (https://{company}.awsapps.com/start), authenticate via Google with your G Suite account and be redirected to the AWS SSO user portal. In this portal, listed under AWS Account, you can see each AWS account of your AWS Organization for which your user has at least one permission set. For each AWS account listed, you can see the available permission sets, usable both within the web management console and from the command line.

I recommend using groups rather than individual users for AWS accounts used by projects. Assigning a permission set to an individual user on an AWS account should only be done for personal AWS accounts within the organization (we use such accounts at Theodo for experimentation and training purposes).

Adding an account and user from start to finish

And just like that, you have a new fully functional AWS account just for your employee in less than a minute, without any credentials exchange. They simply need to go to the user portal URL you set up earlier and see their newly created accounts.

Going further

Resources used to compile this article

Serverless Transformation

Serverless Tools, Techniques, and Case Studies

Thanks to Xavier Lefèvre and Ben Ellerby

Frédéric Barthelet

Written by

AWS Community Builder. @serverless/typescript maintainer and Serverless framework contributor.

Serverless Transformation

Tools, techniques, and case studies of using serverless to release fast and scale optimally.
