Within our lab I’m constantly on the hunt for more (free) SAML based SaaS solutions to enable in our environment. With a lot being said around Horizon on AWS, I thought it might be the perfect solution to add to the lab!

The first thing I thought to check was; “supported 3rd party SAML providers for”. Now, unfortunately VMware Identity Manager is not listed in the supported solutions but I can tell you first hand. IT IS and I can prove it!

First thing you’ll need to do is log into your AWS console and navigate to the IAM service: https://console.aws.amazon.com/iam

You should be greeted with the following console:

IAM Console

You should be able see from the above screen shot that I have 1 Identity provider, a number of users added and a number or roles within my IAM service.

This is (hopefully) what you’ll have by the end of this post 😀

Create the application:

Ok, so first step. Login to your vIDM portal and add a new application. Catalogue->Web Apps->New:

Name your application, I’m going for AWS TEST.

Hit next.

Now we need to grab the SAML metadata from AWS. Use the generic SP Entity ID of: https://signin.aws.amazon.com/static/saml-metadata.xml

Hit next, next and save. This will load the meta data into the application ready for you to configure the next step.

Re-open the application by clicking ‘AWS TEST’.

You’ll notice a couple of things about the application, the certificate has already been added, the SSO URL and Recipient URL’s have been populated.

Now we need to head over to the AWS IAM console to add our identity provider and assign our users some roles.

Search for IAM

Adding the IdP in AWS:

Now we need to add a new identity provider:

Hit ‘Create Provider’ then choose SAML as the provider type:

After choosing SAML, we need to name our Identity Provider and upload our IdP metadata.

The ‘Metadata Document’ can be found within your vIDM portal under: Catalogue->Web Apps->Settings:

This will bring up the following information:

Right-click on ‘Identity Provider (IdP) metadata’ and hit ‘Save link as’ or ‘Save as’. This will allow you to save the IdP metadata as a .xml file.

Save this somewhere on your local machine so that we can upload it into AWS IAM.

Upload the idp.xml file into the AWS ‘Create Provider’ page and verify the identity provider.

Create the User Role:

Click on ‘Roles’ and hit ‘Create Role’:

Then select ‘SAML 2.0 federation’ choose the Identity provider that we just created:

As this role is for users to acces the AWS management portal, I’ve ticked ‘Allow programmatic and AWS management console access’. Selecting this should automatically add the sign in URL.

Hit ‘Next for Permissions’ and select the permission level that you want you SAML users to have. I’ve selected ‘Administrators’ for my test:

Then hit ‘Next: Tags’ and then ‘Next: Review’ and name your new role.

I’ve named mine ‘AWS Test’.

Now under roles you’ll have AWS TEST. Click the role as there’s some bits we need to make a note of:


Click on ‘Trust relationships’ for the info we need:

  • Select the Role ARN and paste it in a text file. Also select the Provider ARN from the Trusted Entities and paste it in the same text file separated by a comma. The text file should look something like this:

We’re going to need this for the last bit of configuration in the vIDM console:

On your AWS Test application within vIDM do the following:

  • Click Edit
  • Click configuration
  • Paste the following into the ‘Relay State URL’ field: https://console.aws.amazon.com
  • Click ‘Advanced Properties’
  • Tick ‘Sign Assertion’
  • Scroll down to ‘Custom Attribute Mapping’
  • Delete all the attribute apart from the top 2:

In the top attribute (https://aws.amazon.com/SAML/Attributes/Role) add the contents of your text file eg: arn:aws:iam::420312340206:role/AWSTEST,arn:aws:iam::420312340206:saml-provider/EUCSE

In the bottom attribute (https://aws.amazon.com/SAML/Attributes/RoleSessionName) add ‘${user.userPrincipalName}’ this will then use the user’s email address in the SAML assertion.

Hit save and assign the application to any users that also have an account in AWS. For example, my email in the lab is [email protected] and I’ve created a user in AWS with the username of [email protected]

You should then be able to test your application to make sure it’s working ok!

If you have a requirement to setup different roles for different users. You could create multiple AWS apps within vIDM with different https://aws.amazon.com/SAML/Attributes/Role attribute and assigned to different users.

Spread the love