2024-06-18 15:53:06 +02:00
---
title: SAML AWS SSO
slug: /deployment/security/saml/aws
2024-09-05 10:30:31 +02:00
collate: false
2024-06-18 15:53:06 +02:00
---
# SAML AWS SSO
Follow the sections in this guide to set up AWS SSO using SAML.
{% note %}
Security requirements for your **production** environment:
- **DELETE** the admin default account shipped by OM.
- **UPDATE** the Private / Public keys used for the [JWT Tokens ](/deployment/security/enable-jwt-tokens ) in case it is enabled.
{% /note %}
## Create OpenMetadata application
### Step 1: Configure a new Application in AWS Console
- Login to [AWS Console ](https://aws.amazon.com/console/ ) as an administrator and search for IAM Identity Center.
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-1.png" alt="IAM-Identity-Center" /%}
2024-06-18 15:53:06 +02:00
- Click on `Choose your identity source` and configure as per security requirements.
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-2.png" alt="identity-source" /%}
2024-06-18 15:53:06 +02:00
- After identity source is set up successfully, goto step 2 and click on `Manage Access to application` and add all the required users who need access to application.
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-3.png" alt="manage-access" /%}
2024-06-18 15:53:06 +02:00
- Click on `Set up Identity Center enabled applications` , and click `Add application` , and select `Add custom SAML 2.0 application` .
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-4.png" alt="saml-application" /%}
2024-06-18 15:53:06 +02:00
- Set Display Name to `OpenMetadata` , and download the metadata xml file and save it someplace safe, it is needed to setup OM Server
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-5.png" alt="metadata-xml" /%}
2024-06-18 15:53:06 +02:00
- Click on `Manage assignments to your cloud applications` and select `OpenMetadata` from list of applications.
- Click on `Actions` and select `Edit Configurations` from list. Populate the shown values replacing `localhost:8585` with your `{domain}:{port}` and Submit.
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-6.png" alt="edit-configuration" /%}
2024-06-18 15:53:06 +02:00
- Click on `Actions` again and select `Edit Attribute Mapping` from list. Populate the values as shown below and submit
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-7.png" alt="edit-attribute" /%}
2024-06-18 15:53:06 +02:00
### Step 2: Setup `OpenMetadata Server`
- Open the downloaded metadata xml file, and populate the following properties in `openmetadata.yml`
```yaml
samlConfiguration:
debugMode: ${SAML_DEBUG_MODE:-false}
idp:
entityId: ${SAML_IDP_ENTITY_ID:-"https://mocksaml.com/api/saml/sso"}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-"https://saml.example.com/entityid"}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
sp:
2024-09-12 20:46:44 +05:30
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/acs"}
2024-06-18 15:53:06 +02:00
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
security:
strictMode: ${SAML_STRICT_MODE:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
wantNameIdEncrypted: ${SAML_WANT_NAME_ID_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
```
2025-03-18 16:03:32 +05:30
- Populate the above config from [xml metadata ](/deployment/security/saml/xml_file )
2024-06-18 15:53:06 +02:00
2024-12-04 11:44:41 +01:00
{% image src="/images/v1.6/deployment/security/saml/aws/saml-aws-8.png" alt="populate-metadata" /%}
2024-06-18 15:53:06 +02:00
- IDP Config
`entityID` -> Populate it from Metadata XML Entity ID
`HTTP-Redirect SSO Login URL` -> always select HTTP-Redirect Url for SSO Login Url
`X509 Certificate` -> This is also available in the IDP XML.
`NameIDFormat` -> from MetadataXML NameIDFormat
`authorityUrl` -> set as {http}/{https}://{domain}:{port}/api/v1/saml/login
- SP Config
2024-09-12 20:46:44 +05:30
`entityId` -> -> set as {http}/{https}://{domain}:{port}/api/v1/saml/acs
2024-06-18 15:53:06 +02:00
`acs` -> Assertion Consumer Url , set as {http}/{https}://{domain}:{port}/api/v1/saml/acs
`spX509Certificate` -> set to your X509 Signing Key
`callback` -> set as {http}/{https}://{domain}/api/v1/saml/callback
- Security Parameters can be configured in case we want to have signed or encrypted or both assertions.
In any case we decided to use above config for security then it i s mandatory to provide keystore config,
from where the system can load the signing certificate or Private Key for encryption.
### Step 3: Setup JWT Configuration
- Follow the guide here for JWT Configuration [Enable JWT Token ](/deployment/security/enable-jwt-tokens ).
{% note %}
Security requirements for your **production** environment:
- **UPDATE** the Private / Public keys used for the [JWT Tokens ](/deployment/security/enable-jwt-tokens ) the ones shipped with OM are for POC only.
{% /note %}
### Step 4: Start the server
- Set up for SAML is done, you should be routed to your IDP on trying to Sign-in.
