apps/docs/content/guides/integrate/services/aws-saml.mdx
This guide shows how to enable login with ZITADEL on AWS SSO.
It covers how to:
Prerequisites:
The setup alternates between ZITADEL and AWS: headings that begin with "ZITADEL" describe steps in the ZITADEL Console, headings that begin with "AWS" describe steps in the AWS console.
With AWS SSO activated you can still manage users in AWS itself, or you can use Microsoft AD or an external identity provider instead.
This section describes how to connect ZITADEL as the external SAML 2.0 identity provider.
Choose "External identity provider":
Download the metadata file, which provides ZITADEL with all the information it needs about AWS SSO, and save the AWS SSO Sign-in URL, which you will use to log in afterwards.
Fill in the fields as follows to provide AWS with the information it needs:
To connect to a different environment, change the domain accordingly: for example, if ZITADEL runs under "https://example.com", the URLs are "https://example.com/saml/v2/SSO" and "https://example.com/saml/v2/metadata".
Download the certificate ZITADEL uses to sign its responses, so that AWS can validate the signature.
You can download the certificate from the following URL: ${CUSTOM_DOMAIN}/saml/v2/certificate
Then upload the ".crt" file to AWS and click "Next".
Finally, confirm the change. ZITADEL is now the external identity provider for AWS SSO and provides access to your AWS accounts.
How SSO users are then mapped to AWS accounts is described in the AWS documentation, for example here.
The metadata used in this step is the file downloaded in step 2 of "Change to external identity provider ZITADEL".
In your existing project:
On the ZITADEL side nothing more is needed once the application has been created correctly.
As a result, you can now log in to your AWS account through ZITADEL using the AWS SSO Sign-in URL you saved in step 2 of "Change to external identity provider ZITADEL".
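The two consoles exchange values by hand (SSO URL, metadata URL and signing certificate to AWS; AWS entityID and ACS URL from the downloaded file to ZITADEL), which is where most SAML setups go wrong. The following script is an added example, not code from the ZITADEL project or from this guide: it parses a ZITADEL-style IdP metadata document and an AWS SSO-style SP metadata file, extracts the values each side needs, and cross-checks that the ".crt" uploaded to AWS is the key published in the IdP metadata and that the SSO and metadata URLs match the custom domain. Both metadata documents, the certificate bytes, the AWS entityID and ACS URL are constructed placeholders, and the assumption that ZITADEL's SAML entityID equals its metadata URL is an assumption, not something the guide states.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 metadata and XML-DSig specifications.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder; a real deployment publishes a DER X.509 certificate here.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed sample of the IdP metadata ZITADEL would serve at
# https://example.com/saml/v2/metadata (entityID == metadata URL is an assumption).
ZITADEL_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://example.com/saml/v2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>
          {CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://example.com/saml/v2/SSO"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://example.com/saml/v2/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the SP metadata file downloaded from AWS SSO
# (placeholder entityID and ACS URL, not a real AWS instance).
AWS_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://example-region.signin.aws.amazon.com/platform/saml/d-example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{POST_BINDING}"
        Location="https://example-region.signin.aws.amazon.com/platform/saml/acs/d-example"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the ".crt" from ${CUSTOM_DOMAIN}/saml/v2/certificate, PEM-wrapped,
# and a second certificate that is NOT the IdP signing key (for the negative check).
DOWNLOADED_CRT = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
OTHER_CRT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"some other, unrelated key").decode()
             + "\n-----END CERTIFICATE-----\n")


def parse_idp_metadata(xml_text):
    """Return entityID, SSO URL per binding and signing certificates (DER bytes)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' serves both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(c.text.split())))
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def parse_sp_metadata(xml_text):
    """Return the values the ZITADEL application needs from the AWS metadata file."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {"entity_id": root.get("entityID"),
            "acs_url": acs[0].get("Location"),
            "want_assertions_signed": sp.get("WantAssertionsSigned") == "true"}


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated hex, the form consoles usually display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_setup(idp, sp, crt_pem, custom_domain):
    """Cross-check both sides; returns a list of problems (empty means consistent)."""
    problems = []
    expected_sso = f"{custom_domain}/saml/v2/SSO"
    expected_meta = f"{custom_domain}/saml/v2/metadata"
    if idp["entity_id"] != expected_meta:
        problems.append(f"IdP entityID {idp['entity_id']} != {expected_meta}")
    if idp["sso"].get(POST_BINDING) != expected_sso:
        problems.append(f"HTTP-POST SSO URL is not {expected_sso}")
    # The .crt uploaded to AWS must be a key ZITADEL actually signs responses with.
    uploaded = fingerprint(pem_to_der(crt_pem))
    published = [fingerprint(c) for c in idp["signing_certs"]]
    if uploaded not in published:
        problems.append(f"uploaded cert {uploaded} not among IdP signing certs {published}")
    for name, url in (("SP entityID", sp["entity_id"]), ("ACS URL", sp["acs_url"])):
        if not url.startswith("https://"):
            problems.append(f"{name} is not https: {url}")
    if not sp["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(ZITADEL_IDP_METADATA)
    sp = parse_sp_metadata(AWS_SP_METADATA)
    print("enter in AWS    -> SSO URL:", idp["sso"][POST_BINDING], "entityID:", idp["entity_id"])
    print("enter in ZITADEL -> ACS URL:", sp["acs_url"], "entityID:", sp["entity_id"])
    print("problems:", check_setup(idp, sp, DOWNLOADED_CRT, "https://example.com") or "none")
```

Against a real deployment, replace the constructed strings with the documents fetched from ${CUSTOM_DOMAIN}/saml/v2/metadata and ${CUSTOM_DOMAIN}/saml/v2/certificate and the file downloaded from AWS SSO; a non-empty problem list before you click "Next" saves a round of opaque "invalid signature" errors on the AWS sign-in page.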