Configuring AWS EUSC SSO with Authentik

AWS can be particularly awkward to get working with Authentik if you don't cross the T's and dot the I's. In this guide I run through some of the easy-to-hit pitfalls and their solutions to get an IDP initiated flow working in no time.

Happy day! AWS have now released IAM Identity Centre for the European Sovereign Cloud instance of AWS. This means that users can now authenticate against an account in this partition. I took the opportunity to set this up with my trusty Authentik IDP and wanted to share a few gotchas I found along the way.

  1. Certificate Length

I ended up going round and round trying to enable the 'External' identity source. After uploading metadata, certificates etc., entering 'ACCEPT' in the confirmation dialog and starting the process, I would always be returned to the same page with no updates made. No error message is given, but there is a button to 'retry failed steps'.

The Problem: It turns out there is a limit on the length of the certificate used to sign the SAML assertions. The certificate I used was signed by a public CA and therefore carried a long authority chain, which pushed it over the limit.

The Solution: Creating an AWS-specific, self-signed SAML signing certificate in Authentik produced a certificate short enough for AWS to be happy!

  2. Audience

The Problem: After configuring a basic SAML flow, I got a load of 'we had a problem' errors when trying to perform an IDP initiated SSO flow. This was because I hadn't set the Audience attribute on the Authentik side. AWS mandates the specification of an Audience to prevent assertions meant for other applications being used to authenticate against AWS.

The Solution: Setting the Audience to the issuer / entity ID quickly resolved this, but the problem can be hard to diagnose if you miss setting it initially. For transparency, I used the same Entity ID for both the SP (AWS) and IDP (Authentik).
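To see why AWS insists on the Audience, here is an added example (not code from the post, Authentik or AWS) that checks a SAML assertion's AudienceRestriction against the SP entity ID the way a service provider does. The assertion is constructed inline and the entity IDs are placeholders; the real values come from the IAM Identity Centre external identity provider screen.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder entity IDs, not real endpoints.
SP_ENTITY_ID = "https://sovereign-cloud.example/saml/metadata"
IDP_ENTITY_ID = "https://authentik.example/application/saml/aws/"


def make_assertion(audiences):
    """Build a minimal constructed assertion with the given Audience values.

    An empty list reproduces the misconfiguration from the post: Conditions
    with no AudienceRestriction at all.
    """
    audience_xml = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    restriction = (
        f"<saml:AudienceRestriction>{audience_xml}</saml:AudienceRestriction>"
        if audiences else ""
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0">'
        f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
        f"<saml:Conditions>{restriction}</saml:Conditions>"
        "</saml:Assertion>"
    )


def audience_ok(assertion_xml, expected_entity_id):
    """Return (ok, reason) for the audience check an SP performs.

    Per the SAML 2.0 core spec every AudienceRestriction element must name the
    SP, so each one is checked independently. This is a configuration check
    only; it does not replace signature verification of the assertion.
    """
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        return False, "no AudienceRestriction: assertion is not bound to any SP"
    for restriction in restrictions:
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text}
        if expected_entity_id not in audiences:
            return False, f"audience mismatch: expected {expected_entity_id}, got {sorted(audiences)}"
    return True, "audience matches the SP entity ID"


if __name__ == "__main__":
    for case in ([], ["https://other-app.example/sp"], [SP_ENTITY_ID]):
        print(case, "->", audience_ok(make_assertion(case), SP_ENTITY_ID))
```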

  3. SCIM Provisioning

Be sure to select 'AWS' compatibility mode in the Authentik SCIM provider. Remember to assign your Authentik groups to the relevant roles within AWS to provide true SSO & provisioning. You can do this under the 'Multi-account permissions / AWS accounts' screen in IAM Identity Centre.

Also make sure that your SCIM-mapped groups are granted access to your SAML provider (if it is a different one) to prevent permission mismatches.