Single Sign-On with SAML (AWS SSO)
You can use AWS SSO as a SAML SSO provider. In AWS SSO, you can set up Nirmata as a custom application by following the instructions here: Custom SAML 2.0 applications
Configure AWS SSO as SAML provider for Nirmata
- Go to ‘Applications’ in the AWS SSO console, click on ‘Add a new application’ and then click on ‘Add a custom SAML 2.0 application’.
- Set the Display name to ‘Nirmata’.
- Click on the ‘Download’ link next to ‘AWS SSO SAML metadata file’ to download the AWS SSO SAML metadata XML.
- In Nirmata, go to Identity & Access -> SAML and click on the button "Enable SAML for federated identity management and single sign-on (SSO)".
- This launches a dialog where you can upload the AWS SSO SAML metadata XML file that you downloaded from the AWS SSO console in the step above.
- Now, export your Nirmata account’s SAML Service Provider (SP) metadata by clicking on "View SP Metadata" and downloading the file.
- Next you can import the SP metadata file into the Nirmata application configuration in AWS SSO by clicking on the ‘Browse…’ button and selecting the file.
- Save the changes to complete the creation of the Nirmata SAML 2.0 application.
- Next, go to the ‘Attribute mappings’ tab in the AWS SSO -> Nirmata configuration and make the following changes:
- For the Subject attribute, enter ${user:email} in the Mapping column and select ‘unspecified’ as the Format.
- Also add a new attribute mapping with the attribute name ‘email’, the Mapping ${user:email} and the Format ‘unspecified’.
- Save changes to complete the AWS SSO setup.
- Finally, download the ‘AWS SSO SAML metadata’ XML once more from the AWS SSO -> Nirmata Configuration tab, and import it into Nirmata by clicking on the Edit icon in the “SAML Identity Provider (IdP) Settings” section.
That's it! SAML is now fully configured. Next, assign the users who need access to Nirmata to the application in the AWS SSO console and verify that SAML login works.
Note: Make sure you keep at least one user with ‘Local’ authentication in Nirmata so that you are not locked out of your account if SAML-based authentication is unavailable or misconfigured. Test the SAML login in a separate private browser session before signing out of your existing administrator session.
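When verifying that SAML works, the quickest way to see why a login fails is to look at the assertion AWS SSO actually sends and compare it with the attribute mappings configured above (Subject and ‘email’ both set to ${user:email}, Format ‘unspecified’). The script below is an added example, not code from the Nirmata documentation or product. It assumes you have captured the base64 SAMLResponse form field that the browser posts to Nirmata after the AWS SSO login (for example from the Network tab of the browser developer tools); the two embedded responses are constructed samples, one matching the mappings and one showing a common misconfiguration. Signature verification is deliberately out of scope here and should be left to a SAML library.

```python
"""Check a captured SAML Response against the Subject/email mappings configured above.

Added example for this page, not part of Nirmata. Assumes a SAMLResponse captured
from the browser; the samples below are constructed, unsigned, and minimal.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample shaped like the assertion the mappings above should produce.
# Real responses are signed and carry Conditions/AuthnStatement; omitted here.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed misconfiguration: Subject left at an opaque persistent ID instead of
# ${user:email}, and the attribute named 'mail' instead of 'email'.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com',
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">9a1f2e3d',
).replace('Name="email"', 'Name="mail"')

# What the browser actually posts: the XML, base64-encoded, in the SAMLResponse field.
GOOD_RESPONSE_B64 = base64.b64encode(GOOD_RESPONSE.encode()).decode()


def decode_saml_response(encoded: str) -> str:
    """Turn the captured SAMLResponse form field back into XML text."""
    return base64.b64decode(encoded).decode("utf-8")


def check_mappings(xml_text: str) -> dict:
    """Return the Issuer, NameID and email found, plus a list of mapping problems.

    An empty 'problems' list means the assertion matches the configuration in the
    steps above. For untrusted input use defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    result = {"issuer": None, "name_id": None, "name_id_format": None,
              "email": None, "problems": []}

    issuer = root.find("saml:Issuer", NS)
    result["issuer"] = issuer.text if issuer is not None else None

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append(
            "no Assertion element (encrypted assertion or an error Status?)")
        return result

    # Subject must be the user's email with Format 'unspecified'.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        result["problems"].append("Subject has no NameID")
    else:
        result["name_id"] = (name_id.text or "").strip()
        result["name_id_format"] = name_id.get("Format")
        if result["name_id_format"] != UNSPECIFIED:
            result["problems"].append(
                f"NameID Format is {result['name_id_format']!r}, expected 'unspecified'")

    # Exactly one attribute named 'email' is expected.
    values = assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='email']/saml:AttributeValue", NS)
    if len(values) != 1:
        result["problems"].append(
            f"expected exactly one 'email' attribute value, found {len(values)}")
    else:
        result["email"] = (values[0].text or "").strip()

    # Both mappings point at ${user:email}, so the two values must agree.
    if result["name_id"] and result["email"] and result["name_id"] != result["email"]:
        result["problems"].append(
            "NameID and 'email' attribute differ; both should map to ${user:email}")
    elif result["name_id"] and "@" not in result["name_id"]:
        result["problems"].append(
            "NameID is not an email address; Subject mapping is probably not ${user:email}")

    return result


if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        found = check_mappings(xml)
        print(label, "OK" if not found["problems"] else found["problems"])
```

To use it on a real capture, pass the captured field through decode_saml_response() and feed the result to check_mappings(); a non-empty problems list points at which of the two attribute mappings in the AWS SSO configuration needs correcting.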