Setting up a space that supports identity federation - Amazon CodeCatalyst

Setting up a space that supports identity federation

You can create a space that supports either of two types of users in CodeCatalyst.

You can create a space that manages users with AWS Builder ID access to CodeCatalyst. This is a CodeCatalyst space for AWS Builder ID users.

Setting up a space in CodeCatalyst includes creating the space, adding users, and assigning CodeCatalyst roles to space members. To set up an AWS Builder ID space and create your first project, use the steps in Sign up to create your first space and your development role in the Amazon CodeCatalyst User Guide.

To set up a space that supports identity federation, you must configure prerequisites in the following services before you create or connect a CodeCatalyst space. Use the planning steps in the following section to help you with planning your space.

The organization administrator creates the management accounts and Organizational Units for the company in AWS Organizations. After the management account is available, the company identity federation administrator works with IAM Identity Center to enable a provider instance where federated identities will be managed.

The company directory will authorize users to federate through SAML with IAM Identity Center as the SSO provider. Mary coordinates with the company identity federation administrator to set up the users and groups in IAM Identity Center. After this is complete, Mary uses the CodeCatalyst page in the AWS console to create or choose a CodeCatalyst space that will support identity federation. As part of the setup process, Mary creates an SSO application to represent the company and map to the identity store ID in IAM Identity Center. Next, Mary uses the CodeCatalyst page in the AWS Management Console to choose one or more groups to which to grant single sign-on access and to add CodeCatalyst roles. Next, Mary wants to create a team for the space. She incorporates the SSO group into a new team on the Teams page in CodeCatalyst.

The following diagram illustrates the flow of tasks for setting up your space.

[Diagram: Administrator tasks in managing a space that supports identity federation]

Planning your space that supports identity federation

After you complete the prerequisites here for AWS Organizations and IAM Identity Center, you will use the CodeCatalyst page in the AWS Management Console to create or choose a space and associate it with identity federation. The space then supports SSO users and groups. A space that supports identity federation can only manage members through membership in IAM Identity Center SSO users and groups. These users are maintained in an identity store. When you use the wizard in CodeCatalyst to create or choose a space and enable it for identity federation, you will create an application and give it a name associated with your company. The application is associated with the identity store for your instance in IAM Identity Center. The application associates your company with your space in CodeCatalyst and in IAM Identity Center.

The application name will display in the SSO sign-in portal that your federated identities, the users from your company directory, will use to sign in to CodeCatalyst.

Important

Your application name will represent your company and will be visible for selection as an option where users from a workforce directory will access CodeCatalyst.

Mary Major is a Space administrator who will set up an organization in AWS Organizations that is associated with your company. Mary needs an AWS account that is set up as the management account for your organization, and she associates it with the company that will use the space. Additional Organizational Units (OUs) and accounts will be set up for your organization for use with the space.

Mary will work with the Identity federation administrator to set up the directory of users for the company. These are the federated identities that will be set up for the IAM Identity Center instance. The users in the company directory will be set up to sign in to the space using SSO. These users will be defined by the SSO users and groups that the Identity federation administrator sets up in the IAM Identity Center instance.

Note

Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer.

Prerequisite 1: Setting up an organization in AWS Organizations

Before you create a space and configure your user membership, complete the following prerequisites for organization and identity federation setup in AWS. You can follow the references in this chapter to get set up.

The AWS Organizations administrator sets up the organization and AWS accounts for your company. The management account for the organization will be specified as the billing account for the space in CodeCatalyst. For more information, see What is AWS Organizations?.

Note

Depending on the type of IAM Identity Center instance you plan to use, you can choose to create an organization instance or an account instance. If you choose an account instance, then the step to create an organization in AWS Organizations is optional. Choose the instance that best fits your use case. For more information about use cases, see When to use an organization instance and When to use an account instance in the IAM Identity Center User Guide.

Create an organization in AWS Organizations

Create an organization for your company. Create an organization with your current AWS account as the management account in AWS Organizations. See the steps in Creating an organization.

Add member accounts in AWS Organizations

Add member accounts to your organization. See the steps in Add an AWS account to join your organization.

Create organizational units (OUs) in AWS Organizations

Create organizational units (OUs) and add member accounts for those OUs in AWS Organizations. See the steps in Managing organizational units.

Prerequisite 2: Enable an instance for identity federation

Before you create a space that supports identity federation, complete the following prerequisites for enabling your instance. You can follow the references in this chapter to get set up.

Note

For IAM Identity Center resources, choose the same Region as your CodeCatalyst space. While you can choose a different Region, this might impact connectivity and latency.

Enable IAM Identity Center

You must have identity federation administrator permissions and the appropriate IAM permissions in IAM Identity Center to complete these steps. Use the steps to enable an AWS IAM Identity Center instance in IAM Identity Center. For more information about this step in IAM Identity Center, see Step 1: Enable instance.

  1. Sign in to the IAM Identity Center console.

  2. On the welcome page, choose Enable AWS SSO. A success banner displays.

Prerequisite 3: Setting up identity federation in IAM Identity Center

IAM Identity Center helps you securely create or connect your identity federation and manage user access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for identity federation on AWS for organizations of any size and type.

Note

For IAM Identity Center resources, choose the same Region as your CodeCatalyst space. While you can choose a different Region, this might impact connectivity and latency.

The Identity federation administrator sets up the IAM Identity Center instance and SSO users and groups for the company. This represents the identity provider (IdP) for the company. As the identity federation administrator for your company, complete the following tasks in IAM Identity Center.

In IAM Identity Center, you can choose to create an organization instance or an account instance. Choose the type that best fits your use case. For more information about use cases, see When to use an organization instance and When to use an account instance in the IAM Identity Center User Guide.

Set up your provider in IAM Identity Center

Connect your recently created or existing IAM Identity Center instance to your IdP.

Set up your provider in IAM Identity Center. See the steps in What is IAM Identity Center?.

Note

CodeCatalyst spaces with identity federation can support service providers that are supported by IAM Identity Center. CodeCatalyst inherits the identity source that is managed in IAM Identity Center. For more information, see Manage your identity source.

Set up your portal in IAM Identity Center

Connect your recently created or existing instance in IAM Identity Center to your IdP.

Create an SSO portal login for your provider in IAM Identity Center. See Manage sign-in and attribute use for all identity source types.

Create users and groups in IAM Identity Center

You must create users and groups in IAM Identity Center that you will manage in IAM Identity Center and then specify in CodeCatalyst when you create or view your space. Create and connect groups in IAM Identity Center.

You must have Identity federation administrator permissions and the appropriate IAM permissions in IAM Identity Center to complete these steps. Use the steps to create users and groups who will be the directory users for your space. For more information about this step in IAM Identity Center, see Manage identities in IAM Identity Center.

Tip

Make sure you are signed in with the management account for your space.

Setting up a space for identity federation

Follow these steps to create your Amazon CodeCatalyst space, create and name the application to associate with your space, add a service-linked IAM role for viewing your related SSO groups and identity store, and add a developer role for your space to the management account in AWS Organizations for your space.

Note

You can also choose an existing space in CodeCatalyst that you want to create an application for and associate with a management account in AWS Organizations.

You cannot directly add or remove users in your space that supports identity federation. You must work with your Identity federation administrator to manage SSO users and groups in IAM Identity Center. CodeCatalyst syncs on a regular basis with the IAM Identity Center identity store with the latest directory status for your space members.

Note

As a security best practice, only assign administrative access to administrative users and developers who need to manage access to AWS resources in the space.

Before you begin, you must be ready to provide an AWS account ID for an account where you have administrative privileges as the management account in AWS Organizations. Have your 12-digit AWS account ID ready. For information about finding your AWS account ID, see Your AWS account ID and its alias.

You must have completed the prerequisites as follows:

  1. Create an organization in AWS Organizations.

  2. Set up your management account in AWS Organizations.

  3. Enable IAM Identity Center.

  4. Set up your provider in IAM Identity Center.

  5. Create users and groups in IAM Identity Center.

Before you start to set up your space, make sure you are signed in to the AWS Management Console with the AWS account that is the management account for your organization and will be the specified billing account for your space.

Step 1: Create a space

Complete the steps in the wizard to create or choose a space that supports identity federation. In the wizard, you will be able to view the SSO groups you have set up in IAM Identity Center and choose the users and groups that will be able to sign in to the space.

Note

Users or groups that are added to IAM Identity Center assignments usually appear in CodeCatalyst within two hours. Depending on the amount of data being synchronized, this process might take longer.

Part of this includes choosing the Space administrator role for certain users and groups in your space. Note that when you grant the Space administrator role to a group, you can add the group as a team in CodeCatalyst that also has the Space administrator role for your space. When you need to remove the Space administrator role for an SSO user or group, you remove the role in CodeCatalyst, while everything else for the user or group is managed in IAM Identity Center.

Note

There can only be one Identity Center application per AWS account. If you already have an application, you must delete it before starting the steps in the wizard.

  1. Sign in to the Amazon CodeCatalyst page in the AWS Management Console with the AWS account that you have set up as the management account for your organization in AWS Organizations.

  2. Open the Amazon CodeCatalyst page in the AWS Management Console at https://us-west-2.console.aws.amazon.com/codecatalyst/home?region=us-west-2#/.

  3. In Spaces, if available, a list of the CodeCatalyst spaces associated with your account displays.

  4. In the navigation pane, choose IAM Identity Center.

  5. In AWS Region, choose the Region for your space. Make sure to choose the same Region where your identity resources are created.

    Note

    For IAM Identity Center resources, choose the same Region as your CodeCatalyst space. While you can choose a different Region, this might impact connectivity and latency.

    Confirm that the prerequisites are done for setting up a space that supports identity federation. Choose Continue.

  6. Under Step 1: Choose application name, in Display name, enter a name that will match your company name for display on login screens and in CodeCatalyst.

    Note

    Identity Center application names must be globally unique.

    Important

    Your application name will represent your company and will be visible for selection as an option where users from a workforce directory will access CodeCatalyst.

  7. In AWS Identity Center application name, provide the name to use when signing in to CodeCatalyst with SSO. This is the name that will represent your company association between your identity provider and your CodeCatalyst space. When you create an application, it is associated with your identity store ID in IAM Identity Center.

  8. In Identity store ID, the ID for the associated identity store in IAM Identity Center displays. To change this, choose go to IAM Identity Center.

  9. Choose Next.

  10. Under Step 2: Choose or create a CodeCatalyst space, do one of the following:

    • To set up an existing CodeCatalyst space to support identity federation and create an application for it, choose Existing CodeCatalyst. In the drop-down field for Choose existing CodeCatalyst, choose the existing CodeCatalyst space you want to set up.

      Note

      If you set up an existing space by adding SSO support, only SSO users and groups will be supported. Existing AWS Builder ID users will no longer be supported.

    • To set up a new CodeCatalyst space, choose New space.

      In Space name, enter a name for your CodeCatalyst space.

      Note

      Space names must be unique across CodeCatalyst. You cannot reuse names of deleted spaces.

  11. Choose Next.

  12. Under Step 3: Connect groups, in Choose groups, choose the SSO users and groups you want to add to the space. Choose the box next to each group you want to add. These must be already available in IAM Identity Center for your identity provider.

  13. Choose Next.

  14. Under Step 4: Assign users to the CodeCatalyst Space administrator role, choose the users to which you want to assign the Space administrator role. These users will have Space administrator permissions in CodeCatalyst for your space, including removing members and deleting the space. For more information about the role, see Working with roles in Amazon CodeCatalyst.

  15. Choose Next.

  16. In the wizard Step 5 page, review the summary for the space.

    Note

    Make sure you are ready to create the space with the space name you have chosen. Once you create the space, you will not be able to reuse the space name, even if the space is deleted. SSO application names can be reassigned to another space, but the space name itself cannot be reused.
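The following added Python example (not AWS or CodeCatalyst code) turns the constraints stated in this procedure into a pre-flight validator you can run before opening the wizard: a 12-digit management account ID, one Identity Center application per account, a globally unique application name, a space name that is neither in use nor previously deleted, groups that already exist in IAM Identity Center, no AWS Builder ID users, and a warning when Identity Center and the space are in different Regions. The plan and account state are constructed inline, and `taken_application_names` is a hypothetical stand-in for whatever inventory of application names you keep.

```python
# Added example (not AWS code): encodes the constraints this page states as a
# pre-flight validator run over a constructed plan before opening the wizard.
import re
from dataclasses import dataclass, field
ACCOUNT_ID_RE = re.compile(r"\d{12}")

@dataclass
class SpacePlan:
    management_account_id: str
    space_region: str
    identity_center_region: str
    application_name: str
    space_name: str
    groups: list                       # SSO groups to connect in wizard Step 3
    builder_id_users: list = field(default_factory=list)

@dataclass
class AccountState:                    # constructed view of what already exists
    identity_center_applications: int  # apps already created in this account
    taken_application_names: set       # hypothetical registry of names in use
    existing_space_names: set
    deleted_space_names: set
    identity_center_groups: set

def check_plan(plan: SpacePlan, state: AccountState) -> list:
    """Return (severity, message) findings; an empty list means ready to proceed."""
    findings = []
    if not ACCOUNT_ID_RE.fullmatch(plan.management_account_id):
        findings.append(("error", "management account ID must be exactly 12 digits"))
    if state.identity_center_applications >= 1:
        findings.append(("error", "account already has an Identity Center application; delete it first"))
    if plan.application_name in state.taken_application_names:
        findings.append(("error", "Identity Center application names must be globally unique"))
    if plan.space_name in state.existing_space_names | state.deleted_space_names:
        findings.append(("error", "space name already used; deleted space names cannot be reused"))
    missing = sorted(set(plan.groups) - state.identity_center_groups)
    if missing:
        findings.append(("error", "groups not in IAM Identity Center: " + ", ".join(missing)))
    if plan.builder_id_users:
        findings.append(("error", "AWS Builder ID users are not supported once federation is enabled"))
    if plan.identity_center_region != plan.space_region:
        findings.append(("warning", "Identity Center Region differs from space Region (latency/connectivity)"))
    return findings

# Constructed sample: reuses a deleted space name, names one unknown group, and has Identity Center in another Region.
SAMPLE_STATE = AccountState(0, {"AnyCompanyPayments"}, {"prod-space"}, {"old-space"},
                            {"Developers", "SpaceAdmins"})
SAMPLE_PLAN = SpacePlan("123456789012", "us-west-2", "us-east-1", "AnyCompany",
                        "old-space", ["Developers", "Contractors"])
```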

Next steps: Create teams, projects, and resources in CodeCatalyst

After you have created your space, you can perform the following tasks.