Amazon EMR
Management Guide

Configure Trust Relationship Between your IdP and Lake Formation

To establish a trust relationship between your organization's Identity Provider (IdP) and AWS, you must do the following:

  • Tell your IdP about AWS as a service provider by adding relying party trust between IdP and AWS.

  • Tell AWS about your external IdP by creating an IAM identity provider and role for SAML access in AWS IAM.

To configure this trust relationship

  1. Register AWS with your IdP. The process of registering AWS with your IdP depends on which IdP you're using. For more information on how to do this for Auth0, Microsoft Active Directory Federation Services (AD FS), and Okta, see Supported Third-Party Providers for SAML.

  2. Using your IdP, generate a metadata XML file that describes your IdP as an IAM identity provider in AWS. It must include the issuer name, a creation date, an expiration date, and the keys that AWS uses to validate authentication responses (assertions) from your organization. Each IdP has its own way of exporting this metadata. For more information, refer to your IdP’s documentation.

    You must upload the metadata XML file to an Amazon S3 bucket. When you launch a cluster that integrates with Lake Formation, you need to specify the path to the S3 bucket.

  3. In the IAM console, create a SAML identity provider entity.

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the navigation pane, choose Identity Providers, Create Provider.

    3. For Provider Type, open the Choose a provider type list and choose SAML.

    4. Enter a name for the identity provider.

    5. For Metadata Document, click Choose File, specify the SAML metadata document that you downloaded from your IdP in the previous step, and choose Open.

    6. Verify the information that you have provided, and click Create.

  4. In the IAM console, create an IAM role for identity federation.

    1. In the navigation pane of the IAM console, choose Roles, Create role.

    2. Choose the SAML 2.0 federation role type.

    3. For SAML Provider, choose the provider for your role.

    4. Choose Allow programmatic and AWS Management Console access to create a role that can be assumed programmatically and from the console.

    5. Review your SAML 2.0 trust information, then choose Next: Permissions.

    6. Create the permissions policy for the role based on the example in Overview of the IAM Roles for Lake Formation.

    7. Choose Next: Tags.

    8. Choose Next: Review.

    9. For Role name, type a role name. Role names must be unique within your AWS account.

    10. Review the role and then choose Create role.

    11. Choose the Roles tab and search for the role name that you created in the previous step.

    12. Choose Trust relationships, and then select Edit trust relationship.

    13. Replace the existing policy document with the IAM Role for Lake Formation trust policy specified in the Overview of the IAM Roles for Lake Formation section. Then click Update Trust Relationship.

  5. In your organization's IdP, you must configure SAML assertions that map the users in your organization to the Identity Provider and the IAM role for Lake Formation that was just created. You do this by configuring the three attribute elements shown in the following table.

    • Replace account-id with your AWS account ID.

    • Replace IAM_Role_For_Lake_Formation with the name of the IAM role for Lake Formation that you created.

    • Replace IAM_identity_provider_name with the name of the IAM identity provider that you created in previous steps.

    • Replace user_alias with the name of the attribute used to hold the user name defined in your organization.

    Attribute Elements                                         Value

    https://aws.amazon.com/SAML/Attributes/Role                arn:aws:iam::account-id:role/IAM_Role_For_Lake_Formation,arn:aws:iam::account-id:saml-provider/IAM_identity_provider_name
    https://aws.amazon.com/SAML/Attributes/RoleSessionName     user_alias
    https://lakeformation.amazon.com/SAML/Attributes/Username  user_alias

    The exact steps for performing the mapping depend on which IdP you're using. For more information, see the next section, Supported Third-Party Providers for SAML.

    For more information, see Configuring SAML Assertions for the Authentication Response.
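    The following script is an added example, not part of the AWS guide or any AWS tool. It checks that the three attribute elements from the table above are present and consistent in a SAML AttributeStatement before you rely on the mapping: the Role value is a role ARN and SAML provider ARN pair in the expected account, the RoleSessionName meets the length and character limits STS enforces, and the Lake Formation Username carries the same user alias. The account ID, role name, provider name and user alias in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
LF_USER_ATTR = "https://lakeformation.amazon.com/SAML/Attributes/Username"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")  # limits STS enforces on RoleSessionName

def saml_attributes(xml_text):
    # Map each Attribute Name in the AttributeStatement to its list of values.
    attrs = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
    return attrs

def check_lake_formation_mapping(xml_text, account_id):
    # Return a list of problems; an empty list means the three elements are consistent.
    attrs = saml_attributes(xml_text)
    problems = ["missing attribute " + n for n in (ROLE_ATTR, SESSION_ATTR, LF_USER_ATTR)
                if not attrs.get(n)]
    if problems: return problems
    if len(attrs[ROLE_ATTR]) != 1:
        problems.append("Role attribute must carry exactly one role/provider pair")
    pair = attrs[ROLE_ATTR][0].split(",")
    role_m, prov_m = (ROLE_ARN.match(pair[0]), PROVIDER_ARN.match(pair[1])) if len(pair) == 2 else (None, None)
    if not (role_m and prov_m):
        problems.append("Role value is not 'role-arn,saml-provider-arn'")
    elif {role_m.group(1), prov_m.group(1)} != {account_id}:
        problems.append("role and provider ARNs must both belong to account " + account_id)
    session = attrs[SESSION_ATTR][0]
    if not SESSION_NAME.match(session):
        problems.append("RoleSessionName must be 2-64 characters of [A-Za-z0-9+=,.@-]")
    if attrs[LF_USER_ATTR][0] != session:
        problems.append("Lake Formation Username does not match RoleSessionName")
    return problems

def attribute_statement(role_value, session_name, lf_username):
    # Constructed sample, not a real IdP response: just the three elements from the table.
    attr = '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
    body = attr % (ROLE_ATTR, role_value) + attr % (SESSION_ATTR, session_name) + attr % (LF_USER_ATTR, lf_username)
    return '<saml:AttributeStatement xmlns:saml="%s">%s</saml:AttributeStatement>' % (SAML_NS, body)

if __name__ == "__main__":
    xml_text = attribute_statement(
        "arn:aws:iam::123456789012:role/IAM_Role_For_Lake_Formation,"
        "arn:aws:iam::123456789012:saml-provider/IAM_identity_provider_name", "jdoe", "jdoe")
    print(check_lake_formation_mapping(xml_text, "123456789012") or "mapping is consistent")
```

Run it against the AttributeStatement captured from your IdP's test response (for example with a browser SAML tracer) and fix any problem it reports before launching the cluster.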