Using trusted identity propagation with customer managed applications - AWS IAM Identity Center

Using trusted identity propagation with customer managed applications

Trusted identity propagation enables a customer managed application to request access to data in AWS services on behalf of a user. Data access management is based on a user’s identity, so administrators can grant access based on users' existing user and group memberships. The user's identity, actions performed on their behalf, and other events are recorded in service-specific logs and CloudTrail events.

With trusted identity propagation, a user can sign in to a customer managed application, and that application can pass the user's identity in requests to access data in AWS services.

Important

To access an AWS service, customer managed applications must obtain a token from a trusted token issuer, which is external to IAM Identity Center. A trusted token issuer is an OAuth 2.0 authorization server that creates signed tokens. These tokens authorize applications that initiate requests (requesting applications) for access to AWS services (receiving applications). For more information, see Using applications with a trusted token issuer.

Set up customer managed OAuth 2.0 applications for trusted identity propagation

To set up a customer managed OAuth 2.0 application for trusted identity propagation, you must first add it to IAM Identity Center. Use the following procedure to add your application to IAM Identity Center.

Step 1: Select application type

  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. Choose the Customer managed tab.

  4. Choose Add application.

  5. On the Select application type page, under Setup preference, choose I have an application I want to set up.

  6. Under Application type, choose OAuth 2.0.

  7. Choose Next to proceed to the next page, Step 2: Specify application details.

Step 2: Specify application details

  1. On the Specify application details page, under Application name and description, enter a Display name for the application, such as MyApp. Then, enter a Description.

  2. Under User and group assignment method, choose one of the following options:

    • Require assignments – Allow only IAM Identity Center users and groups who are assigned to this application to access the application.

      Application tile visibility – Only users who are assigned to the application directly or through a group assignment can view the application tile in the AWS access portal, provided that Application visibility in AWS access portal is set to Visible.

    • Do not require assignments – Allow all authorized IAM Identity Center users and groups to access this application.

      Application tile visibility – The application tile is visible to all users who sign in to the AWS access portal, unless Application visibility in AWS access portal is set to Not visible.

  3. Under AWS access portal, enter the URL where users can access the application and specify whether the application tile will be visible or not visible in the AWS access portal. If you choose Not visible, not even assigned users can view the application tile.

  4. Under Tags (optional), choose Add new tag, and then specify values for Key and Value (optional).

    For information about tags, see Tagging AWS IAM Identity Center resources.

  5. Choose Next, and proceed to the next page, Step 3: Specify authentication settings.

Step 3: Specify authentication settings

To add a customer managed application that supports OAuth 2.0 to IAM Identity Center, you must specify a trusted token issuer. A trusted token issuer is an OAuth 2.0 authorization server that creates signed tokens. These tokens authorize applications that initiate requests (requesting applications) for access to AWS managed applications (receiving applications).

  1. On the Specify authentication settings page, under Trusted token issuers, do either of the following:

    • To use an existing trusted token issuer:

      Select the check box next to the name of the trusted token issuer that you want to use.

    • To add a new trusted token issuer:

      1. Choose Create trusted token issuer.

      2. A new browser tab opens. Follow steps 5 through 8 in How to add a trusted token issuer to the IAM Identity Center console.

      3. After you complete these steps, return to the browser window that you are using for your application setup and select the trusted token issuer that you just added.

      4. In the list of trusted token issuers, select the check box next to the name of the trusted token issuer that you just added.

        After you select a trusted token issuer, the Configure selected trusted token issuers section appears.

  2. Under Configure selected trusted token issuers, enter the Aud claim. The Aud claim identifies the intended audience (recipients) for the token that is generated by the trusted token issuer. For more information, see Aud claim.

  3. To prevent your users from having to reauthenticate when they are using this application, select Automatically refresh user authentication for active application session. When selected, this option refreshes the access token for the session every 60 minutes, until the session expires or the user ends the session.

  4. Choose Next, and proceed to the next page, Step 4: Specify application credentials.
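
The following added example (not part of the AWS documentation) is a configuration check for the Aud claim entered above: it decodes the claims of a token minted by your trusted token issuer and confirms that aud contains the configured value. The audience string, sample tokens and function names are constructed for illustration, and the script does not verify the token signature.

```python
import base64
import json

def jwt_claims(token):
    """Decode the claims segment of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def aud_matches(token, configured_aud):
    """True if the token's aud claim contains the value entered as the Aud claim."""
    aud = jwt_claims(token).get("aud")
    if aud is None:
        return False
    # RFC 7519 allows aud to be a single string or an array of strings.
    audiences = aud if isinstance(aud, list) else [aud]
    return configured_aud in audiences

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed values: the audience string is an assumption, not an AWS default.
CONFIGURED_AUD = "my-app-audience"
SAMPLE_OK = make_sample_token({"sub": "user@example.com",
                               "aud": ["other-api", "my-app-audience"]})
SAMPLE_BAD = make_sample_token({"sub": "user@example.com", "aud": "other-api"})

if __name__ == "__main__":
    for name, tok in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, aud_matches(tok, CONFIGURED_AUD))
```
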

Step 4: Specify application credentials

Complete the steps in this procedure to specify the credentials that your application uses to perform token exchange actions with trusted applications. These credentials are used in a resource-based policy. The policy requires that you specify a principal that has permissions to perform the actions that are specified in the policy. You must specify a principal, even if the trusted applications are in the same AWS account.

Note

When you set permissions with policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions.

This policy requires the sso-oauth:CreateTokenWithIAM action.

  1. On the Specify application credentials page, do either of the following:

    • To quickly specify one or more IAM roles:

      1. Choose Enter one or more IAM roles.

      2. Under Enter IAM roles, specify the Amazon Resource Name (ARN) of an existing IAM role. To specify the ARN, use the following syntax. The Region portion of the ARN is blank because IAM resources are global.

        arn:aws:iam::account:role/role-name-with-path

        For more information, see Cross-account access using resource-based policies and IAM ARNs in the AWS Identity and Access Management User Guide.

    • To manually edit the policy (required if you specify non-AWS credentials):

      1. Select Edit the application policy.

      2. Modify your policy by typing or pasting text in the JSON text box.

      3. Resolve any security warnings, errors, or general warnings generated during policy validation. For more information, see Validating IAM policies in the AWS Identity and Access Management User Guide.

  2. Choose Next and proceed to the next page, Step 5: Review and configure.
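
A lint for the Step 4 application policy, as an added example (not AWS code): it checks that each Allow statement names only sso-oauth:CreateTokenWithIAM and that every principal is a specific IAM role ARN in the syntax shown above. The account ID, role name, Resource placeholder and the function name check_application_policy are assumptions, and the check covers the IAM role case only.

```python
import json
import re

# Role ARN form from Step 4 (Region field blank); 12-digit account ID assumed.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
REQUIRED_ACTION = "sso-oauth:CreateTokenWithIAM"

def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_application_policy(policy_json):
    """Return findings for an application policy; an empty list means it passed."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not any(REQUIRED_ACTION in _as_list(s.get("Action")) for s in allows):
        findings.append(f"no Allow statement names {REQUIRED_ACTION} explicitly")
    for i, stmt in enumerate(allows):
        for action in _as_list(stmt.get("Action")):
            if action != REQUIRED_ACTION:
                findings.append(f"statement {i}: action {action!r} is not the required action")
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if not arns:
            findings.append(f"statement {i}: no IAM role principal specified")
        for arn in arns:
            if not ROLE_ARN.match(str(arn)):
                findings.append(f"statement {i}: principal {arn!r} is not a specific role ARN")
    return findings

# Constructed samples: placeholder account ID, role name and Resource value.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sso-oauth:*", "Resource": "*"}]})
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/service/MyAppTokenExchange"},
    "Action": "sso-oauth:CreateTokenWithIAM",
    "Resource": "APPLICATION_ARN_PLACEHOLDER"}]})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, check_application_policy(doc) or "OK")
```
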

Step 5: Review and configure

  1. On the Review and configure page, review the choices that you made. To make changes, choose the configuration section that you want, choose Edit, and then make the required changes.

  2. After you're finished, choose Add application.

  3. The application that you added appears in the Customer managed applications list.

  4. After you set up your customer managed application in IAM Identity Center, you must specify one or more AWS services, or trusted applications, for identity propagation. This enables users to sign in to your customer managed application and access data in the trusted application.

    For more information, see Specify trusted applications.

Specify trusted applications

After you set up your customer managed application, you must specify one or more trusted AWS services, or trusted applications, for identity propagation. Specify an AWS service that has data that users of your customer managed applications need to access. When your users sign in to your customer managed application, that application will pass your users' identity to the trusted application.

Use the following procedure to select a service, and then specify individual applications to trust for that service.

  1. Open the IAM Identity Center console.

  2. Choose Applications.

  3. Choose the Customer managed tab.

  4. In the Customer managed applications list, select the OAuth 2.0 application that you want to initiate requests for access. This is the application that your users sign in to.

  5. On the Details page, under Trusted applications for identity propagation, choose Specify trusted applications.

  6. Under Setup type, select Individual applications and specify access, and then choose Next.

  7. On the Select service page, choose the AWS service that has applications that your customer managed application can trust for identity propagation, and then choose Next.

    The service that you select defines the applications that can be trusted. You'll select applications in the next step.

  8. On the Select applications page, choose Individual applications, select the check box for each application that can receive requests for access, and then choose Next.

  9. On the Configure access page, under Configuration method, do either of the following:

    • Select access per application – Select this option to configure different access levels for each application. Choose the application for which you want to configure the access level, and then choose Edit access. In Level of access to apply, change the access levels as needed, and then choose Save changes.

    • Apply same level of access to all applications – Select this option if you don't need to configure access levels on a per-application basis.

  10. Choose Next.

  11. On the Review configuration page, review the choices that you made. To make changes, choose the configuration section that you want, choose Edit access, and then make the required changes.

  12. After you're finished, choose Trust applications.