AWS Partner Network (APN) Blog

Simplifying Sign-In for AWS Managed Services with OneLogin, AWS Single Sign-On, and AWS IAM

By Claudine Morales, Partner Solutions Architect – AWS
By Sunil Ramachandra, Technical Account Manager – AWS
By Roy Rodan, Partner Solutions Architect – AWS


OneLogin, an AWS Security Competency Partner, provides an identity platform for secure, scalable, and smart experiences that connects people to technology.

OneLogin’s authentication and role-based user provisioning engine enables you to implement least-privilege access controls and eliminate manual user management workflows for all HAQM Web Services (AWS) users and accounts.

In this post, we recap all of the integrations available between OneLogin and AWS. Through these integrations, OneLogin enables you to seamlessly authenticate into AWS managed services across various domains, including analytics, compute, serverless, security, management and governance, and more.

Workforce Identity

Single Sign-On Using OneLogin and AWS SSO

AWS Single Sign-On (AWS SSO) lets you efficiently manage user identities at scale by establishing a single identity and access strategy across your own applications, third-party software-as-a-service (SaaS) applications, and AWS environments.

Federating access between AWS SSO and OneLogin allows you to sign in to AWS SSO with a single click. Once access federation is set up from OneLogin, end users are able to sign in with OneLogin to gain access to all assigned AWS accounts.

AWS SSO and OneLogin use System for Cross-domain Identity Management (SCIM) for automated provisioning, so users and groups created, changed, or deactivated in OneLogin are mirrored in AWS SSO without manual steps. This blog post walks you through how to connect OneLogin to AWS SSO.

OneLogin also supports session tags with AWS SSO. Using session tags, you can pass user attributes from OneLogin into AWS, where they are available as principal tags for attribute-based access control in your permission policies.

Analytics

Federated Access to HAQM Redshift

HAQM Redshift is a fully managed, petabyte-scale data warehouse service in the cloud that allows you to easily gain new insight from all of your data.

Setting up HAQM Redshift user federation from OneLogin allows you to manage access to HAQM Redshift resources centrally. This eliminates the need for separate database users and passwords and improves enterprise security.

HAQM Redshift supports SAML 2.0, and can be easily configured to integrate with OneLogin. This blog post illustrates the necessary steps for setting up HAQM Redshift user federation from OneLogin. It also explains how to pass along group membership from OneLogin into AWS, which enables you to manage user access to HAQM Redshift resources from within your identity provider (IdP).

Monitoring

Federated Access to HAQM Managed Service for Grafana

With HAQM Managed Service for Grafana (AMG), you can visualize and analyze your operational data at scale without having to provision, configure, and update servers.

AMG is a fully managed service based on Grafana, a popular open source tool that allows you to query, visualize, alert on, and understand your metrics no matter where they are stored.

Integrating OneLogin with AMG through AWS SSO lets users who have no AWS Management Console access reach an AMG workspace. Each workspace has its own login URL that users can open directly to get to their Grafana dashboards, where they can monitor and query data from sources such as HAQM CloudWatch, HAQM OpenSearch Service, and HAQM Timestream.

After a one-time setup to establish the SAML 2.0 trust, you can continue to manage users and groups using your existing IdP, which can be seamlessly synchronized with AWS SSO by using SCIM. This blog post demonstrates how to implement this integration.

Federated Access to HAQM OpenSearch Service

HAQM OpenSearch Service is a fully managed service that lets you deploy and run OpenSearch (and legacy Elasticsearch) clusters at scale.

HAQM OpenSearch Service offers native SAML authentication for OpenSearch Dashboards (Kibana on legacy Elasticsearch domains), so you can integrate directly with third-party IdPs like OneLogin for single sign-on. Users keep their existing credentials, and you control who can reach the dashboards, and which backend roles they map to, from your IdP. SAML authentication requires fine-grained access control to be enabled on the domain.

This blog post has more details on this feature, and the developer guide contains configuration instructions.

Management and Governance

Identity Federation with AWS Control Tower and OneLogin

AWS Control Tower allows organizations with multiple AWS accounts to more easily set up and govern their multi-account AWS environment using AWS best practices.

OneLogin connectors allow you to centrally manage identity and access federation using various user stores, such as Active Directory, LDAP, and Google, as you build and scale your multi-account environment on AWS with Control Tower.

You can integrate OneLogin and Control Tower with either AWS SSO or SAML. This implementation guide walks you through how to set up the integration with AWS SSO using a sample AWS CloudFormation template.

Networking

Federated Access Between AWS Client VPN and OneLogin

AWS Client VPN enables remote users to securely connect to your resources on AWS and in your on-premises network. With the launch of Federated Authentication via SAML 2.0, AWS Client VPN can now be configured as a service provider in your existing IdP.

SAML-based federated authentication is a third authentication option for Client VPN, alongside Active Directory and certificate-based mutual authentication. Mutual authentication can be combined with federated authentication, so a client certificate identifies the device while the SAML login identifies the user.

OneLogin integrates with AWS Client VPN, enabling remote users connecting to Client VPN to authenticate with the same credentials they are using for any other service already integrated with OneLogin. This implementation guide provides instructions for setting up the connection between your SAML-based IdP and Client VPN.

App Integration

Sending OneLogin Events to HAQM EventBridge

HAQM EventBridge is a serverless event bus that allows you to build event-driven applications using data from all sources, including data from many SaaS applications.

The OneLogin integration for HAQM EventBridge lets organizations stream event data from OneLogin to an event bus and build custom identity workflows that combine OneLogin and AWS events and actions.

You add OneLogin as a partner event source in the AWS Management Console and complete the setup following the instructions on OneLogin's website.

EventBridge allows you to easily create rules that trigger on events received from OneLogin. For rules that you create, you can define targets, which are services that respond to events.

EventBridge supports many target types. This documentation has the instructions for setting up EventBridge to receive events from OneLogin.
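The rules described above are just JSON patterns matched against each incoming event, and it is worth being able to test a pattern before it is deployed against live OneLogin traffic. The following is an added example, not OneLogin's or AWS's code, that evaluates a rule pattern offline. The event body, the partner source name and the meaning of `event_type_id` are constructed for the demo (consult OneLogin's documentation for the real event schema); the matcher implements the subset of EventBridge pattern syntax most rules use: exact values, nested objects, and the `prefix`, `anything-but`, `numeric` and `exists` content filters.

```python
"""Offline evaluation of an EventBridge rule pattern against a OneLogin-shaped event.

Added example, not code from OneLogin or AWS. The sample event, the partner
source name and the event_type_id value are constructed for the demo.
"""
from typing import Any

_MISSING = object()  # sentinel: the event has no such key

# Constructed event. Partner sources take the form aws.partner/<partner>/<id>.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.partner/onelogin.com/123456/onelogin-events",
    "detail-type": "OneLogin Event",
    "detail": {
        "event_type_id": 6,           # constructed: stands for "failed login" here
        "user_name": "alice@example.com",
        "ipaddr": "203.0.113.7",
        "risk_score": 78,
    },
}

# Rule: failed logins that do not come from the 10.0.0.0/8 office range and
# carry an elevated risk score. Every key must match (AND); list entries are
# alternatives (OR), which is how EventBridge evaluates patterns.
FAILED_LOGIN_PATTERN = {
    "source": [{"prefix": "aws.partner/onelogin.com/"}],
    "detail": {
        "event_type_id": [6],
        "ipaddr": [{"anything-but": {"prefix": "10."}}],
        "risk_score": [{"numeric": [">=", 50]}],
    },
}

_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _match_filter(flt: dict, value: Any) -> bool:
    """Evaluate one content filter such as {"prefix": "x"} or {"numeric": [">=", 50]}."""
    if "exists" in flt:
        return flt["exists"] == (value is not _MISSING)
    if "prefix" in flt:
        return isinstance(value, str) and value.startswith(flt["prefix"])
    if "anything-but" in flt:
        inner = flt["anything-but"]
        if isinstance(inner, dict):          # anything-but: {"prefix": ...}
            return value is not _MISSING and not _match_filter(inner, value)
        return value not in (inner if isinstance(inner, list) else [inner])
    if "numeric" in flt:
        ops = flt["numeric"]                 # [">=", 50] or [">", 0, "<", 100]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        return all(_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    raise ValueError(f"unsupported filter: {flt}")


def _match_value(allowed: list, value: Any) -> bool:
    """A pattern leaf is a list of alternatives; at least one must match."""
    if isinstance(value, list):              # array in the event: any element may match
        return any(_match_value(allowed, v) for v in value)
    for alt in allowed:
        if isinstance(alt, dict):
            if _match_filter(alt, value):
                return True
        elif value is not _MISSING and alt == value:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """True if the event satisfies every key of the pattern."""
    for key, sub in pattern.items():
        value = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        if isinstance(sub, dict):            # nested object in the pattern
            if not isinstance(value, dict) or not matches(sub, value):
                return False
        elif not _match_value(sub, value):
            return False
    return True
```

Running `matches(FAILED_LOGIN_PATTERN, SAMPLE_EVENT)` returns `True`; changing `ipaddr` to a `10.` address or lowering `risk_score` below 50 makes it `False`, which is the kind of check worth keeping in a unit test next to the rule definition so a schema change in the feed is caught before the rule silently stops firing.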

Serverless

AWS Lambda Authorizers with OneLogin to Control HAQM API Gateway Access

HAQM API Gateway is a fully managed service that makes it easy to create, publish, maintain, monitor, and secure APIs at any scale. It supports several mechanisms for API access control, including AWS Lambda authorizers: Lambda functions that inspect a bearer token (TOKEN authorizers) or request parameters (REQUEST authorizers) and return an IAM policy that decides whether the caller may invoke a REST API method.

If your organization already uses OneLogin as an IdP, you can build Lambda authorizers that validate the tokens OneLogin issues, without standing up a separate authentication service. This OneLogin Developer post illustrates how to create and use a OneLogin Lambda authorizer to control access to your APIs.

Customer Engagement

Enabling Federation with AWS SSO and HAQM Connect

HAQM Connect is an omni-channel cloud contact center that helps you improve customer experiences, providing a seamless experience across voice and chat for your customers and agents.

OneLogin’s integration with HAQM Connect enables SAML-based single sign-on into HAQM Connect, using RelayState to land agents in the right place.

RelayState is a parameter sent alongside the SAML response (it is not part of the signed assertion) that tells the service provider where to send the user after authentication; for HAQM Connect it carries the instance and destination the agent should be redirected to. This OneLogin page has more details about this integration and its benefits.

Machine Learning

Onboarding HAQM SageMaker Studio with AWS SSO and OneLogin

HAQM SageMaker Studio is a fully managed service that provides a web-based integrated development environment (IDE) that contains all of the tools needed to build, train, and deploy machine learning solutions. It supports single sign-on with AWS SSO, which you can integrate with OneLogin.

When you federate access between OneLogin and AWS SSO as illustrated in this blog post, you are able to extend federated access into HAQM SageMaker Studio by following these instructions.

This allows you to manage HAQM SageMaker Studio end user authentication from one central place, and your end users can use their existing OneLogin credentials for HAQM SageMaker Studio access.

Customer Identity

Setting Up OneLogin as a SAML IdP with an HAQM Cognito User Pool

HAQM Cognito provides solutions to control access to AWS resources from your app. It lets you add user sign up, sign in, and access control to your web and mobile apps quickly and easily.

This article explains how you can integrate OneLogin as a SAML 2.0 IdP with an HAQM Cognito user pool.

Containers

Introducing OIDC IdP Authentication for HAQM EKS

HAQM Elastic Kubernetes Service (HAQM EKS) gives you the flexibility to start, run, and scale Kubernetes applications in the AWS Cloud or on-premises.

This blog post demonstrates how customers can integrate an OIDC identity provider like OneLogin with a new or existing EKS cluster running Kubernetes version 1.16 or later.

With this feature, user access to the cluster follows the identity lifecycle your OIDC provider already enforces: the token’s username and group claims are mapped to Kubernetes RBAC subjects, so when a user is removed or changes groups in OneLogin, their cluster permissions change with it.

Summary

Customers can connect OneLogin with a range of AWS managed services to manage access to AWS centrally, while end users sign in once with OneLogin to reach all of the AWS applications assigned to them.

These integrations help customers simplify access management across multiple AWS services while keeping the familiar OneLogin experience for administrators who manage identities and for end users as they sign in.



OneLogin – AWS Partner Spotlight

OneLogin is an AWS Security Competency Partner and identity platform for secure, scalable, and smart experiences that connect people to technology.

Contact OneLogin | Partner Overview | AWS Marketplace
