

# Post-deployment configuration tasks
<a name="post-deployment-configuration-tasks"></a>

After you have successfully deployed the stacks, complete the following tasks.
+  [Configure the IAM Identity Center](idc-config.md) 
+  [Configure the web application](webapp-config.md) 

# Configure IAM Identity Center
<a name="idc-config"></a>

Log in to the account where IAM Identity Center is enabled (usually the **Org Management** account) and the Innovation Sandbox IDC stack is deployed. Make sure that you are in the correct home Region.

In this section, you will:
+  [Create a SAML 2.0 application](create-saml-app.md) 
+  [Map application attributes](map-application-attributes.md) 
+  [Assign groups to your application](assign-groups-application.md) 
+  [Assign users to groups](assign-users-groups.md) 

# Create a SAML 2.0 application
<a name="create-saml-app"></a>

In this step, you federate your Identity Provider (IdP) to IAM Identity Center through SAML 2.0, and use IAM Identity Center to manage user access to the solution.

1. Log in to the [AWS IAM Identity Center console](https://console.aws.amazon.com/singlesignon/).

1. From the left pane, under **Application assignments**, choose **Applications**.

1. On the Applications page, on the **Customer managed** tab, choose **Add application**.

1. On the **Select application type** page, under **Setup preference**, choose **I have an application I want to set up**.

1. Under **Application type**, choose **SAML 2.0**, and choose **Next**.

1. On the **Configure application** page, under **Configure application**:
   + Enter a **Display name** for the application, such as *MyISBApp*.
   + Enter a description.

1. Under **Application metadata**, choose **Manually type your metadata values**, and provide the **Application ACS URL** and **Application SAML audience** values.
   +  **Application ACS URL**: The URL of the CloudFront distribution (or alternate domain name associated with the distribution) from the Compute stack output appended with `/api/auth/login/callback`. For example: `<ISB_WEB_URL>/api/auth/login/callback` where `ISB_WEB_URL` is the CloudFront Distribution URL or alternate domain (for example: https://duyXXXXXXXeh.cloudfront.net/api/auth/login/callback). To view the Compute stack outputs, navigate to the **AWS CloudFormation > Stacks > Outputs** tab, in the account where you have deployed the Compute stack.
   +  **Application SAML audience**: The audience used to identify the service provider (in this case, Innovation Sandbox web application) configured to consume the SAML assertion. For example: `Isb-<NAMESPACE>-Audience`.

1. Choose **Submit**. The Application details page displays.

# Map application attributes
<a name="map-application-attributes"></a>

In this step, you map application attributes to the user attribute in IAM Identity Center, using the email address for authentication.

1. From the list of applications, choose the SAML application you set up in the previous step.

1. Under **Actions**, choose **Edit attribute mappings**.

1. For the *Subject* **User attribute in the application** row, fill in the two corresponding fields:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/map-application-attributes.html)

1. Choose **Save Changes**.

**Note**  
If you have configured IAM Identity Center to use an external identity provider, you need to ensure that the attribute mappings from the external identity provider to IAM Identity Center are configured correctly. For more information, refer to [Configuring an external identity provider](configuring-external-idp.md).

# Assign groups to your application
<a name="assign-groups-application"></a>

**Note**  
If you have configured your IAM Identity Center instance to use an external identity provider, you will need to manage user groups through that external provider instead of creating them directly in IAM Identity Center.

The IDC stack creates these three user groups in IAM Identity Center (where `NAMESPACE` is the namespace parameter passed to the stack):
+  `<NAMESPACE>_IsbUsersGroup` 
+  `<NAMESPACE>_IsbManagersGroup` 
+  `<NAMESPACE>_IsbAdminsGroup` 

To assign groups to your application:

1. Sign in to the [AWS IAM Identity Center console](https://console.aws.amazon.com/singlesignon/).

1. From the left pane, under **Application assignments**, choose **Applications**.

1. On the Applications page, from the **Customer managed** tab, choose the application you created in the previous steps.

1. Choose **Assigned users and groups**, and choose the three groups. The groups are not listed by default; enter the namespace manually to find them.

![\[Assign users and groups\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/images/assign-user-groups.png)


1. Choose **Done** to assign these groups to your application.

# Assign users to groups
<a name="assign-users-groups"></a>

As you add new users to IAM Identity Center, you will have to assign them to one of the groups for them to access Innovation Sandbox.

**Note**  
If you have configured IAM Identity Center to use an external identity provider, you must assign group access to users through the external identity provider itself and have the changes synced over to your IAM Identity Center instance.

1. Sign in to the [AWS IAM Identity Center console](https://console.aws.amazon.com/singlesignon/).

1. From the left pane, choose **Users**.

1. On the Users page, choose the user name for the user you want to add to a group. The User details page displays.

1. On the **Groups** tab, choose **Add user to groups**.

1. Choose the groups you want to add the user to. You can choose from one of these relevant groups, depending on user role:
   +  `<NAMESPACE>_IsbUsersGroup` 
   +  `<NAMESPACE>_IsbManagersGroup` 
   +  `<NAMESPACE>_IsbAdminsGroup` 

1. Choose **Add user to group**.

Alternatively, you can choose a group and add users to the group.

1. From the left pane, choose **Groups**.

1. On the Groups page, choose the group name you want to add users to. The Group details page displays. You can choose one of these relevant groups:
   +  `<NAMESPACE>_IsbUsersGroup` 
   +  `<NAMESPACE>_IsbManagersGroup` 
   +  `<NAMESPACE>_IsbAdminsGroup` 

1. On the **Users** tab, choose **Add users to group**.

1. Choose the users you want to add to this group.

1. Choose **Add users to group**.

For more information, refer to the [Manage identities in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-sso.html) topic.

# Configure the web application
<a name="webapp-config"></a>

After setting up SAML 2.0, mapping application attributes, and setting up users and groups, you can configure the web application.

Log in to the AWS account where the solution Hub and data stacks are deployed. Make sure that you are in the correct home Region.

In this section, you will:
+  [Update configuration using AWS AppConfig](update-auth-config.md) 
+  [Update values in AWS Secrets Manager](update-values-secrets.md) 

# Update configuration using AWS AppConfig
<a name="update-auth-config"></a>

In this step, you will collect several configuration values and use them in the authentication configuration section of the solution’s GlobalConfig in AWS AppConfig.

## Save the IAM Identity Center application configuration values
<a name="save-application-config-values"></a>

1. In the IAM Identity Center console in the account where IAM Identity Center is enabled, navigate to the custom SAML 2.0 application created in the [Create a SAML 2.0 application](create-saml-app.md) section.

1. On the custom application’s page, under **Actions**, choose **Edit configuration**. You do not need to edit anything; however, this page contains the authentication configuration values required by the solution.

1. Save the following values to use in the next step:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/update-auth-config.html)

## Save the IAM Identity Center access portal URL
<a name="save-access-portal-url"></a>

The IAM Identity Center Access Portal URL is used to provide direct links to access sandbox accounts in the solution UI.

You can locate this value in the IAM Identity Center console in the account where IAM Identity Center is enabled from the **Dashboard** page. This page will contain a **Settings summary** that contains the **AWS access portal URL**. Save this value.

## Save the Web app URL
<a name="save-web-app-url"></a>

The Web App URL can be located in the **Hub Account** as an output on the **Compute Stack** in the AWS CloudFormation console. Go to **CloudFormation > Stacks > YourISBComputeStackName** and choose the **Outputs** tab. The Web App URL will be under the output key **CloudFrontDistributionUrl**.

## Updating the global config
<a name="updating-the-global-config"></a>

After you have collected all the necessary configuration values, you can update the solution’s global config with them.

1. Go to the [AWS AppConfig](https://console.aws.amazon.com/systems-manager/appconfig/) console in the **Hub Account**.

1. From the left pane, choose **Applications**.

1. On the Applications page, choose **InnovationSandboxData-Config-Application-XXXXXXX**. The Application details display.

1. Under **Configuration Profiles and Feature Flags**, choose **InnovationSandboxData-Config-GlobalConfigHostedConfiguration-XXXXX** configuration profile, and choose **View details**.

1. Choose **Create version** to begin modifying the current configuration.

1. Set `maintenanceMode` to `false`. This allows the **manager** and **user** personas to begin accessing the solution.

1. In the **auth** section, copy in the corresponding values that you saved in the previous sections ([Save the IAM Identity Center application configuration values](#save-application-config-values), [Save the IAM Identity Center access portal URL](#save-access-portal-url), [Save the Web app URL](#save-web-app-url)).

```yaml
...
# Authentication Configuration
auth:
  idpSignInUrl: " "
  idpSignOutUrl: " "
  idpAudience: "isb"
  webAppUrl: " "
  awsAccessPortalUrl: " "
  sessionDurationInMinutes: 60
...
```

1. Update the **notification** section. Enter a valid email address that is allowed to send email through [Amazon Simple Email Service, as set up in the prerequisites](prerequisites.md). If you have not completed this prerequisite step, automated email notifications will not be sent.

```yaml
...
# Email Notification controls

notification:
  emailFrom: " "
...
```

1. Choose **Create hosted configuration version**.

1. Choose **Start Deployment**, and choose the latest hosted configuration version you just created.

1. Choose **Start Deployment**.

**Note**  
When updating these configuration values, be mindful of the formatting, white space, and capitalization; otherwise, the solution may not function properly.
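Because the hosted configuration is edited by hand and the note above warns about formatting, white space, and capitalization, a quick check before you choose **Start Deployment** catches the usual slips. The following Python is an added example and is not part of the solution's own code: it parses the flat two-level YAML subset shown in the `auth` and `notification` fragments with a small hand-written parser (`parse_simple_yaml`, a hypothetical helper; a real deployment can use PyYAML instead) and reports unfilled `" "` placeholders, stray white space, non-`https://` URLs, miscapitalized `auth` keys, a non-integer session duration, and an invalid `emailFrom`. Both sample documents are constructed; the URL and email values in `FILLED_CONFIG` are placeholders, and placing `maintenanceMode` at the top level of the document is an assumption.

```python
import re

# Keys the auth section must carry; the URL-valued ones must be https.
AUTH_KEYS = ("idpSignInUrl", "idpSignOutUrl", "idpAudience", "webAppUrl",
             "awsAccessPortalUrl", "sessionDurationInMinutes")
URL_KEYS = ("idpSignInUrl", "idpSignOutUrl", "webAppUrl", "awsAccessPortalUrl")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _scalar(value):
    """Turn one YAML scalar into str/bool/int. Quoted strings keep their inner
    white space so an unfilled " " placeholder survives for checking."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if value in ("true", "false"):
        return value == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Hypothetical minimal parser for the two-level subset used by GlobalConfig:
    top-level keys, one level of indented `key: value` pairs, '#' comment lines
    and '...' / '---' document markers. Not a general YAML parser."""
    cfg, section = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped in ("...", "---"):
            continue
        key, sep, value = stripped.partition(":")   # split on the FIRST colon only
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if raw[0] not in " \t":                     # top-level key
            if value == "":
                section = cfg.setdefault(key, {})  # start of a nested section
            else:
                cfg[key] = _scalar(value)
                section = None
        else:                                       # nested key in current section
            if section is None:
                raise ValueError(f"indented key outside a section: {raw!r}")
            section[key] = _scalar(value)
    return cfg


def validate_global_config(cfg):
    """Return a list of human-readable problems; an empty list means the config
    passes every check this example knows about."""
    problems = []
    mm = cfg.get("maintenanceMode")
    if not isinstance(mm, bool):
        problems.append("maintenanceMode must be the YAML boolean true or false")
    elif mm:
        problems.append("maintenanceMode is true: manager and user personas cannot sign in")

    auth = cfg.get("auth", {})
    known = {k.lower(): k for k in AUTH_KEYS}
    for key in AUTH_KEYS:
        if key not in auth:
            problems.append(f"auth.{key} is missing")
    for key, value in auth.items():
        if key not in AUTH_KEYS and key.lower() in known:
            problems.append(f"auth.{key} is miscapitalized; expected {known[key.lower()]}")
            continue
        if key == "sessionDurationInMinutes":
            if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
                problems.append("auth.sessionDurationInMinutes must be a positive integer")
            continue
        if not isinstance(value, str) or not value.strip():
            problems.append(f"auth.{key} is still the empty placeholder")
            continue
        if value != value.strip():
            problems.append(f"auth.{key} has leading or trailing whitespace")
        if key in URL_KEYS and not value.strip().startswith("https://"):
            problems.append(f"auth.{key} must be an https:// URL")

    email = cfg.get("notification", {}).get("emailFrom", "")
    if not isinstance(email, str) or not EMAIL_RE.match(email.strip()):
        problems.append("notification.emailFrom is not a valid email address")
    elif email != email.strip():
        problems.append("notification.emailFrom has leading or trailing whitespace")
    return problems


# Constructed sample: the unfilled template as it appears before editing.
TEMPLATE_CONFIG = """\
maintenanceMode: true
# Authentication Configuration
auth:
  idpSignInUrl: " "
  idpSignOutUrl: " "
  idpAudience: "isb"
  webAppUrl: " "
  awsAccessPortalUrl: " "
  sessionDurationInMinutes: 60
# Email Notification controls
notification:
  emailFrom: " "
"""

# Constructed sample with placeholder values in the shapes the consoles produce.
FILLED_CONFIG = """\
maintenanceMode: false
auth:
  idpSignInUrl: "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE"
  idpSignOutUrl: "https://portal.sso.us-east-1.amazonaws.com/saml/logout/EXAMPLE"
  idpAudience: "Isb-myns-Audience"
  webAppUrl: "https://d111111abcdef8.cloudfront.net"
  awsAccessPortalUrl: "https://d-EXAMPLE.awsapps.com/start"
  sessionDurationInMinutes: 60
notification:
  emailFrom: "sandbox-notifications@example.com"
"""

if __name__ == "__main__":
    for name, doc in (("template", TEMPLATE_CONFIG), ("filled", FILLED_CONFIG)):
        print(name, validate_global_config(parse_simple_yaml(doc)) or "OK")
```

Run the checks against the text you are about to paste into the new hosted configuration version; an empty result is what you want before choosing **Start Deployment**.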

# Update values in AWS Secrets Manager
<a name="update-values-secrets"></a>

You must sign the SAML requests and responses with SAML certificates to establish trust and verify authenticity. The certificate is created when you create the SAML 2.0 custom application. You will need to configure the solution application with the public key of this certificate.

1. From your AWS console, navigate to [AWS Secrets Manager](https://console.aws.amazon.com/secretsmanager/).

1. From the list of secrets, choose the secret named `/InnovationSandbox/<NAMESPACE>/Auth/IDPCert`.

1. On the secret details page, on the **Overview** tab, in the **Secret value** section, choose **Retrieve secret value** and choose **Edit**.

1. Choose **Plaintext**.

1. Copy the value of the IAM Identity Center certificate file (.pem) you downloaded. For more information, refer to the [Save application configuration values](update-auth-config.md#save-application-config-values) *Certificate* section.

1. Paste it into the Secrets Manager secret **Plaintext** field and choose **Save**. This will ensure that the application can use SAML authentication.
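Before pasting the certificate into the `IDPCert` secret, it is worth checking that the value is exactly one public certificate in PEM form: a truncated copy, a missing BEGIN/END line, or a private key pasted by mistake will either break SAML signature verification or put key material where only a public certificate belongs. The Python below is an added example and not the solution's code; `inspect_idp_cert_secret` is a hypothetical helper that checks the PEM framing, base64-decodes the body, verifies that it is a single well-formed DER SEQUENCE (which every X.509 certificate is), and returns the SHA-256 fingerprint of the DER bytes plus a normalized PEM for the **Plaintext** field. `SAMPLE_DER` is a constructed five-byte SEQUENCE standing in for a real certificate so that the example runs offline; it is not a certificate.

```python
import base64
import hashlib
import re

# One PEM block: label in group 1, base64 body in group 2 (BEGIN/END labels must match).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def _der_length_ok(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded length
    matches the bytes present; a truncated or edited file fails this."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def inspect_idp_cert_secret(text):
    """Hypothetical helper: validate the text destined for the IDPCert secret.
    Returns {"ok", "problems", "sha256", "normalized"}."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM block found; paste the whole file including the BEGIN/END lines")
        return {"ok": False, "problems": problems, "sha256": None, "normalized": None}
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("secret contains private key material; only the public certificate belongs here")
    if labels.count("CERTIFICATE") != 1:
        problems.append(f"expected exactly one CERTIFICATE block, found {labels.count('CERTIFICATE')}")
    if problems:
        return {"ok": False, "problems": problems, "sha256": None, "normalized": None}

    body = "".join(blocks[0][1].split())   # drop line breaks and stray spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                     # binascii.Error is a ValueError subclass
        problems.append("certificate body is not valid base64")
        return {"ok": False, "problems": problems, "sha256": None, "normalized": None}
    if not _der_length_ok(der):
        problems.append("certificate body is not a well-formed DER SEQUENCE; the file may be truncated or edited")

    # Re-wrap at 64 columns so the stored value has a canonical, trimmed shape.
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    normalized = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return {
        "ok": not problems,
        "problems": problems,
        "sha256": hashlib.sha256(der).hexdigest(),   # same digest openssl prints as the SHA-256 fingerprint
        "normalized": normalized,
    }


# Constructed stand-in: a minimal DER SEQUENCE (not a real certificate) so the example runs offline.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    result = inspect_idp_cert_secret(SAMPLE_PEM)
    print("ok:", result["ok"], "sha256:", result["sha256"])
    print(result["normalized"], end="")
```

Feed it the contents of the downloaded .pem file; if `ok` is true, store `normalized` as the secret's plaintext. The `sha256` value is the digest of the DER encoding, so it can be compared with `openssl x509 -noout -fingerprint -sha256 -in <downloaded>.pem` to confirm you stored the certificate you meant to.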

**Note**  
The Innovation Sandbox on AWS solution is now ready for use. You can now [log in to the web UI](log-in-webui.md) and start using the solution.