

# Configuring federation to the AMS console (SALZ)


The IAM roles and SAML identity provider (Trusted Entity) detailed in the following table have been provisioned as part of your account onboarding. These roles allow you to submit and monitor RFCs, service requests, and incident reports, as well as get information on your VPCs and stacks.



| Role | Identity Provider | Permissions | 
| --- | --- | --- | 
| Customer_ReadOnly_Role | SAML | For standard AMS accounts. Allows you to submit RFCs to make changes to AMS-managed infrastructure, as well as create service requests and incidents. | 
| customer_managed_ad_user_role | SAML | For AMS Managed Active Directory accounts. Allows you to log in to the AMS console to create service requests and incidents (no RFCs). | 

For the full list of the roles available under different accounts see [IAM user role in AMS](defaults-user-role.md).

A member of the onboarding team uploads the metadata file from your federation solution to the pre-configured identity provider. You use a SAML identity provider when you want to establish trust between AWS and a SAML-compatible IdP (identity provider), such as Shibboleth or Active Directory Federation Services, so that users in your organization can access AWS resources. SAML identity providers in IAM are used as principals in the IAM trust policy of the roles above.

Other federation solutions provide their own integration instructions for AWS; AMS has separate instructions. Following the blog post [Enabling Federation to AWS Using Windows Active Directory, AD FS, and SAML 2.0](https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/), along with the amendments given below, enables your corporate users to access multiple AWS accounts from a single browser.

After creating the relying party trust as per the blog post, configure the claims rules in the following way:
+ **NameId**: Follow the blog post.
+ **RoleSessionName**: Use the following values:
  + **Claim rule name**: RoleSessionName
  + **Attribute store**: Active Directory
  + **LDAP Attribute**: SAM-Account-Name
  + **Outgoing Claim Type**: https://aws.amazon.com/SAML/Attributes/RoleSessionName
+ **Get AD Groups**: Follow the blog post.
+ **Role claim**: Follow the blog post, but for the Custom rule, use this (the condition and the replacement both match a 12-digit account number after the `AWS-` prefix, and the replacement names the AMS-provisioned SAML provider `customer-readonly-saml`):

  ```
  c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-([\d]{12})-"]
   => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-([\d]{12})-", 
   "arn:aws:iam::$1:saml-provider/customer-readonly-saml,arn:aws:iam::$1:role/"));
  ```

When using AD FS, you must create Active Directory security groups for each role in the format shown in the following table (customer_managed_ad_user_role is for AMS Managed AD accounts only):



| Group | Role | 
| --- | --- | 
| AWS-[AccountNo]-Customer_ReadOnly_Role | Customer_ReadOnly_Role | 
| AWS-[AccountNo]-customer_managed_ad_user_role | customer_managed_ad_user_role | 
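To check what the Role claim rule above issues for the group names in this table, here is an added Python re-implementation of the rule and of the Role attribute value it produces (example code written for this page, not part of the AMS documentation or of AD FS). The two regex patterns and the provider name `customer-readonly-saml` are taken from the rule; the function names and the sample group names are constructed for the example, and the condition/replacement case handling mirrors the rule as written rather than any guaranteed AD FS behaviour.

```python
import re
from typing import List, Optional, Tuple

# Patterns taken from the AD FS custom rule on this page: the condition is
# case-insensitive ((?i)), the RegExReplace pattern is not; both are mirrored
# as written. SAML_PROVIDER is the provider name in the rule's replacement.
GROUP_CONDITION = re.compile(r"(?i)^AWS-([\d]{12})-")
GROUP_REPLACE = re.compile(r"AWS-([\d]{12})-")
SAML_PROVIDER = "customer-readonly-saml"

# One value of https://aws.amazon.com/SAML/Attributes/Role must be the pair
# "<saml-provider ARN>,<role ARN>"; both ARNs should name the same account.
ROLE_CLAIM = re.compile(
    r"^arn:aws:iam::(\d{12}):saml-provider/[\w.\-/]+,"
    r"arn:aws:iam::(\d{12}):role/[\w+=.@\-/]+$"
)


def group_to_role_claim(group: str, provider: str = SAML_PROVIDER) -> Optional[str]:
    """Role value the rule issues for one AD group, or None if the condition fails."""
    if not GROUP_CONDITION.search(group):
        return None
    replacement = rf"arn:aws:iam::\1:saml-provider/{provider},arn:aws:iam::\1:role/"
    return GROUP_REPLACE.sub(replacement, group, count=1)


def parse_role_claim(value: str) -> Optional[Tuple[str, str]]:
    """Return (provider_arn, role_arn) for a well-formed Role value, else None."""
    m = ROLE_CLAIM.match(value)
    if not m or m.group(1) != m.group(2):
        return None
    provider_arn, role_arn = value.split(",", 1)
    return provider_arn, role_arn


def role_claims_for_groups(groups: List[str]) -> List[str]:
    """Role values AD FS would issue for a user's groups; ignored groups are
    dropped, a group passing the condition but yielding a bad value raises."""
    claims = []
    for group in groups:
        value = group_to_role_claim(group)
        if value is None:
            continue
        if parse_role_claim(value) is None:
            raise ValueError(f"group {group!r} produced malformed Role claim {value!r}")
        claims.append(value)
    return claims
```

Run it against the group names you plan to create before cutting over: a group whose prefix differs only in case passes the condition but is not rewritten, which this check reports instead of letting a malformed Role value reach AWS.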

For further information, see [Configuring SAML Assertions for the Authentication Response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html).

**Tip**  
To help with troubleshooting, download the SAML tracer plugin for your browser.

# Submitting the federation request to AMS


If this is your first account, work with your CSDM(s) and/or Cloud Architect(s) to provide the metadata XML file for your identity provider.

If you are onboarding an additional account or Identity Provider and have access to either the management account or the desired application account, follow these steps.

1. Create a service request from the AMS console and provide the details necessary to add the identity provider:
   + AccountId of the account where the new identity provider will be created.
   + Desired identity provider name. If none is provided, the default is **customer-saml**; typically, this must match the settings configured in your federation provider.
   + For existing accounts, state whether the new identity provider should be propagated to all existing console roles, or provide a list of roles that should trust the new identity provider.
   + The metadata XML file exported from your federation agent, attached to the service request as a file attachment.

2. From the same account where you created the service request, create a new RFC using CT-ID ct-1e1xtak34nx76 (Management | Other | Other | Create) with the following information.
   + Title: "Onboard SAML IDP <Name> for Account <AccountId>".
   + AccountId of the account where the identity provider will be created.
   + Identity provider name.
   + For existing accounts: whether the identity provider should be propagated to all existing console roles, or the list of roles that should trust the new identity provider.
   + Case ID of the service request created in Step 1, where the metadata XML file is attached.