Google Workspace (formerly known as G Suite) is a typical first cloud service for companies embracing the cloud, especially startups. It provides out-of-the-box services such as email, calendar, file storage, and user identity. Google also offers Google Cloud Platform (GCP) for business logic and computing workloads; however, many companies prefer other vendors' offerings.
That is where Amazon Web Services (AWS), one of the prominent cloud computing vendors with a broad range of services, comes in. The challenge is using the user identity from Google Workspace to access AWS.
In this post, we walk you through setting up Google Workspace as the identity provider (IdP) for AWS IAM Identity Center.
[Sequence diagram of the login flow, created with mermaid.js]
- A user with a Google Workspace account opens the AWS access portal URL of an organization with AWS IAM Identity Center enabled.
- If not yet authenticated, the user is redirected to Google Workspace to log in.
- On successful login, a response containing the SAML assertion (authentication, authorization, and user profile attributes) is created and sent to AWS IAM Identity Center.
- AWS IAM Identity Center evaluates the response to determine whether the user may use the portal; on success, the portal is shown.
- The user can then select the AWS Organization account and Permission Set on the AWS access portal page.
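As an added example (not code from the original post), here are the checks a SAML service provider such as AWS IAM Identity Center performs on the response described above, using the IdP metadata exchanged during setup. The metadata, the response, the entity IDs and the URLs are constructed placeholders, and signature verification is named but not implemented.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed IdP metadata shaped like the file Google Workspace lets you download (placeholder values).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE"/></md:IDPSSODescriptor></md:EntityDescriptor>"""
# Constructed SAML response; {audience} is filled in by the caller so the audience check can be exercised.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLE</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
# Placeholder for the SP entity ID that AWS IAM Identity Center shows as its service provider metadata.
SP_ENTITY_ID = "https://REGION.signin.aws.amazon.com/platform/saml/d-PLACEHOLDER"

def saml_time(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_idp_metadata(xml_text):
    """What the SP records when IdP metadata is uploaded: the issuer it will trust and its signing certs."""
    root = ET.fromstring(xml_text)
    certs = [c.text.strip() for kd in root.findall(".//md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means signing and encryption
             for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs}

def check_assertion(xml_text, idp, sp_entity_id, now):
    """Return the failed checks (empty list = accepted); XML-DSig verification with idp['signing_certs'] is left out here because it needs a signature library."""
    a = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    problems = []
    if a.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
        problems.append("issuer is not the trusted IdP")  # trust comes only from the uploaded metadata
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    if a.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("no subject NameID to map to a user")
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")  # stale or replayed assertion
    if sp_entity_id not in audiences:
        problems.append("audience is not this service provider")  # issued for a different SP
    return problems
```

Every failed check is a reason the AWS side would refuse the login, which is what to look at first when the portal rejects a user who authenticated fine at Google.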
To set up the AWS account initially, first enable or create the AWS Organization.
From the Account menu (upper right corner of the AWS Console, showing your account name), open Organization.
Once the organization has been enabled or created, your AWS accounts are listed; for now, we have only the main account.
Enable AWS IAM Identity Center.
From the Services menu (upper left corner of the AWS Console, next to the AWS logo), select Security, Identity, & Compliance and open IAM Identity Center (successor to AWS Single Sign-On).
Once enabled, select Choose your identity source.
By default, AWS uses its internal identity store as the source. Select External identity provider as our new source.
Download the metadata file, or take note of the metadata details, as we will use them later in the Google Workspace custom SAML app.
Let's move partway over to Google Workspace to create the custom SAML app.
In the Google Workspace Admin Console, select Apps, then open Web and mobile apps.
Choose Add custom SAML app from the Add app menu.
Provide meaningful details for the app.
Download the Google Workspace IdP metadata, or take note of the IdP details, as we will use them to complete the configuration of the AWS external identity provider.
The metadata downloaded from the AWS external identity provider page provides the following details for our service provider.
Skip the attribute mapping and finish the custom SAML app creation.
Configure the application: change the service status to ON for everyone.
Let's move back to the AWS external identity provider configuration.
Upload the IdP metadata downloaded from the Google Workspace custom SAML app as our AWS IdP to establish trust.
Review the changes and confirm with ACCEPT to complete the identity source change.
To test whether the external IdP setup works, create groups and users based on the Google Workspace directory.
Create a permission set to serve as the role for the group of users, with the policy attached to it.
Open the AWS access portal URL to sign in.
We now have a fully working external IdP, provided by the Google Workspace directory, for our AWS users.