- \n
- A JumpCloud administrator account<\/li>\n\n\n\n
- JumpCloud SSO Package or higher or SSO add-on feature<\/li>\n\n\n\n
- AWS Admin account (AWS root user)<\/li>\n\n\n\n
- AWS organization <\/li>\n<\/ul>\n\n\n\n
Important Considerations<\/strong><\/p>\n\n\n\n
- \n
- Single sign-on for AWS IAM Identity Center is recommended, but not required, when creating an Identity Management integration with AWS IAM Identity Center<\/li>\n\n\n\n
- SAML is the recommended method for managing secure user authentication into AWS IAM Identity Center<\/li>\n\n\n\n
- For the connector to work, usernames in AWS IAM Identity Center need to match email addresses in JumpCloud<\/li>\n\n\n\n
- If you need to renew your token, you must deactivate the Identity Management integration<\/a> first, update your token<\/a> and then reactivate the integration<\/li>\n\n\n\n
- If you deactivate Identity Management integration on an AWS IAM Identity Center application connector, you will need to generate a new access token if you want to activate it again<\/li>\n\n\n\n
- If you delete an integrated AWS IAM Identity Center application from your Applications list, the application is removed from JumpCloud, but any previously bound users remain active in AWS IAM Identity Center. These users will be able to log in to AWS IAM Identity Center with the password they used prior to enablement of SSO to the AWS IAM Identity Center application from your JumpCloud account<\/li>\n\n\n\n
- When a user is deleted in JumpCloud, the user is deleted from AWS IAM Identity Center<\/li>\n\n\n\n
- Once the Identity Source is changed to \u201cExternal Identity Provider\u201d and SCIM Provisioning is enabled in AWS IAM Identity Center, you can no longer create or update users and groups in AWS IAM Identity Center:\n
- \n
- To manage AWS IAM Identity Center users who were created before SCIM provisioning was enabled, you need to add them in JumpCloud and add them to a User Group that is associated with the AWS IAM Identity Center application connector<\/li>\n\n\n\n
- To manage AWS IAM Identity Center groups that were created before SCIM provisioning was enabled, in JumpCloud, you have to select the Enable management of User Groups and Group Membership in this application. Then, create user groups with the same name as your existing AWS IAM Identity Center groups, and add those groups to the AWS IAM Identity Center application connector<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- AWS IAM Identity Center is only capable of returning 50 groups from their ListGroups API<\/li>\n\n\n\n
- Group names in JumpCloud cannot have a \u2018:\u2019 character. Otherwise, they won’t sync<\/li>\n\n\n\n
- The username in AWS IAM Identity Center must match the email address in JumpCloud. If users were manually created in AWS IAM Identity Center before JumpCloud was configured as the external identity source, the username must be updated to the email address specified for that user in JumpCloud. If the username is not a valid JumpCloud email, then the following will occur:\n
- \n
- Jumpcloud won’t be able to take over management of the user in AWS IAM Identity Center<\/li>\n\n\n\n
- The user won’t be able to log in via SSO<\/li>\n\n\n\n
- The user encounters an invalid MFA credentials error<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Attribute Considerations<\/strong><\/p>\n\n\n\n
- \n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details<\/li>\n\n\n\n
- If the display name is updated in JumpCloud, AWS IAM Identity Center won’t overwrite it<\/li>\n\n\n\n
- When you update a Group name in the JumpCloud administrator portal, it will update in AWS IAM Identity Center as well<\/li>\n\n\n\n
- When a new user is provisioned to AWS IAM Identity Center, the value of the displayName attribute is set to combine the firstName and lastName attributes. For example, the attribute displayName = firstName + lastName:\n
- \n
- firstName = \u201cJohn\u201d<\/li>\n\n\n\n
- lastName = \u201cDoe\u201d<\/li>\n\n\n\n
- displayName = \u201cJohn Doe\u201d<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Creating a new JumpCloud Application Integration<\/strong><\/h2>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Click + Add New Application<\/strong>.<\/li>\n\n\n\n
- Type the name of the application in the Search <\/strong>field and select it.<\/li>\n\n\n\n
- Click Next<\/strong>.<\/li>\n\n\n\n
- In the Display Label<\/strong>, type your name for the application. Optionally, you can enter a Description<\/strong>, adjust the User Portal Image and choose to hide or Show in User Portal<\/strong>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \nIf this is a Bookmark Application, enter your sign-in URL in the Bookmark URL<\/strong> field.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Optionally, expand Advanced Settings<\/strong> to specify a value for the SSO IdP URL<\/strong>. If no value is entered, it will default to https:\/\/sso.jumpcloud.com\/saml2\/<applicationname><\/kbd>.<\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\")
<\/p><\/div>Warning:<\/strong> \nThe SSO IdP URL<\/strong> is not editable after the application is created. You will have to delete and recreate the connector if you need to edit this field at a later time.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- If successful, click:\n
- \n
- Configure Application<\/strong> and go to the next section <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
Configuring the SSO Integration<\/strong><\/h2>\n\n\n\n
To configure AWS IAM Identity Center 1<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center management console. <\/li>\n\n\n\n
- Under Enable<\/strong> IAM Identity Center, <\/strong>choose Enable.<\/strong><\/li>\n\n\n\n
- If there is not an existing AWS organization, click Create AWS organization<\/strong> to create<\/a> one. <\/li>\n\n\n\n
- Under Recommended setup steps<\/strong>, select Choose your identity source<\/strong>.<\/li>\n\n\n\n
- Next to Identity Source<\/strong>, click Change<\/strong>. <\/li>\n\n\n\n
- Select External identity provider<\/strong>.<\/li>\n\n\n\n
- In the Service provider metadata<\/strong> section, click download metadata file<\/strong>. <\/li>\n\n\n\n
- Keep the AWS console open because you need to access it for To configure AWS IAM Identity Center 2<\/a>. <\/li>\n<\/ol>\n\n\n\n
To configure JumpCloud<\/strong> <\/h3>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \nDo not <\/strong>select Amazon Web Services (IAM) for this connector.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the SSO <\/strong>tab.<\/li>\n\n\n\n
- Under Service Provider Metadata<\/strong>, click Upload Metadata.<\/strong><\/li>\n\n\n\n
- Browse to the location of the Service Provider Metadata downloaded from the previous section and click Open<\/strong>.<\/li>\n\n\n\n
- Once this file is uploaded, all fields should populate automatically.<\/li>\n\n\n\n
- Click Export Metadata<\/strong> under JumpCloud Metadata<\/strong>. <\/li>\n<\/ol>\n\n\n\n\n\n
- \n
- Optionally, if you want to force SP Initiated Authentication, in the Login URL<\/strong> field, replace the value with your Login URL. <\/li>\n<\/ol>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nThis is the URL provided by Amazon to log directly into your company-specific AWS access portal. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To configure AWS IAM Identity Center<\/strong><\/strong> 2<\/strong><\/h3>\n\n\n\n
- \n
- Go back to the AWS IAM Identity Center management console.<\/li>\n\n\n\n
- In the Identity provider metadata<\/strong> section, click Choose file<\/strong>, and upload the JumpCloud metadata file. <\/li>\n\n\n\n
- Click Next: Review<\/strong>.<\/li>\n\n\n\n
- In the text box, type ACCEPT<\/em> to change your identity source. <\/li>\n\n\n\n
- Click Change identity source<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Authorizing User SSO Access<\/strong><\/h2>\n\n\n\n
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration<\/strong> panel or from the Groups Configuration<\/strong> panel. <\/p>\n\n\n\n
To authorize user access from the Application Configuration panel<\/strong><\/h3>\n\n\n\n
- \n
- Log in to the <\/a>JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Select the User Groups<\/strong> tab. If you need to create a new group of users, see Get Started: User Groups<\/a>.<\/li>\n\n\n\n
- Select the check box next to the group of users you want to give access.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
To learn how to authorize user access from the Groups Configuration<\/strong> panel, see Authorize Users to an SSO Application<\/a>.<\/p>\n\n\n\n
Validating SSO user authentication workflow(s)<\/strong><\/h2>\n\n\n\n
IdP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Access the JumpCloud User Console<\/a><\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- JumpCloud asserts the user’s identity to the SP and is authenticated without the user having to log in to the application<\/li>\n<\/ul>\n\n\n\n
SP-initiated<\/strong> user workflow<\/strong><\/h3>\n\n\n\n
- \n
- Go\u00a0to the SP application login – generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO<\/li>\n<\/ul>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
This varies by SP.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- \n
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials<\/li>\n\n\n\n
- After the user is logged in successfully, they are redirected\u00a0back to the SP and automatically logged in<\/li>\n<\/ul>\n\n\n\n
Configuring the Identity Management Integration <\/strong><\/h2>\n\n\n\n
- \n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Select the Identity Management<\/strong> tab.<\/li>\n\n\n\n
- Click configure<\/strong>, and keep the window available. <\/li>\n\n\n\n
- In a new window, log in to the AWS administrator console. <\/li>\n\n\n\n
- Go to All Services > Security, Identity & Compliance<\/strong>, and select AWS Single Sign-On<\/strong>.<\/li>\n\n\n\n
- Under Recommended setup steps<\/strong>, select Choose your identity provider<\/strong>.<\/li>\n\n\n\n
- In the Identity source<\/strong> section, select Enable automatic provisioning<\/strong>.<\/li>\n\n\n\n
- Copy the SCIM Endpoint URL<\/strong> from the Inbound automatic provisioning<\/strong> modal.<\/li>\n\n\n\n
- Go back to the AWS IAM Identity Center application connector in JumpCloud.\n
- \n
- Click Enable management of User Groups and Group Membership in this application<\/strong> if you want to provision, manage, and sync groups.<\/li>\n\n\n\n
- *SP Base URL<\/strong>: Paste the SCIM Endpoint URL you copied from AWS. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Go back to the AWS IAM Identity Center Inbound automatic provisioning modal. Click Show token<\/strong>, then copy the token. Important: When you click Show token, you have to keep the window open until you have copied and entered the token into JumpCloud. After you close the Inbound automatic provisioning modal, it doesn\u2019t show you this information again.<\/li>\n\n\n\n
- Go back to the AWS IAM Identity Center application connector in JumpCloud. *SP SPI Token: Paste the Access token you copied from AWS.<\/li>\n\n\n\n
- Click Activate<\/strong>. <\/li>\n\n\n\n
- You receive a confirmation that the Identity Management integration has been successfully verified and a Public Certificate is created. You can download the certificate from here.<\/li>\n\n\n\n
- Click save<\/strong>.<\/li>\n\n\n\n
- After the application is saved, it appears in the SSO Applications list. You can now connect users to the application in JumpCloud to provision them in AWS IAM Identity Center. Learn how to Authorize Users to an SSO Application<\/a>.<\/li>\n<\/ol>\n\n\n\n
To configure Attribute Based Access Control (ABAC)<\/strong><\/h3>\n\n\n\n
AWS IAM Identity Center supports the use of attributes to control access to your AWS resources across multiple AWS accounts. This authorization strategy is known as attribute-based access control (ABAC). Within the AWS IAM Identity Center console, you can define fine-grained permissions and policies based on attributes sent from JumpCloud. Attributes used for ABAC are called tags in AWS. Using user attributes as tags in AWS helps you simplify the process of creating and managing permissions in AWS and allows you to extend your zero trust security model to your AWS resources. <\/p>\n\n\n\n
Configuring ABAC in AWS IAM Identity Center is done through the Attributes for access controls page in the AWS IAM Identity Center console. There are two ways to configure ABAC. You can use SCIM user attributes or SAML attributes. <\/p>\n\n\n\n
Important: In scenarios where the same attributes are sent to AWS IAM Identity Center through SAML and SCIM, the SAML attributes values take precedence in access control decisions.<\/p>\n\n\n\n
To enable ABAC in AWS IAM Identity Center<\/strong><\/h3>\n\n\n\n
To use attributed based access control (ABAC), you need to enable the Attributes for access control feature in AWS IAM Identity Center console. For more information about how to do this, see Enable and configure attributes for access control<\/a><\/p>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center console. <\/li>\n\n\n\n
- Click Settings <\/strong>from the left hand navigation panel.<\/li>\n\n\n\n
- On the Settings <\/strong>page, under Identity source<\/strong>, next to Attributes for access control, click Enable<\/strong>.<\/li>\n<\/ol>\n\n\n\n
To configure ABAC Using SCIM User Attributes<\/strong><\/h3>\n\n\n\n
You can select user attributes sent to AWS IAM Identity Center via the JumpCloud SCIM Identity Management integration to be used as attributes to manage access (ABAC) to your AWS resources. Then, you create a permission set in AWS IAM Identity Center to manage access based on the attributes you passed from JumpCloud. For more information about which user attributes are passed from JumpCloud, see Attribute Mappings<\/a>, below. For more information about configuring attributes for access controls, see Enable and configure attributes for access control<\/a>.<\/p>\n\n\n\n
- \n
- Log in to the AWS IAM Identity Center console.<\/li>\n\n\n\n
- Click Settings <\/strong>from the left hand navigation panel.<\/li>\n\n\n\n
- On Settings > Identity source<\/strong>, next to Attributes for access control, click View details<\/strong>.<\/li>\n\n\n\n
- Enter a Key value.\n
- \n
- Note: You can provide any name you want. Key<\/em> represents the name you are giving to the attribute for use in policies and is case sensitive. You need to specify that exact name in the policies you author for access control. The Key must also be named exactly the same in your aws:PrincipalTag condition key (i.e., “ec2:ResourceTag\/CostCenter”: “${aws:PrincipalTag\/CostCenter}”)<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- On Settings > Identity source<\/strong>, next to Attributes for access control, click View details<\/strong>.<\/li>\n\n\n\n
- On the Settings <\/strong>page, under Identity source<\/strong>, next to Attributes for access control, click Enable<\/strong>.<\/li>\n<\/ol>\n\n\n\n
- *SP Base URL<\/strong>: Paste the SCIM Endpoint URL you copied from AWS. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Select the Identity Management<\/strong> tab.<\/li>\n\n\n\n
- Create a new application<\/a> or select it from the Configured Application<\/strong>s list.<\/li>\n\n\n\n
- Go to\u00a0Applications<\/strong> and click an application tile to launch it<\/li>\n\n\n\n
- Go to USER AUTHENTICATION > SSO<\/strong> Applications<\/strong>, then select the application to which you want to authorize user access.<\/li>\n\n\n\n
- Click Next: Review<\/strong>.<\/li>\n\n\n\n
- Click save<\/strong>. <\/li>\n<\/ol>\n\n\n\n
- Select the SSO <\/strong>tab.<\/li>\n\n\n\n
- If there is not an existing AWS organization, click Create AWS organization<\/strong> to create<\/a> one. <\/li>\n\n\n\n
- Close<\/strong> to configure your new application at a later time <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
- If successful, click:\n
- Click Save Application<\/strong>.<\/li>\n\n\n\n
- Go to\u00a0USER AUTHENTICATION\u00a0<\/strong>>\u00a0SSO<\/strong> Applications<\/strong>.<\/li>\n\n\n\n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- A default set of attributes are managed for users. See the Attribute Mappings<\/a> section for more details<\/li>\n\n\n\n