HOW TO CONFIGURE OCTOPUS AUTHENTICATOR FOR AWS

This page shows how to put Amazon Web Services (AWS) logins behind Octopus Authenticator multi-factor authentication. AWS is configured as a SAML 2.0 service provider and the Octopus Authenticator as its identity provider, so that the Octopus server controls who may sign in to AWS and how.

  • Log in to the Octopus Authenticator Management Console
  • Select Services from the left pane
  • Select Add Service
  • Click the Amazon Web Services (AWS) service template

Tab 1 – General Information

The following fields and values are displayed:

Field name        Field value
Service name      Amazon Web Services (AWS) (default)
Issuer            Amazon (default)
Description       (empty by default)
Service status    Enable (default)
Display icon      (empty by default)
Login page URL    https://<Enterprise Base URL>/aws-saml/<No.>/login

Note: Secret Double Octopus recommends leaving the default field values as displayed.

Tab 2 – Parameters

The following fields and values are displayed:

Field name          Field value
Login               Select the login method the Octopus Authenticator server uses
Role Session Name   AWS email (the user's e-mail address is sent as the SAML RoleSessionName and becomes the session name recorded in AWS logs such as CloudTrail)
Role ARN            Enter the ARN string of the AWS role. See the AWS role configuration steps below and paste the Role ARN string you copied there.
Trusted entities    Enter the ARN of the AWS identity provider. See the identity provider configuration steps below and paste the Provider ARN string you copied there.
+Add parameter      Do not add any parameters

Tab 3 – Sign On

The following fields and values are displayed:

Field name                            Field value
Multi Factor Authentication (MFA)     Off (default)
Sign-on Method                        SAML 2.0
X.509 Certificate                     (as displayed)
SAML signature algorithm              SHA-1 (default)
Single Sign On (SSO)                  Off (default)
Issuer URL                            http://<Enterprise base URL>/aws-saml/<No.>
SAML 2.0 Endpoint (HTTP)              http://<Enterprise base URL>/aws-saml/<No.>/login
Custom message                        (empty by default)

Note: Secret Double Octopus recommends leaving the default field values as displayed.

Two of these values are worth checking before users are onboarded. The SAML signature algorithm defaults to SHA-1, which is deprecated for digital signatures; if your console version offers SHA-256, select it, since AWS accepts assertions signed with RSA-SHA256. The Issuer URL is an identifier rather than a link and must match the entityID in the downloaded metadata exactly, so do not edit it by hand; the SAML 2.0 Endpoint, however, is where browsers are sent and should be served over HTTPS in your deployment, as the Login page URL in Tab 1 is.

Tab 4 – Users

To configure the users of the service:

  • Select users from either the “Local Users” or the “LDAP Users” list
  • You can select either:
    • A group of users to import, by clicking the dot next to one of the folders
    • An individual user to import, by clicking the dot next to that user

The selected dot turns blue. When only some of the users in a group are selected, the dot next to the group is partially colored.

  • Click SAVE SETTINGS

The selected users are now enrolled in the service.

How to Create the AWS Role and Provider ARNs

  • Log in to your Amazon Web Services account
  • Click Services
  • Under “Security, Identity & Compliance”, select “IAM”
  • In “Identity and Access Management”, select “Identity Providers” from the left pane
  • Click “Create Provider” to create a new provider

Octopus Authenticator AWS SAML Service Sign-On Metadata

To retrieve the SAML metadata of the Octopus Authenticator AWS service, log in to the Octopus Authenticator Management Console:

  • Select Services from the left pane
  • Select Add Service
  • Click the “Amazon Web Services (AWS)” service template
  • In the “Sign On” tab, click the SAML Metadata button to download the FederationMetadata.xml file

How to Configure 3rd Party Identity Provider at AWS

  • Step 1: Configure Provider
    • Select “SAML” as the Provider Type
    • Provider Name – enter the name under which the Octopus Authenticator will be known in AWS as the 3rd party Identity Provider
    • Metadata Document – upload the Octopus Authenticator AWS Service Sign-On metadata file (FederationMetadata.xml)
    • Click “Create”

  • Step 2: Verify Provider information
    • Review the provider information and click “Next Step”

  • Identity Provider Summary
    • Copy the “Provider ARN” string
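Before the metadata file is uploaded it pays to look at what AWS will extract from it. The script below is an added example, not code from this page, from Secret Double Octopus or from AWS: it parses a FederationMetadata.xml, pulls out the entityID, the single sign-on endpoints and the signing certificates, and reports anything that would make the AWS side fail or weaken it (entityID not equal to the Issuer URL from the Sign On tab, an endpoint not served over HTTPS, no signing certificate). The embedded metadata is a constructed sample; the host name idp.example.com, the service number and the certificate body are placeholders.

```python
"""Added example (not Secret Double Octopus or AWS code): check a downloaded
FederationMetadata.xml before uploading it as the AWS identity provider.
Standard library only; the metadata below is a constructed sample."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of the shape the Octopus "SAML Metadata" button produces.
# Host name, service number and certificate body are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/aws-saml/1">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/aws-saml/1/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_idp_metadata(xml_text: str) -> dict:
    """Pull out the three things AWS relies on: entityID, SSO endpoints, signing certs.
    The file comes from your own IdP; for metadata from an untrusted source parse it
    with defusedxml rather than xml.etree."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in
                      kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    endpoints = [(s.get("Binding"), s.get("Location"))
                 for s in idp.findall("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"),
            "sso_endpoints": endpoints,
            "signing_certs": certs}


def metadata_problems(xml_text: str, expected_issuer: str) -> list:
    """Return human-readable problems; an empty list means the file is ready to upload."""
    info = summarize_idp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_issuer:
        problems.append(f"entityID {info['entity_id']!r} does not match the Issuer URL "
                        f"{expected_issuer!r}")
    if not info["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso_endpoints"]:
        if urlparse(location or "").scheme != "https":
            problems.append(f"SSO endpoint {location!r} ({binding}) is not served over HTTPS")
    if not info["signing_certs"]:
        problems.append("no signing certificate: AWS cannot verify assertion signatures")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_metadata.py [FederationMetadata.xml]; without a path the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_METADATA
    for line in metadata_problems(text, "https://idp.example.com/aws-saml/1") or ["metadata OK"]:
        print(line)
```

Run it against the real file with the Issuer URL shown on the Sign On tab as the second argument of metadata_problems; an empty result means the entityID, endpoint scheme and signing key are what the AWS provider will need.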

 


How to Configure the AWS IAM Role

  • Select “Roles” from the left pane
  • Click “Create role”

  • Step 1 – Select role type:
    • Choose “SAML 2.0 Federation”
    • From the “SAML provider” drop-down menu, select the provider created above
    • Check “Allow programmatic and AWS Management Console access”
    • Attribute: “SAML:aud”
    • Value: https://signin.aws.amazon.com/saml
    • Click the “Next: Permissions” button

  • Step 2 – Select permissions policies:
    • Check one or more permissions policies for the new AWS role (grant only what the federated users need)
    • Click “Next: Review”

  • Step 3 – Role review:
    • Type the “Role name*”
    • Type the “Role description”
    • Trusted entities – verify that the trusted entity shown is the Identity Provider ARN you copied earlier
    • Click “Create role”

  • Step 4 – Role summary:
    • Copy the “Role ARN” string

 


Octopus Authenticator AWS Service Parameters Setup

To complete the Octopus Authenticator AWS SAML service integration, log in to the Octopus Authenticator Management Console:

  • Select “Services” from the left pane
  • Select the “Amazon Web Services (AWS)” service
  • Go to the “Parameters” tab:
    • Set “Role ARN” to the Role ARN string copied from the AWS role
    • Set “Trusted entities” to the Provider ARN string copied from the AWS identity provider
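The script below is an added example, not code from this page, from Secret Double Octopus or from AWS. It validates the two ARN strings entered on the Parameters tab (right resource types, same partition and account), produces the trust policy that the “SAML 2.0 Federation” role wizard in the role section above creates (the provider ARN as federated principal, sts:AssumeRoleWithSAML as the only action, and the SAML:aud condition), and builds the comma-separated role/provider pair that AWS reads from the SAML Role attribute. The account ID, role name and provider name are constructed placeholders.

```python
"""Added example (not Secret Double Octopus or AWS code): validate the Role ARN
and Provider ARN entered on the Parameters tab, and derive from them what AWS
consumes: the role's trust policy and the SAML Role attribute value.
Standard library only; the ARNs used are constructed placeholders."""
import json
import re

# IAM is a global service, so the region field of these ARNs is always empty.
_IAM_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):iam::(?P<account>\d{12}):"
    r"(?P<rtype>role|saml-provider)/(?P<name>[\w+=,.@/-]+)$"
)

# Audience AWS requires in every assertion; it is the SAML:aud condition the
# "SAML 2.0 Federation" role wizard adds to the trust policy.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def parse_iam_arn(arn: str, expected_type: str) -> dict:
    """Split an IAM role or saml-provider ARN into its parts, or raise ValueError."""
    m = _IAM_ARN_RE.match(arn.strip())
    if m is None:
        raise ValueError(f"not an IAM role/saml-provider ARN: {arn!r}")
    if m["rtype"] != expected_type:
        raise ValueError(f"expected a {expected_type} ARN, got a {m['rtype']} ARN: {arn!r}")
    return m.groupdict()


def trust_policy(provider_arn: str) -> dict:
    """Trust relationship the console creates for a SAML 2.0 Federation role: only this
    provider may call sts:AssumeRoleWithSAML, and only with the AWS sign-in audience."""
    parse_iam_arn(provider_arn, "saml-provider")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn.strip()},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """Value AWS expects in the https://aws.amazon.com/SAML/Attributes/Role attribute:
    the role ARN and the provider ARN from the Parameters tab, comma-separated."""
    role = parse_iam_arn(role_arn, "role")
    prov = parse_iam_arn(provider_arn, "saml-provider")
    if (role["partition"], role["account"]) != (prov["partition"], prov["account"]):
        raise ValueError("role and provider must live in the same AWS account")
    return f"{role_arn.strip()},{provider_arn.strip()}"


def pair_problems(role_arn: str, provider_arn: str) -> list:
    """Non-raising check of a role/provider pair: an empty list means it is usable."""
    try:
        role_attribute_value(role_arn, provider_arn)
    except ValueError as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    # Constructed placeholders; replace with the strings copied from the AWS console.
    ROLE = "arn:aws:iam::123456789012:role/OctopusFederatedUsers"
    PROVIDER = "arn:aws:iam::123456789012:saml-provider/OctopusAuthenticator"
    print(json.dumps(trust_policy(PROVIDER), indent=2))
    print(role_attribute_value(ROLE, PROVIDER))
```

Run without arguments to see the trust policy and the Role attribute value for the placeholder ARNs. The printed policy is the document to use for the role's trust relationship when the role is created with the AWS CLI or infrastructure-as-code instead of the console wizard; keeping the SAML:aud condition in it is what stops an assertion minted for some other service provider from being replayed against AWS.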