HOW TO CONFIGURE OCTOPUS AUTHENTICATOR FOR AWS

This page shows you how to add multi-factor authentication to your Amazon Web Services (AWS) account using the Octopus Authenticator, so that you gain more control over, and security for, how users log in to your network.

  • Log in to the Octopus Authenticator Console
  • Select Services from the left pane
  • Select Add Service
  • Click Amazon Web Services (AWS) service template

Tab 1 – General Information

The following fields and values are displayed:

Field name        Field value
Service name      Amazon Web Services (AWS) (default)
Issuer            Amazon (default)
Description
Service status    Enable (default)
Display icon
Login page URL    https://<Enterprise Base URL>/aws-saml/<No.>/login

Note: Secret Double Octopus recommends leaving the default field values as displayed.

Tab 2 – Parameters

The following fields and values are displayed:


Field name          Field value
Login               Select the login method for the Octopus Authenticator server
Role Session Name   AWS email
Role ARN            Enter the AWS role’s ARN string. See “How to configure AWS’s role” below and enter the Role ARN string you copied.
Trusted entities    Enter the AWS provider’s ARN. See “How to configure 3rd party Identity Provider at AWS” below and enter the Provider ARN string you copied.
+Add parameter      Do not add any parameters

Tab 3 – Sign On

The following fields and values are displayed:

Field name                          Field value
Multi Factor Authentication (MFA)   Off (default)
Sign-on Method                      SAML 2.0
X.509 Certificate
SAML signature algorithm            SHA-1 (default)
Single Sign On (SSO)                Off (default)
Issuer URL                          http://<Enterprise base URL>/aws-saml/<No.>
SAML 2.0 Endpoint (HTTP)            http://<Enterprise base URL>/aws-saml/login
Custom message

Note: Secret Double Octopus recommends leaving the default field values as displayed.

Tab 4 – Users

To configure the users of the service:

  • Select users from either “Local Users” or “LDAP Users” lists
  • You can select either:
    • A group of users to import, by clicking on the dot next to one of the folders
    • An individual user to import, by clicking on the dot next to that user

The corresponding dot is then colored blue. When you select only some of the users in a group, the dot next to that group is only partially colored.

  • Click SAVE SETTINGS

After you click SAVE SETTINGS, the selected users are enrolled in the service.

How to create AWS role and provider’s ARNs

  • Log in to your Amazon Web Services account
  • Click Services
  • Under “Security, Identity & Compliance”, select IAM
  • On the “Identity and Access Management” page, select Identity Providers from the left pane
  • Click Create Provider to create a new provider

Back in the Secret Double Octopus Management Console

To download Secret Double Octopus services’ SAML Metadata:

  • Select Services from the left pane
  • Select Add Service
  • Click Amazon Web Services (AWS) service template
  • In the Sign On tab, click the SAML Metadata button to download the SAML_Metadata file
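The SAML_Metadata file is what AWS uses to decide which issuer and which signing certificate it will trust, so it is worth checking it against the Sign On tab values (Issuer URL, SAML 2.0 Endpoint, X.509 Certificate) before uploading it. The following Python script is an added example, not code from this page or from Secret Double Octopus: it parses a constructed sample IdP metadata document (the host sdo.example.com, the service number 1 and the certificate text are placeholders) and reports whether the entityID and the HTTP-POST endpoint match the configured values, whether a signing certificate is present, and which URLs are plain http://. The metadata does not carry the signature algorithm; SHA-1, the Tab 3 default, is a deprecated signature algorithm, so prefer SHA-256 where your deployment supports it.

```python
"""Inspect an IdP SAML metadata file before uploading it to AWS as a SAML provider.

Added example, not code from this page or from Secret Double Octopus. The metadata
below is a constructed sample shaped like a SAML 2.0 IdP EntityDescriptor; the host
sdo.example.com, the service number 1 and the certificate text are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample standing in for the downloaded SAML_Metadata file.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://sdo.example.com/aws-saml/1">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERTIFICATE-NOT-A-REAL-KEY</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sdo.example.com/aws-saml/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sdo.example.com/aws-saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, the SSO endpoints keyed by binding, and the signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    endpoints = {
        svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
        if key.get("use") in (None, "signing"):
            for cert in key.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))  # drop PEM line wrapping
    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "signing_certs": certs}


def check_against_sign_on_tab(meta, issuer_url, endpoint_url):
    """Compare the metadata with the Issuer URL and SAML 2.0 Endpoint values of the Sign On tab."""
    urls = [meta["entity_id"], *meta["endpoints"].values()]
    return {
        "issuer_matches": meta["entity_id"] == issuer_url,
        "endpoint_matches": meta["endpoints"].get("HTTP-POST") == endpoint_url,
        "has_signing_cert": bool(meta["signing_certs"]),
        # The browser carries the signed assertion from these URLs to AWS; plain-http
        # endpoints expose it in transit, so list them for migration to https.
        "plaintext_http": sorted({u for u in urls if u and u.startswith("http://")}),
    }


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(check_against_sign_on_tab(
        meta, "http://sdo.example.com/aws-saml/1", "http://sdo.example.com/aws-saml/login"))
```

Point `parse_idp_metadata` at the real downloaded file and pass the Issuer URL and SAML 2.0 Endpoint from your own Sign On tab; an `issuer_matches` of False means AWS will reject assertions from this issuer once the provider is created.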


How to configure 3rd party Identity Provider at AWS

  • Step 1: Configure Provider
    • In the Metadata Document field, select the SAML_Metadata file downloaded above while creating the AWS OctopusAuthenticator provider
    • Click Create
  • Step 2: Verify Provider information
    • Click Next Step
  • Identity Provider Summary
    • Copy the “Provider ARN” string


How to configure AWS’s role

  • Select Roles from the left pane
  • Click Create new role
  • Step 1: Select role type
    • Choose “Role for identity provider access”
    • Select “Grant Web Single Sign-On (WebSSO) access to SAML provider”
  • Step 2: Establish trust
    • Select the SAML provider you created
    • Do not modify the Value field
    • Click Next Step
    • Verify role trust
    • Click Next Step
  • Step 3: Attach policy
    • Select a Policy
    • Click Next Step
  • Step 4: Set role name and review
    • Click Create Role
  • AWS Role Summary
    • Copy the “Role ARN” string
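The two ARNs copied in these sections are consumed in two places: the identity provider puts them, as a comma-separated pair, into the SAML Role attribute of each assertion (this is what the Role ARN and Trusted entities fields of the Parameters tab feed, with Role Session Name supplying the RoleSessionName attribute), and the WebSSO wizard writes the provider ARN into the role's trust policy. The following Python is an added example that is not part of this page or of the vendor's product: it composes those assertion attributes from the Parameters tab values, rejecting malformed ARNs and a role/provider pair from different accounts, and checks that a role trust policy trusts only the named SAML provider, only for sts:AssumeRoleWithSAML, and only with the SAML:aud condition the wizard generates. The account id 123456789012 and the names OctopusAuthenticator, OctopusSSO and alice@example.com are constructed placeholders.

```python
"""Compose the AWS SAML assertion attributes and check the WebSSO role trust policy.

Added example, not from this page or from Secret Double Octopus. The account id
123456789012 and the names OctopusAuthenticator, OctopusSSO and alice@example.com
are constructed placeholders; use the ARNs copied from the AWS console instead.
"""
import json
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# Audience AWS expects in sign-in assertions; the WebSSO wizard pins it in the trust policy.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_attributes(role_arn, provider_arn, session_name):
    """Attributes the IdP must place in the assertion: the Role pair and the RoleSessionName.

    The Role value is "<Role ARN>,<Provider ARN>", i.e. the Role ARN and Trusted
    entities strings from the Parameters tab; RoleSessionName carries the value
    chosen under Role Session Name (the page uses the AWS email).
    """
    role = ROLE_ARN.match(role_arn)
    provider = PROVIDER_ARN.match(provider_arn)
    if not role:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not provider:
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    if role.group(1) != provider.group(1):
        raise ValueError("role and SAML provider belong to different AWS accounts")
    return {
        "https://aws.amazon.com/SAML/Attributes/Role": f"{role_arn},{provider_arn}",
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": session_name,
    }


def websso_trust_policy(provider_arn):
    """Trust policy equivalent to what the 'Grant Web Single Sign-On' wizard creates."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_provider_arn):
    """Return the ways a trust policy is broader than a single-provider WebSSO trust."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if _as_list(federated) != [expected_provider_arn]:
            findings.append(f"principal {principal!r} is not exactly the SAML provider")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithSAML"]:
            findings.append(f"action {stmt.get('Action')!r} is not limited to sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if AWS_SAML_AUDIENCE not in _as_list(aud):
            findings.append("missing StringEquals SAML:aud condition")
    return findings


if __name__ == "__main__":
    provider = "arn:aws:iam::123456789012:saml-provider/OctopusAuthenticator"  # placeholder
    role = "arn:aws:iam::123456789012:role/OctopusSSO"                          # placeholder
    print(json.dumps(saml_attributes(role, provider, "alice@example.com"), indent=2))
    policy = websso_trust_policy(provider)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, provider))
```

Run `trust_policy_findings` over the trust policy shown in the “Verify role trust” step (it can also be fetched later with `aws iam get-role`); an empty list means the role can only be assumed through your SAML provider, for the AWS sign-in audience, which is the narrow trust the wizard intends.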