Protecting AWS IAM Identity Center Access with SGNL and an IdP

Introduction

Protected Systems are applications, services, or infrastructure that you want to protect with SGNL. In this guide, we’ll describe how to achieve fine-grained access control inside of AWS Identity Center with SGNL, enabling dynamic, contextual access to infrastructure and data inside of AWS. 

AWS Identity Center (formerly AWS Single Sign-On) provides a central place to manage access to multiple AWS accounts and business applications. When integrated with SGNL, you can implement attribute-based access control (ABAC) that dynamically assigns permissions based on user attributes, group memberships, and other contextual factors. Note that this guide is for AWS Identity Center integrations — if you’re using AWS IAM instead, please see this documentation.

With this integration, AWS Identity Center needs not know about the policies, systems of record, or any of the data in SGNL - it simply needs to pass to SGNL:

  • Who/What is requesting the access (The Principal)
  • (Optional) What is attempting to be accessed (The Asset)
  • (Optional) What operation is being attempted on the asset (The Action)
  • An access token that ensures the Protected System is a legitimate caller into SGNL

Prerequisites

  • An AWS Organization with AWS Identity Center enabled
  • An Identity Provider (Okta, Entra ID, PingFederate, or other supported IdP)
  • A SGNL Client
  • A SGNL User Account with Admin privileges
  • At least 1 system of record integrated to SGNL, containing principals and (optionally) assets that will be evaluated in access evaluations
  • (Optional) 1 or more policies that you want assigned to the integration

Creating a Protected System in SGNL

  1. Login to your SGNL Client with an Admin Account
  2. From the left navigation pane, select Protected Systems and Add, or simply click Add from the SGNL Dashboard
  3. Select ‘AWS’ from the Infrastructure category in the list of integrations
  4. Give your integration a descriptive display name and description
  5. Specify the Default Policy to be applied to your App
    • Allow: If no policies provide a decision for an access request, SGNL will respond to the access request with an Allow decision
    • Deny: If no policies provide a decision for an access request, SGNL will respond to the access request with a Deny decision
  6. Next, you’ll need to configure which identifier your IdP is using to describe your user/principal
    • This is likely your IdP user’s email address or login name. This should be in the format of the Principal ID of the user that will request access to the Protected System.
    • e.g. If an IdP user will be requesting access to this Protected System, AWS, with the Principal ID as their email address, the principal identifier should be the IdP email address.
  7. You’ll also need to define the identifiers for the types of Assets that you are looking to protect
    • This might be customer identifiers sourced your CRM system, or products that your customers are buying
  8. Once configured, click Continue to save your configuration and move on to other configuration steps

Configuring Authentication

  1. Authentication ensures that only authorized systems can make requests into SGNL, as well as verifying the identity of an integration in order to effectively evaluate Policies - to access Authentication settings, open your AWS protected system and select the Authentication tab

    SGNL - Authentication

  2. Click Generate Token

  3. Give your token a descriptive name so that you know how it’s being used in the future and click to Generate Token

    SGNL - Generate Token

  4. On the next screen, copy the token - this will be used by your IdP to make access requests to SGNL using the SGNL Access Service API

    Note: The value of this token is not available again after this screen, so ensure you securely store it for steps later in this guide

    SGNL - Token

Setting Up AWS Identity Center

  1. In the AWS Identity Center console, click on Permission Sets.
  2. Select Create permission set and choose Custom permission set.
  3. Select Inline policy to expand it, then create a policy for the permission set using the aws:PrincipalTag condition key. Here, we will set the value of the attribute https://aws.amazon.com/SAML/Attributes/AccessControl:{AttributeName} through SGNL — dynamically applies permissions depending on the tags passed in by your IdP. Here is more information on Conditions in AWS Policies with aws:PrincipalTag. Here is an example policy that assigns Allow_All, Deny_All, or Allow_S3_Only access based on SGNL’s dynamic access control response, where sgnlRole is the tagValue that SGNL will pass in values for:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"*"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"aws:PrincipalTag/sgnlRole": "Allow_All"
				}
			}
		},
		{
			"Effect": "Deny",
			"Action": [
				"*"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"aws:PrincipalTag/sgnlRole": "Deny_All"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": "s3:*",
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"aws:PrincipalTag/sgnlRole": "Allow_S3_Only"
				}
			}
		}
	]
}
  1. Review and create the permission set.
  2. Assign this permission set to the AWS accounts you want to protect.
  3. Ensure that Attribute-Based Access Control (ABAC) is enabled within AWS Identity Center. Follow this AWS guide to enable it.

Integrating Your Identity Provider with SGNL Transforms

SGNL integrates with Identity Providers at sign-in time to dynamically assign permissions, roles, tags, or other permission granting objects for AWS Identity Center Access. We provide support across Okta, Entra ID, and Ping Identity to dynamically assign these permissions.

Before setting up your Transforms in SGNL:

  1. Start by going to the Settings tab, and ensure that the Asset(s) being returned in the Request Configuration section are those that you want handed back to your IdP (e.g. Okta or Entra) during SSO
    • Note: Transforms only manipulate the response provided by the asset search API for the chosen Protected System, they don’t allow additional querying/extraction of data from the request, from the SGNL Graph, or other sources
  2. At this time, you might want to make a request to the asset search API to ensure that you’re returning the data you expect (or that your users actually have access to the data you expect)
  3. You’re ready to configure your SGNL Transform!

Configuring Okta with SGNL for AWS Identity Center

This guide assumes you already have Okta integrated with AWS Identity Center for SAML SSO. If that’s not the case, refer to AWS Documentationto get that configured.

Once configured, SGNL integrates with Okta via Inline Hooks on the Okta side, and SGNL Transforms (and optionally, Provider Hooks) on the SGNL side.

SGNL Transforms are available on the Protected System you created above, within the ‘Transforms’ Menu. To create a transform suitable for an Okta Inline Hook, you’ll want to:

  1. Navigate to ‘Transforms’ in the SGNL Protected System and choose ‘Select a Search Transform’
  2. Select ‘Okta SAML’
  3. (Optional) Give the Transform a new Display Name
  4. Configure the ‘Request’ section, defining fields from the Okta Inline Hook Payload (Sample) that you want to map to a SGNL Search API Request
    1. Id refers to the Principal Id, so you’ll want to select an attribute from the Inline Hook Payload the refects the Principal Id you’ve configured in the Request config for the Protected System, this is commonly Okta login ({$.data.context.user.profile.login}) or email ({$.data.context.user.profile.email}) other common options are available in the + menu
    2. You can add the IP Address from the payload, if useful for policy decisions or simply for access log metadata, IP Address is available using {$.data.context.request.ipAddress}
    3. Finally, choose the action you want to use, this is commonly a static string such as access or assumeRole, but it could be any of the attributes in the hook payload, using a method similar to the above
  5. Next, you’ll want to configure how the SGNL Search API response should be formatted to return data to the Okta Inline Hook within the Response section. Pay special attention to the required Path value, which is required to configure ABAC with AWS Identity Center.
    1. Select an ‘Add’ operation to add assertions to the resulting SAML Payload from Okta
    2. Next, select an Asset from the SGNL search API response that you want to turn into a claim in the Okta token, this could represent an AWS Role, Tag, or something else, optionally – choose to give that Asset a custom name, for simplified explainability in the following steps
    3. Set the ‘Path’ to be /claims/https:~1~1aws.amazon.com~1SAML~1Attributes~1AccessControl:{tagValue}, where tagValue matches the principal tag you specified in the permission set created in AWS Identity Center (e.g. sgnlRole in the above example for the aws:PrincipalTag condition key). This enables AWS Identity Center’s ABAC you enabled above to assign dynamic access based on the value returned by SGNL.
    4. Lastly, you’ll want to specify the value – this is likely to be an attribute on your asset response. Based on the example permission set provided in the Setting Up AWS Identity Center section, this value will typically be one of the following: "Allow_All", "Deny_All", or "Allow_S3_Only". The specific value determines the level of access granted when a user matches the SGNL policy. Note that this field supports parameters from your asset response, so this value can be returned using a parameter like {$.SNOWCI.correlationId} where the ServiceNow correlationID contains the value dynamically as retrieved from ServiceNow.
  6. Continue to add more responses as you might need, or hit save to finalize the configuration
  7. You can now (optionally) configure a Provider Hook and associate with this Transform – Provider Hooks have the benefit of requiring only a single Okta Inline Hook for multiple Protected Systems inside of SGNL

Once your SGNL Transform is configured, you can proceed to configure the Inline Hook within Okta, using the Token you copied from your Protected System above. Steps to create the Okta Inline Hook are available in Okta’s Help Documentation, ensuring that you specify HTTP Header Authentication with a Header name of ‘Authorization’ and a value that contains ‘Bearer ’ and then the token you copied from your Protected System.

Configuring Entra ID with SGNL for AWS Identity Center

This guide assumes you already have Entra ID integrated with AWS Identity Center for SAML SSO. If that’s not the case, refer to AWS Documentation to get that configured.

First, configure SGNL Transforms for Entra ID:

  1. Follow the steps outlined in this guide to configure Transforms with Entra ID. When you get to step 3 on configuring the Name, make sure that whatever Claim Name you return, you must have a matching Claim Name configured in the Entra ID Custom Claim Provider, you’ll get to that as part of the Provider Hook Configuration. For instance, this could be sgnlClaim if you create an Entra custom Claims Provider with a matching claim name.
  2. In the Value field, specify the value of the claim that you want passed in this path – this is likely to be an attribute on your asset response. Based on the example permission set provided in the Setting Up AWS Identity Center section, this value will typically be one of the following: "Allow_All", "Deny_All", or "Allow_S3_Only". The specific value determines the level of access granted when a user matches the SGNL policy. Note that this field supports parameters from your asset response, so this value can be returned using a parameter like {$.SNOWCI.correlationId} where the ServiceNow correlationID contains the value dynamically as retrieved from ServiceNow.
  3. Once you’re done configuring, you can hit save, this will allow you to proceed to configuring a Provider Hook for Entra ID

Next, configure a custom attribute in Entra ID using your Custom Claims Provider:

  1. Follow this AWS Documentation to create a new claim with the Name set to AccessControl:AttributeName as specified. For instance, with the example permission set provided in the Setting Up AWS Identity Center section, your attribute name would be sgnlRole as this is the principal tag you want passed in to determine access. Your configuration should look like this:
    1. Set the Name of the attribute to AccessControl:{attribute-name} where you define {attribute-name} following your needs. E.g. AccessControl:sgnlRole
    2. Set the Namespace to https://aws.amazon.com/SAML/Attributes
    3. Set the Source to Attribute
    4. Set your Source attribute to be the custom claims provider (e.g. customclaimsprovider.sgnlClaim) you created when setting up your Provider Hook for Entra ID above.
      • Note: This is important as your Source attribute must point to your custom claims provider to pull in information from SGNL through the Provider Hook you configured.

Assigning Policies

  1. Once the AWS integration is created, you can start assigning versions of Policies - to get started, select Policies from the tabs in your newly created integration

    SGNL - Policies

  2. Select ‘Assign Policies’

  3. Select:

    • The Policies you want to apply to the integration with the check box
    • The version of the Policy you want applied

    SGNL - Select Policies

  4. Click Next once you have the Policies and Versions configured as is appropriate

  5. Select the Enforcement mode for the Policies you chose in the previous step

    • Simulated: Policy Versions that are being simulated will only log their access decision in the SGNL logs and will not impact the access decision that SGNL hands back to an integration. Simulated policies are useful for performing what-if analysis of new policy versions as well as debugging policy changes.

      Note: It’s considered best practice to start with policies in Simulated mode, to verify that policies have been created an applied as expected

    • Enforced: Policy Versions that are being enforced will impact the access decisions that SGNL hands back to an integration. Enforced Policies will determine access for an integration

    SGNL - Set Enforcement

  6. Select your desired Enforcement mode and select Assign

  7. Versions of Policies will now be Assigned to your integration

    SGNL - Policy Assignments

Testing the Integration

  1. Log in to your Identity Provider portal (e.g. https://myapps.microsoft.com/ for Entra ID)
  2. Access the AWS Identity Center application.
  3. Verify that permissions are applied based on SGNL policies. Check SGNL Access Logs to see that an Allow decision is returned when your test user complies with SGNL policies. In the Transforms tab in the Access Logs, you can also see the Transformed request/response from your IdP.