SSO - Amazon Web Services (AWS)

Allow Foxpass users to log in to AWS via SSO

SSO Configuration

Configuring AWS as a service provider

  1. Click the 'enable' button for Amazon Web Services on the SSO - Service Providers page.
  2. Click on the 'IDP Metadata XML' button to download the Foxpass IDP Metadata XML file.
  3. Log in to your AWS account, go to IAM Management console, and under Access Management, click on Identity Providers. Click 'Add Provider' button on the top right, select provider type as "SAML", enter provider name as "Foxpass" and for the Metadata document, select the metadata file downloaded from step 3.
  1. In your AWS account, go to the Identity Providers page, select 'foxpass'. In the next screen, click on the 'Assign Role' button on the top right and select the "Create a new role" option.

Select foxpass as your SAML provider and select the option "Allow programmatic and AWS Management Console access". Click on Next: Permissions.

Select any necessary permissions or Administrator access depending on your requirements. Click on the Next: tags button, add any tags you want, and then click on the 'Next: review' button. Give a role name such as foxpass-sso-role and then click on the 'Create role' button.

  1. A. Go to your AWS roles page, select the newly created role such as foxpass-sso-role and copy the Role ARN as shown on the top.
    B. Go to your AWS identity providers page, select foxpass, and copy the ARN as shown under the Summary section.

  2. Go to Foxpass Console, SSO Service providers settings page, click on the 'Configure' button under Amazon Web Services to open the configuration dialog. In the Custom fields, add the following key-value pair (note the comma between the ARNs):

key: aws_iam_info
value: ARN_ROLE_FROM_STEP_5A,ARN_IDENTITY_PROVIDER_FROM_STEP_5B

Optionally select any specific Users or Groups to be allowed for SSO and then click the Save button.

SSO Terminal Login / utility

Users can use the Foxpass SSO command-line utility to log in or get temporary tokens from their configured service providers such as obtaining temporary AWS credentials. Copy your SSO API key from the Foxpass Console's Service Provider page and then install the Command line utility via the command shown below.

curl https://foxpass-sso.s3.amazonaws.com/1.0/install.sh --output install.sh && sudo bash install.sh <SSO_API_KEY>
[email protected] % python3 foxpass_sso.py
Enter Foxpass Login Email ([email protected]):       
Enter Foxpass Password: 
Password: 
Enter Foxpass MFA code: 123456
List of available Service Providers: "Amazon Web Services (AWS)"
Enter Service Provider (Amazon Web Services (AWS)): 
----------------------------------------------------------------------------------------------------
Your AWS configuration file /Users/user/.aws/credentials has been updated with the STS token and will expire at 2021-04-08T19:07:44Z.
Example usage: aws --profile foxpass-profile s3 ls
----------------------------------------------------------------------------------------------------
[email protected] % aws --profile foxpass-profile s3 ls
2020-10-03 19:34:27 test-file

Do not hesitate to reach out to us if you have any feedback or issues.