AWS Multiple Accounts SAML based User Federation using Keycloak

Karanbir Singh
3 min read · Nov 20, 2020

Introduction

This post continues the previous one, which covered SAML-based federation between Keycloak and a single AWS account. It covers the same setup, but for multiple AWS accounts. Read the previous article first; the steps below refer back to it.

Prerequisites

  1. You should have a real need to federate an identity provider with multiple AWS accounts using a SAML-based setup.
  2. Working knowledge of AWS, AWS IAM, SAML, identity and access management in general, Keycloak, etc.

Scope

  1. Configuration setup of Identity Provider on the AWS side.
  2. Role management on the AWS IAM side.
  3. Configuration setup on the Keycloak side.
  4. Mapping of users, groups and roles on the Keycloak side.

Out of Scope

  1. Setting up the Keycloak server itself is strictly out of scope; this article only configures it.
  2. Setting up the AWS accounts is also out of scope. 😃

Steps

  1. Repeat this step in every AWS account. It is the same as the section of the previous post titled AWS Add & Setup Identity Provider, Create Role(s). In a nutshell, the important parts are:
    - Configure the same identity provider (the Keycloak SAML metadata) in every AWS account.
    - Configure the roles in every account individually (role names can be the same or different). Note the Role ARN and the Identity Provider ARN of every account; both are needed for the Keycloak mapping.
  2. Next, map the roles from the different accounts in Keycloak. Most of this is the same as the previous post's Keycloak role mapping, group and user setup. The important parts are:

Add the roles from the different AWS accounts one at a time, repeating the process from the previous post for each role.

The role mapping is the same as before, only with several roles. Each role's value is the role ARN followed by the identity provider ARN of the same account, separated by a comma, so the account number inside the value shows which account a role belongs to. A pair that mixes a role from one account with the provider of another will not work at sign-in.
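The two steps above, as an added example in Python that is not part of the original post: it builds the trust policy for the role created in each account, assembles and checks the Keycloak Role attribute values (role ARN and provider ARN of the same account, comma-separated), and groups the roles carried by a constructed sample assertion by account, which is what the AWS role chooser does for a multi-account user. The account IDs 111111111111 and 222222222222, the role names KeycloakAdmin and KeycloakReadOnly, the provider name Keycloak and the sample assertion are all made up.

```python
"""Added example: build and check the AWS SAML artefacts for a multi-account
Keycloak federation. Account IDs, role and provider names are made up."""
import json
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Attribute names and audience are fixed by AWS, not chosen in Keycloak.
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Captures the 12-digit account ID and the resource type of an IAM ARN.
# Commas are deliberately excluded from the name so the 'role,provider'
# value can be split unambiguously.
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")


def parse_arn(arn):
    """Return (account_id, resource_type); raise ValueError on anything else."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError("not an IAM role/saml-provider ARN: %r" % arn)
    return m.group(1), m.group(2)


def trust_policy(provider_arn):
    """Trust policy for the role created in ONE account (step 1 above).

    Only the SAML provider of that account may assume the role, and only
    with an assertion addressed to the AWS sign-in audience.
    """
    parse_arn(provider_arn)  # fail early on a mistyped provider ARN
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(role_arn, provider_arn):
    """One Keycloak 'Role' attribute value: '<role-arn>,<provider-arn>'.

    AWS needs both ARNs to live in the same account, so a pair that mixes
    accounts is rejected here instead of failing later at sign-in.
    """
    role_acct, role_type = parse_arn(role_arn)
    prov_acct, prov_type = parse_arn(provider_arn)
    if role_type != "role" or prov_type != "saml-provider":
        raise ValueError("expected a role ARN followed by a saml-provider ARN")
    if role_acct != prov_acct:
        raise ValueError("role account %s != provider account %s" % (role_acct, prov_acct))
    return "%s,%s" % (role_arn, provider_arn)


def roles_by_account(assertion_xml):
    """Group the Role attribute values of an assertion by account ID.

    This mirrors the AWS role-chooser page. Use defusedxml instead of
    xml.etree for assertions you did not construct yourself.
    """
    root = ET.fromstring(assertion_xml)
    grouped = defaultdict(list)
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            parts = (val.text or "").strip().split(",")
            if len(parts) != 2:
                raise ValueError("Role value must be '<role-arn>,<provider-arn>': %r" % val.text)
            role_attribute_value(parts[0], parts[1])  # validates the pair
            grouped[parse_arn(parts[0])[0]].append(parts[0])
    return dict(grouped)


# Constructed sample (no Signature, Subject or Conditions), shaped like the
# attribute statement Keycloak emits for a user mapped to three roles in
# two accounts.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/KeycloakAdmin,arn:aws:iam::111111111111:saml-provider/Keycloak</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111111111111:role/KeycloakReadOnly,arn:aws:iam::111111111111:saml-provider/Keycloak</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:role/KeycloakAdmin,arn:aws:iam::222222222222:saml-provider/Keycloak</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    print(json.dumps(trust_policy("arn:aws:iam::111111111111:saml-provider/Keycloak"), indent=2))
    for account, roles in sorted(roles_by_account(SAMPLE_ASSERTION).items()):
        print(account, roles)
```

The trust policy is what the role created in each account in step 1 should carry; `role_attribute_value` produces the strings that go into the Keycloak role mapping in step 2, one per role per account, and refuses the cross-account pairs that AWS would reject at sign-in.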

Demo

Now that you have reached this step, the IdP-initiated login link for your setup should look like the one below. The realm here is named demo; yours may be named differently.

https://YOUR_DOMAIN/auth/realms/demo/protocol/saml/clients/amazon-aws

After logging in, the AWS role-selection screen lists the roles from all the federated accounts:
(Screenshot: the role-selection screen showing multiple accounts.)

Please feel free to contact me on LinkedIn or reply to this article.


Karanbir Singh

API developer + Web Application developer + Devops Engineer = Full Stack Developer