Getting started

Creating an Organization

Creating Audit and Log Archive AWS Accounts

Management

Creating an AWS Account

Initial Setup

Billing Alerts

Configuring AWS SSO (IAM Identity Center)

Generating As-Built-Documentation

Environments

Configuring AWS Client VPN

Configuring Private Bastion

Deleting an Environment

Compliance

Configuring a standard

Reference

Choosing Email Addresses for your AWS Accounts

Checklist end-of-deployment

Configuring SSO for Microsoft Azure

Configuring SSO for G-Suite

Deploying Applications

Notification History

Removing Citadel Access from AWS Accounts

What’s deployed in my account

Troubleshooting

Common Issues

Finding the Root Cause of a Failed Job

Creating new environment failed

Fixing Network Access is not connecting to RDS

SSO G-Suite - Deploy Lambda Error

Common issues

Configure G-Suite single sign-on (SSO) integration with Amazon Web Services (AWS) - Lambda

⚠️

Before going through these steps, make sure you have followed the instructions to configure AWS SSO (IAM Identity Center).

Create Admin SDK API

First, you have to setup your API in the project you want to use:

Go to the Google console (https://console.cloud.google.com/);
Make sure you are managing the correct project. If don’t have a project, create one follow this instructions;
Create or select your project;
Select API & Services > Enable APIs and Services;

Search for Admin SDK and Enable the API;

Create a Service Accounts

Navigate to Google Cloud Admin at (https://console.cloud.google.com/);
Find IAM and admin in the left menu;
Select Service Accounts then Create Service Accounts;

Enter the following parameters:

Service account name;
Service account ID (mandatory);
Service account description (optional).

Click Create and Continue;
Click Done to finish the creation.

Service account created

Click the actions button (three dots on the right side of the account created) and select Manage keys;
Select ADD KEY and select Create new key;
Select JSON file and then CREATE;
The file will be saved to your computer. Store the file in a secure location;

For more information, look at the Google documentation about Service Accounts: https://developers.google.com/workspace/guides/create-credentials#service-account.

Set Domain-Wide Delegation

In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
Click Manage Domain Wide Delegation.
Click Add new and enter your service account client ID.
Enter these parameters:

Click Save.

Deploy Lambda for SSO

AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).

AWS Identity Center (SSO) can use other Identity Providers as well, such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.

This is the reason to use a Lambda project which will pull users and groups from Google and push them into AWS SSO.

Login to the AWS console;
Go to this link https://us-east-1.console.aws.amazon.com/lambda/home?region=us-east-1#/create/app?applicationId=arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync to install the Lambda application;
Enter the details for the fields:

‣

Application settings

Application name	Enter the name of your Application
GoogleAdminEmail	Enter the Google Admin Email
GoogleCredentials	Copy and paste the whole content of the credential json file to this field
IdentityStoreID	Get the ID in the AWS Identity Center (SS)
Region	AWS Region where AWS SSO is enabled
SCIMEndpointAccessToken	SCIM Endpoint Access Token is generated when you enable Automatic provisioning on AWS Identity Provider (SSO)
SCIMEndpointUrl	SCIM Endpoint URL is generated when you enable Automatic provisioning on AWS Identity Provider (SSO)
SSOSyncFunction	Google Workspace group filter query parameter, example: 'name:Admin* email:aws-*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
GoogleUserMatch	Google Workspace user filter query parameter, example: 'name:John* email:admin*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
IgnoreGroups	Enter “n/a” if you won’t use this parameter
IgnoreUsers	Enter “n/a” if you won’t use this parameter
IncludeGroups	Enter “n/a” if you won’t use this parameter
LogFormat	Enter “n/a” if you won’t use this parameter
LogLevel	Enter “n/a” if you won’t use this parameter
ScheduleExpression	Enter “n/a” if you won’t use this parameter
SyncMethod	Enter “n/a” if you won’t use this parameter

Select “I acknowledge that this app creates custom IAM roles”.

Click Deploy.

You have to perform this tutorial to create a service account that you use to sync your users. Save the JSON file you create during the process and rename it to credentials.json.

People also view

Configuring SSO for Microsoft Azure

On this page