Helping you populate AWS SSO directly with your Google Apps users
Runs on any platform that Go can build for.
As per the AWS SSO Homepage:
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.
Key part further down:
With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).
AWS SSO supports other Identity Providers as well, such as Google Apps for Domains. Although AWS SSO supports the SCIM protocol for populating users, it currently only has support for Azure AD as a SCIM source. However, SCIM is SCIM, right?
Unfortunately not, so this project provides a CLI tool (and, in the future, an AWS Lambda function) to pull users and groups from Google and push them into AWS SSO over SCIM. It handles removing users as well. The heavily commented code gives the detail of what it is going to do.
- SCIM Protocol RFC
- AWS SSO - Connect to Your External Identity Provider
- AWS SSO - Automatic Provisioning
You can `go get github.com/leepac/ssosync`
or grab a release binary from the release page.
You need a few items of configuration: one from AWS and one from Google Cloud / Apps, to allow API access to each. You should already have configured Google as your Identity Provider for AWS SSO.
Head to the Google Cloud Console for your domain (specifically APIs & Services -> Credentials) and create a project.
Creating a project takes a few seconds. Once it is complete, configure the consent screen (there will be a clear warning and button for it). Click through and select Internal. Give it a name and press Save; you don't need the rest.
Now go back to Credentials, click Create Credentials and select OAuth client ID. Select the type Other and provide a name. The credentials will be displayed; press OK, then use the download button and a JSON file will download.
THIS FILE IS SUPER IMPORTANT AND SECRET - KEEP IT SAFE
With this done, you can log in and generate a token.json file. This is done using the ssosync google
command. Its help output looks like this:
Log in to Google - use me to generate the files needed for the main command
Usage:
ssosync google [flags]
Flags:
-h, --help help for google
--path string set the path to find credentials (default "credentials.json")
--tokenPath string set the path to put token.json output into (default "token.json")
When you run the command, it prints a URL. Open it in a browser, sign in as a domain admin, and you'll get a string to paste back at the prompt. This generates the token.json file.
The token file is useless without the credentials file, but keep it safe too.
Back in the Console, go to the Dashboard for APIs & Services and select "Enable APIs and Services". In the search box type Admin, select the Admin SDK option, and click the Enable button.
Go to the AWS Single Sign-On console in the region where you have set up AWS SSO and select Settings. Click Enable automatic provisioning.
A pop-up will appear with the SCIM endpoint URL and the Access Token. The Access Token is only shown at this stage. Copy both into a text file with the .toml extension:
Token = "tokenHere"
Endpoint = "https://scim.eu-west-1.amazonaws.com/a-guid-would-be-here/scim/v2/"
The Access Token is a bearer credential for the SCIM endpoint: anyone holding it can create, change and delete users and groups in your AWS SSO identity store, so protect this file like credentials.json. It also expires (AWS SSO SCIM tokens are valid for one year), after which the sync will get 401 responses until you generate a new token under Settings.
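What ssosync does with these two values is ordinary SCIM 2.0: it maps each Google Directory user onto a SCIM User and POSTs it to the endpoint with the token as a bearer credential. The block below is an added example written for this page, not ssosync's own code. It assumes the Google-side fields (primaryEmail, givenName, familyName, suspended) that the Admin SDK Directory API returns, and uses a constructed in-process fake of the AWS endpoint (NewFakeSCIMServer) so it runs offline; the id format the fake returns is made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SCIMUser is the subset of the SCIM 2.0 core User schema (RFC 7643) that the
// AWS SSO identity store requires when a user is created.
type SCIMUser struct {
	ID          string   `json:"id,omitempty"`
	Schemas     []string `json:"schemas"`
	UserName    string   `json:"userName"`
	Name        Name     `json:"name"`
	DisplayName string   `json:"displayName"`
	Active      bool     `json:"active"`
	Emails      []Email  `json:"emails"`
}
type Name struct {
	GivenName  string `json:"givenName"`
	FamilyName string `json:"familyName"`
}
type Email struct {
	Value   string `json:"value"`
	Type    string `json:"type"`
	Primary bool   `json:"primary"`
}

// ToSCIM maps the Google Directory fields onto the SCIM User AWS SSO expects. A
// suspended Google account becomes an inactive SCIM user (kept, but cannot sign in).
func ToSCIM(primaryEmail, givenName, familyName string, suspended bool) SCIMUser {
	return SCIMUser{
		Schemas:     []string{"urn:ietf:params:scim:schemas:core:2.0:User"},
		UserName:    primaryEmail,
		Name:        Name{GivenName: givenName, FamilyName: familyName},
		DisplayName: strings.TrimSpace(givenName + " " + familyName),
		Active:      !suspended,
		Emails:      []Email{{Value: primaryEmail, Type: "work", Primary: true}},
	}
}

// CreateUser POSTs the user to <endpoint>/Users using the aws.toml token as a bearer
// credential and returns the id AWS assigns. The token can write the whole store.
func CreateUser(endpoint, token string, u SCIMUser) (string, error) {
	body, _ := json.Marshal(u)
	req, err := http.NewRequest(http.MethodPost, strings.TrimSuffix(endpoint, "/")+"/Users", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/scim+json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusCreated:
		var created SCIMUser
		err := json.NewDecoder(resp.Body).Decode(&created)
		return created.ID, err
	case http.StatusConflict: // a user with this userName already exists
		return "", fmt.Errorf("user %q already exists in AWS SSO", u.UserName)
	case http.StatusUnauthorized: // wrong token, or it expired / was regenerated
		return "", fmt.Errorf("SCIM token rejected; regenerate it under AWS SSO Settings")
	}
	return "", fmt.Errorf("unexpected status %d from SCIM endpoint", resp.StatusCode)
}

// NewFakeSCIMServer is a constructed stand-in for AWS so the example runs offline:
// it checks the bearer token, accepts only POST .../scim/v2/Users, and 409s repeats.
func NewFakeSCIMServer(token string) *httptest.Server {
	seen := map[string]bool{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		var u SCIMUser
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, "/scim/v2/Users") ||
			json.NewDecoder(r.Body).Decode(&u) != nil || u.UserName == "" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		if seen[u.UserName] {
			w.WriteHeader(http.StatusConflict)
			return
		}
		seen[u.UserName] = true
		u.ID = fmt.Sprintf("fake-%d", len(seen)) // constructed id, not AWS's format
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(u)
	}))
}
```

Point CreateUser at the real Endpoint and Token from aws.toml and the same request goes to AWS. Note that a 409 on create is the normal signal that a user was synced previously, which is why a sync tool has to list or look up existing users and update them rather than blindly re-create; and a 401 from an endpoint that used to work almost always means the token has expired or been regenerated.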
Usage:
Running ssosync with no sub-command runs the sync process. Its help output looks like this:
A command line tool to enable you to synchronise your Google
Apps (G-Suite) users to AWS Single Sign-on (AWS SSO)
Usage:
ssosync [flags]
ssosync [command]
Available Commands:
google Log in to Google
help Help about any command
Flags:
-d, --debug Enable verbose / debug logging
-c, --googleCredentialsPath string set the path to find credentials for Google (default "credentials.json")
-t, --googleTokenPath string set the path to find token for Google (default "token.json")
-h, --help help for ssosync
-s, --scimConfig string AWS SSO SCIM Configuration (default "aws.toml")
Use "ssosync [command] --help" for more information about a command.