@leepa
Created May 8, 2020 10:57
SSO Sync

Helping you populate AWS SSO directly with your Google Apps users

Runs on any platform that Go can build for.

Why?

As per the AWS SSO Homepage:

AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

Key part further down:

With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).

AWS SSO supports other identity providers as well, such as Google Apps for Domains (G Suite). Although AWS SSO supports the SCIM protocol for provisioning users, at the time of writing its automatic provisioning is only documented for Azure AD. However, SCIM is SCIM, right?

Unfortunately not, so this project provides a CLI tool (and, in future, an AWS Lambda function) to pull users and groups from Google and push them into AWS SSO over its SCIM endpoint. It handles removing users as well. The heavily commented code gives you the detail of what it is going to do.

References

Installation

You can go get github.com/leepac/ssosync or grab a release binary from the release page.

Configuration

You need a few items of configuration: one set from AWS and the other from Google Cloud / G Suite, to allow API access to each side. You should already have configured Google as your identity provider for AWS SSO.

Google

Head to the Google Cloud Console for your domain (specifically APIs & Services -> Credentials) and create a project.

Creating the project takes a few seconds. Once it is complete, configure the consent screen (there will be a clear warning and a button for it). Click through and select Internal, which limits the OAuth app to accounts in your own G Suite organisation. Give it a name and press Save; you don't need the rest.

Now go back to Credentials, click Create Credentials and select OAuth client ID. Select the type Other and provide a name. The credentials will be displayed; press OK, then use the download button and a JSON file will download.

THIS FILE IS SUPER IMPORTANT AND SECRET - KEEP IT SAFE

With this done, you can log in and generate a token.json file. This is done using the ssosync google command. Its help output looks like this:

Log in to Google - use me to generate the files needed for the main command

Usage:
  ssosync google [flags]

Flags:
  -h, --help               help for google
      --path string        set the path to find credentials (default "credentials.json")
      --tokenPath string   set the path to put token.json output into (default "token.json")

When you run the command, it prints a URL to visit. Open it, authorise the app, and you'll get a string to paste back at the prompt. This generates the token.json file.

The token file is useless without the credentials file, but keep it safe: together they grant whatever Admin SDK access you authorised, with no further login, so restrict both files to your own user (chmod 600) and keep them out of version control.

Back in the console, go to the APIs & Services dashboard and select "Enable APIs and Services". In the search box type Admin and select the Admin SDK option. Click the Enable button.

AWS

Go to the AWS Single Sign-On console in the region where you set up AWS SSO and select Settings. Click Enable automatic provisioning.

A pop-up will appear with the SCIM endpoint URL and the Access Token. The Access Token is only shown at this stage, and AWS SSO SCIM tokens expire after one year, so plan to rotate it. Copy both into a text file with the extension .toml, restricted to your own user (chmod 600), since the token is a bearer credential for your SSO directory:

Token    = "tokenHere"
Endpoint = "https://scim.eu-west-1.amazonaws.com/a-guid-would-be-here/scim/v2/"
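To make concrete what the sync does with this file, here is an added example (my own code, not taken from the ssosync project) of a minimal Go client for the AWS SSO SCIM endpoint: it sends the Token as a bearer credential, looks a user up by userName with a SCIM filter, and creates the user only if absent. The resource fields, the filter syntax and the 200/201 status codes follow the SCIM 2.0 RFCs rather than anything specific to ssosync; the find-or-create EnsureUser flow, the refusal of a non-https Endpoint, and the user values in main are my assumptions, and the endpoint and token in main are the placeholders from the aws.toml above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// SCIMConfig holds the two keys written to aws.toml in the AWS step above.
type SCIMConfig struct {
	Token    string
	Endpoint string
}

// SCIMName and SCIMUser are the subset of the SCIM 2.0 core User resource (RFC 7643) needed here.
type SCIMName struct {
	GivenName  string `json:"givenName"`
	FamilyName string `json:"familyName"`
}
type SCIMUser struct {
	Schemas     []string `json:"schemas"`
	ID          string   `json:"id,omitempty"`
	UserName    string   `json:"userName"`
	DisplayName string   `json:"displayName"`
	Name        SCIMName `json:"name"`
}

// SCIMClient issues bearer-authenticated requests relative to the SCIM base URL.
type SCIMClient struct {
	Cfg  SCIMConfig
	HTTP *http.Client
}

// do sends one request and decodes the reply into out. Any status other than want is an
// error carrying the response body (so a 401 from a bad or expired token is obvious) but never the token.
func (c *SCIMClient) do(method, path string, body io.Reader, out interface{}, want int) error {
	if c.Cfg.Token == "" || !strings.HasPrefix(c.Cfg.Endpoint, "https://") {
		return fmt.Errorf("aws.toml needs a Token and an https Endpoint (the token is a bearer credential)")
	}
	req, err := http.NewRequest(method, strings.TrimSuffix(c.Cfg.Endpoint, "/")+"/"+path, body)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+c.Cfg.Token)
	req.Header.Set("Content-Type", "application/scim+json")
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != want {
		msg, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("%s %s: HTTP %d: %s", method, path, resp.StatusCode, strings.TrimSpace(string(msg)))
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// FindUser looks a user up by userName with a SCIM filter; (nil, nil) means absent.
func (c *SCIMClient) FindUser(userName string) (*SCIMUser, error) {
	filter := `userName eq "` + strings.ReplaceAll(userName, `"`, `\"`) + `"`
	var list struct {
		Resources []SCIMUser `json:"Resources"`
	}
	path := "Users?" + url.Values{"filter": {filter}}.Encode()
	if err := c.do(http.MethodGet, path, nil, &list, http.StatusOK); err != nil {
		return nil, err
	}
	if len(list.Resources) == 0 {
		return nil, nil
	}
	return &list.Resources[0], nil
}

// EnsureUser creates u unless a user with that userName exists; the bool reports whether a create happened.
func (c *SCIMClient) EnsureUser(u SCIMUser) (*SCIMUser, bool, error) {
	if existing, err := c.FindUser(u.UserName); err != nil || existing != nil {
		return existing, false, err
	}
	u.Schemas = []string{"urn:ietf:params:scim:schemas:core:2.0:User"}
	payload, err := json.Marshal(u)
	if err != nil {
		return nil, false, err
	}
	var created SCIMUser
	if err := c.do(http.MethodPost, "Users", bytes.NewReader(payload), &created, http.StatusCreated); err != nil {
		return nil, false, err
	}
	return &created, true, nil
}

func main() {
	// Constructed values in the shape of aws.toml above; against AWS this placeholder token yields a 401.
	cfg := SCIMConfig{Token: "tokenHere", Endpoint: "https://scim.eu-west-1.amazonaws.com/a-guid-would-be-here/scim/v2/"}
	c := &SCIMClient{Cfg: cfg, HTTP: http.DefaultClient}
	_, created, err := c.EnsureUser(SCIMUser{UserName: "jane.doe@example.com", DisplayName: "Jane Doe", Name: SCIMName{"Jane", "Doe"}})
	fmt.Println("created:", created, "err:", err)
}
```

In a real sync the SCIMUser values would come from the Google Admin SDK (primary email as userName, given and family name from the directory entry); that mapping is an assumption here, not a description of what ssosync does. Note that a wrong or expired token surfaces as an HTTP 401 in the error, which is the first thing to check when a run that used to work starts failing.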

Usage:

The default for ssosync, with no subcommand, is to run through the sync process. Its help output looks like this:

A command line tool to enable you to synchronise your Google
Apps (G-Suite) users to AWS Single Sign-on (AWS SSO)

Usage:
  ssosync [flags]
  ssosync [command]

Available Commands:
  google      Log in to Google
  help        Help about any command

Flags:
  -d, --debug                          Enable verbose / debug logging
  -c, --googleCredentialsPath string   set the path to find credentials for Google (default "credentials.json")
  -t, --googleTokenPath string         set the path to find token for Google (default "token.json")
  -h, --help                           help for ssosync
  -s, --scimConfig string              AWS SSO SCIM Configuration (default "aws.toml")

Use "ssosync [command] --help" for more information about a command.