Associating Cloudivize to your AWS Account

Cross-Account IAM Role for Access Management

To create a role in the owning account to be managed by Cloudivize, follow these steps 

Single-Sign-On Configuration

 

This feature requires an Enterprise subscription.

Organizations that manage users and roles in AWS SSO (see AWS SSO Features) can configure Cloudivize to connect directly to their AWS SSO and inherit the users and permissions from there. In this mode, the customer does not need to provide IAM roles to associate with their AWS accounts, since the account credentials are pulled from the AWS SSO service.

By connecting Cloudivize to your AWS SSO, Cloudivize will know how to authenticate users from your AWS account and can also pull the authorization (permission) definitions from AWS SSO. Thus, any permission granted to an SSO user to access an AWS account is automatically reflected in Cloudivize.

 

Recommended reading before configuring Cloudivize AWS SSO:

https://aws.amazon.com/blogs/security/introducing-aws-single-sign-on/

To configure Cloudivize to use AWS SSO, there are two sides you need to handle.

1. AWS Management Console

  • Go to the AWS Single Sign-On service

  • From the Dashboard, copy the User portal URL; you will need it later when configuring your Cloudivize account

  • Define Cloudivize as an application (Applications -> “Add a new application” -> “Add a custom SAML 2.0 application”)

  • In “Display name”, type “Cloudivize” (or any other name you want to give; note that users in your account need to be able to identify this as the Cloudivize application)

  • In the AWS SSO metadata section, download the AWS SSO SAML metadata file; you will need it later when configuring Cloudivize

  • In Application metadata, click the “manually” link to continue your configuration

  • In Application ACS URL, type https://login.cloudivize.com/CloudivizeSAML/racs/sso

  • In Application SAML audience, type https://login.cloudivize.com/CloudivizeSAML/racs

  • Click Save

  • Saving opens the application page; switch to Attribute mappings

  • In Subject value, type ${user:subject}

  • Add an attribute named firstname with value ${user:givenName}

  • Add an attribute named email with value ${user:email}

This completes the SAML application definition. You can now assign (grant) users to this application from the Assign users tab.

2. Cloudivize Account Settings:

  • Check the SSO Account check box

  • In Start URL, type the "User portal URL" you copied in the steps above (format https://d-XXXX.awsapps.com/start)

  • In Start Region, select the AWS Region where you installed your AWS SSO directory

  • Import the metadata file (AWS SSO SAML metadata file) you downloaded above

You are ready to go: users defined in your organization's AWS SSO can now use Cloudivize.
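The ACS URL and the SAML audience above differ only by the trailing /sso, so they are easy to swap. The following added example (not Cloudivize or AWS code) checks a SAML response against the values from the steps above. It assumes you copied the base64 SAMLResponse form field from a test sign-in in your browser's developer tools and that the assertion is not encrypted. The function names are hypothetical and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Values typed into the AWS SSO application in the steps above.
ACS_URL = "https://login.cloudivize.com/CloudivizeSAML/racs/sso"
AUDIENCE = "https://login.cloudivize.com/CloudivizeSAML/racs"
REQUIRED_ATTRS = ("firstname", "email")
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response):
    """Return a list of mismatches (empty list = configuration looks right).
    Structural check only: it does not verify the XML signature."""
    # Parse only a response you captured yourself; for XML from an untrusted
    # source use a hardened parser such as defusedxml.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the ACS URL")
    recipients = {d.get("Recipient")
                  for d in root.iterfind(".//a:SubjectConfirmationData", NS)}
    if recipients != {ACS_URL}:
        problems.append("Recipient is not the ACS URL")
    audiences = {(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)}
    if AUDIENCE not in audiences:
        problems.append("Audience is not the SAML audience")
    name_id = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS)
    if not (name_id or "").strip():
        problems.append("Subject NameID is empty")
    for name in REQUIRED_ATTRS:
        path = ".//a:Attribute[@Name='%s']/a:AttributeValue" % name
        if not any((v.text or "").strip() for v in root.iterfind(path, NS)):
            problems.append("attribute %s is missing or empty" % name)
    return problems

def constructed_response(destination, audience, attrs):
    """Build a minimal, unsigned, constructed SAML response for the demo."""
    attr_xml = "".join(
        '<a:Attribute Name="%s"><a:AttributeValue>%s</a:AttributeValue>'
        '</a:Attribute>' % kv for kv in attrs.items())
    xml = ('<p:Response xmlns:p="%s" xmlns:a="%s" Destination="%s"><a:Assertion>'
           '<a:Subject><a:NameID>jdoe</a:NameID><a:SubjectConfirmation>'
           '<a:SubjectConfirmationData Recipient="%s"/></a:SubjectConfirmation>'
           '</a:Subject><a:Conditions><a:AudienceRestriction><a:Audience>%s'
           '</a:Audience></a:AudienceRestriction></a:Conditions>'
           '<a:AttributeStatement>%s</a:AttributeStatement></a:Assertion>'
           '</p:Response>' % (NS["p"], NS["a"], destination, destination,
                              audience, attr_xml))
    return base64.b64encode(xml.encode()).decode()
```

An empty result only means the fields match the configuration; it says nothing about whether the response is authentic, which depends on signature validation against the imported metadata.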

 

 

Critical Details:

  • The first Administrator who signed up to Cloudivize and configured the AWS SSO settings has to log out and log back in with their SSO credentials. The root account from the Cloudivize signup will remain active for administration actions. Later, you can use this account to grant the Administrator role and permissions to other SSO users.

  • The SSO configuration will disable any other configuration you may have set up to associate Cloudivize with your AWS account. Once SSO is configured, users defined in your AWS SSO can use this Cloudivize account.

  • SSO users need to log in first in order to appear in the account users (Manage Users). After that, an Administrator can change their roles if needed. Note that Manage Users changes do not affect AWS SSO; they apply on the Cloudivize side only.

Copyright © Cloudivize Technologies LTD. 2020. All Rights Reserved
