AWS SSO
This document will walk you through the steps to add Incident Response to AWS SSO Dashboard and configure SSO with SAML 2.0.
Users can use their AWS SSO credentials to sign in to Incident Response via Single Sign-On (SSO).
Points to Note:
- Only an Account Owner/Administrator can enable and configure SSO for an Organisation in Incident Response.
- Once SSO is enabled, only the Account Owners can use email-password-based login by default, although it can be configured to allow Administrators to use email-password-based login as well.
Setup Instructions
- Login to app.squadcast.com and navigate to Settings > Extensions. Click the Configure button under SSO.
- Select the Custom SAML 2.0 tab and click Show configuration guide for Custom SAML 2.0
- In your AWS account, navigate to AWS Single Sign-On
- Click on Add a new application
- Search for Incident Response, select it and click on Add application
- Next, copy the ACS URL from Incident Response; you will use it in your AWS SSO configuration next
- From the sidebar, select Applications
- In the Application Details section, provide a suitable Name and an optional Description
- In the Application Metadata section, click on If you do not have a metadata file, you can manually type your metadata values. Here, in the placeholders for both Application ACS URL and Application SAML audience, paste the previously copied ACS URL from Incident Response
- In the AWS SSO metadata section, copy the AWS SSO sign-in URL and download the AWS SSO certificate
- Click on Save changes
- Back in Incident Response, in the previously opened modal:
  - Paste the copied AWS SSO sign-in URL under SAML 2.0 Endpoint
  - Copy the contents of the downloaded AWS SSO certificate and paste it under X.509 Certificate
  - Enter the domain name of your Organization. Make sure to add the Domain Name of your Organization, for SSO login to work
  - Pick the Default New User Role that a newly provisioned user in Incident Response should be assigned by default. This could be either User, Admin or Stakeholder. If required, the User Role attribute can be modified manually for users later on from the Users page in Incident Response
  - If you want the Account Owner and/or Admins to be able to login to Incident Response using email-password aside from SSO, enable the checkboxes accordingly
  - Click on Save
  - Enable the toggle to activate the SSO integration
- Finally, in AWS SSO:
  - On the Applications page, click on Incident Response
  - Switch to the Attribute mappings tab and create mappings as shown in the screenshot below and click on Save changes. If you can send a custom key, role, from here with one of the values Admin, User or Stakeholder, the new user will be added with that role instead of the default User Role configured in Incident Response
  - Switch to Assigned users and add your users here
Members who log in to Incident Response through AWS SSO and are not already added as users of Incident Response will be added to Incident Response by default with User Role: User.
By default, all new users added to Incident Response via AWS SSO are added with User Role: User. You can add an Attribute Mapping to provision all new users as Admins or Stakeholders if you wish to do that. In addition to the previous Attribute Mappings, add User Role as an Attribute Mapping here, in the same manner, and Save changes:
  - User attribute in the application: role
  - Maps to this string value or user attribute in AWS SSO: either Admin or Stakeholder
  - Format: basic
- From the sidebar, now navigate to Dashboard. Here, you will be able to see your User portal URL that you can use to login into Incident Response
That is it, your AWS SSO configuration with Incident Response is now complete!
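To make the provisioning rules above concrete (the role attribute mapping, the fallback to the configured Default New User Role, and the Organization domain that must match for SSO login to work), here is an added illustrative example of how a SAML service provider could evaluate an incoming assertion. It is not Squadcast's own code and does not describe how Incident Response is implemented; the assertion below is a constructed sample, and the function names, the role attribute name "role" and the allowed values Admin, User and Stakeholder are taken from the steps above. It assumes the assertion's signature has already been verified against the X.509 certificate configured in the SSO modal; parsing attributes before that check is done would defeat the purpose of the certificate.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Role values the configuration steps allow the IdP to send in the "role" attribute.
ALLOWED_ROLES = {"Admin", "User", "Stakeholder"}

# Constructed sample assertion (not captured from a real AWS SSO session).
# Only the parts this example inspects are present; a real assertion also
# carries a Signature, Conditions and an AudienceRestriction.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return (name_id, {attribute_name: [values]}) from a SAML 2.0 assertion.

    Assumes the caller has already verified the XML signature over this
    assertion with the IdP certificate; this function only parses it.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def resolve_role(attrs, default_role):
    """Pick the role for a newly provisioned user.

    A single "role" attribute with one of the allowed values wins; anything
    else (missing, multi-valued, or an unknown value such as "Superuser")
    falls back to the Default New User Role configured in the SSO modal.
    """
    values = attrs.get("role", [])
    if len(values) == 1 and values[0] in ALLOWED_ROLES:
        return values[0]
    return default_role


def is_in_org_domain(email, org_domain):
    """True if the e-mail address belongs exactly to the configured Organization domain."""
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() == org_domain.lower()


def provision_user(assertion_xml, org_domain, default_role="User"):
    """Decide what user record an SSO login would create; raises if the login must be refused."""
    name_id, attrs = extract_attributes(assertion_xml)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    email = name_id.strip().lower()
    if not is_in_org_domain(email, org_domain):
        raise ValueError(f"{email} is not in the configured Organization domain {org_domain}")
    return {"email": email, "role": resolve_role(attrs, default_role)}


if __name__ == "__main__":
    print(provision_user(SAMPLE_ASSERTION, "example.org"))
```

The domain check is the reason the modal insists on the Organization domain name: without it, any identity the IdP asserts would be accepted and provisioned. The role fallback mirrors the behaviour described above, where an absent or unrecognised role attribute results in the configured default rather than an error.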