Follow these steps for integrating with AWS after completing the steps in Kolide's SAML / SSO Sign-in document.
Navigate to the AWS SSO page, and click ‘Applications’ in the side navigation bar:
Next, click ‘add a new application’:
Select the ‘custom application’ option:
Fill out the form as follows:
From the Settings -> SAML/SSO page in Kolide, copy:
the value labeled ‘Kolide SSO URL’ into the field labeled ‘Application ACS URL’ in the AWS SSO setup form.
The value labeled ‘Kolide Issuer URL’ into the field labeled ‘Application SAML Audience’ in the AWS SSO application setup form
NOTE: Please use https://k2.kolide.com/signin as the ‘Application Start URL’. If you use the the value from the ‘Kolide SSO URL’, the SSO process is not correctly initiated from the AWS SSO Dashboard.
After clicking ‘save changes’, you’ll need to navigate to the ‘Attribute Mappings’ tab to further configure the custom SSO application.
Click ‘Add a new attribute mapping’, and fill out the fields as follows (see also the screenshot below):
User Attribute in the application: nameid
Maps to this string value or user attribute: ${user:email}
Format: basic
Once you click ‘Save Changes’, you can copy the ‘AWS SSO Issuer URL’ into the field labeled ‘IDP SSO Target URL’ in the Kolide SAML/SSO setting screen.
Additionally, you’ll need to download the AWS SSO certificate from the same screen:
Copy the contents of the downloaded certificate into the `X.509 Certificate` field in the Kolide SAML/SSO settings screen.
Make sure that the appropriate users/groups are assigned to the new SSO application from the ‘Assigned users’ tab in the AWS SSO screen above.
Once the Issuer URL and certificate values are populated into the Kolide SAML setup form, click ‘Save & Test SSO’, and you are ready to enable SAML authentication for your users!
For further details and documentation, https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html is a good resource.