Getting started
Prerequisites
Creating an Organization
Creating Audit and Log Archive AWS AccountsManagement
Creating an AWS Account
Initial Setup
Billing Alerts
Configuring AWS SSO (IAM Identity Center)
Generating As-Built Documentation
Alliance ModeEnvironments
Environments
Configuring AWS Client VPN
Configuring Private Bastion
Deleting an Environment
Domains
Service RolesCompliance
Compliance standards
Compliance status
Configuring a standardReference
Choosing Email Addresses for your AWS Accounts
Checklist end-of-deployment
Configuring SSO for Microsoft Azure
Configuring SSO for G-Suite
Deploying Applications
Notification History
Removing NX1 Access from AWS Accounts
Reduce permission access for NX1
What’s deployed in my accountTroubleshooting
Troubleshooting
Common Issues
Finding the Root Cause of a Failed Job
Creating new environment failed
Fixing Network Access is not connecting to RDS
SSO G-Suite - Deploy Lambda ErrorConfigure G-Suite single sign-on (SSO) integration with Amazon Web Services (AWS) - Lambda
Create Admin SDK API
First, you have to setup your API in the project you want to use:
- Go to the Google console (https://console.cloud.google.com/);
- Make sure you are managing the correct project. If don’t have a project, create one follow this instructions;
- Create or select your project;
- Select API & Services > Enable APIs and Services;
- Search for Admin SDK and Enable the API;
Create a Service Accounts
- Navigate to Google Cloud Admin at (https://console.cloud.google.com/);
- Find IAM and admin in the left menu;
- Select Service Accounts then Create Service Accounts;
- Enter the following parameters:
- Service account name;
- Service account ID (mandatory);
- Service account description (optional).
- Click Create and Continue;
- Click Done to finish the creation.
Service account created
- Click the actions button (three dots on the right side of the account created) and select Manage keys;
- Select ADD KEY and select Create new key;
- Select JSON file and then CREATE;
- The file will be saved to your computer. Store the file in a secure location;
For more information, look at the Google documentation about Service Accounts: https://developers.google.com/workspace/guides/create-credentials#service-account.
Set Domain-Wide Delegation
- In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenAPI controls.
- Click Manage Domain Wide Delegation.
- Click Add new and enter your service account client ID.
- Enter these parameters:
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Save.
Deploy Lambda for SSO
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.
With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).
AWS Identity Center (SSO) can use other Identity Providers as well, such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.
This is the reason to use a Lambda project which will pull users and groups from Google and push them into AWS SSO.
- Login to the AWS console;
- Go to this link https://us-east-1.console.aws.amazon.com/lambda/home?region=us-east-1#/create/app?applicationId=arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync to install the Lambda application;
- Enter the details for the fields:
- Click Deploy.
You have to perform this tutorial to create a service account that you use to sync your users. Save the JSON file you create during the process and rename it to credentials.json.
People also view
Configuring SSO for Microsoft Azure