Connecting Keycloak to AWS IAM Identity Center (SSO)
Tags: aws til cloud

Disclaimer: Do not take the information here as a good or best practice. The purpose of this site is to post my learnings in somewhat real-time.
AWS IAM Identity Center (previously, and still more commonly, known as AWS SSO) lets you control access to your AWS accounts through centrally managed identities. You can manage these identities in IAM Identity Center itself or in an external Identity Provider (IdP) such as Okta or Azure AD. AWS already has good documentation for those sources. My identities live in Keycloak, which was a little difficult to set up the first time, hence this post.
Keycloak can act as a SAML 2.0 Identity Provider, but it does not ship a SCIM client, so users and groups from Keycloak are not provisioned into AWS IAM Identity Center automatically. In this post I create the users in AWS by hand.
Configure your IdP in AWS IAM Identity Center
From the AWS console, go to the IAM Identity Center service, enable it, and select Add Identity Source. Select External identity provider and download the AWS service provider metadata.
With this file, go to your Keycloak realm and create a Client: choose SAML as the protocol, import the downloaded AWS metadata, and click Save. In the client settings, turn off Client Signature Required (I was unable to get it working with this on). Be clear about what that switch does: when it is on, Keycloak requires the SP (here AWS) to sign its SAML requests and validates those signatures; turning it off only relaxes that check on the incoming AuthnRequest. The assertion Keycloak sends back to AWS is still signed with the realm key (the Sign Documents and Sign Assertions settings control this), and that signature is what AWS verifies, so leave those on. Also check that the client's Valid Redirect URIs contain only the AWS assertion consumer URL that came in with the imported metadata, since that list is what stops Keycloak from posting an assertion anywhere else. Now go to Realm settings and, under General then Endpoints, download the SAML 2.0 Identity Provider Metadata.
Return to the AWS console and upload the Keycloak IdP metadata file you just downloaded under IdP SAML metadata. Review the configuration and accept it.
Create your users and groups
Now create your users and groups within AWS IAM Identity Center. After some trial and error, I discovered that the username field in AWS had to be identical to the email address field in Keycloak. The likely explanation is that Identity Center matches the Subject NameID of the incoming SAML assertion against the Identity Center username, and the Keycloak client was sending the user's email address as the NameID (the client's Name ID Format setting decides which attribute goes there). There are probably ways around this with Keycloak client mappers, but I was unable to figure this out. This meant my username and email fields in AWS were the same.
Wrap-up
Once the IdP source is created, the client configured, and the users and groups replicated over, you are good to go. From here on out you can create your permission sets, assign them to your users and groups, and access your AWS accounts through those identities.
Improvements
- Getting the client mapper set up to properly add the username and email to the correct fields.
- I would really like to get a SCIM plugin to move users and groups across to AWS. If you have a list of the user and group details you can programmatically add them to AWS with the SDK or CLI.
- I would like to fully understand the implications of Client Signature Required and how to get it working between Keycloak and AWS.
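The "create users and groups" step above, and the SDK route mentioned in the improvements list, can be combined into a small replication script: take a list of Keycloak users, create the matching Identity Center users with the username set to the Keycloak email (the constraint found earlier in the post), create the groups, and add the memberships. This is an added example for this post, not code from the original write-up, from Keycloak or from AWS. The Keycloak users are a constructed sample in the shape of the admin REST API's user representation with a `groups` key pre-joined for brevity; the boto3 `identitystore` calls (`list_users`, `create_user`, `list_groups`, `create_group`, `is_member_in_groups`, `create_group_membership`) are real, and `FakeIdentityStore` is an in-memory stand-in so the script runs offline.

```python
"""Replicate Keycloak users and groups into IAM Identity Center when SCIM is not available."""

# Constructed sample in the shape of Keycloak's admin REST API user representation
# (GET /admin/realms/{realm}/users), with 'groups' pre-joined from /users/{id}/groups.
KEYCLOAK_USERS = [
    {"username": "jdoe", "email": "jdoe@example.com", "firstName": "Jane",
     "lastName": "Doe", "enabled": True, "groups": ["aws-admins"]},
    {"username": "bsmith", "email": "bsmith@example.com", "firstName": "Bob",
     "lastName": "Smith", "enabled": True, "groups": ["aws-readonly", "aws-admins"]},
    {"username": "svc-old", "email": "old@example.com", "firstName": "Old",
     "lastName": "Service", "enabled": False, "groups": ["aws-admins"]},
    {"username": "nomail", "email": "", "firstName": "No", "lastName": "Mail",
     "enabled": True, "groups": []},
]


def to_identity_center_user(kc_user: dict) -> dict:
    """Map a Keycloak user to identitystore.create_user keyword arguments.

    UserName is the Keycloak email because Identity Center matches the SAML Subject
    NameID against the Identity Center username, and the client sends the email.
    """
    email = (kc_user.get("email") or "").strip()
    if not email:
        raise ValueError(f"{kc_user['username']}: no email, so no NameID would match")
    given, family = kc_user.get("firstName", ""), kc_user.get("lastName", "")
    return {
        "UserName": email,
        "DisplayName": f"{given} {family}".strip() or email,
        "Name": {"GivenName": given, "FamilyName": family},
        "Emails": [{"Value": email, "Type": "work", "Primary": True}],
    }


def _ensure_group(client, store_id, name, cache, summary):
    """Return the GroupId for `name`, creating the group on first sight."""
    if name not in cache:
        found = client.list_groups(IdentityStoreId=store_id, Filters=[
            {"AttributePath": "DisplayName", "AttributeValue": name}])["Groups"]
        if found:
            cache[name] = found[0]["GroupId"]
        else:
            cache[name] = client.create_group(IdentityStoreId=store_id, DisplayName=name)["GroupId"]
            summary["created_groups"].append(name)
    return cache[name]


def sync_to_identity_center(client, store_id: str, kc_users: list) -> dict:
    """Create missing users, groups and memberships; safe to re-run."""
    summary = {"created_users": [], "created_groups": [], "memberships": 0, "skipped": []}
    group_cache = {}
    for kc_user in kc_users:
        if not kc_user.get("enabled", True):  # never replicate a disabled account
            summary["skipped"].append((kc_user["username"], "disabled in Keycloak"))
            continue
        try:
            spec = to_identity_center_user(kc_user)
        except ValueError as exc:
            summary["skipped"].append((kc_user["username"], str(exc)))
            continue
        found = client.list_users(IdentityStoreId=store_id, Filters=[
            {"AttributePath": "UserName", "AttributeValue": spec["UserName"]}])["Users"]
        if found:
            user_id = found[0]["UserId"]
        else:
            user_id = client.create_user(IdentityStoreId=store_id, **spec)["UserId"]
            summary["created_users"].append(spec["UserName"])
        for group in kc_user.get("groups", []):
            group_id = _ensure_group(client, store_id, group, group_cache, summary)
            exists = client.is_member_in_groups(IdentityStoreId=store_id, MemberId={"UserId": user_id},
                                                GroupIds=[group_id])["Results"][0]["MembershipExists"]
            if not exists:  # the real API raises ConflictException on duplicates
                client.create_group_membership(IdentityStoreId=store_id, GroupId=group_id,
                                               MemberId={"UserId": user_id})
                summary["memberships"] += 1
    return summary


class FakeIdentityStore:
    """In-memory stand-in for boto3.client('identitystore'), mirroring the calls used above."""
    def __init__(self):
        self.users, self.groups, self.memberships = {}, {}, set()

    def list_users(self, IdentityStoreId, Filters):
        want = Filters[0]["AttributeValue"]
        return {"Users": [u for u in self.users.values() if u["UserName"] == want]}

    def create_user(self, IdentityStoreId, **kwargs):
        user_id = f"user-{len(self.users) + 1}"
        self.users[user_id] = {"UserId": user_id, **kwargs}
        return {"UserId": user_id, "IdentityStoreId": IdentityStoreId}

    def list_groups(self, IdentityStoreId, Filters):
        want = Filters[0]["AttributeValue"]
        return {"Groups": [g for g in self.groups.values() if g["DisplayName"] == want]}

    def create_group(self, IdentityStoreId, DisplayName, **kwargs):
        group_id = f"group-{len(self.groups) + 1}"
        self.groups[group_id] = {"GroupId": group_id, "DisplayName": DisplayName}
        return {"GroupId": group_id, "IdentityStoreId": IdentityStoreId}

    def is_member_in_groups(self, IdentityStoreId, MemberId, GroupIds):
        return {"Results": [{"GroupId": g, "MemberId": MemberId,
                             "MembershipExists": (g, MemberId["UserId"]) in self.memberships}
                            for g in GroupIds]}

    def create_group_membership(self, IdentityStoreId, GroupId, MemberId):
        self.memberships.add((GroupId, MemberId["UserId"]))
        return {"MembershipId": f"m-{len(self.memberships)}", "IdentityStoreId": IdentityStoreId}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python sync_users.py d-xxxxxxxxxx (your identity store ID)
        import boto3
        client, store_id = boto3.client("identitystore"), sys.argv[1]
    else:
        client, store_id = FakeIdentityStore(), "d-0000000000"
    print(sync_to_identity_center(client, store_id, KEYCLOAK_USERS))
```

Without arguments the script runs against the fake store and prints what it would have created; with an identity store ID it uses real boto3 credentials from the environment. Disabled Keycloak accounts and accounts without an email are skipped and reported rather than created, since a user without an email has no NameID that could ever match.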
: )