Configure AWS-IAM Identity Center with Google Workspace

Akshay Bhadange
6 min read · Jun 19, 2024

Video Tutorial & Guide

Introduction

In this tutorial, I will guide you through establishing a SAML connection between Google Workspace and AWS IAM Identity Center. You will then synchronize users from Google Workspace using SCIM. To verify that everything is configured correctly, you will sign in as a Google Workspace user and confirm access to AWS resources. This tutorial is based on a small Google Workspace directory in a test environment and does not cover directory structures such as groups and organizational units. After completing this tutorial, your users will be able to access the AWS access portal with their Google Workspace credentials, because you will have changed the Identity Center identity source to an external identity provider.

Understanding IAM Identity Center

IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It provides a single place to manage users, groups, and consistent access to multiple AWS accounts and applications. The best part is that IAM Identity Center is offered at no additional cost.

Why Integrate Google Workspace with IAM Identity Center?

Integrating Google Workspace with IAM Identity Center (formerly AWS SSO) streamlines user management and enhances security. It allows for seamless single sign-on, reducing the number of passwords users must manage and improving convenience. Additionally, it centralizes access control, making it easier to enforce security policies and manage permissions across both platforms.

How It Works

User information from Google Workspace is synchronized into IAM Identity Center using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You configure this connection in Google Workspace using the SCIM endpoint of your IAM Identity Center instance and an IAM Identity Center bearer token. This involves setting up Google Workspace as the SAML identity provider and connecting it to IAM Identity Center as the external identity source.

Prerequisites

  1. Access to the Google Workspace admin portal to configure the SAML app.
  2. Access to IAM Identity Center.

Considerations

  1. Before configuring SCIM provisioning, review the considerations in the AWS documentation.
  2. Currently, SCIM automatic synchronization from Google Workspace is limited to user provisioning; automatic group provisioning is not supported at this time. Group creation and user management will be covered in the next tutorial.

Steps to Configure the SAML Application

Step 1: Configure the SAML Application in Google Workspace

  • Sign in to your Google Admin Console using an account with administrator permissions.
  • Navigate to Apps → Web and Mobile Applications.
  • From the Add App dropdown, search for “Amazon Web Services” and select the Amazon Web Services (SAML) app from the list.
  • Download the IdP metadata.
  • Leave this page open and move to the IAM Identity Center console.

Step 2: Enable IAM Identity Center

  • Go to the IAM Identity Center console page and select the Enable button if it is not enabled.
  • Select your organization to allow access to multiple AWS accounts using IAM Identity Center.
  • After a few minutes, the IAM Identity Center will be ready to use.
  • In the left navigation pane, choose Settings.
  • On the Settings page, choose Actions and then Change Identity Source.
  • On the Choose Identity Source page, select External Identity Provider, and then choose Next.
  • On the Configure External Identity Provider page, complete the following:
      ◦ Upload the Google SAML metadata you downloaded as the IdP SAML metadata in the IAM Identity Center console.
      ◦ Confirm the change and click Next, then ACCEPT the change request.
      ◦ After providing the Google metadata, copy the AWS access portal sign-in URL, the IAM Identity Center Assertion Consumer Service (ACS) URL, and the IAM Identity Center issuer URL. You will enter these URLs in the Google Admin Console.
  • On the next page, you will see the SAML authentication metadata.
  • Map the AWS URLs in Google Workspace.
  • On the Service Provider Details page, complete the fields under Name ID:
      ◦ For Name ID format, select EMAIL.
      ◦ For Name ID, select Basic Information > Department.
  • Choose Finish.
  • On the Attribute Mapping page, choose ADD MAPPING and configure the required fields under Google Directory attribute.
  • Choose Finish.
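Before uploading the IdP metadata from Step 1 into the Identity Center console, it is worth checking that the file really is Google IdP metadata and has not been altered in transit: the entityID and single sign-on endpoints should be HTTPS URLs on accounts.google.com, a signing certificate should be present (Identity Center uses it to verify every assertion), and the emailAddress NameID format should be advertised to match the EMAIL Name ID format chosen above. The script below is an added example, not code from the original post; the metadata string it parses is a constructed sample with a placeholder idpid and placeholder certificate bytes, shaped like the file the Google Admin Console exports.

```python
"""Sanity-check a downloaded Google Workspace SAML IdP metadata file before
uploading it to IAM Identity Center.

Added example, not from the original post. SAMPLE_METADATA is constructed:
the idpid and the certificate bytes are placeholders, not real values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GOOGLE_IDP_HOST = "accounts.google.com"

# Constructed stand-in for the DER certificate; a real file carries an X.509 cert.
_FAKE_CERT_B64 = base64.b64encode(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data>
          <ds:X509Certificate>
            {_FAKE_CERT_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_EMAIL}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields IAM Identity Center consumes from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso_urls = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    name_id_formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' may serve both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))
        # SHA-256 of the DER bytes: record it so a later certificate rotation is noticed.
        fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "sso_urls": sso_urls,
        "name_id_formats": name_id_formats,
        "signing_cert_sha256": fingerprints,
    }


def check_idp_metadata(info: dict, idp_host: str = GOOGLE_IDP_HOST) -> list[str]:
    """Return a list of problems; an empty list means the file looks safe to upload."""
    problems = []
    entity = info["entity_id"] or ""
    if not entity.startswith("https://"):
        problems.append(f"entityID is not https: {entity!r}")
    if not info["sso_urls"]:
        problems.append("no SingleSignOnService endpoints")
    for binding, location in info["sso_urls"].items():
        parsed = urlparse(location or "")
        if parsed.scheme != "https" or parsed.hostname != idp_host:
            problems.append(f"SSO endpoint for {binding} is not https on {idp_host}: {location!r}")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: assertions could not be verified")
    if NAMEID_EMAIL not in info["name_id_formats"]:
        problems.append("emailAddress NameID format not advertised")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for fp in info["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    print("problems:", check_idp_metadata(info) or "none")
```

Run it against the real file by replacing SAMPLE_METADATA with the contents of the download from Step 1. Keep the printed fingerprint with your change record: when Google rotates its signing certificate, the new metadata will show a different value and Identity Center will need the updated file.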

Step 3: Google Workspace: Enable the App

  • Return to the Google Admin Console and locate the AWS IAM Identity Center application under Apps → Web and Mobile Apps.
  • In the User Access panel, expand User Access to display the Service Status panel.
  • In the Service Status panel, choose ON for everyone, and then choose SAVE.

Step 4: Set Up IAM Identity Center Automatic Provisioning

  • Return to the IAM Identity Center console.
  • On the Settings page, enable Automatic provisioning.
  • Copy the SCIM endpoint and Access token information displayed.
  • Close the dialog box.

Step 5: Configure Auto Provisioning on Google Workspace

  • Return to the Google Admin Console and select Apps → Web and Mobile Apps → Amazon Web Services (SAML).
  • In the Auto Provisioning section, choose Configure Auto Provisioning.
  • Paste the Access token and SCIM endpoint values copied earlier.
  • Verify that all mandatory IAM Identity Center attributes are mapped to Google Cloud Directory attributes.
  • In the Provisioning Scope section, optionally choose a group to provide access to the Amazon Web Services app.
  • In the Deprovisioning section, specify how to respond to different events that remove access from a user.
  • Choose Finish and turn on the auto-provisioning toggle switch.
  • To verify user synchronization, return to the IAM Identity Center console → Users.
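Checking the Users page by eye works for a small test directory, but a repeatable reconciliation catches the cases that matter in practice: Workspace users who never arrived (provisioning failure or outside the scope group), Identity Center users whose Workspace account is gone (a deprovisioning gap), users provisioned but inactive, and users whose SAML NameID will not match any Identity Center userName. That last case is the one that bites: Identity Center maps a signed-in user by comparing the assertion's NameID to the userName that SCIM created, so a Name ID mapping that sends anything other than the provisioned value leaves a user who authenticates at Google but cannot be mapped on the AWS side. The script below is an added example, not code from the original post; both data sets are constructed, the SCIM ListResponse mimicking a SCIM 2.0 /Users result and the Workspace list standing in for the Admin Console user list. The access token copied in Step 4 is a bearer secret: store it in a secrets manager rather than a notes file, and note that IAM Identity Center SCIM tokens expire one year after creation, so rotation has to be planned.

```python
"""Reconcile Google Workspace users with what SCIM provisioned into IAM Identity
Center, and confirm each user's SAML NameID matches an Identity Center userName.

Added example, not from the original post. SCIM_LIST_RESPONSE and
WORKSPACE_USERS are constructed samples; ids and externalIds are placeholders.
"""
import json

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed SCIM 2.0 ListResponse, shaped like GET <SCIM endpoint>/Users.
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST_SCHEMA],
    "totalResults": 4,
    "itemsPerPage": 4,
    "startIndex": 1,
    "Resources": [
        {"id": "placeholder-id-1", "userName": "alice@example.com", "active": True,
         "externalId": "ws-alice", "emails": [{"value": "alice@example.com", "primary": True}]},
        {"id": "placeholder-id-2", "userName": "carol@example.com", "active": True,
         "externalId": "ws-carol", "emails": [{"value": "carol@example.com", "primary": True}]},
        {"id": "placeholder-id-3", "userName": "dave@example.com", "active": False,
         "externalId": "ws-dave", "emails": [{"value": "dave@example.com", "primary": True}]},
        {"id": "placeholder-id-4", "userName": "erin@example.com", "active": True,
         "externalId": "ws-erin", "emails": [{"value": "erin@example.com", "primary": True}]},
    ],
})

# Constructed Workspace directory: primary email plus the value the SAML app
# would send as NameID. Erin's mapping sends a non-email attribute by mistake.
WORKSPACE_USERS = [
    {"primaryEmail": "alice@example.com", "nameId": "alice@example.com", "suspended": False},
    {"primaryEmail": "bob@example.com", "nameId": "bob@example.com", "suspended": False},
    {"primaryEmail": "erin@example.com", "nameId": "Engineering", "suspended": False},
    {"primaryEmail": "frank@example.com", "nameId": "frank@example.com", "suspended": True},
]


def parse_scim_users(list_response: str) -> dict[str, dict]:
    """Index a SCIM ListResponse by userName, rejecting anything that is not one."""
    body = json.loads(list_response)
    if SCIM_LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return {u["userName"]: u for u in body.get("Resources", [])}


def reconcile(workspace_users: list[dict], scim_users: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the two directories and return the discrepancies worth acting on."""
    # Suspended Workspace users are expected to be absent or inactive on the AWS side.
    expected = {u["primaryEmail"] for u in workspace_users if not u["suspended"]}
    provisioned = set(scim_users)
    return {
        # Active in Workspace but never arrived: provisioning failure or outside the scope group.
        "missing_in_identity_center": sorted(expected - provisioned),
        # Present in Identity Center with no active Workspace owner: deprovisioning gap.
        "orphaned_in_identity_center": sorted(provisioned - expected),
        # Provisioned but disabled; SAML sign-in succeeds at Google and then fails at AWS.
        "inactive_in_identity_center": sorted(
            n for n, u in scim_users.items() if not u.get("active", True)
        ),
        # Provisioned user whose NameID matches no userName: cannot be mapped after sign-in.
        "name_id_without_match": sorted(
            u["primaryEmail"] for u in workspace_users
            if not u["suspended"] and u["primaryEmail"] in provisioned
            and u["nameId"] not in provisioned
        ),
    }


if __name__ == "__main__":
    report = reconcile(WORKSPACE_USERS, parse_scim_users(SCIM_LIST_RESPONSE))
    print(json.dumps(report, indent=2))
```

In a real environment the Identity Center side can come from the SCIM endpoint with the bearer token, or from the Users page export, and the Workspace side from the Admin Console user list; an empty report is the condition to look for before handing the portal URL to users. Dave and Frank show the deprovisioning settings from the previous step doing their job (an inactive account and a suspended user that is not expected), while Erin shows the NameID mismatch that a wrong Name ID mapping produces.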

Access AWS Management Console using Google Workspace

  • Go to IAM Identity Center → Settings → Identity Source.
  • Click the AWS access portal URL.
  • A sign-in window opens where you can select your Google Workspace account.

Conclusion

You have successfully set up a SAML connection between Google Workspace and AWS and verified that automatic provisioning is working.

What’s Next

In the next blog, I will show how to create and manage groups in IAM Identity Center with Google Workspace as the external identity provider, and how to assign users and permissions for different AWS accounts.

If you liked this blog and are interested in similar tutorials, please follow me on Medium and YouTube. Thank you in advance!
