Google Workspace as an external IdP for AWS IAM Identity Center

Posted Jan 27, 2023 Updated Apr 22, 2023

By Nathaniel Varona 3 min read

Introduction

Google Workspace (formerly known as GSuite) is a typical first service for companies embracing the cloud, especially startups. Google Workspace provides out-of-the-box services like email, calendar, file storage, and user identity. Google also provides a service called Google Cloud Service (GCP) for business logic or computing workloads; however, companies prefer to use other vendor offerings.

Then here comes Amazon Web Services (AWS), one of the prominent cloud computing vendors with various service offerings. The challenge is using the user identity from Google Workspace to use Amazon Web Services (AWS).

In this post, we walk you through setting up the Google Workspace IdP for the AWS IAM Identity Center.

Authentication Flow Diagram

Created with mermaid.js

How the Authentication Works

A user with a Google Workspace account opens the link AWS access portal URL for an AWS Organization with AWS IAM Identity Center enabled.
The user will be redirected to Google Workspace if not yet authenticated; the user will log in using the Google Workspace account.
A response created if successfully logged in and sent to AWS IAM Identity Center contains SAML assertion, the Authentication, Authorization, and User Profiles.
The response from AWS IAM Identity Center determines the user to use the portal, and successful login shows.
The user can select the AWS Organization Account and Permission Set on the AWS user portal page.

Prepare the AWS IAM Identity Center

AWS Organization

For initially setting AWS Account, enable or create first the AWS Organization.

From the Account Menu (upper right corner of AWS Console, which appears to be your Account Name), open the Organization.

If the organization successfully enabled or created, you will list your AWS Accounts; for now, we have the main account.

AWS IAM Identity Center

Enable the AWS IAM Identity Center.

From the Services Menu (upper left corner of AWS Console, next to the AWS Logo), select Security, Identity, & Compliance and open the IAM Identity Center (successor to AWS Single Sign-On)

Configure the AWS IAM Identity Center

Once enabled, select the Choose your identity source.

Change the Identity Source

By default, AWS uses the Internal Identity as the source.

Choose identity source

Choose the External identity provider as our new source.

Configure external identity provider

Download the metadata file or take note of the IdP metadata, as we will use it later on Google Workspace Custom SAML App.

Let’s partially move to Google Workspace for Custom SAML App.

Google Workspace Custom SAML App

Add Custom SAML App

From the Google Workspace Admin Console, select the Apps, then open the Web and mobile apps.

Select the Add custom SAML app from the Add app menu.

Google App Details

Provide meaningful details for the app.

Google Identity Provider Details

Download the Google Workspace IdP metadata or take note of the IdP details as we will use it to complete the configuration for AWS external identity provider.