Konfirmity

Enable SSO on AWS with Google

Amit Gupta


2025-03-18


This guide walks through setting up single sign-on from Google Workspace into AWS. Google Workspace acts as the SAML identity provider for AWS IAM Identity Center, and the open-source SSOSync Lambda application keeps Identity Center's users and groups in step with your Google Workspace groups over SCIM, so access is granted and revoked in one place.

Step 1: Create AWS User Groups

Begin by creating an "AWS Users" group in Google Workspace. You can create further groups as needed (for example one per role or environment); in AWS, permission sets are later assigned per group in Identity Center, so each group should correspond to one level of AWS access. Keep every group name starting with "AWS", because the sync in Step 5 selects groups by that name prefix.

Step 2: Configure Google Workspace Integration

Follow the official AWS documentation at https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html through step 3 (creating the custom SAML app in the Google Admin console and exchanging metadata with Identity Center). The one change to make: when you turn the AWS SAML app on in the Google Admin console, enable it only for the "AWS Users" group (and any other AWS groups you created) rather than for the whole organization, so that only group members can reach the AWS sign-in page.


Step 3: Set Up Google Cloud Project

Within a new Google Cloud project, complete the following:

  • Enable the Admin SDK API
  • Create a service account and download a JSON key (no IAM roles are needed: the service account will not act on the project itself, it will act on the Workspace directory as the admin user you name in Step 5)
  • In the Google Admin console, grant the service account domain-wide delegation with exactly these read-only scopes:
    • https://www.googleapis.com/auth/admin.directory.group.readonly
    • https://www.googleapis.com/auth/admin.directory.group.member.readonly
    • https://www.googleapis.com/auth/admin.directory.user.readonly

The JSON key is a long-lived credential that can read your entire directory. Do not grant broader scopes than the three above, do not commit the key to a repository, and delete the local copy once it has been stored in AWS in Step 5.

Step 4: Enable AWS Identity Center Provisioning

Navigate to AWS IAM Identity Center, open Settings, and enable automatic provisioning. Record the SCIM endpoint URL and the access token: the token is displayed only once, and it expires after one year, so schedule a rotation before then. While on the Settings page, also note the Identity Store ID; Step 5 needs it.

Step 5: Deploy SSOSync Application

Deploy the AWS Serverless Application Repository (SAR) application via: https://console.aws.amazon.com/lambda/home#/create/app?applicationId=arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync

Configure the following parameters:

  • GoogleAdminEmail: An email with full Google Workspace administrative privileges; this is the user the service account from Step 3 impersonates through domain-wide delegation
  • GoogleGroupMatch: name:AWS* (a Directory API query that selects only groups whose name starts with "AWS")
  • DeployPattern: App + secrets (stores the Google credentials and the SCIM token in AWS Secrets Manager rather than as plain Lambda configuration)
  • SyncMethod: groups (syncs the matched groups and only the users who are members of them)
  • SCIMEndpointAccessToken: Your token from Step 4
  • SCIMEndpointUrl: Your endpoint from Step 4
  • IdentityStoreID: Your Identity Store ID from Step 4
  • GoogleCredentials: The full contents of the JSON key file from Step 3

Deploying the stack creates IAM roles for the Lambda, so you must acknowledge the IAM capabilities when prompted. After the first run, confirm in Identity Center that the "AWS Users" group and its members appear, then assign permission sets to the group rather than to individual users.
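Once the first sync has run, it is worth checking that what SSOSync produced in Identity Center actually matches Google Workspace, since a wrong `GoogleGroupMatch` filter or an expired SCIM token fails quietly. The following is an added example for that check, not code from the page or from the SSOSync project. It reads the groups matching `name:AWS*` from the Directory API, impersonating the admin through the same service account and read-only scopes as Step 3, reads the groups in the Identity Store with boto3, and reports any drift. The environment variable names, the `prefix="AWS"` interpretation of the `name:AWS*` query as a name-prefix match, and the sample data are assumptions made for the example.

```python
"""Post-sync drift check for SSOSync (added example, not part of SSOSync).

Assumptions (not from the original page): credentials and IDs come from the
environment variables below, google-api-python-client and boto3 are installed
when the live fetchers are used, and the Directory API query "name:AWS*" is
a prefix match on the group name (mirrored here by the prefix argument).
"""
import os

# Same read-only scopes granted to the service account in Step 3.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
]
GROUP_QUERY = "name:AWS*"  # same filter as the GoogleGroupMatch parameter


def fetch_google_groups(key_file, admin_email, query=GROUP_QUERY):
    """Return {group_name: {member_email, ...}} for groups matching `query`,
    acting as `admin_email` via domain-wide delegation. Direct USER members
    only; nested groups are not flattened."""
    from google.oauth2 import service_account  # imported lazily: live use only
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=SCOPES).with_subject(admin_email)
    svc = build("admin", "directory_v1", credentials=creds)
    groups, token = {}, None
    while True:
        resp = svc.groups().list(customer="my_customer", query=query,
                                 pageToken=token).execute()
        for g in resp.get("groups", []):
            members, mtoken = set(), None
            while True:
                mresp = svc.members().list(groupKey=g["email"],
                                           pageToken=mtoken).execute()
                members |= {m["email"].lower() for m in mresp.get("members", [])
                            if m.get("type") == "USER"}
                mtoken = mresp.get("nextPageToken")
                if not mtoken:
                    break
            groups[g["name"]] = members
        token = resp.get("nextPageToken")
        if not token:
            return groups


def fetch_identity_center_groups(identity_store_id, region=None):
    """Return {display_name: {user_name, ...}} from the Identity Store API.
    SSOSync sets UserName to the Google primary email, so names compare
    directly with the Google member emails."""
    import boto3  # imported lazily: live use only

    ids = boto3.client("identitystore", region_name=region)
    groups = {}
    for page in ids.get_paginator("list_groups").paginate(
            IdentityStoreId=identity_store_id):
        for g in page["Groups"]:
            names = set()
            for mpage in ids.get_paginator("list_group_memberships").paginate(
                    IdentityStoreId=identity_store_id, GroupId=g["GroupId"]):
                for m in mpage["GroupMemberships"]:
                    user = ids.describe_user(IdentityStoreId=identity_store_id,
                                             UserId=m["MemberId"]["UserId"])
                    names.add(user["UserName"].lower())
            groups[g["DisplayName"]] = names
    return groups


def reconcile(google_groups, aws_groups, prefix="AWS"):
    """Compare the two views and return only the non-empty findings.
    Groups in Identity Center outside the name prefix (e.g. created by hand
    for another purpose) are ignored, since SSOSync never touches them."""
    synced_aws = {n: m for n, m in aws_groups.items() if n.startswith(prefix)}
    findings = {
        "missing_groups": sorted(set(google_groups) - set(synced_aws)),
        "stale_groups": sorted(set(synced_aws) - set(google_groups)),
        "missing_members": {}, "extra_members": {},
    }
    for name in set(google_groups) & set(synced_aws):
        missing = google_groups[name] - synced_aws[name]
        extra = synced_aws[name] - google_groups[name]
        if missing:
            findings["missing_members"][name] = sorted(missing)
        if extra:
            findings["extra_members"][name] = sorted(extra)
    return {k: v for k, v in findings.items() if v}


# Constructed sample data (not from any real tenant) so the check runs offline.
SAMPLE_GOOGLE = {
    "AWS Users": {"alice@example.com", "bob@example.com"},
    "AWS Admins": {"alice@example.com"},
}
SAMPLE_AWS = {
    "AWS Users": {"alice@example.com"},                       # bob not yet synced
    "AWS Admins": {"alice@example.com", "mallory@example.com"},  # added by hand
    "AWS Legacy": {"carol@example.com"},                      # no Google source
    "Finance": {"dave@example.com"},                          # outside the filter
}

if __name__ == "__main__":
    import json
    import sys
    live = (fetch_google_groups(os.environ["GOOGLE_CREDENTIALS_FILE"],
                                os.environ["GOOGLE_ADMIN_EMAIL"]),
            fetch_identity_center_groups(os.environ["IDENTITY_STORE_ID"]))
    drift = reconcile(*live)
    print(json.dumps(drift, indent=2))
    sys.exit(1 if drift else 0)
```

Run it with the three environment variables set and a non-zero exit means drift: an `extra_members` entry is the case to act on first, because it is a principal with AWS access that Google Workspace does not know about.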
