AWS IAM Identity Center is a great tool for managing access to multiple AWS accounts in one centralized location. Users can assume roles in the AWS accounts they have access to and work in the AWS console or CLI.
It also supports single sign-on (SSO) capabilities to log in to some AWS services or third-party applications. One example of these applications is Confluence, which is widely used in enterprises. This blog post shows how to set up SSO in Confluence using AWS IAM Identity Center.
In what situations would you find this blog post useful?
- You want to use Identity Center's SSO capabilities in Confluence.
- You want to configure a source application for Amazon Q to test Q's security features (Q only uses information that the specific user has access to).
- You want to learn more about SSO and SAML.
In my case, I want to set up the Confluence integration to get familiar with Amazon Q. I chose the Confluence data source because Confluence supports page-specific permissions, which should also be honored in Q. I'm using the trial version of Confluence for my tests and this blog post.
Getting started: AWS IAM Identity Center
I assume that AWS IAM Identity Center is already configured. To integrate Confluence as an application, open AWS IAM Identity Center in the AWS console and select "Applications" in the navigation. Then, add a new application.
AWS offers a catalog of out-of-the-box integrations for more than 300 applications. Confluence is one of them, so choose it.
Search for Confluence and select the result:
The next page provides a button to open step-by-step instructions for additional configuration assistance. Select this button to view these instructions. There are also options to change the name or description used in Identity Center.
In the step-by-step instructions, you will find application-specific instructions to configure the integration. For example, it shows which values have to be configured in Confluence and in Identity Center. Download the certificate and copy the URL (both URLs are the same). You will need this information again later when setting up the identity provider in Confluence.
Now proceed with the necessary steps in Confluence. Later, we will need to perform some additional configurations in AWS IAM Identity Center.
Confluence: Adding a domain
Open the Atlassian Admin by navigating to the URL https://admin.atlassian.com/. In Atlassian Admin, you can manage the settings required for Identity Center integration.
First, add the domain used by your users. Accounts in your domain can become managed accounts, which means you can use the SSO capabilities of Identity Center.
Before the domain can be associated, ownership must be verified. I used DNS verification - feel free to use any of the other methods. For DNS verification, create the TXT record in the DNS management for your domain.
Ensure that the status is set to verified. If it is not verified, check the domain verification again. Next, select "Claim accounts" to automatically claim new accounts under this domain.
Use the recommended "Automatically claim" option to claim new accounts from your domain.
Now "claim setting" is set to "Automatically".
Confluence: Create an identity provider
In the next step, we will create an identity provider and link it to AWS IAM Identity Center. In the security settings, select "Identity providers" and use "Other provider", as there is no specific integration for Identity Center.
Confirm to start the free trial for Atlassian Guard to enable enterprise-grade features.
Enter a name for the identity provider, e.g. "AWS IAM Identity Center".
Proceed with the SAML single sign-on integration.
Read the notes, then continue to the next step.
Now paste the certificate and URL you copied during the application configuration in AWS IAM Identity Center.
In case you didn't copy the values, you can display them again.
After you have configured the values in Confluence, the Confluence wizard will display two URLs that need to be copied to AWS IAM Identity Center.
In the Identity Center configuration, enter the URL of your Confluence instance and paste the two URLs you copied earlier.
Now continue in Confluence again. Select the previously created domain.
Stop the configuration wizard and save the SAML settings.
Confluence: Update authentication policy
As the final configuration step in Confluence, open the authentication policies and edit the newly created configuration (in my case, it is named "AWS IAM Identity Center").
Select the option "Enforce single sign-on".
AWS Identity Center: Assign users or groups
In Identity Center, add the users or groups that will be allowed to use the new application. I created a group and assigned all users to it.
Testing the integration
Log in to the AWS IAM Identity Center with one of the users. You should see the newly created Confluence application. Open the application.
Your browser will open a new window and you will be automatically signed in to Confluence.
Summary
If everything is set up correctly, the Confluence integration with AWS IAM Identity Center works well. The step-by-step instructions are useful, but read the documentation provided by Atlassian if you encounter any issues. Be careful when copying configuration values/URLs. Don't mix up the different URLs - this can cause errors and SSO won't work.
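The values exchanged between Identity Center and Confluence (the issuer URL and certificate in one direction, the ACS URL and entity ID in the other) matter because the service provider checks them on every SAML Response it receives. The following Python script is an added example, not Atlassian's or AWS's code: it constructs an unsigned sample Response and runs the SP-side checks (Issuer, Destination and Recipient against the ACS URL, Audience against the SP entity ID, validity window) so you can see exactly which check fails when the two Confluence URLs are pasted into the wrong fields. All URLs, the `PLACEHOLDER` segments and the timestamps are made up; signature verification with the downloaded certificate, which a real SP does first, is left out.

```python
"""SP-side checks a SAML 2.0 Response must pass before a login is accepted.

Added example (not Atlassian's or AWS's code). XML signature verification
is deliberately omitted; all URLs and timestamps are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP (Confluence side) was configured with: placeholders, not real values.
SP_CONFIG = {
    "idp_issuer": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/PLACEHOLDER",
    "acs_url": "https://auth.atlassian.com/login/callback/PLACEHOLDER",
    "sp_entity_id": "https://auth.atlassian.com/saml/PLACEHOLDER",
}
# Fixed "current time" so the validity-window check is deterministic.
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)


def build_response(issuer, destination, recipient, audience,
                   not_on_or_after="2024-01-01T12:05:00Z"):
    """Construct a minimal, unsigned SAML Response with the given values."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, config, now):
    """Return a list of problems; an empty list means the Response passes."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_issuer"]:
        problems.append("Response Issuer does not match the configured IdP issuer URL")
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination does not match the SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no Assertion present")
        return problems
    if assertion.findtext("saml:Issuer", namespaces=NS) != config["idp_issuer"]:
        problems.append("Assertion Issuer does not match the configured IdP issuer URL")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        problems.append("Recipient does not match the SP's ACS URL")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != config["sp_entity_id"]:
        problems.append("Audience does not match the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    return problems


if __name__ == "__main__":
    good = build_response(SP_CONFIG["idp_issuer"], SP_CONFIG["acs_url"],
                          SP_CONFIG["acs_url"], SP_CONFIG["sp_entity_id"])
    print("correct values:", check_response(good, SP_CONFIG, NOW) or "OK")
    # The mix-up warned about above: ACS URL and entity ID swapped on the IdP side.
    swapped = build_response(SP_CONFIG["idp_issuer"], SP_CONFIG["sp_entity_id"],
                             SP_CONFIG["sp_entity_id"], SP_CONFIG["acs_url"])
    for problem in check_response(swapped, SP_CONFIG, NOW):
        print("swapped values:", problem)
```

With the correct values the check list is empty; with the two Confluence URLs swapped, Destination, Recipient and Audience all fail, which is the "SSO won't work" outcome described above, and it shows up on the Atlassian side as a rejected login rather than an error in Identity Center. When troubleshooting, compare the Response's Issuer against the issuer URL from the Identity Center instructions and its Destination against the ACS URL Confluence displayed in the wizard.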
The integration of Confluence with AWS IAM Identity Center is just one example - many other applications can be integrated as well. AWS IAM Identity Center can also be used if you need a free SAML or OAuth 2.0 identity provider for software development or any other use case.
Top comments (1)
This is an amazing Guide