To configure your IdP for the portal, follow these steps.

- Open a new tab in your browser.
- Add your portal metadata to your SAML IdP.
  Either upload the SP metadata document that you downloaded in the previous step to your IdP, or copy and paste the metadata values into the correct fields in your IdP. Some providers do not allow file upload.
  The details of this process vary between providers. See your provider's documentation in Guidance for using specific IdPs with Amazon WorkSpaces Secure Browser for help with adding the portal details to your IdP configuration.
- Confirm the NameID for your SAML assertion.
  Make sure your SAML IdP populates NameID in the SAML assertion with the user email field. NameID and user email are used to uniquely identify your SAML federated user with the portal. Use the persistent SAML Name ID format.
- Optional: Configure the Relay State for IdP-initiated authentication.
  If you chose Accept SP-initiated and IdP-initiated SAML assertions in the previous step, follow step 2 of Configuring your identity provider on Amazon WorkSpaces Secure Browser to set the default Relay State for your IdP application.
- Optional: Configure Request signing.
  If you chose Sign SAML requests to this provider in the previous step, follow step 3 of Configuring your identity provider on Amazon WorkSpaces Secure Browser to upload the signing certificate to your IdP and enable request signing. Some IdPs, such as Okta, might require the NameID to be of the “persistent” type before request signing can be used. Confirm the NameID for your SAML assertion by following the steps above.
- Optional: Configure Assertion encryption.
  If you chose Require encrypted SAML assertions from this provider, wait until portal creation is complete, then follow step 4 in "Upload metadata" below to upload the encryption certificate to your IdP and enable assertion encryption.
- Optional: Configure Single Logout.
  If you chose Single Logout, follow step 5 of Configuring your identity provider on Amazon WorkSpaces Secure Browser to upload the signing certificate to your IdP, fill in the Single Logout URL, and enable Single Logout.
- Grant your users access in your IdP to use WorkSpaces Secure Browser.
- Download a metadata exchange file from your IdP. You will upload this metadata to WorkSpaces Secure Browser in the next step.
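As an added example (not part of the AWS documentation and not the portal's own code), the following Python script supports the two steps above that are easiest to get wrong. It pulls the values an IdP form asks for (entity ID, ACS URL, Single Logout URL, NameID format, signing and encryption certificates, signing flags) out of the portal's SP metadata for providers that do not allow file upload, and it inspects an assertion issued by the IdP to confirm that the NameID uses the persistent format and carries the user email. The hostnames, certificate strings and sample assertion are constructed placeholders, and the function names are hypothetical; only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata, assertions and protocol messages.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample SP metadata: the hostnames and certificate strings are
# placeholders, not values from a real WorkSpaces Secure Browser portal.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.example.invalid/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SIGNING-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.example.invalid/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.invalid/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion as an IdP would issue it (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jane.doe@example.invalid</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def _cert_text(key_descriptor):
    """Return the base64 certificate body of a KeyDescriptor with whitespace removed."""
    cert = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return "".join((cert.text or "").split()) if cert is not None else None


def extract_sp_fields(metadata_xml):
    """Pull the values an IdP configuration form asks for out of SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    fields = {"entity_id": root.get("entityID"), "acs_url": None, "slo_url": None,
              "name_id_format": None, "signing_cert": None, "encryption_cert": None,
              "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
              "want_assertions_signed": sp.get("WantAssertionsSigned") == "true"}
    # Prefer the ACS endpoint marked isDefault when several are listed.
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    default_acs = [a for a in acs_list if a.get("isDefault") == "true"] or acs_list
    if default_acs:
        fields["acs_url"] = default_acs[0].get("Location")
    slo = sp.find("md:SingleLogoutService", NS)
    if slo is not None:
        fields["slo_url"] = slo.get("Location")
    fmt = sp.find("md:NameIDFormat", NS)
    if fmt is not None:
        fields["name_id_format"] = (fmt.text or "").strip()
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # a KeyDescriptor without "use" serves both purposes
        if use in (None, "signing") and fields["signing_cert"] is None:
            fields["signing_cert"] = _cert_text(kd)
        if use in (None, "encryption") and fields["encryption_cert"] is None:
            fields["encryption_cert"] = _cert_text(kd)
    return fields


def check_name_id(assertion_xml):
    """Return a list of problems; an empty list means NameID follows the guidance above."""
    root = ET.fromstring(assertion_xml)
    if root.tag == f"{{{NS['samlp']}}}Response":
        # An encrypted assertion cannot be inspected without the SP's private key.
        if root.find("saml:EncryptedAssertion", NS) is not None:
            return ["assertion is encrypted; decrypt it before checking NameID"]
        root = root.find("saml:Assertion", NS)
        if root is None:
            return ["response contains no Assertion"]
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["assertion has no Subject/NameID"]
    problems = []
    fmt = name_id.get("Format")
    if fmt != PERSISTENT:
        problems.append(f"NameID Format is {fmt!r}; expected the persistent format")
    value = (name_id.text or "").strip()
    if not EMAIL_RE.match(value):
        problems.append(f"NameID value {value!r} is not an email address")
    return problems
```

To use it against your own portal, pass the contents of the downloaded SP metadata file to `extract_sp_fields` and copy the returned values into the IdP's form; pass a decoded SAML Response or Assertion from a test login to `check_name_id`. When assertion encryption is enabled the function reports that the assertion must be decrypted first instead of guessing at its contents, which is the failure mode most likely to confuse a first test after enabling that option.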