How to configure AWS single sign-on
The provisioning part of BCD is now deprecated and will be removed! We do not recommend using it.
AWS allows you to integrate numerous third-party SAML solution providers to implement single sign-on.
If you implement this kind of authentication, when you start the BCD Controller container it will no longer be necessary to mount the

```bash
$ docker run --rm -t -i --name bcd-controller \
    -v <host_path_to_bonita-continuous-delivery_folder>:/home/bonita/bonita-continuous-delivery \
    -v <host_path_to_ssh_private_key>:/home/bonita/.ssh/<ssh_private_key> \
    bonitasoft/bcd-controller /bin/bash
```

Indeed, the credentials written to the `~/.aws` directory are used instead.
Single Sign-On to AWS Using G Suite
This section walks through an example using G Suite from Google.
First, set up Single Sign-On to AWS using G Suite as described on the AWS website.
That guide shows how to create an IAM role in your AWS account. For BCD usage, the role must carry the permissions BCD needs. To create it, follow How to configure Amazon Web Services (AWS) for BCD and, in the AWS Setup for BCD section, replace step 5 (Create an IAM Group) with the creation of the corresponding IAM role attached to the IAM Policies created in the previous steps.
The BCD Controller already embeds aws-google-auth to manage the authentication.
You will need to know Google’s assigned Identity Provider ID (idp-id) and the ID assigned to the SAML service provider (sp-id).
The idp-id is the value of the `idpid` parameter in the SSO URL shown on the Google Admin Security > Set up single sign-on (SSO) page (the URL has the form `https://accounts.google.com/o/saml2/idp?idpid=<idp-id>`).
The sp-id is the numeric identifier in your browser's URL when viewing the Google Admin Apps > SAML Apps > Amazon Web Services page.
After launching the BCD Controller, authenticate as follows:

```bash
aws-google-auth --idp-id Abc012345 --sp-id 123456789012 -p default -u email@example.com
```
aws-google-auth obtains temporary STS credentials for the role and stores them in the `~/.aws` directory under the `default` AWS profile.
If you want to use a different profile, pass it with `-p` and export `AWS_PROFILE` accordingly so that BCD picks it up:

```bash
aws-google-auth --idp-id Abc012345 --sp-id 123456789012 -p test -u firstname.lastname@example.org
export AWS_PROFILE=test
```
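The following script is an added example and is not part of the BCD project or its documentation. It wraps the login step above into a named profile and then checks two things a practitioner wants before running BCD: that the profile written to `~/.aws/credentials` holds temporary session credentials (an `aws_session_token`) rather than a long-lived access key, and that `aws sts get-caller-identity` reports the BCD role in the expected account rather than some other role the SAML assertion allowed. The role name `BCDRole`, the account ID `111122223333` and the sample credentials file are constructed placeholders; the `-r/--role-arn` and `-d/--duration` options are aws-google-auth's own.

```bash
#!/usr/bin/env bash
# Added example (not BCD project code): SSO login into a named profile plus
# post-login checks. Placeholder values (hypothetical): account 111122223333,
# role BCDRole, and the constructed credentials file below.
set -eu

# Return 0 if <profile> in <credentials_file> carries an aws_session_token,
# i.e. temporary STS credentials as written by aws-google-auth, else 1.
# Usage: profile_has_session_token <credentials_file> <profile>
profile_has_session_token() {
  local file="$1" profile="$2"
  awk -v p="[$profile]" '
    $0 == p { in_p = 1; next }            # entered the wanted section
    /^\[/   { in_p = 0 }                  # any other section header ends it
    in_p && /^[[:space:]]*aws_session_token[[:space:]]*=[[:space:]]*[^[:space:]]/ { found = 1 }
    END     { exit found ? 0 : 1 }
  ' "$file"
}

# Return 0 if <arn> (from `aws sts get-caller-identity`) is an assumed-role
# session of <role_name> in <account_id>, else 1. The session-name suffix
# (the user's e-mail) is ignored on purpose.
# Usage: arn_is_expected_role <arn> <account_id> <role_name>
arn_is_expected_role() {
  local arn="$1" account="$2" role="$3"
  case "$arn" in
    "arn:aws:sts::${account}:assumed-role/${role}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Log in through G Suite into <profile>, pin the role explicitly, cap the
# session at one hour, and verify the result. Needs network access and the
# aws CLI; it is not invoked unless RUN_SSO_LOGIN=1.
# Usage: bcd_sso_login <profile> <idp_id> <sp_id> <user> <account_id> <role_name>
bcd_sso_login() {
  local profile="$1" idp_id="$2" sp_id="$3" user="$4" account="$5" role="$6"
  aws-google-auth --idp-id "$idp_id" --sp-id "$sp_id" -p "$profile" -u "$user" \
      -r "arn:aws:iam::${account}:role/${role}" -d 3600
  export AWS_PROFILE="$profile"
  profile_has_session_token "${HOME}/.aws/credentials" "$profile" \
      || { echo "profile $profile holds no session token" >&2; return 1; }
  local arn
  arn="$(aws sts get-caller-identity --query Arn --output text)"
  arn_is_expected_role "$arn" "$account" "$role" \
      || { echo "unexpected identity: $arn" >&2; return 1; }
  echo "authenticated as $arn"
}

# Constructed sample credentials file: [test] is what aws-google-auth would
# write (temporary keys); [static] is a long-lived key that BCD should not use.
SAMPLE_CREDS="$(mktemp)"
cat > "$SAMPLE_CREDS" <<'EOF'
[test]
aws_access_key_id = ASIAEXAMPLEEXAMPLEKEY
aws_secret_access_key = constructedsecret
aws_session_token = constructedsessiontoken
aws_security_token = constructedsessiontoken

[static]
aws_access_key_id = AKIAEXAMPLEEXAMPLEKEY
aws_secret_access_key = constructedsecret
EOF

if [ "${RUN_SSO_LOGIN:-0}" = 1 ]; then
  bcd_sso_login test Abc012345 123456789012 firstname.lastname@example.org 111122223333 BCDRole
fi
```

Pinning the role with `-r` matters when the Google user is mapped to more than one AWS role: without it aws-google-auth prompts interactively, and a scripted BCD run could silently end up in the wrong role. The identity check after login is what turns "the command succeeded" into "BCD will run with the permissions we intended".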