Single Sign-On Integration: Microsoft Azure AD

Table of Contents
• Overview & Benefits
• Initial Setup Steps in Microsoft Azure
• Initial Setup Steps in Amazon Business
• Metadata Exchange
• Testing & Activation
• Things to Know: Disabling SSO (if needed); Direct Access vs. Punchout; Custom Group Mapping

AMAZON CONFIDENTIAL

Overview & Benefits
Why integrate your IdP with Amazon Business?
• This deck provides guidance for setting up a single sign-on (SSO) integration between Microsoft Azure AD and Amazon Business. The integration is a standard SAML 2.0 federation, so it works the same way as SSO integrations you may have completed for other applications (Concur, Tableau, ADP, eProcurement systems, etc.).
• Key benefits:
  • Streamlined onboarding: Just-in-Time (JIT) provisioning creates users on their first SSO login, removing the need to invite them manually.
  • Increased security: users authenticate with your IdP instead of a separate Amazon Business password, so there is one less credential to be phished, reused or leaked.
  • Reduced risk: you control who may access Amazon Business by assigning users to the application in your IdP, and you can revoke that access centrally.
  • Smoother UX: simplified access for all users (direct access and punchout).

Initial Setup Steps in Microsoft Azure

Microsoft Azure AD Setup
1. Sign in to the Azure portal and click Azure Active Directory.
2. Click Enterprise Applications.
3. Click New Application and select Amazon Business from the gallery. NOTE: If Amazon Business is not already listed among your enterprise applications, this is how you add it.
4. Within the Amazon Business app, go to Overview > 2. Set up single sign on.

Initial Setup Steps in Amazon Business

Amazon Business SSO Setup
1. Hover over your name in the main menu and click System Integrations > Setup. You can also reach this page via Business Settings > Single Sign-on (SSO).
2. Choose Microsoft Azure AD and click Next. Then choose the default group and role for new users.
Note: The default group and role apply to users who register by JIT provisioning into your account through an IdP- or SP-initiated SSO link. Direct access users who join the account via an email invitation land in the group they were invited to. If most of your users will access Amazon Business from an eProcurement system (punchout), we recommend choosing the production punchout group (and role) as the defaults. Because every JIT-provisioned user lands here unless custom group mapping places them elsewhere, pick the least-privileged role that lets a typical new user do their job.

Metadata Exchange

Microsoft Azure AD Setup
1. Provide Azure's metadata to Amazon Business using either* of the below methods:
  A. Download the Federation Metadata XML from the application in Azure, or
  B. Copy the App Federation Metadata Url from the application in Azure.
  *Option B saves some time, since it doesn't require you to save a file locally.

Amazon Business SSO Setup
2. Complete the step that matches the option you chose above:
  A. Upload the XML file in the Connection Data section in Amazon Business.
  B. Paste the App Federation Metadata Url into the Connection Data section.

Microsoft Azure AD Setup
3. Copy the claim names of your Azure AD user attributes and paste them into the Amazon Business SAML AttributeName fields.
Note: Use the full claim names exactly as Azure AD lists them for the application (for example, the default email claim is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), not the source attribute names (e.g. user.mail). Azure AD places the full claim name in the Name of each Attribute in the SAML response, so if you enter user.mail in Amazon Business the attribute will not match and the integration will not work.

Amazon Metadata
4. Download the Metadata XML file from Amazon Business and upload it into Microsoft Azure AD rather than typing the values in by hand.
NOTE: For UK Amazon Business accounts, the identifier (Entity ID) is expected to be Amazon.de. This is partly why we recommend uploading the metadata instead of entering it manually: the file carries the exact identifier and ACS URL that Amazon Business expects, and a mismatch in either will make Azure AD reject the request or post the assertion to the wrong place.

Update the ACS (Reply) URL
5. Replace the ACS (Reply) URL in Azure AD with the URL shown in your Amazon Business account. This is the endpoint Azure AD posts signed assertions to, so it must match the Amazon Business value exactly.

Testing & Activation

Test in Microsoft Azure AD
1. Test the SSO connection from the Azure AD application. If successful, you will be redirected to your Amazon Business account.

Test & Activate in Amazon Business
2. Test the connection from the Amazon Business SSO configuration page, then activate SSO.

Things to Know

Disabling SSO (If Needed)
If you ever need to turn off SSO, return to the SSO configuration page and click Disable SSO. You also need to do this to update the default group/role. We recommend doing this off-hours to avoid confusing your user base: once SSO is turned off, users who joined the account via SSO have no Amazon Business password and must use the "Forgot Password" workflow to sign in, which can be a confusing end-user experience. Note that access is then no longer gated by your IdP; anyone who can complete the "Forgot Password" flow for a registered work email can sign in.

Direct Access vs. Punchout
Instructions for Direct Access Users
• SP-initiated URL: You can host the SSO SP link (provided on the connection page) anywhere in your network, or distribute it via instant message or email. Users who follow the URL are sent to your IdP and federated to Amazon Business.
• IdP-initiated URL: You can also get an IdP-initiated URL from the SSO configuration page in Amazon Business. To use IdP-initiated SSO, replace the Assertion Consumer Service (ACS) URL in Azure with this one. In an IdP-initiated flow Amazon Business receives an unsolicited assertion with no outstanding request to match it against, so prefer the SP-initiated link where your users can use it.
• Direct Access: If existing users on your Amazon Business account sign in on www.amazon.com or business.amazon.com with their work email, they are redirected to your IdP once they enter their email address. SSO is connected to your Amazon Business account, not to your email domain, so employees who are not yet registered users will not be redirected if they try to sign in this way; they must use the SP- or IdP-initiated link (or an invitation) the first time.
Instructions for Punchout Users
• Punchout users always access Amazon Business by punching out from your eProcurement system, regardless of whether SSO is active. SSO still simplifies end-user navigation by removing the need to enter a password when accessing a "non-purchasing" page.
• Users accessing Amazon Business through your eProcurement system and SSO will still have to authenticate with your IdP. Ensure users are assigned to the Amazon Business application in your IdP; a user who is not assigned will be refused an assertion.

Custom Group Mapping (Direct Access Only)
You can provision new users into different groups using data passed to Amazon Business in the SAML assertion. This is called "custom group mapping" or "group attribute mapping".
Prerequisites
• You need to use or create an attribute in Azure and ensure it is sent to Amazon Business in the SAML assertion for each user. Each value passed in this attribute should align with a group in Amazon Business.
• Punchout customers need to send a User Business Unit (UBU) value as an extrinsic field in the punchout setup request (POSR). Please discuss with your Amazon Business POC if needed.
Other Details
• Only available after SSO is active.
• Only affects where net-new users land during JIT provisioning. Amazon Business currently does not re-evaluate group membership on later logins, so moving an existing user requires manual intervention by an admin.
• Users who join via an email invitation land in the invited group (invitations take precedence over custom group mapping).
• If a user's assertion does not carry a valid value in the selected attribute, the user is provisioned into the default SSO group/role. Because an unmapped or misspelled value silently falls back to the default, keep the default role least-privileged and review the alias list whenever your org structure changes.

Custom Group Mapping Setup
• Custom group mapping is configured on the SSO configuration page.
• First, enter the name of the attribute (e.g. "Department" or "Division") sent by Azure that will contain the group alias for each user.
• Second, enter each group alias (i.e. each possible value that may be passed in the selected attribute), then select the Amazon Business group it corresponds to.
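As an added example for the Metadata Exchange steps (not code from this deck, Amazon Business or Microsoft), the Python script below parses an Azure AD federation metadata document and an SP metadata document and reports the checks a practitioner would make before activating: the IdP publishes a signing certificate, its SSO endpoints and the SP's ACS URL are HTTPS, the SP requires signed assertions, and the Reply URL left in Azure after step 5 is one the SP metadata actually advertises. Both metadata documents are constructed samples; the entity IDs, URLs and certificate are placeholders, not real Azure AD or Amazon Business values.

```python
"""Sanity-check SAML metadata before exchanging it between Azure AD and an SP.

Added example, not Amazon's or Microsoft's code. Both documents below are
constructed samples shaped like Azure AD's Federation Metadata XML and a
generic SAML 2.0 SP metadata file; every entity ID, URL and certificate
is a placeholder.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the base64 X.509 signing certificate Azure AD publishes.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed IdP metadata (placeholder tenant ID).
AZURE_IDP_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata (placeholder entity ID and ACS URL).
SP_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD}" entityID="urn:example:amazon-business-sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="{HTTP_POST}" index="0" isDefault="true"
        Location="https://sp.example.invalid/sso/acs/ACCOUNT-PLACEHOLDER"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract entity ID, SSO endpoints by binding and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def parse_sp_metadata(xml_text):
    """Extract entity ID (the Azure 'Identifier'), HTTP-POST ACS URLs and signing policy."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": acs,
        "wants_signed_assertions": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def review_exchange(idp_xml, sp_xml, azure_reply_url):
    """Return a list of findings; an empty list means the exchange looks consistent.

    azure_reply_url is the Reply (ACS) URL you intend to leave configured in
    Azure AD after step 5; it must be one the SP metadata actually advertises.
    """
    idp = parse_idp_metadata(idp_xml)
    sp = parse_sp_metadata(sp_xml)
    findings = []
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; responses cannot be verified")
    for cert in idp["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append("signing certificate is not valid base64")
    if HTTP_POST not in idp["sso"]:
        findings.append("IdP advertises no HTTP-POST SingleSignOnService")
    for url in list(idp["sso"].values()) + sp["acs_urls"]:
        if not url.startswith("https://"):
            findings.append(f"endpoint is not HTTPS: {url}")
    if not sp["wants_signed_assertions"]:
        findings.append("SP does not require signed assertions")
    if azure_reply_url not in sp["acs_urls"]:
        findings.append(f"Azure Reply URL {azure_reply_url} is not an ACS URL in the SP metadata")
    return findings


if __name__ == "__main__":
    # A Reply URL copied from the wrong place (here, a constructed stale value) is caught.
    for f in review_exchange(AZURE_IDP_METADATA, SP_METADATA, "https://sp.example.invalid/old-acs"):
        print("FINDING:", f)
```

Run it against the real files by replacing the two constructed strings with the downloaded Federation Metadata XML and the Amazon Business metadata file; the base64 check is deliberately minimal, and a production check would also decode the certificate and confirm its validity period.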
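As an added example covering both the claim-name note in Metadata Exchange step 3 and the Custom Group Mapping rules above (not code from this deck or from Amazon Business), the Python script below reads the AttributeStatement of a constructed SAML assertion, shows that looking an attribute up by the Azure source name user.mail finds nothing while the full claim name does, and then resolves where a JIT-provisioned user lands using the deck's precedence: invitation group first, then the alias mapped from the selected attribute, then the default SSO group. The "Department" claim, the SSO_CONFIG structure and all group names are assumptions for illustration.

```python
"""Resolve a first-time SSO user's group from the SAML assertion.

Added example, not Amazon Business's code. The assertion is a constructed
sample; the two URI claim names are Azure AD's default email and given-name
claims, "Department" is an assumed custom claim, and SSO_CONFIG is an assumed
shape for the settings described in the deck (names are placeholders).
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

# Constructed assertion fragment shaped like Azure AD's AttributeStatement.
ASSERTION = f"""<Assertion xmlns="{SAML}" ID="_constructed" Version="2.0">
  <AttributeStatement>
    <Attribute Name="{EMAIL_CLAIM}"><AttributeValue>buyer@example.com</AttributeValue></Attribute>
    <Attribute Name="{GIVENNAME_CLAIM}"><AttributeValue>Pat</AttributeValue></Attribute>
    <Attribute Name="Department"><AttributeValue>Finance</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

# Assumed shape of the Amazon Business SSO settings (placeholder group/role names).
SSO_CONFIG = {
    "email_attribute": EMAIL_CLAIM,          # the SAML AttributeName field
    "default_group": "SSO Default",
    "default_role": "Requisitioner",
    "group_mapping": {
        "attribute": "Department",           # attribute carrying the group alias
        "aliases": {"Finance": "Finance Buyers", "IT": "IT Buyers"},
    },
}


def extract_attributes(assertion_xml):
    """Map each SAML Attribute Name to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def user_email(attrs, configured_name):
    """Return the value the SP sees for the configured AttributeName, or None.

    Azure AD sends the full claim name, so configuring the source attribute
    name (user.mail) instead yields None: the mismatch the deck warns about.
    """
    values = attrs.get(configured_name)
    return values[0] if values else None


def resolve_group(attrs, config, invited_group=None):
    """Return (group, reason) following the deck's precedence rules.

    1. An email invitation wins over custom group mapping.
    2. Otherwise the first value of the selected attribute that matches a
       configured alias (exact match after trimming; case handling is an
       assumption) selects the group.
    3. Otherwise the user falls back to the default SSO group.
    """
    if invited_group:
        return invited_group, "invitation"
    mapping = config["group_mapping"]
    for value in attrs.get(mapping["attribute"], []):
        group = mapping["aliases"].get(value.strip())
        if group:
            return group, f"mapped alias {value.strip()!r}"
    return config["default_group"], "default (no valid alias in assertion)"


if __name__ == "__main__":
    attrs = extract_attributes(ASSERTION)
    print("email via full claim name:", user_email(attrs, EMAIL_CLAIM))
    print("email via user.mail:", user_email(attrs, "user.mail"))
    print("placement:", resolve_group(attrs, SSO_CONFIG))
```

The fallback branch is the one to watch operationally: a department that was renamed in Azure AD but not in the alias list drops every new hire from that department into the default group without any error.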