Configuring AWS SSO(SAMLv2) to work with Harness

Most SAML v2 providers will work with Harness out of the box, however there is always an exception to the rule, and in this case it is AWS SSO.

First, we need to create a new application in AWS SSO for harness(AWS SSO->Applications->Add New Application->“Add a custom SAML 2.0 application”)

On this screen, download the metadata and save it locally, then at the bottom, click:


For ‘Application ACS URL’, provide the URL from the harness UI when setting up the SAML Provider(Setup->Authentication Settings->Add SSO Provider):


Then for ‘SAML Audience’, enter:

Some quick technical background information:

Our current SAML implementation expects the host that the SAML response is originating from to match the host that is in the SingleSignOnService URL in the metadata provided to harness. In the case of AWS, the SAML response originates from the ‘user portal’ address and not the host contained in the default metadata export AWS provides, for example:

So to workaround this, we need to login to the AWS console, and goto AWS SSO->Settings, and you should see the user portal section:

Copy this URL, and open the metadata in a text editor, and update the two SingleSignOnService URL’s with the user portal address(including /start), as such:

Now, upload this metadata to harness, and you should have AWS SSO working with harness.

1 Like