felipelaptrin/sso


This is a demo for my Hands-on SSO with Terraform and Authentik blog post. We are going to create the following infrastructure:

Architecture Diagram

Running this Demo

Make sure you run this demo from the management AWS account (the one where AWS IAM Identity Center is configured). You also need a Route53 hosted zone for your domain.

  1. Install dependencies of the repository

```sh
devbox shell
```

  1. Initialize Terraform

```sh
terraform init
```

  1. Create a file to define variables

You can check the README below to see the variables that are required (or check variables.tf file directly).

Here is one example of a valid file (modify it for your use case):

```hcl
# vars.tfvars
aws_region              = "us-east-1"
domain                  = "mydomain.com"
use_staging_certificate = true
authentik_email         = "me@mail.com"
```

  1. Apply Terraform and create the infrastructure

Remember to have valid AWS credentials in your terminal!

```sh
terraform apply --var-file=vars.tfvars
```

This command provisions the VPC and an EC2 instance with an Elastic (static) IP, and creates the Route53 record that lets Let's Encrypt validate that we own the domain (Caddy requests and manages this certificate for us). The EC2 instance runs the user_data script to configure Authentik and Grafana.

  1. Wait for infrastructure to get ready

Open your browser and keep checking whether the Authentik server is ready (get the endpoint by running terraform output authentik_endpoint). It takes a couple of minutes (most likely less than 10) to become available, because the user_data script needs a few minutes to install Authentik and expose it through Caddy, and the DNS record for the domain also needs to propagate.

You can check the progress by connecting to the EC2 instance via Session Manager (AWS Console) and running the following commands:

```sh
sudo su
echo "Check Cloud Init Script"
cat /var/log/cloud-init-output.log
echo "Check Caddy Status"
systemctl status caddy
```

  1. Go to AWS Console to get Identity Center URL

Now, open the AWS Console and navigate to IAM Identity Center. Go to Settings and click Change Identity source.

Change IAM Identity Center Source

  1. Select External Identity Source

We will be using Authentik as the IdP for AWS (our SP).

Use External Identity Provider

  1. Copy the SP metadata provided

We are going to use these values in the Terraform Authentik configuration soon, so do not close this window yet!

  1. Get credentials to Authentik

Soon we are going to configure Authentik using Terraform. The Authentik Terraform provider requires a token to make the HTTP calls that execute actions and configure it. We also need to configure Grafana's OAuth provider using the created client ID and client secret. We can get these values from the outputs of the main Terraform code we just executed.

Run the Terraform command to get these values:

```sh
terraform output authentik_endpoint
terraform output authentik_token
terraform output grafana_oauth_client_id
terraform output grafana_oauth_client_secret
```

If you would like to log in as admin, use the email you configured Authentik with and the password available in the authentik_password output (terraform output authentik_password).

  1. Initialize the Authentik Terraform module

```sh
cd authentik
terraform init
```

  1. Create a file to define variables

The Authentik Terraform module needs some variables to be defined. Here is an example:

```hcl
# authentik/vars.tfvars
authentik_url      = "https://sso.mydomain.com/" # Use the Terraform output
authentik_token    = "123ABC"                    # Use the Terraform output
authentik_insecure = true                        # Set to true if you set use_staging_certificate to true

grafana_url           = "https://monitoring.mydomain.top" # Use the Terraform output
grafana_client_id     = "1a2b3c"                          # Use the Terraform output
grafana_client_secret = "123abc"                          # Use the Terraform output

aws_sign_in_url = "https://ABC.awsapps.com/start"                                 # Use the AWS value
aws_acs_url     = "https://us-east-1.signin.aws.amazon.com/platform/saml/acs/DEF" # Use the AWS value
aws_issuer_url  = "https://us-east-1.signin.aws.amazon.com/platform/saml/GHI"     # Use the AWS value

set_scim       = false
aws_scim_url   = ""
aws_scim_token = ""
```

We are not setting up SCIM yet: the external Identity Provider must be configured in the Identity Center before SCIM can be enabled.

  1. Apply Authentik configuration

If Authentik is already available, you can now configure it using Terraform:

```sh
terraform apply --var-file=vars.tfvars
```

Here we are going to create:

  • SAML provider for AWS
  • OIDC provider for Grafana
  • AWS and Grafana application

Some important things to mention:

  1. Upload SAML metadata and IdP Cert to AWS External Identity Provider configuration

You will notice that applying the module generated two files: authentik/cert.pem and authentik/metadata.xml. These files can also be downloaded from Authentik, but for simplicity we extracted them via Terraform. Upload them in the AWS Console:

  • authentik/metadata.xml should be uploaded in the "IdP SAML metadata" field
  • authentik/cert.pem should be uploaded in the "IdP certificate" field

PS: I noticed a bug that I couldn't fix that might happen here. The first terraform apply execution of the authentik module can generate an empty metadata.xml file. If this happens, simply rerun the terraform apply --var-file=vars.tfvars command and the file will be created correctly. If the file is empty, AWS will complain (of course!).

  1. Enable SCIM

Go to the Identity Center Settings page in the AWS Console. You will see a message to enable SCIM. Click to enable it. An endpoint and a token will be generated. Copy these values, because we are going to need them in the next step.

Enable SCIM in AWS IAM Identity Center Console

  1. Deploy SCIM via Terraform

Modify the authentik/vars.tfvars file to enable SCIM. The SCIM variables should look like this:

```hcl
set_scim       = true # This should have the "true" value now!
aws_scim_url   = "https://scim.AWS_REGION.amazonaws.com/ABCDEF/scim/v2"
aws_scim_token = "GIANT_TOKEN"
```

Rerun the apply:

```sh
terraform apply --var-file=vars.tfvars
```

This will create:

  • SCIM provider for AWS. AWS states that even when using an external identity provider, you still need to provision all applicable users and groups into IAM Identity Center. Doing this by hand is tedious, but this is where SCIM comes to the rescue: SCIM is a standard that simplifies the exchange of user identity information between identity systems, and since AWS supports it we can take advantage of it. In other words, every time a user (from the AWS group) is created, Authentik makes an API call to the AWS SCIM endpoint to create that user there as well. The AWS SCIM implementation has its own required fields and constraints, which is why we carefully used a Python script to specify the fields we pass to the AWS SCIM provider. Another important point: the AWS external identity provider configuration requires us to use the email as the NameID that identifies the user.
  • Two users: "dev" (which should only have ReadOnly permissions in the AWS account and the Viewer role in Grafana) and "admin" (which should have AdministratorAccess in the AWS account and the Admin role in Grafana). We create the passwords for these users with Terraform; this is not ideal in a real-world scenario, but once again, this is a demo.
  • Groups: the AWS group (every user that needs AWS access should be placed here, since in a real-world scenario we do not want users without AWS access to be created in AWS), the Admin AWS group, the Dev AWS group, the Grafana Admin group and the Grafana Viewer group.
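The field mapping the SCIM bullet above describes, as an added Python example (not the repository's own script): it builds the SCIM User body for an Authentik-style user and checks it against the AWS constraints assumed here (userName, displayName, givenName and familyName required; exactly one primary e-mail), using the e-mail as userName so it matches the SAML NameID. The sample users and the plain-dict user shape are constructed; inside Authentik the same logic would run as a SCIM property mapping expression over the `user` object.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample records in the shape Authentik hands a property mapping
# (user.pk, user.username, user.name, user.email, user.is_active).
SAMPLE_USERS = [
    {"pk": 1, "username": "dev", "name": "Dev User", "email": "dev@mydomain.com", "is_active": True},
    {"pk": 2, "username": "admin", "name": "Admin", "email": "admin@mydomain.com", "is_active": True},
    {"pk": 3, "username": "svc", "name": "Service Bot", "email": "", "is_active": False},
]


def split_name(full_name):
    """Split 'Given Family' into (givenName, familyName); missing parts stay empty."""
    parts = full_name.strip().split()
    if not parts:
        return "", ""
    return parts[0], " ".join(parts[1:])


def aws_scim_user(user):
    """Build the SCIM User body to send to the AWS SCIM endpoint."""
    given, family = split_name(user["name"])
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": str(user["pk"]),      # lets Authentik correlate the AWS record
        "userName": user["email"],          # e-mail, so it matches the SAML NameID
        "displayName": user["name"],
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": user["email"], "type": "work", "primary": True}],
        "active": bool(user["is_active"]),
    }


def validate_for_aws(payload):
    """Return the AWS SCIM constraints the payload violates (empty list = OK).
    Constraints assumed here, per the AWS SCIM documentation: userName, displayName,
    name.givenName and name.familyName are required; exactly one e-mail is accepted
    and it must be flagged primary."""
    problems = []
    for key in ("userName", "displayName"):
        if not payload.get(key):
            problems.append(f"{key} is required")
    for key in ("givenName", "familyName"):
        if not payload.get("name", {}).get(key):
            problems.append(f"name.{key} is required")
    emails = payload.get("emails", [])
    if len(emails) != 1 or not emails[0].get("value") or not emails[0].get("primary"):
        problems.append("exactly one primary e-mail is required")
    return problems
```

Running validate_for_aws over every user before the sync surfaces exactly the records (a one-word name, a missing e-mail) that AWS would reject, which is the usual reason a SCIM sync in this setup silently leaves users behind.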
  1. Manually sync the SCIM

In case SCIM was not synced (i.e. the users were not created in AWS IAM Identity Center), sync it manually before moving on. Log in as admin (the email you set up and the password from the authentik_password output of the main Terraform code) and go to Applications > Providers > aws-scim and hit the sync button. You can now see the users and groups created by the Authentik Terraform module in the AWS IAM Identity Center console (Users and Groups section).

Sync SCIM

  1. Initialize the AWS Organizations Terraform module

In the previous module, we created the users and groups. Now, from the AWS side, we need to grant these groups access to the AWS account and configure their permissions. First, let's initialize the Terraform module:

```sh
cd ../organizations
terraform init
```

  1. Create a file to define variables

```hcl
# organizations/vars.tfvars
aws_region        = "us-east-1"
instance_arn      = "arn:aws:sso:::instance/ssoins-abc123"
identity_store_id = "GHI"
```

The instance_arn and identity_store_id variables can be obtained in the settings page of the Identity Center.

  1. Deploy Organizations module

```sh
terraform apply --var-file=vars.tfvars
```

Here we create the permission sets (for administrators and developers) and assign these permission sets to the management account.

  1. Log in using admin or dev user

Log in using the dev or admin user. The credentials are available in the Authentik Terraform module!

You should be able to see the following applications on the Authentik home screen:

AWS and Grafana Apps

Now, let's log in to AWS using the Dev and Admin users to see the differences. First, let's use the Dev user:

Dev AWS Page

Now let's check with the Admin user:

Admin AWS Page

We will see the same behavior when accessing Grafana. First, let's use the Dev user:

Dev Grafana Page

Then, admin user:

Admin Grafana Page