Skip to content

Example of Single Sign-On via AWS IAM Identity Center (OIDC)

OIDC is a protocol based on OAuth 2.0 that allows users to log in to TrueWatch directly with their AWS account, without the need for repeated passwords. After AWS verifies the user, it generates an ID Token, TrueWatch verifies it and automatically logs in. Compared to traditional protocols, OIDC is more lightweight, simplifying cross-platform authentication processes, making it suitable for cloud-native applications.

Note

The OAuth 2.0 single sign-on feature of AWS IAM Identity Center is only available on AWS international sites.

1. Enable IAM Identity Center

For more details, refer to Enable Service.

2. Add an Application

  1. On the application management page, select "Customer Managed" and click "Add Application";
  2. Select the application type as "I want to set up an application";
  3. Continue to select OAuth 2.0 and proceed to the next step.

Configure Application

  1. Define the display name for this application, such as gc_oidc;
  2. Enter a description as needed;
  3. Select "Require Assignment";
  4. Enter the URL that users can access the application: https://auth.truewatch.com/login/sso;
  5. Select "Visible" for this application in the AWS access portal.
  6. Proceed to the next step.

3. Specify Authentication Settings

To add a customer-managed application that supports OAuth 2.0 to IAM Identity Center, you need to specify a trusted token issuer. It is the OAuth 2.0 authorization server that creates signed tokens. These tokens are used to authorize the requesting application to access the AWS-hosted application (the receiving application).

If there is no trusted token issuer in the application, you need to create one first.

  1. Fill in the issuer URL: https://auth.truewatch.com/login/sso;
  2. Define the name of the trusted token issuer, such as GC;
  3. Select the identity provider attribute email to map to email;
  4. Click Create;
  5. After successful creation, you will automatically enter the authentication page, where you can modify related settings as needed;
  6. Return to the "Specify Authentication Settings" page, refresh, and select the trusted token issuer;
  7. Fill in the Aud claim;
  8. Proceed to the next step.

//Not available

For more details, refer to Using Applications with a Trusted Token Issuer.

4. Specify Application Credentials

An IAM role is an identity you create with specific permissions, and its credentials are valid for a short period.

  1. Select "Enter one or more IAM roles";
  2. Select "View IAM roles", and on the new page, click to enter the role page;
  3. Copy its ARN;
  4. Fill in the ARN of this role;
  5. Proceed to the next step.

5. Review and Configure

After confirming the configuration is correct, submit. A page indicating the successful addition of the application will appear.

6. Assign User and Group Access Permissions

For more details, refer to Assign User and Group.

7. Login Verification

  1. Log in to the TrueWatch single sign-on page: https://auth.truewatch.com/login/sso;
  2. Select the application created on the AWS side from the list;
  3. Login address;
  4. Enter username, password;
  5. You can log in successfully.