Open praneetloke opened 5 years ago
@praneetloke Do you mean using AWS SSO with Pulumi, like as a fourth entry in https://www.pulumi.com/docs/guides/saml/?
@lukehoban yep that's right. However, I do think the SAML SSO overview doc should help users figure out the values in the absence of an AWS specific configuration doc.
@praneetloke is this still an issue?
Hiya! We've created specific doc guides now for https://www.pulumi.com/docs/pulumi-cloud/oidc/ providers, and a specific guide for AWS https://www.pulumi.com/docs/pulumi-cloud/oidc/aws/ and example code to make this easy to configure: https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider-pulumi-cloud . Thank you!
@interurban ... I don't think this is at all what @praneetloke was asking for ... I think this request is for SAML settings
That's right. My comment above clarifies this a bit. Admittedly, the issue title wasn't clear that this was for SAML. I've updated it now.
Glad that a doc exists for configuring AWS for OIDC though. That's very helpful!
After some internal inquiry, it looks like this is still a gap in our documentation coverage that should be documented (both how to wire up AWS SAML, and better documentation of the required SAML attributes). Assigned @GeoffMillerAZ to pick this one up and get it over the finish line.
Sorry. I'm having a lot of trouble on this one. I actually don't think it's possible. I wasn't super familiar with SAML to start, and by failing a few times at this I think I've got it much better, and I believe the confusion is that AWS does offer SAML integration and can be a SAML service provider. This can be done with AWS SSO and AWS Cognito. But it does not have the capability to act as a SAML Identity Provider (IdP). It can, however, act as an OIDC IdP. As such, the docs can get confused between these two protocols, leading someone to believe it's possible. The AWS Q copilot/AI will also tell you explicitly that no AWS service has the capability of being a SAML IdP. It does seem like AWS has hinted that they may one day offer this capability.
But until AWS offers this SAML IdP capability, you have to provide an existing third-party and external IdP into AWS SSO and AWS Cognito.
I also looked at other major tools that might have SSO SAML integration guides with AWS, and I found they also don't have guides on this topic -- which helped me to be more confident in my research. There are also plenty of forums stating that AWS doesn't yet have this capability, even though the posts were years old, which is why I kept researching in case the capability was added more recently.
...it would also be nice to have a doc that explains the various attributes that users are asked to configure.