Tuesday, April 9, 2024

AWS IAM Identity Center and Datadog SSO

When you join a company it's very common to get access to many applications like Slack, Sentry, Datadog, Cloudflare, etc. But have you thought about how that is possible? How do you manage an increasing number of users across a whole ecosystem of applications and services?

Single Sign-On, also known as SSO, allows users to access multiple applications by signing in with a single existing account. SAML is an open standard based on XML that enables SSO implementations. It consists of two parts, namely the SAML identity provider (IdP) and the SAML service provider (SP).

IdP examples:

- Jumpcloud

- Okta

- AWS IAM Identity Center


SP examples:

- Datadog

- Slack

- Sentry

- AWS Resources


Whether you are starting to grow a team or looking for more IdP options, here we are going to show an integration using AWS IAM Identity Center as the IdP and Datadog as the SP.

Why AWS IAM Identity Center?

One important concern, in my opinion, is saving money, so we are looking for the best-priced solution. Here comes AWS IAM Identity Center, a service that makes it easy for you to centrally manage access to multiple AWS accounts and business applications.

AWS IAM Identity Center is available to you at no additional cost. IAM Identity Center APIs are available in all regions supported by IAM Identity Center.

So, since we are already running servers on AWS, IAM Identity Center is free and it supports many application integrations, we decided to go for it. Datadog is the first service we want to integrate for new team members, and since there is no clear information on the internet about this integration, we are going to share it step by step.


Setup


  1. Make sure you have an administrator or root account on AWS

  2. Log in to your AWS console

  3. Go to IAM Identity Center

  4. Enable IAM Identity Center and choose Enable with AWS Organizations

  5. Go to Applications and then click Add Application

  6. Select “I want to select an application from the catalog” and search for Datadog

  7. Download the IAM Identity Center SAML metadata file and keep the window open for the rest of the configuration

  8. Make sure you have an administrator account on Datadog

  9. Log in to your Datadog dashboard

  10. In the Datadog app, hover over your username in the bottom left corner and select Organization Settings. Select Login Methods and click on Configure under SAML.

  11. Upload the IdP metadata file we downloaded from IAM Identity Center by clicking the Choose File button. After choosing the file, click Upload File.

  12. After uploading the IdP metadata, return to the Login Methods page and turn SAML on by default

  13. Now copy the Single Sign-on URL from Datadog and paste it into the AWS Identity Center window under Application Start URL

  14. Then go back to the Datadog Service Provider Details and download the Service Provider metadata file, named sp_metadata.xml

  15. Also add your domain to Just-In-Time Provisioning

  16. Go back to AWS IAM Identity Center and under Application Metadata select Upload application SAML metadata file

  17. Upload sp_metadata.xml from Datadog and submit

  18. Verify your Datadog application is active on AWS

  19. Click on your Datadog application, find the Actions button and select Edit Attribute mappings

  20. Verify you have givenName and sn; you are probably missing eduPersonPrincipalName. Then save the changes.

    It's very important to map the attributes correctly, since each Service Provider has its own attributes and most of the time this is the source of authentication errors.
    You can also see these attributes in the sp_metadata.xml from Datadog.

  21. After that, the IdP and SP are configured and we need to assign users

  22. Go to Users and click Add User in IAM Identity Center

  23. Create a user with your domain email, name, etc.

  24. After the user is created, they will receive an invitation email from AWS IAM Identity Center

  25. Accept the invitation from the email

  26. Then the user will need to create a password and set up MFA

  27. At this point the invited user is logged in to the AWS Access Portal but without applications

  28. Now, back in the AWS administrator account, go to Applications and find Datadog

  29. Click on Assign Users & Groups, select the user we just created and assign

  30. Back in the new user's AWS Access Portal, they should see the Datadog application

  31. Click on the Datadog application and the user should now have access to Datadog
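Because attribute mapping is where most of the authentication errors in a setup like this come from, here is an added Python check (not from the original post, nor AWS or Datadog code) that reads the RequestedAttribute entries from an SP metadata file and reports which required attributes an IdP mapping still lacks. The metadata below is a constructed sample shaped like sp_metadata.xml, not Datadog's real file, and the mapping values use IAM Identity Center's `${user:...}` placeholder syntax as an assumption.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace used by EntityDescriptor / SPSSODescriptor.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata (hypothetical entityID and URLs). It declares
# the three attributes mentioned in the post: eduPersonPrincipalName, givenName, sn.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="1"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="eduPersonPrincipalName" isRequired="true"/>
      <md:RequestedAttribute Name="givenName" isRequired="true"/>
      <md:RequestedAttribute Name="sn" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def requested_attributes(metadata_xml):
    """Return {attribute name: is_required} for every RequestedAttribute in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for attr in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        found[attr.get("Name")] = attr.get("isRequired", "false").lower() == "true"
    return found


def missing_mappings(metadata_xml, idp_mapping):
    """Names of required SP attributes that the IdP attribute mapping does not send."""
    wanted = requested_attributes(metadata_xml)
    return sorted(name for name, required in wanted.items() if required and name not in idp_mapping)


if __name__ == "__main__":
    # The mapping many setups start with: givenName and sn are present, the EPPN is not.
    mapping = {
        "Subject": "${user:email}",
        "givenName": "${user:givenName}",
        "sn": "${user:familyName}",
    }
    print(missing_mappings(SAMPLE_SP_METADATA, mapping))  # ['eduPersonPrincipalName']
```

Point the script at the real sp_metadata.xml you downloaded in step 14 to see exactly which attributes the SP expects before touching the IdP mapping.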



Did you know that your RoR application can support SAML client authorization? You just need https://github.com/SAML-Toolkits/ruby-saml, but that is another story.


Conclusion


Each Service Provider has its own caveats, whether it's an optional start URL, attribute mappings, certificates, etc. Here we set up a Datadog integration that is not very clear in the Datadog documentation. FYI, we did not cover IAM Identity Center groups or Datadog role mapping. I hope it helps anyone to start using SSO, or to discover a new IdP such as AWS IAM Identity Center to manage users and access more easily and securely... you can find me on X as @torukmnk. Cheers!
