Documentation
SupportStatusCommunitySign Up

AWS SAML SSO

Requirements

1. Initial Doppler SAML SSO Configuration

Go to the Doppler dashboard and from the menu click Team, then select the Roles tab from the top menu. Choose the Default Roles for users who login via SSO.

📘

The Workplace Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. The Project Role is the role granted to a user when they're added to a project, so set this to the role most commonly used. Users with the Owner role can adjust these after the user has logged in once. If you scroll down further on the Roles page, you'll see a breakdown of what permissions each Role has.

Screenshot of Team section in Doppler UI

After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the third party SAML SSO application.

Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the Add SAML button.

Screenshot of Doppler UI showing Add SAML button

Next, choose a verified domain from the dropdown menu and click Save.

Screenshot of modal in Doppler UI to create SAML SSO connection

📘

SAML SSO configuration requires having a domain associated with it because users login using their email address and the domain of that address is mapped back to your SAML SSO login. Verification is required when you add the domain to your account to confirm your ownership of the domain.

The domain you selected should show up now in the Inactive state. Click on the three dot menu and choose the Edit option.

Screenshot of Doppler UI showing edit option in dropdown menu

Copy the ACS URL and Entity ID URLs in the edit drawer that appears for use when configuring the third party SAML SSO application.

Screenshot of modal in Doppler UI showing configuration of SAML connection

2. Create SAML Application

In a separate window, browse to your AWS IAM Identity Center dashboard and select Applications under Application Assignments from the main menu on the left, then click the Add application button.

Screenshot of AWS Identity Center UI

Select the Add custom SAML 2.0 application option and then click the Next button at the bottom of the page.

Screenshot of AWS Identity Center UI

Next, provide a name (required) and description (optional) for your custom application.

Screenshot of AWS Identity Center UI

Scroll down and download the SAML metadata XML file in the IAM Identity Center metadata section. The contents of this XML metadata file will be used when configuring Doppler in a later step.

Screenshot of AWS Identity Center UI metadata section

Scroll down to the Application properties section and set the Application start URL to https://dashboard.doppler.com.

Screenshot of AWS Identity Center UI showing application properties

Scroll down to the Application metadata section, choose Manually type your metadata values and then add the ACS and Entity ID URLs you got from Step 1 above. Finally, click Submit.

Screenshot of AWS Identity Center UI

On the application details page you end up at after submitting, click the Actions button and choose Edit attribute mappings.

Screenshot of AWS Identity Center UI

Set the Subject attribute mapping so it maps to ${user.email} and has its format set to emailAddress. Click the Add new attribute mapping button and set its attributes to name, ${user:name} and unspecified. Finally, click Save changes.

Screenshot of AWS Identity Center UI showing attribute mappings

3. Update Doppler SAML SSO Configuration

Navigate to the Doppler Team page and click on the SSO tab.

Scroll down to the SAML Single Sign-On section, click on the three dot menu, and choose the Edit option. Paste in the IDP XML metadata, check the Enabled field, then click the Save button.

Screenshot of Doppler UI for SAML configuration modal

You're now ready to test the AWS SAML application!

4. Testing

As an AWS administrator, it's presumed you'll know how to sufficiently test a new AWS SSO application, but here is a general guide.

📘

Test sign-in flow using incognito window

Be sure to stay signed in to the Doppler dashboard until you've verified the AWS sign-in flow from an incognito window.

Staying signed in to the dashboard will allow you to update the SAML settings or disable SAML SSO in the event of misconfiguration.

From the application details page for your newly created Doppler SAML application, click the Assign Users button in the Assigned users section.

Screenshot of AWS Identity Center UI showing assigned users

Now select any users or groups you want to add and click the Assign Users button.

Screenshot of AWS Identity Center UI showing where to assign users

Now test the Doppler SAML sign-in flow by opening an incognito window, browsing to https://dashboard.doppler.com and sign-in using the AWS user you assigned from the previous step.

This will redirect you to the AWS login page and you should then get redirected to the Doppler dashboard for the assigned user.

Once you've verified the Doppler SAML application is configured correctly, you can then apply your standard organization policies for people and groups assignment.

Troubleshooting

Here are some general troubleshooting tips:

  • Double-check that the Application ACS URL and Application SAML audience values match exactly what is displayed in the Doppler SAML section.
  • Check that your user attribute mappings are entered correctly.

If you're still running into issues, the error page should present you with a requestId value that can be used by our support team for further diagnosis.

👍

Awesome Work!

Your custom AWS Doppler SAML 2.0 application is now set up!

Updated about 2 months ago