Panfactum LogoPanfactum
Infrastructure ModulesDirect ModulesAuthentikauthentik_aws_sso
authentik_aws_sso
Stable
Direct
Source Code Link

AWS SSO with Authentik

Providers

The following providers are needed by this module:

  • authentik (2024.8.4)

  • kubectl (2.1.3)

  • kubernetes (2.34.0)

  • random (3.6.3)

  • tls (4.0.6)

Required Inputs

The following input variables are required:

authentik_domain

Description: The domain name of the authentik instance

Type: string

authentik_namespace

Description: The kubernetes namespace where Authentik is deployed

Type: string

aws_acs_url

Description: The ACS url provided by AWS when configuring an external identity provider

Type: string

aws_issuer

Description: The Issuer url provided by AWS when configuring an external identity provider

Type: string

aws_sign_in_url

Description: The sign-in url provided by AWS when configuring an external identity provider

Type: string

media_configmap

Description: The configmap holding the static media that Authentik will use

Type: string

organization_name

Description: The name of your organization

Type: string

Optional Inputs

The following input variables are optional (have default values):

allowed_groups

Description: Only members of these groups can access AWS

Type: set(string)

Default: []

aws_scim_enabled

Description: Whether to enable SCIM with AWS

Type: bool

Default: false

aws_scim_token

Description: The SCIM token provided by AWS

Type: string

Default: ""

aws_scim_url

Description: The SCIM endpoint provided by AWS

Type: string

Default: ""

ui_description

Description: The description to display in the Authentik web dashboard

Type: string

Default: "Amazon Web Services - IAM Identity Center SSO Login"

ui_group

Description: The section in the Authentik web dashboard that this will appear in

Type: string

Default: "Amazon Web Services"

Outputs

The following outputs are exported:

saml_metadata

Description: n/a

Usage

  1. You have to enable AWS SSO in the root account via the web console before applying this module for the first time.

  2. The SAML metadata document from the IdP needs to be uploaded to AWS MANUALLY.

  3. SCIM provisioning must be configured MANUALLY. Group assignments won't work until this step is completed.

  4. The user portal URL needs to be configured MANUALLY in the aws web console in the SSO settings.