document Google G Suite SSO support (BCD-195) (#37)

eabb7d1b · JeremJR · Truc Nguyen · 758bf5ac · eabb7d1b · eabb7d1b
Commit eabb7d1b authored Mar 27, 2018 by JeremJR Committed by Truc Nguyen Mar 27, 2018
--- a/md/aws_prerequisites.md
+++ b/md/aws_prerequisites.md
@@ -8,7 +8,8 @@ If you do not have an Amazon Web Services (AWS) account yet, first sign up as de
 ## AWS Setup for BCD

 In order to use Amazon EC2 instances, some configuration steps need to be performed as a prerequisite.  
-The following steps are required to set up AWS credentials for Ansible automation.
+The following steps are the basic requirements to set up AWS credentials for Ansible automation.  
+Further configuration instructions for **AWS SIngle Sign-On** can be found [on this page](aws_sso.md).

 1. [Create an IAM Policy](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) to grant full access to Amazon EC2 on a specific region (eg. us-west-2)
    - **Policy name**: EC2FullAccess_us-west-2

--- a/md/aws_sso.md
+++ b/md/aws_sso.md
+# AWS Single Sign-On
+
+AWS allows to integrate [numerous Third-Party SAML Solution Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html).
+
+If you implement this kind of authentication, when you start the BCD Controller container it will no longer be necessary to mount the `boto` file.
+
+```
+$ docker run --rm -t -i --name bcd-controller \
+    -v <local_path_to_bonita-continuous-delivery_folder>:/home/bonita/bonita-continuous-delivery \
+    -v <local_path_to_ssh_private_key>:/home/bonita/.ssh/<ssh_private_key> \
+    bonitasoft/bcd-controller /bin/bash
+```
+
+Indeed you will use `~/.aws` directory instead.
+
+## Single Sign-On to AWS Using G Suite
+
+In this step we will provide you an example using G Suite from Google.
+
+First, set up a Single Sign-On to AWS using G Suite as described in [AWS website](https://aws.amazon.com/es/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps/).
+
+The BCD Controller already embeds [aws-google-auth](https://github.com/cevoaustralia/aws-google-auth) to manage the authentication.
+
+You will need to know Google's assigned Identity Provider ID (idp-id) and the ID assigned to the SAML service provider (sp-id).  
+`idp-id` can be found on Google Admin `Security > Set up single sign-on (SSO)` page in the SSO url provided. For instance: `https://accounts.google.com/o/saml2/idp?idpid=123456789012`  
+`sp-id` can be found into the URL of your browser when viewing Google Admin `Apps > SAML Apps > Amazon Web Services` page. For instance: `#AppDetails:service=123456789012`  
+
+After launching the BCD Controller you will have to authenticate yourself as below:
+```
+aws-google-auth --idp-id Abc012345 --sp-id 123456789012 -p default -u john.doe@acme.com
+```
+`aws-google-auth` will store the credentials into `~/.aws` directory through the `default` AWS profile
+
+If you want to use a different profile, you will have to export the variable accordingly:
+```
+aws-google-auth --idp-id Abc012345 --sp-id 123456789012 -p test -u john.doe@acme.com
+export AWS_PROFILE=test
+```
--- a/md/release_notes.md
+++ b/md/release_notes.md
@@ -10,5 +10,6 @@
 ### Enhancements
 - Handle REST_API_DYN_AUTH_CHECKS environment variable of Bonita docker image
 - Deactivate by default the Bonita [HTTP API](https://documentation.bonitasoft.com/bonita/${bonitaDocVersion}/rest-api-authorization#toc9)
+- Add Google G Suite SSO support

 ### Bugfixes
--- a/md/taxonomy.md
+++ b/md/taxonomy.md
@@ -7,6 +7,7 @@
    * [Bonita container custom initialization](_custom_init.md)
        * [Custom initialization overview](custom_init.md)
        * [How to configure REST API authorization](how_to_configure_rest_api_authorization.md)
+    * [AWS Single Sign-On](aws_sso.md)
 * [Scenario variables reference](scenarios.md)
 * [BCD Controller Docker image](_docker.md)
    * [Docker image overview](docker.md)