AWS IAM Identity Center — Shielda SSO Setup
Phase 11 fast-follow. Lets enterprise customers SSO into Shielda using AWS IAM Identity Center (formerly AWS SSO).
Prerequisites
- Shielda org with the Enterprise plan (or trial).
- IAM Identity Center enabled in your AWS Organization.
- Permission to create custom SAML 2.0 applications (IAM IC admin / sso:CreateApplication).
- The Shielda org id of the workspace you're enabling SSO for.
1. Pull the Shielda metadata
In Shielda → Settings → Authentication → Single Sign-On → AWS IAM Identity Center, click Show Setup Values. You'll see:
ACS URL        https://app.shielda.io/api/auth/saml/acs
SP entity ID   https://app.shielda.io/saml/<org-id>
Metadata URL   https://app.shielda.io/api/auth/saml/metadata
Or fetch them programmatically:
2. Create the IAM IC application
1. Open AWS Console → IAM Identity Center → Applications → Add application.
2. Choose Add custom SAML 2.0 application.
3. Name it Shielda Security, optionally upload the logo.
4. Under IAM Identity Center metadata, click Download to get the IdP metadata XML. You'll paste pieces of this into Shielda in step 4.
5. Under Application metadata, choose Manually type your metadata values and enter:
   - Application ACS URL → ACS URL from step 1.
   - Application SAML audience → SP entity ID from step 1.
6. Save.
3. Configure attribute mappings (claims)
In the application → Actions → Edit attribute mappings:
User attribute in app → Maps to (Format)

Subject → ${user:email} (emailAddress)
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Email → ${user:email} (unspecified)
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Name → ${user:displayName} (unspecified)
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Groups → ${user:groups} (unspecified)
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Department → ${user:department} (unspecified)
https://aws.amazon.com/SAML/Attributes/PrincipalTag:Title → ${user:title} (unspecified)
Save. Only Subject and the Email claim are strictly required; the others enable richer in-app personalisation.
4. Connect Shielda to IAM IC
Back in Shielda Settings → Authentication → Single Sign-On → AWS IAM Identity Center:
1. Click Use IAM Identity Center preset. Shielda pre-fills the attribute mapping with the AWS-side claim URIs.
2. Paste from the IdP metadata XML (step 2.4):
   - IdP entity ID → entityID="…" from <EntityDescriptor>.
   - IdP SSO URL → Location="…" from the <SingleSignOnService Binding="…HTTP-POST"/> element.
   - IdP signing certificate → contents of the <X509Certificate> element (base64, no BEGIN CERTIFICATE framing).
3. Set Default role for first-time JIT-provisioned users (recommended: member).
4. Click Save & enable.
5. Map IAM IC groups → Shielda roles
By default Shielda maps groups by name (case-insensitive; the - separator is ignored):
IAM IC group name → Shielda role

shielda-owners → owner
shielda-admins → admin
shielda-members → member
shielda-viewers / shielda-readers → viewer
Assign the appropriate IAM IC group(s) to the Shielda application under Application → Assigned users and groups. Groups not on the list above fall through to the Default role you set in step 4.
For custom mapping rules, override the table from Settings → Authentication → Group mapping.
6. (Optional) Enable SCIM provisioning
Shielda exposes a fully SCIM 2.0–compliant provisioning endpoint at /api/scim/v2. To turn on automatic user lifecycle:
1. In Shielda → Settings → Provisioning → Enable SCIM, copy the bearer token.
2. In IAM IC → Application → Provisioning → Enable:
   - SCIM endpoint URL → https://app.shielda.io/api/scim/v2
   - Access token → token from above.

IAM IC will sync user adds, attribute updates, and de-provisioning within ~5 minutes.
7. Test
1. Sign out of Shielda in your browser.
2. Click the Shielda tile in your AWS access portal (https://<your-id>.awsapps.com/start).
3. You should land in the Shielda dashboard with the role mapped from your IAM IC group memberships.
Troubleshooting
Symptom: acssignatureinvalid on first sign-in
Fix: Re-paste the IdP signing certificate; AWS sometimes wraps the base64 with whitespace.

Symptom: User signs in but lands in viewer despite being in shielda-admins
Fix: Confirm the Groups attribute mapping is forwarding ${user:groups} (multi-valued) and not ${user:group}.

Symptom: emailclaimmissing 400 from /api/auth/saml/acs
Fix: The Subject mapping must resolve to an email, not a UUID. Set it to ${user:email}.

Symptom: SCIM users created but groups not synced
Fix: Group sync requires an additional toggle in IAM IC → Application → Provisioning → Sync groups.
Security notes
Shielda always requires WantAssertionsSigned="true" (see metadata.ts). Unsigned assertions are rejected with HTTP 400. The signing certificate fingerprint is logged on every successful login as auth.saml.idpcertfp. Set up an alert if the fingerprint ever changes unexpectedly. Both the SAML and the SCIM bearer tokens can be rotated independently from Settings → Authentication.
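As an added helper, not part of Shielda or of this guide's own code, the script below pulls the three step 4 values out of the IdP metadata XML downloaded in step 2.4, collapses the whitespace-wrapped base64 behind the acssignatureinvalid symptom above, and computes a certificate fingerprint an admin can keep beside the auth.saml.idpcertfp log field when setting up the change alert. The sample metadata and certificate body are constructed placeholders, and colon-separated SHA-256 over the DER certificate is an assumed fingerprint format, since this page does not state which hash Shielda logs.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the IdP metadata XML that IAM Identity Center exports. The
# X509Certificate body is placeholder base64 (not a real certificate), wrapped across lines.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/saml/EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBEXAMPLEcert1
      NOTaREALcertABCD
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the three values step 4 asks for from an IdP metadata XML document."""
    root = ET.fromstring(xml_text)  # use defusedxml instead if the XML comes from an untrusted party
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor")
    # Select the HTTP-POST endpoint specifically; the Redirect one is listed first and is easy to mis-paste.
    sso = [s.attrib["Location"] for s in idp.iterfind("md:SingleSignOnService", NS)
           if s.attrib.get("Binding") == POST]
    if not sso:
        raise ValueError("no HTTP-POST SingleSignOnService")
    certs = [c.text for kd in idp.iterfind("md:KeyDescriptor", NS)
             if kd.attrib.get("use", "signing") == "signing"  # no 'use' means signing and encryption
             for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs or not certs[0]:
        raise ValueError("no signing X509Certificate")
    # Collapse the line wrapping AWS adds; Shielda wants bare base64 with no PEM framing.
    cert_b64 = "".join(certs[0].split())
    base64.b64decode(cert_b64, validate=True)  # fail early on stray characters
    return {"entity_id": root.attrib["entityID"], "sso_url": sso[0], "cert_b64": cert_b64}

def cert_fingerprint(cert_b64: str) -> str:
    """Colon-separated SHA-256 of the DER certificate (assumed format of auth.saml.idpcertfp)."""
    hexdigest = hashlib.sha256(base64.b64decode(cert_b64, validate=True)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))
```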