In this blog post I’ll walk through how to enable SSO (Single Sign-On) between Azure and AWS using Azure AD integration.
Integrating AWS with Azure AD provides you with the following benefits:
- You can control in Azure AD who has access to Amazon Web Services (AWS)
- You can enable your users to automatically get signed-on to Amazon Web Services (AWS) (Single Sign-On) with their Azure AD accounts
- You can manage your accounts in one central location – the Azure classic portal
Before we go through the steps, the following are the prerequisites:
- An Azure AD enabled subscription
- An AWS subscription
High-level overview of what we are going to do:
- Adding Amazon Web Services (AWS) from the gallery
- Configuring and testing Azure AD single sign-on
NOTE:- For this walkthrough I used the old (classic) Azure AD portal.
Log in to the Azure ASM (classic) portal at https://manage.windowsazure.com
Click the Azure AD icon.
Select the Azure AD directory and click the Applications tab at the top.
In the Applications tab click Add at the bottom of the page.
Select Add an application from the gallery.
In the Application Gallery search for AWS, select Amazon Web Services (AWS), give it a display name and click the check mark.
After adding it, it will show up in the Applications tab.
Click the Amazon Web Services application and it will navigate you to the application home page. On the home page click Configure single sign-on.
When you click Configure single sign-on, it takes you to a configuration wizard. On the first page select Microsoft Azure AD Single Sign-On.
In Configure App Settings we don’t have to make any modifications, so click Next.
In the next step download the metadata file. We need this in a later step.
NOTE:- Don’t click Next until we have configured the AWS side.
Next we have to configure AWS IAM (Identity and Access Management).
Log in to AWS.
At the top select Services –> Security, Identity & Compliance and click IAM.
In IAM navigate to Identity Providers and click Create Provider.
In Configure Provider select SAML as the provider type, give it a provider name and upload the metadata document downloaded from Azure AD.
Verify the provider information and click Create.
We can see the provider as below.
Next we need to create an IAM role. Navigate to the Roles tab and click Create New Role.
Give a Role Name
Select a Role Type
In Establish Trust the SAML provider created previously is populated automatically; click Next.
Next we can verify the role’s trust relationship with the SAML provider.
Next attach a policy to the role. For this I selected AdministratorAccess; if you want to specify a different access policy you can define it here.
Review the settings and copy them (the Role ARN and the Trusted Entity ARN) to notepad, because we need them in a later step.
You can see the role as below.
Next go back to Azure AD and click Next to continue the configuration.
Next it shows the page for the email address to which the SSO configuration confirmation is sent.
Next click the Attributes tab in the application, then click Add User Attribute.
Add the following two attributes:
- Attribute Name – https://aws.amazon.com/SAML/Attributes/Role
  Attribute Value – [the Role ARN value],[the Trusted Entity ARN value], i.e. the two ARNs separated by a comma. Both can be found in the notepad content saved in the previous step.
- Attribute Name – https://aws.amazon.com/SAML/Attributes/RoleSessionName
  Attribute Value – user.userprincipalname
Click Apply Changes at the bottom of the page.
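The two attribute values above and the role trust relationship verified earlier fit together as follows. The Python below is an added example and is not part of the original post: it builds the Role attribute value from the Role ARN and the Trusted Entity (SAML provider) ARN, shows the trust policy IAM generates for a SAML-federated role, and sanity-checks the attribute mapping before it is applied in Azure AD. The account id, role name, provider name and the user’s UPN are constructed placeholders, and `role_trust_policy`, `role_attribute_value` and `check_attribute_mapping` are names chosen for this example.

```python
import json
import re

# Constructed placeholder values: substitute the Role ARN and Trusted Entity ARN
# copied to notepad from the IAM role review page. (Assumed, not from the post.)
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AzureAD-Admin"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/AzureAD"

# Audience AWS expects in the SAML assertion for console sign-in.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# RoleSessionName: 2-64 characters from the set AWS STS accepts.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def role_trust_policy(provider_arn: str) -> dict:
    """Trust relationship IAM generates for a SAML-federated role: only the
    named identity provider may call AssumeRoleWithSAML, and only when the
    assertion's audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(role_arn: str, provider_arn: str) -> str:
    """Build the value of the Role attribute: '<role ARN>,<provider ARN>',
    with both ARNs well-formed and in the same AWS account."""
    role_m = ROLE_ARN_RE.match(role_arn)
    prov_m = PROVIDER_ARN_RE.match(provider_arn)
    if not role_m:
        raise ValueError(f"malformed role ARN: {role_arn!r}")
    if not prov_m:
        raise ValueError(f"malformed SAML provider ARN: {provider_arn!r}")
    if role_m.group(1) != prov_m.group(1):
        raise ValueError("role and provider ARNs belong to different accounts")
    return f"{role_arn},{provider_arn}"


def check_attribute_mapping(attrs: dict) -> list:
    """Sanity-check the two SAML attributes before applying them in Azure AD.
    Returns a list of problems; an empty list means the mapping looks right.
    `attrs` holds the values as AWS would receive them, i.e. with
    user.userprincipalname already resolved to the user's UPN."""
    problems = []
    parts = attrs.get(ROLE_ATTR, "").split(",")
    if len(parts) != 2:
        problems.append("Role attribute must be '<role ARN>,<provider ARN>'")
    else:
        try:
            # No stripping: a stray space after the comma is a real defect.
            role_attribute_value(parts[0], parts[1])
        except ValueError as exc:
            problems.append(str(exc))
    if not SESSION_NAME_RE.match(attrs.get(SESSION_ATTR, "")):
        problems.append("RoleSessionName must be 2-64 chars of [A-Za-z0-9_+=,.@-]")
    return problems


if __name__ == "__main__":
    # Constructed assertion attributes for a user whose UPN is user@contoso.com.
    attrs = {
        ROLE_ATTR: role_attribute_value(ROLE_ARN, PROVIDER_ARN),
        SESSION_ATTR: "user@contoso.com",
    }
    print(json.dumps(role_trust_policy(PROVIDER_ARN), indent=2))
    print(attrs[ROLE_ATTR])
    print("problems:", check_attribute_mapping(attrs))
```

The account check matters because the Trusted Entity ARN names the provider in the role’s trust policy: a Role attribute that pairs the role with a provider from another account will be refused by STS even though both ARNs look valid on their own.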
Next we have to create an AWS user. Log in to the AWS console, and in IAM click Users and then Add User.
For the user name enter the user’s UPN as below. For the access type select Programmatic access.
In Set Permissions select Attach existing policies directly.
For this example I used the SystemAdministrator policy.
Review the permissions and create the user.
Now log in to Azure AD, navigate to the AWS application, and in the Users tab select the user and assign access by clicking Assign at the bottom of the page.
Open a new tab and go to http://myapps.microsoft.com/ to access the applications assigned to the user.
When you click the AWS application it uses SSO to log in to the AWS web console as below.