Configure SSO between Azure & AWS (Amazon Web Service)

In this blog post I'll walk through how to enable SSO (Single Sign-On) between Azure and AWS using Azure AD integration.

Integrating AWS with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to Amazon Web Services (AWS)
  • You can enable your users to get signed on to Amazon Web Services (AWS) automatically (Single Sign-On) with their Azure AD accounts
  • You can manage your accounts in one central location – the Azure classic portal

Before we go through the steps, the following are the prerequisites:

  • A subscription with Azure AD enabled
  • An AWS subscription

High-level overview of what we are going to do:

  • Adding Amazon Web Services (AWS) from the gallery
  • Configuring and testing Azure AD single sign-on

NOTE:- For this I used the old Azure AD portal.

Log in to the Azure ASM portal at https://manage.windowsazure.com

Click the Azure AD icon.

Select the Azure AD directory and click the Applications tab at the top.

In the Applications tab, click Add at the bottom of the page.

Select Add an application from the gallery.

In the Application Gallery, search for AWS and select Amazon Web Services (AWS), give it a display name and click the check mark.

After adding it, it will show in the Applications tab.

Click the Amazon Web Services application and it will navigate you to the application home page. On the home page, click Configure single sign-on.

When you click Configure single sign-on, it will take you to a configuration wizard. On the first page, select Microsoft Azure AD Single Sign-On.

In Configure App Settings we don't have to make any modifications, so click Next.

In the next step, download the metadata file. We need this in a later step.

NOTE:- Don't click Next until we have configured the AWS side.

Next we have to configure AWS IAM (Identity and Access Management).

Log in to AWS.

At the top, select Services -> Security, Identity & Compliance and click IAM.

In IAM, navigate to Identity Providers and click Create Provider.

Next, configure the provider: select SAML as the provider type, give it a provider name and upload the metadata document downloaded earlier.

Verify the provider information and click Create.

We can see the provider as below.

Next we need to create an IAM role. Navigate to the Roles tab and click Create New Role.

Give it a role name.

Select a role type.

In Establish Trust, it will automatically populate the SAML provider created previously; click Next.

Next we can verify the role's trust relationship with the SAML provider.

Next, attach a policy to the role. For this I selected AdministratorAccess; if you want to specify any other access policy you can define it here.

Review the settings and copy them to Notepad because we need them in a later step.

You can see the role as below.

Next, go back to Azure AD and click Next to continue the configuration.

Next it shows the email address to which the SSO configuration confirmation is sent.

Next, click the Attributes tab in the application, then click Add User Attribute.

Add the following two attributes:

Attribute Name – https://aws.amazon.com/SAML/Attributes/Role

Attribute Value – [the Role ARN value],[the Trusted Entity ARN value]. We can find these in the Notepad content saved in the previous step.

Attribute Name – https://aws.amazon.com/SAML/Attributes/RoleSessionName

Attribute Value – user.userprincipalname

Click Apply Changes at the bottom of the page.
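As an added example (not part of the original post), the Python below builds the SAML trust policy that the IAM console generates in the Establish Trust step, builds the Role attribute value for Azure AD from the two ARNs, and checks a Role attribute value for the pairing mistakes that make the AWS sign-in fail (wrong order, mixed accounts). The account id, role name and provider name are constructed placeholders.

```python
import json
import re

# Constructed sample values for this example; substitute your own account id and names.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AzureAD-Admin"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/AzureAD"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=,.@/-]+)$")

def saml_trust_policy(provider_arn):
    """Trust policy the console builds in the 'Establish Trust' step: only SAML
    assertions from this provider, addressed to AWS sign-in, may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }

def role_attribute_value(role_arn, provider_arn):
    """Value of the Azure AD attribute https://aws.amazon.com/SAML/Attributes/Role."""
    return f"{role_arn},{provider_arn}"

def check_role_attribute(value):
    """List the problems in a Role attribute value (empty list means it is well formed)."""
    parts = value.split(",")
    if len(parts) != 2:
        return ["expected exactly two comma-separated ARNs"]
    matches = [ARN_RE.match(p.strip()) for p in parts]
    if not all(matches):
        return ["one of the values is not a valid IAM role or saml-provider ARN"]
    (acct_a, type_a, _), (acct_b, type_b, _) = (m.groups() for m in matches)
    problems = []
    if type_a != "role":
        problems.append("first ARN must be the role ARN")
    if type_b != "saml-provider":
        problems.append("second ARN must be the SAML provider ARN (Trusted Entity)")
    if acct_a != acct_b:
        problems.append("role and provider ARNs belong to different AWS accounts")
    return problems

if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(PROVIDER_ARN), indent=2))
    print(check_role_attribute(role_attribute_value(ROLE_ARN, PROVIDER_ARN)) or "Role attribute OK")
```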

Next we have to create an AWS user. Log in to the AWS console, and in IAM click Users and then Add User.

For the user name, enter the user's UPN as below. For the access type, select Programmatic access.

In Set Permissions, select Attach existing policies directly.

For this example I used the SystemAdministrator policy.

Review the permissions and create the user.

Now log in to Azure AD, navigate to the AWS application, and in the Users tab select the user and assign access by clicking Assign at the bottom of the page.

Open a new tab and go to http://myapps.microsoft.com/ to access the applications assigned to the user.

When you click the AWS application, it uses SSO to log in to the AWS web console as below.