- Reserved EC2 Instances vs. AWS Savings Plans - Thu, Oct 21 2021
- Amazon EC2 on-demand Capacity Reservations: A step-by-step guide - Thu, Oct 7 2021
- Delete the Amazon Machine Image (AMI) and its associated snapshots - Tue, Oct 5 2021
Before we get started, make sure you have the following prerequisites in place:
- An Azure AD tenant
- An AWS organization with all features enabled
- At least one user in Azure AD directory to use for testing
Enable AWS Single Sign-On ^
In the AWS master account console, search for AWS Single Sign-On (SSO) and open it. You are redirected to a new console from which you can enable AWS SSO by clicking on Enable AWS SSO.
Once enabled, you can navigate to AWS SSO settings, where you can change the identity source.
Choose the External identity provider option and then click Download metadata file.
Create an enterprise application in Azure AD ^
The next step is to create an enterprise application in Azure AD for AWS Single Sign-On. To do so, perform the following steps:
- Navigate to the Azure portal and search for Enterprise Applications.
- On the All Applications blade, click New application.
- Search for AWS Single Sign-on.
- Click it and specify a name for the application in the new blade that is opened.
- Click Create.
Once the application is created, navigate to Single sign-on and choose SAML.
Then, click Upload metadata file to upload the metadata file that you downloaded earlier.
Once it is uploaded, save the automatically populated SAML configuration.
Once saved, scroll down to the SAML Signing Certificate section and download Federation Metadata XML.
Configure Auto-Provisioning ^
Switch back to the last AWS SSO page we had opened, and upload the Federation Metadata XML.
Once uploaded, click Next: Review, which will take you to another page where you can review the consequences of your requested identity source change.
Once reviewed, type ACCEPT and click Change identity source.
Once the change is made, go back to the SSO settings and click Enable automatic provisioning to begin using automatic provisioning.
A new page will pop up that includes an SCIM endpoint and an access token. Copy these two values and switch back to the AWS enterprise application we created earlier in Azure AD.
Navigate to Provisioning and click Get Started.
Change the provisioning mode to Automatic and pass the value of the SCIM endpoint in the Tenant URL and the access token in the Secret Token.
Click Test Connection to verify that you can connect to AWS with these credentials.
Once the test succeeds, click Save and change Provisioning Status to On.
Navigate back to the AWS Enterprise Application Users and groups and select the users and/or groups you would like to grant permissions to AWS.
Once the users/groups have been added, navigate to Provisioning to check the status of user sync from Azure AD to AWS.
It looks like the two added users have been synchronized to AWS. To verify this, we will switch back to the AWS SSO Users section.
Map Azure AD users and groups to AWS permissions ^
From the AWS SSO console, navigate to AWS accounts > Permission sets and click Create permission set.
You will be redirected to a new page from which you can start the process of creating a permission set.
- First, specify whether you would like to use an existing job function policy or create a custom one. In this article, we will use an existing one.
- Then, you can select the existing policy. We will use ViewOnlyAccess to test it.
Once created, switch back to AWS accounts > AWS organization and select the projects to which you would like to grant users the permission set you just created.
Afterward, click Assign users.
Select the users/groups you would like to map to the permission set over the previously selected project.
Select the permission set.
Then, click Finish and start testing.
Testing user access ^
There are a couple of ways to test user access:
Subscribe to 4sysops newsletter!
- Via myapps.microsoft.com, you can click the AWS Single Sign-on application. This redirects you to the AWS SSO page, from which you can select the account and the permission set (if you have more than one assigned to you), and set whether you want to access it via the management console or the command line.
- Via the user portal URL in AWS SSO settings, which would directly open the AWS SSO page shown previously.If you open the AWS management console, you will be able to view all the resources; however, if you try to create any resource, for example, an EC2 instance, you will get an error that you're not authorized.
In this article, we've gone through how to integrate AWS SSO with Azure AD. If you've got any further questions, please mention them in the comments.