AWS Best Practice: Azure AD SAML Authentication Configuration for AWS Console

By admin
October 12, 2017


Azure AD SAML Authentication Configuration for AWS Console

As AWS experts, we often get asked how different technologies can work with AWS. Most recently we had a customer ask us how to use Azure Active Directory (AD) to manage user authentication to access the AWS console. While we don’t often discuss hybrid cloud technologies in this blog, we thought we’d share with you how we configured Azure AD to manage access to the AWS console.


By following the steps we outline here, you will get:

  • 2 AWS accounts with 3 identical roles in each (Admin, Dev, Auditor)
  • 3 Azure AD groups (Admin, Dev, Auditor) which will map to AWS IAM roles
  • 1 Azure AD Enterprise application to control all users and groups

Before we dive in, note that while Microsoft offers a tutorial on how to integrate Azure AD with AWS, our guide differs as it does not require storing AWS root account credentials in Azure.

To get started you will need:

  • 2 AWS accounts
  • 1 Azure account

Step One: Create users and groups in Azure AD

  • In the Azure portal, go to Azure AD → Users and Groups → All Groups
  • Click on New Group and create the following groups:
| Name         | Description        | Membership Type |
|--------------|--------------------|-----------------|
| AWS Admins   | AWS Administrators | Assigned        |
| AWS Devs     | AWS Developers     | Assigned        |
| AWS Auditors | AWS Auditors       | Assigned        |


  • Click on All Users → New Users and create the following users:
| Name        | User Name                         | Group        |
|-------------|-----------------------------------|--------------|
| Admin User  | admin@flux7demo.onmicrosoft.com   | AWS Admins   |
| Dev User    | dev@flux7demo.onmicrosoft.com     | AWS Devs     |
| AWS Auditor | auditor@flux7demo.onmicrosoft.com | AWS Auditors |

Step Two: Set up the Enterprise Application in Azure AD

  • Click on Azure AD → Enterprise applications → All applications → New Application → All
  • In the text box enter “AWS” and you should see 2 applications


  • Select the one with the black icon “Amazon Web Services (AWS) – Developer services”
  • Change the name as needed, as it will display to end users, then click Add
  • Click on Single sign-on and select SAML-based Sign-on
  • Check the checkbox View and edit all other user attributes
  • Click on Add attribute and add the following
| Name                                                | Value                  |
|-----------------------------------------------------|------------------------|
| https://aws.amazon.com/SAML/Attributes/RoleSessionName | user.userprincipalname |
| https://aws.amazon.com/SAML/Attributes/Role            | user.assignedroles     |

Note: you can leave the namespace empty; if you refresh the page it will update it automatically.

Also note that if you have a single role in a single account, instead of user.assignedroles you can set https://aws.amazon.com/SAML/Attributes/Role to a fixed value of the form <IAM role ARN>,<IAM Identity Provider ARN>.

  • Download the metadata XML
  • Click on Save

Step Three: Set up the Identity Provider in AWS IAM

Repeat the following tasks twice, once on each AWS account.

  • Log in to the AWS Console and click on IAM → Identity Providers → Create Providers
  • Select SAML as Provider Type
  • Enter AzureAD as Provider Name
  • Upload the Metadata XML file downloaded previously
  • Click on Next → Create


Step Four: Set up IAM Roles

  • Click on Roles → Create new role → Grant Web Single Sign-On (WebSSO) access to SAML provider
  • Select AzureAD as SAML Provider
  • Click on Next Step
  • Select AdministratorAccess as policy
  • Enter AWS-Admins-SAML-AzureAD as Role name
| Role Name                 | Policy                                    |
|---------------------------|-------------------------------------------|
| AWS-Admins-SAML-AzureAD   | AdministratorAccess                       |
| AWS-Devs-SAML-AzureAD     | AmazonS3FullAccess                        |
| AWS-Auditors-SAML-AzureAD | AWSConfigRole, AWSCloudTrailReadOnlyAccess |

  • Take note of the Role ARN and Trusted Identity for each role
| Role                      | Account      | Role ARN                                                  | Trusted Identity                                  |
|---------------------------|--------------|-----------------------------------------------------------|---------------------------------------------------|
| AWS-Admins-SAML-AzureAD   | 591616221111 | arn:aws:iam::591616221111:role/AWS-Admins-SAML-AzureAD   | arn:aws:iam::591616221111:saml-provider/AzureAD |
| AWS-Devs-SAML-AzureAD     | 591616221111 | arn:aws:iam::591616221111:role/AWS-Devs-SAML-AzureAD     | arn:aws:iam::591616221111:saml-provider/AzureAD |
| AWS-Auditors-SAML-AzureAD | 591616221111 | arn:aws:iam::591616221111:role/AWS-Auditors-SAML-AzureAD | arn:aws:iam::591616221111:saml-provider/AzureAD |
| AWS-Admins-SAML-AzureAD   | 698203112222 | arn:aws:iam::698203112222:role/AWS-Admins-SAML-AzureAD   | arn:aws:iam::698203112222:saml-provider/AzureAD |
| AWS-Devs-SAML-AzureAD     | 698203112222 | arn:aws:iam::698203112222:role/AWS-Devs-SAML-AzureAD     | arn:aws:iam::698203112222:saml-provider/AzureAD |
| AWS-Auditors-SAML-AzureAD | 698203112222 | arn:aws:iam::698203112222:role/AWS-Auditors-SAML-AzureAD | arn:aws:iam::698203112222:saml-provider/AzureAD |

Step Five: Configure App Registrations in Azure AD

  • Click on Azure AD → App Registrations
  • Select the application created earlier. By default it is named Amazon Web Services (AWS).
  • Click the edit Manifest icon
  • Edit the manifest by adding the following code to the appRoles array
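As an added example (not code from the original post), the following Python script builds one appRoles entry per role in the Step Four table, with the value in the <IAM role ARN>,<IAM Identity Provider ARN> form from Step Two, and refuses any pair whose role and provider sit in different accounts, since such a value could never satisfy the role's trust policy. The manifest field names follow the Azure AD application manifest schema; the deterministic ids and the descriptions are assumptions of this example.

```python
import json
import re
import uuid

# Constructed from the Step Four table: account ids and role names as given in the post.
ROLE_NAMES = ["AWS-Admins-SAML-AzureAD", "AWS-Devs-SAML-AzureAD", "AWS-Auditors-SAML-AzureAD"]
ROLES = {acct: ROLE_NAMES for acct in ("591616221111", "698203112222")}
PROVIDER = "AzureAD"  # identity provider name chosen in Step Three
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@-]+)$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")

def parse_role_attribute(value):
    """Split '<role ARN>,<provider ARN>' and verify both name the same AWS account:
    a cross-account pair can never satisfy the role's trust policy, so reject it here."""
    role_part, _, provider_part = value.rpartition(",")
    role_m = ROLE_ARN.match(role_part.strip())
    provider_m = PROVIDER_ARN.match(provider_part.strip())
    if not role_m or not provider_m:
        raise ValueError(f"malformed Role attribute value: {value!r}")
    if role_m.group(1) != provider_m.group(1):
        raise ValueError(f"role and provider are in different accounts: {value!r}")
    return {"account": role_m.group(1), "role": role_m.group(2), "provider": provider_m.group(2)}

def is_valid_role_attribute(value):
    try:
        parse_role_attribute(value)
        return True
    except ValueError:
        return False

def app_role_entry(account, role_name, provider=PROVIDER):
    """One appRoles entry for the application manifest; 'value' is what Azure AD
    puts in the Role SAML attribute for users assigned to this app role."""
    value = f"arn:aws:iam::{account}:role/{role_name},arn:aws:iam::{account}:saml-provider/{provider}"
    parse_role_attribute(value)  # self-check before the entry reaches the manifest
    return {
        "allowedMemberTypes": ["User"],
        "description": f"{role_name} in AWS account {account}",
        "displayName": f"{role_name} ({account})",
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, value)),  # assumption: deterministic id per role
        "isEnabled": True,
        "value": value,
    }

def build_app_roles(roles_by_account=ROLES):
    return [app_role_entry(acct, name) for acct, names in roles_by_account.items() for name in names]

if __name__ == "__main__":
    print(json.dumps(build_app_roles(), indent=2))
```

Paste the printed array into the manifest's appRoles list, then assign each Azure AD group from Step One to the matching app role so user.assignedroles carries the right value at sign-in.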
