In this tutorial I will show you how to integrate Azure AD with AWS. The goal is to use a single identity, your on-premises AD user or your Azure AD user, to sign in directly to the AWS Management Console.
SSO between Azure AD and Amazon Web Services works a little differently from most gallery applications: AWS does not need an IAM user for every person who signs in. Federated users assume an IAM role, and Azure AD learns which roles exist by reading them from the account through a provisioning connection. The only IAM user we create in the AWS console is the one used for that provisioning connection, and it is created with access keys only, no console password.
Let's add the AWS app to the Microsoft Azure SaaS application Gallery.
In the Azure portal, go to "Azure Active Directory", then "Enterprise Applications", and click "All Applications". Next, click "New Application", search for "Amazon Web Services (AWS)" and select the application. You can change the name of the application to make it easier to identify which AWS account is integrated. After changing the name, click "Add" and wait for the application to be provisioned. Once the application is provisioned, go to "Single Sign-On".
Under "Single sign-on", choose "SAML-based sign-on". This step is important, because a few parameters must be set exactly for the integration with AWS to work.
Expand "Show advanced URL settings", go to "Identifier" and enter "urn:amazon:webservices" (lower case, no spaces; this is the SAML entity ID that AWS expects as the audience of the assertion).
Next we add two attributes under "User attributes". Select "View and edit all other user attributes", click "Add Attribute" and add the following:

Attribute name  | Attribute value        | Namespace
RoleSessionName | user.userprincipalname | https://aws.amazon.com/SAML/Attributes
Role            | user.assignedroles     | https://aws.amazon.com/SAML/Attributes

*Attribute names and the namespace are case sensitive. "RoleSessionName" becomes the session name AWS shows for the federated user; "Role" must carry the pair "role ARN,SAML provider ARN" of the AWS role the user may assume, which is what "user.assignedroles" supplies once the roles have been imported by provisioning and assigned to the user in Azure AD.
Now download the "Metadata XML" and save it in a secure location on your computer; it contains the signing certificate and is what we will upload to AWS. Leave the "Signing Algorithm" at its default, "SHA-256": AWS accepts SHA-256 signed SAML responses, and SHA-1 is a deprecated signature algorithm that should not be selected for a new integration. Make sure the certificate is marked as active, then click "Save".
Done, the first part is set up. Now we go to the AWS console and open Identity and Access Management (IAM). Create an identity provider: go to "Identity providers" and click "Create Provider". Select the provider type "SAML", give the provider a name, upload the metadata XML downloaded from Azure AD, click "Next" and then "Create". Done, the identity provider was created successfully.
Now let's create a role: go to "Roles" and click "Create role". Choose "SAML 2.0 federation" as the trusted entity, select the identity provider just created, select "Allow programmatic and AWS Management Console access", then click "Next: Permissions". Select the policy; in this case I am giving full access ("AdministratorAccess"). In a real deployment attach only the permissions the federated users actually need, because everyone assigned this role in Azure AD receives all of them. Give the role a name and click "Create role". Done, the role was created successfully.
Now we create the IAM user that Azure AD will use to read the roles from the account. Go to "Users" and "Add user". Give the user a name, select the access type "Programmatic access" only (no console password), and click "Next: Permissions". Select "Attach existing policies directly" and attach a policy that grants only what Azure AD needs to list the roles, iam:ListRoles and iam:ListAccountAliases; then click "Next: Review" and "Create user". Download the ".csv" file or copy the Access key ID and Secret access key now, because the secret is shown only once. We will go back to Azure AD to enter these values in the provisioning configuration.
Back in Azure AD, open the application and select "Provisioning". The mode is "Manual" by default; change it to "Automatic", then fill in "clientsecret" with the Access key ID and "Secret Token" with the Secret access key of the IAM user. Click "Test Connection", then "Save". Done, communication between Azure AD and AWS is working. Finally, under "Settings", set "Provisioning Status" to "On" and click "Save". The first provisioning cycle takes a while; when it completes, the AWS roles appear as roles of the enterprise application.
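To see how the Azure AD claims above and the two IAM steps fit together, here is a small checker. It is example code added for this article, not part of the original post or of any AWS or Microsoft tooling; the account ID, role name and provider name are constructed placeholders. It builds the "Role" claim value in the "role ARN,provider ARN" form that AWS expects, validates such a value and a RoleSessionName against the AssumeRoleWithSAML constraints, and emits the role trust policy and the least-privilege policy for the provisioning user.

```python
"""Checks for the values that tie the Azure AD SAML claims to IAM.
Example code added for this article (not the original post's code).
Account ID, role and provider names are constructed placeholders."""
import json
import re

# Constants used by the integration (see the Azure AD SSO settings).
SAML_NAMESPACE = "https://aws.amazon.com/SAML/Attributes"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
AWS_ENTITY_ID = "urn:amazon:webservices"

# IAM ARN for a role or SAML provider. Commas are excluded from the name
# on purpose, since the Role claim itself is comma separated.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@/-]+)$")
# RoleSessionName rules from the AssumeRoleWithSAML API: 2-64 chars of [\w+=,.@-]
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def role_claim(account_id: str, role_name: str, provider_name: str) -> str:
    """Build the value Azure AD must send in the Role claim:
    '<role ARN>,<SAML provider ARN>' (one such value per assignable role)."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def check_role_claim(value: str) -> list:
    """Return a list of problems with a Role claim value (empty list = OK)."""
    parts = value.split(",")
    if len(parts) != 2:
        return ["expected exactly one comma: '<role ARN>,<provider ARN>'"]
    role_m = ARN_RE.match(parts[0].strip())
    prov_m = ARN_RE.match(parts[1].strip())
    problems = []
    if not role_m or role_m.group(2) != "role":
        problems.append("first element is not an IAM role ARN")
    if not prov_m or prov_m.group(2) != "saml-provider":
        problems.append("second element is not a SAML provider ARN")
    if role_m and prov_m and role_m.group(1) != prov_m.group(1):
        problems.append("role and provider ARNs are in different accounts")
    return problems


def check_session_name(name: str) -> bool:
    """True if the value (the UPN in this setup) is a valid RoleSessionName."""
    return SESSION_NAME_RE.fullmatch(name) is not None


def saml_role_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy the console generates for a 'SAML 2.0 federation' role with
    'Allow programmatic and AWS Management Console access' selected."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def provisioning_user_policy() -> dict:
    """Least-privilege policy for the IAM user whose access key is entered in
    the Azure AD provisioning tab: it only has to list roles and the alias."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:ListRoles", "iam:ListAccountAliases"],
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    acct, role, prov = "123456789012", "AzureAD-Admin", "AzureAD"  # constructed
    claim = role_claim(acct, role, prov)
    print("Role claim:", claim, "->", check_role_claim(claim) or "OK")
    print("Missing provider:", check_role_claim("arn:aws:iam::123456789012:role/Admin"))
    print("Session name alice@contoso.com valid:", check_session_name("alice@contoso.com"))
    print(json.dumps(saml_role_trust_policy(acct, prov), indent=2))
    print(json.dumps(provisioning_user_policy(), indent=2))
```

If sign-in fails after provisioning, the first thing to compare is the Role claim in the SAML response against what `check_role_claim` accepts: a missing provider ARN, a role from a different account, or a swapped order are the usual causes of the "Not authorized to perform sts:AssumeRoleWithSAML" error.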
Once the roles have been imported, go back to the application in the Azure portal and add the users who will have access to the integration: choose the user and assign the role that was created in AWS. The IAM user created above is only used for provisioning; the people who sign in do not need an IAM user or a password in AWS.
Done, the integration is complete. Open Microsoft "My Apps" at https://myapps.microsoft.com/. The application is available there, and a single click signs your user into the AWS console through SSO. We are now accessing the AWS console through the federation between Azure AD and Amazon Web Services; as you can see in the console, AWS read both the role and the user, and the federated session is shown as role/RoleSessionName.
Thank you and until the next post.