Jody G

Reputation: 21

Using Azure AD as an identity provider for AWS

We are trying to use Azure Active Directory as an Identity Provider for the Amazon AWS console but we are failing miserably!

We have tried both the "Amazon Web Services (AWS)" and "AWS Console" applications in Azure, but they both produce the following error when someone tries to use either application to access AWS:

"Your request did not include a SAML response"

We've followed the steps in the following article to create an identity provider in AWS: http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0

We used the following URL to upload the metadata for the identity provider in AWS: https://login.windows.net//FederationMetadata/2007-06/FederationMetadata.xml

We are using the following URL when we configure the application in Azure AD: https://signin.aws.amazon.com/saml

Using Fiddler we can see that nothing is being posted to the Amazon endpoint URL, the browser is just being redirected there without posting anything.

Has anyone managed to get this working, we are struggling to see what we have missed so any help/advice will be very much appreciated.

EDIT: We have also used the SAML tracer Add-On for Firefox to troubleshoot this, which shows nothing is being posted at all. There is a GET request to account.activedirectory.windowsazure.com, which is followed by another GET request to signin.aws.amazon.com.

Upvotes: 2

Views: 5130

Answers (1)

Sepehr Samiei

Reputation: 392

It is possible to set up SSO with SAML federation from Azure AD to the AWS console. Here are the steps in summary:

  • Create an Enterprise App in Azure AD. Search for "Amazon Web Services (AWS)", select it from the list, but make sure you give it a unique name of your own choice.
  • Go to Single Sign On blade and enable SAML federation. Add the two AWS required SAML attributes (Role and RoleSessionName) with corresponding AAD values.
  • Download the SAML Certificate from the same page.
  • Make sure the Identifier field is not blank and finally save the changes.
  • On AWS side, you need to create an Identity Provider in IAM using the same SAML Certificate you had downloaded previously.
  • Create a Role using the Identity provider from previous step.
  • Finally you have to create mappings from AAD Groups to AWS Roles. There are two ways you could do this:

1- Using automatic provisioning. This method restricts you to have all your AWS roles in a single AWS account. Moreover, you need to create a user in AWS with read permissions on IAM and then assign programming keys to it. You then have to enter those keys inside AAD. I wouldn't recommend this approach.

2- You can go to App Registrations page in AAD and modify your application manifest JSON with your mappings. This allows you to create mappings to unlimited account/role combinations to Azure AD Groups. Moreover, you wouldn't have to create any users in AWS.

Happy federating!

Upvotes: 1
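Added example, not code from the answer above or from Azure/AWS: a Python check over a captured SAML assertion (such as one taken from the SAML tracer mentioned in the question) that confirms the two attributes the answer lists (Role and RoleSessionName) are present, that the Audience is the AWS sign-in endpoint, and that each Role value pairs a role ARN with a SAML-provider ARN from the same account. The sample assertion, account id, role name and provider name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")

def check_aws_assertion(assertion_xml: str) -> dict:
    root = ET.fromstring(assertion_xml)
    out = {"ok": True, "problems": [], "roles": [], "session_name": None}
    # AWS rejects a response whose Audience is not its SAML sign-in endpoint.
    if AWS_AUDIENCE not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        out["problems"].append("Audience is not " + AWS_AUDIENCE)
    attrs = {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    session = (attrs.get(AWS_SESSION) or [""])[0].strip()
    out["session_name"] = session or None
    if not session:
        out["problems"].append("missing RoleSessionName attribute")
    if not attrs.get(AWS_ROLE):
        out["problems"].append("missing Role attribute")
    # Each Role value is "role-arn,saml-provider-arn" (AWS accepts either order);
    # both ARNs must be in the same account or the trust cannot resolve.
    for value in attrs.get(AWS_ROLE, []):
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ROLE_ARN.match(p)), None)
        prov = next((p for p in parts if PROVIDER_ARN.match(p)), None)
        if len(parts) != 2 or role is None or prov is None:
            out["problems"].append("malformed Role value: " + value)
        elif ROLE_ARN.match(role).group(1) != PROVIDER_ARN.match(prov).group(1):
            out["problems"].append("role and provider in different accounts: " + value)
        else:
            out["roles"].append((role, prov))
    out["ok"] = not out["problems"]
    return out

# Constructed sample assertion; account id, role and provider names are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>
   arn:aws:iam::123456789012:role/AzureAD-ReadOnly,arn:aws:iam::123456789012:saml-provider/AzureAD
  </saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>jody@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_aws_assertion(SAMPLE)` returns `ok: True` with one resolved role pair; a missing attribute or an ARN pair from two different accounts is reported in `problems`.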
