Introduction
We will learn how to connect Azure AD with AWS. We will use Azure AD as the identity provider, so Azure AD users will be used to log in to AWS. Let's dive deep into each component.
Azure AD
I will not explain Azure AD in depth here; I recommend reading the Azure AD documentation and home page. In short, Azure AD (Azure Active Directory) is a cloud-based identity and access management service. You can use the identities provided by Azure AD to sign in to various applications and services, including AWS. If you want to learn more about Azure AD, please visit the documentation.
Azure AD SSO with AWS
For connecting Azure AD with AWS, we will need an Enterprise Application. Azure AD has an application gallery that provides a "template" for connecting Azure AD with another SaaS (Software as a Service). The application gallery helps us create the Enterprise Application, which we can then configure for single sign-on (SSO) and automated user provisioning. If you want to know more about the application gallery, read its documentation. In this post, we will set up the Enterprise Application and configure it for SSO.
We have two approaches to setting up the Enterprise Application. The first uses a single AWS app to connect multiple AWS Accounts. The second creates one AWS app for each AWS account.
Single AWS Apps
Single AWS Apps is a model that centralizes the configuration: we use only one Enterprise App to connect multiple AWS Accounts. This approach fits a small number of AWS Accounts and roles, because the app manifest has a limit and cannot hold many AWS Accounts. For a large number of AWS Accounts you will need Multiple AWS Apps instead.
Multiple AWS Apps
Multiple AWS Apps is a model that maps each AWS Account to its own AWS app. The disadvantage of this model is that we need to manage and monitor many apps. Because of that, we need to automate each step to minimize misconfigurations.
Imagine updating the signing certificate for 100 AWS Accounts manually. You will quickly be exhausted and upload a wrong configuration, and then SSO stops working.
It becomes a nightmare if we can't automate the configuration. We use the MS Graph SDK and the AWS SDK to solve that problem.
Flow
TLDR
In general, you only need to configure the Enterprise App, download the XML from the Enterprise App, upload the XML to AWS Identity Provider, and configure the roles to use the Identity Provider.
Flow in Technical Term
You might need to see this diagram for details in technical terms.
Repositories
Feel free to check the repository of my project. Please give feedback, because the project does not yet fully automate the process. I plan to add a "save" state and validation of an existing Enterprise App. Currently, the project assumes it is creating a new Enterprise App.
bervProject / AzureADxAWSIntegrator
Azure AD x AWS Integrator
Azure AD SSO Automate - AWS
Flow
General Flow
```mermaid
flowchart LR
subgraph azuread[Azure AD]
aad1[Settings Enterprise Application] --> aad2[Download XML Federation]
end
subgraph aws[AWS]
aad2 --> aws1[Settings Identity Provider]
aws1 --> aws2[Add/Create Role]
end
```
Flow (Technical Terms)
```mermaid
flowchart TD
subgraph azuread[Azure AD]
aad1[Create Enterprise App from Templates] --> aad2[Update Service Principal & App Registration to use SAML]
aad2 --> aad3[Configure Service Principal Roles]
aad3 --> aad4[Configure Claim Mapping Policies & Assign to Service Principal]
aad4 --> aad5[Configure Signing Certificates for Service Principal]
aad5 --> aad6[Optional - Configure User & Assign to a role]
end
subgraph aws[AWS]
aad5 --> aws1[Add/Get SAML Provider]
aws1 --> aws2[Create/Update Role to be assigned with SAML Provider]
end
```
Setup Project
Environment Variables
```shell
## For the Console App/Business Flow, planned to be removed
AWS_ACCOUNT_ID=
## For AWS SDK
AWS_PROFILE=
# For Azure AD / Microsoft Graph
CLIENT_ID=
CLIENT_SECRET=
TENANT_ID=
```
Note/Details:
- Please see…
Project Details
I use .NET as the main programming language. You can use a different language if you are more familiar with it, as long as it is supported by the SDK/library.
I have three projects in this repository. The first is responsible for connecting to the Microsoft Graph API. The second is responsible for connecting to the AWS API. The last one manages the business flow that ties the other two together.
Azure Integrator
Please see this diagram for the full steps of the Azure Integrator project.
AWS Integrator
Please see this diagram for the full steps of the AWS Integrator project.
For more details, please refer to the documentation in the repository. I will keep the project up to date.
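The AWS side of the flow above (Add/Get SAML Provider, then Create/Update Role for that provider) as an added example using the AWS SDK for .NET; this is not code from the AzureADxAWSIntegrator repository. The account id, provider name, metadata file path, role name and managed policy are placeholders; it assumes the `AWSSDK.IdentityManagement` package and credentials from `AWS_PROFILE`.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;
using Amazon.IdentityManagement;
using Amazon.IdentityManagement.Model;

// Placeholder inputs: target account, provider name, the federation metadata
// XML downloaded from the Enterprise App, and the role/policy to create.
const string AccountId = "123456789012";
const string ProviderName = "AzureAD";
const string MetadataPath = "federationmetadata.xml";
const string RoleName = "AzureAD-EC2ReadOnly";
const string PolicyArn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess";

using var iam = new AmazonIdentityManagementServiceClient(); // credentials from AWS_PROFILE
string metadata = await File.ReadAllTextAsync(MetadataPath);
string providerArn = $"arn:aws:iam::{AccountId}:saml-provider/{ProviderName}";

// "Add/Get SAML Provider": create it, or on certificate rotation push the new
// metadata (which carries the Azure AD signing certificate) into the existing one.
try
{
    var created = await iam.CreateSAMLProviderAsync(
        new CreateSAMLProviderRequest { Name = ProviderName, SAMLMetadataDocument = metadata });
    providerArn = created.SAMLProviderArn;
}
catch (EntityAlreadyExistsException)
{
    await iam.UpdateSAMLProviderAsync(
        new UpdateSAMLProviderRequest { SAMLProviderArn = providerArn, SAMLMetadataDocument = metadata });
}

// Trust policy: only this SAML provider may assume the role, and only with an
// assertion whose audience is the AWS sign-in endpoint.
string trustPolicy = JsonSerializer.Serialize(new
{
    Version = "2012-10-17",
    Statement = new[] { new {
        Effect = "Allow",
        Principal = new { Federated = providerArn },
        Action = "sts:AssumeRoleWithSAML",
        Condition = new { StringEquals = new Dictionary<string, string> { ["SAML:aud"] = "https://signin.aws.amazon.com/saml" } },
    } },
});
// "Create/Update Role to be assigned with SAML Provider", then attach its permissions.
var role = await iam.CreateRoleAsync(
    new CreateRoleRequest { RoleName = RoleName, AssumeRolePolicyDocument = trustPolicy });
await iam.AttachRolePolicyAsync(new AttachRolePolicyRequest { RoleName = RoleName, PolicyArn = PolicyArn });
Console.WriteLine($"{role.Role.Arn} trusts {providerArn}");
```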
Testing the SSO
- Go to myapps.microsoft.com and click the AWS icon.
- You will be redirected to the AWS Dashboard. Please make sure your role and username are correct.
- On my side, my account is allowed to see the EC2 instances. You can configure the role based on your needs.
Thank you
Thank you for reading. Feel free to give feedback for the process, project and this post.
References
Main Resources
Azure AD (AAD)
- Tutorials/Documentations from Microsoft
- Permissions: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration, and User.ReadWrite.All
- App List Dashboard
AWS
- Simple cross-platform application using the AWS SDK for .NET
- AmazonIdentityManagementServiceClient
- AmazonIdentityManagementServiceClient.CreateSAMLProvider
- AmazonIdentityManagementServiceClient.AttachRolePolicy
- AmazonIdentityManagementServiceClient.CreatePolicy