# Federated Access With AD

### **Hands-On Lab: Federating AWS with Azure AD using IAM Identity Center (AWS SSO)**

🔹 **Objective:** Enable **federated access** to AWS using **Azure AD** as the identity provider, allowing users to log in without IAM Users.\
🔹 **Outcome:** Azure AD users will be able to **log into AWS via IAM Identity Center (AWS SSO)** and assume **IAM Roles** dynamically.

***

### **📌 Prerequisites**

✅ **AWS IAM Identity Center (AWS SSO) is enabled** in your AWS account.\
✅ **Azure AD Admin Access** (to configure enterprise apps).\
✅ **AWS Organizations is configured** (for multi-account setup).

***

## **🛠️ Step 1: Enable IAM Identity Center in AWS**

📌 **Go to IAM Identity Center Console**\
1️⃣ Navigate to **AWS Console → IAM Identity Center**\
2️⃣ Click **Enable IAM Identity Center** (if not already enabled).\
3️⃣ Select **"Use an external identity provider (IdP)"**.\
4️⃣ Copy the **IAM Identity Center SAML Metadata URL** – needed for Azure AD configuration.

✅ **Now, IAM Identity Center is enabled and ready for federation.**

***

## **🛠️ Step 2: Configure AWS IAM Identity Center in Azure AD**

📌 **Create an Enterprise App in Azure AD**\
1️⃣ Sign in to **Azure AD Portal** (`https://portal.azure.com`).\
2️⃣ Navigate to **Azure Active Directory → Enterprise Applications**.\
3️⃣ Click **+ New Application** → **Create Your Own Application**.\
4️⃣ Enter **"AWS IAM Identity Center"** as the name and select **"Integrate any application you don’t find in the gallery (Non-gallery)"**.\
5️⃣ Click **Create**.

✅ **Now, Azure AD has an enterprise app for AWS login.**

***

## **🛠️ Step 3: Configure SAML Integration**

📌 **Set Up SAML Authentication**\
1️⃣ In the newly created **AWS IAM Identity Center app** in Azure AD, go to **Single Sign-On**.\
2️⃣ Select **SAML** as the authentication method.\
3️⃣ Click **Edit SAML Configuration** and enter:

* **Identifier (Entity ID):** `urn:amazon:webservices`
* **Reply URL (ACS URL):** Paste the **AWS IAM Identity Center SAML Metadata URL** copied earlier.
* **Sign-on URL:** `https://<AWS-ACCOUNT-ID>.awsapps.com/start`

4️⃣ Download the **Azure AD Federation Metadata XML** (needed for AWS).\
5️⃣ Click **Save**.

✅ **Azure AD is now configured to send authentication requests to AWS IAM Identity Center.**

***

## **🛠️ Step 4: Configure IAM Identity Center with Azure AD**

📌 **Import Azure AD Metadata into AWS**\
1️⃣ Go back to **AWS Console → IAM Identity Center**.\
2️⃣ Navigate to **Settings → Identity Source**.\
3️⃣ Click **Change Identity Source** → Select **SAML 2.0-based authentication**.\
4️⃣ Upload the **Azure AD Metadata XML** downloaded earlier.\
5️⃣ Click **Next**, review settings, and **Accept Change**.

✅ **AWS IAM Identity Center is now linked to Azure AD!**

***

## **🛠️ Step 5: Map Azure AD Groups to AWS IAM Roles**

📌 **Create Groups in Azure AD**\
1️⃣ Go to **Azure AD → Groups → + New Group**.\
2️⃣ Create a group **SecureCart-Developers**.\
3️⃣ Add **developers to this group** who need AWS access.

📌 **Assign Groups in AWS IAM Identity Center**\
1️⃣ Go to **AWS Console → IAM Identity Center → AWS Accounts**.\
2️⃣ Select the **AWS account** where you want to grant access.\
3️⃣ Click **Assign Users & Groups** → Select **SecureCart-Developers**.\
4️⃣ Choose a **Permission Set (e.g., Administrator, Developer, ReadOnly)**.\
5️⃣ Click **Save**.

✅ **Users in the Azure AD group can now assume the mapped IAM Role.**

***

## **🛠️ Step 6: Test the Federation Setup**

📌 **Test User Login**\
1️⃣ Open the **IAM Identity Center User Portal URL** (from Step 1).\
2️⃣ Click **Sign in with SSO** → Redirected to **Azure AD login page**.\
3️⃣ Enter **Azure AD credentials**.\
4️⃣ After authentication, users can see **assigned AWS accounts**.\
5️⃣ Click an account → Assume the **assigned IAM Role**.

✅ **Users now authenticate using Azure AD and access AWS resources securely!**

***

## **📌 🎯 Bonus: AWS CLI Authentication with SSO**

✅ **Developers can authenticate with AWS CLI using SSO instead of access keys.**

```sh
aws configure sso
aws sso login --profile SecureCart-Dev
aws sts get-caller-identity
```

📌 **Result:** Users authenticate via Azure AD and assume an IAM Role without needing IAM credentials.

***

## **📌 Summary of Setup**

| **Step**   | **Action**                                      |
| ---------- | ----------------------------------------------- |
| **Step 1** | Enable IAM Identity Center in AWS               |
| **Step 2** | Create an Azure AD Enterprise App for AWS       |
| **Step 3** | Configure SAML Authentication                   |
| **Step 4** | Link IAM Identity Center with Azure AD Metadata |
| **Step 5** | Map Azure AD Groups to AWS IAM Roles            |
| **Step 6** | Test Login via AWS IAM Identity Center          |
| **Bonus**  | Enable AWS CLI authentication via SSO           |

## **Step-by-Step Guide: Integrating AWS Directory Service with IAM Identity Center (AWS SSO)**

📌 **Objective:** Configure **AWS IAM Identity Center (AWS SSO) with AWS Directory Service** to enable **Active Directory (AD) users to access AWS resources without IAM Users.**\
📌 **Outcome:** Active Directory (AD) users will be able to **log in to AWS accounts via IAM Identity Center (AWS SSO)** using their **existing AD credentials**.

***

## **📌 Prerequisites**

✅ **AWS IAM Identity Center (AWS SSO) is enabled** in your AWS account.\
✅ **AWS Directory Service is deployed** (Managed Microsoft AD or AD Connector).\
✅ **On-Premises or Cloud Active Directory (AD) is set up**.\
✅ **Admin access to AWS Directory Service & IAM Identity Center**.

***

## **🛠️ Step 1: Deploy AWS Directory Service**

✅ **If you already have AWS Managed Microsoft AD or AD Connector set up, skip this step.**

📌 **To deploy AWS Directory Service (AWS Managed Microsoft AD):**\
1️⃣ Navigate to **AWS Console → AWS Directory Service**.\
2️⃣ Click **Set up Directory** → Choose **AWS Managed Microsoft AD**.\
3️⃣ Choose **Standard Edition** (for small setups) or **Enterprise Edition** (for larger workloads).\
4️⃣ Enter **Directory Name (e.g., securecart.local)** and an **Admin password**.\
5️⃣ Select **VPC and subnets** where the directory should be deployed.\
6️⃣ Click **Create Directory** → **Wait for it to be Active** (takes \~30 minutes).

✅ **AWS Managed AD is now running and ready for IAM Identity Center integration.**

***

## **🛠️ Step 2: Integrate AWS IAM Identity Center with AWS Directory Service**

📌 **Go to AWS IAM Identity Center Console**\
1️⃣ Navigate to **AWS Console → IAM Identity Center**.\
2️⃣ Click **Settings** → Scroll down to **Identity Source**.\
3️⃣ Click **Change Identity Source**.\
4️⃣ Select **AWS Managed Microsoft AD**.\
5️⃣ Choose your **AWS Managed AD Directory (securecart.local)**.\
6️⃣ Click **Next** → Review settings → Click **Accept Changes**.

✅ **IAM Identity Center is now linked to AWS Directory Service.**

***

## **🛠️ Step 3: Sync Active Directory Groups with IAM Identity Center**

📌 **Enable User & Group Sync from AD**\
1️⃣ Go to **AWS Console → IAM Identity Center**.\
2️⃣ Click **Users & Groups** → **Enable Active Directory Sync**.\
3️⃣ Select the **Organizational Units (OUs)** in Active Directory that contain AWS users.\
4️⃣ Click **Save Changes**.

✅ **Now, AD users & groups are available in AWS IAM Identity Center.**

***

## **🛠️ Step 4: Assign AD Users/Groups to AWS Accounts**

📌 **Map Active Directory (AD) Groups to AWS IAM Roles**\
1️⃣ Navigate to **IAM Identity Center → AWS Accounts**.\
2️⃣ Select the **AWS Account** you want to grant access to.\
3️⃣ Click **Assign Users & Groups**.\
4️⃣ Choose **Active Directory Groups** (e.g., `AWS-Developers`, `AWS-Admins`).\
5️⃣ Select the **Permission Set** (e.g., **AdministratorAccess, ReadOnlyAccess**).\
6️⃣ Click **Save**.

✅ **Now, AD users in those groups will be assigned IAM Roles dynamically.**

***

## **🛠️ Step 5: Test AWS Login Using Active Directory Credentials**

📌 **Test AD User Login**\
1️⃣ Open **IAM Identity Center User Portal** URL (`https://securecart.awsapps.com/start`).\
2️⃣ Click **Sign in with Active Directory**.\
3️⃣ Enter **Active Directory username & password**.\
4️⃣ After authentication, users can see **assigned AWS accounts**.\
5️⃣ Click an account → Assume the **assigned IAM Role**.

✅ **Users now authenticate using Active Directory and access AWS resources securely!**

***

## **📌 🎯 Bonus: AWS CLI Authentication with AD & SSO**

✅ **Developers can authenticate to AWS CLI using Active Directory credentials.**

```sh
aws configure sso
aws sso login --profile SecureCart-Dev
aws sts get-caller-identity
```

📌 **Result:** Users authenticate via Active Directory and assume an IAM Role without needing IAM credentials.
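The `aws configure sso` flow from both Bonus sections, as an added example that is not part of the original lab: the `~/.aws/config` stanza the command writes for the `SecureCart-Dev` profile, and a check that `get-caller-identity` comes back as an IAM Identity Center role (name prefixed `AWSReservedSSO_`) rather than a long-lived IAM user. The portal URL is the one from Step 5; the region, account ID and permission set name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original lab). Assumed values: portal URL
# securecart.awsapps.com, region us-east-1, permission set "Developer",
# account id 111122223333 (placeholder).

# Print the config stanza that `aws configure sso` writes (sso-session format).
sso_profile_config() {
  cat <<'EOF'
[sso-session securecart]
sso_start_url = https://securecart.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile SecureCart-Dev]
sso_session = securecart
sso_account_id = 111122223333
sso_role_name = Developer
region = us-east-1
EOF
}

# Classify a caller ARN: a federated Identity Center login lands on a role
# named AWSReservedSSO_<PermissionSet>_<id>; an access-key login shows an
# IAM user, which is exactly what this lab is meant to eliminate.
classify_caller_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*) echo sso-role ;;
    arn:aws:iam::*:user/*)                        echo iam-user ;;
    *)                                            echo other ;;
  esac
}

# Live check: log in through the SSO profile and fail unless the resulting
# identity is an Identity Center role. Only runs when invoked with --live.
verify_sso_identity() {
  profile="${1:-SecureCart-Dev}"
  aws sso login --profile "$profile" >/dev/null
  arn=$(aws sts get-caller-identity --profile "$profile" --query Arn --output text)
  kind=$(classify_caller_arn "$arn")
  echo "caller: $arn ($kind)"
  [ "$kind" = "sso-role" ]
}

if [ "${1:-}" = "--live" ]; then
  verify_sso_identity "${2:-SecureCart-Dev}"
fi
```

Run `sh verify.sh --live SecureCart-Dev` after `aws configure sso` to confirm the CLI is using the federated role; the config printed by `sso_profile_config` is what you should find in `~/.aws/config`.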

***

## **📌 Summary of Setup**

| **Step**   | **Action**                                                   |
| ---------- | ------------------------------------------------------------ |
| **Step 1** | Deploy AWS Directory Service (Managed Microsoft AD)          |
| **Step 2** | Integrate AWS IAM Identity Center with AWS Directory Service |
| **Step 3** | Sync Active Directory Groups with IAM Identity Center        |
| **Step 4** | Assign AD Groups to AWS IAM Roles                            |
| **Step 5** | Test AWS Login with AD Credentials                           |
| **Bonus**  | Enable AWS CLI authentication via SSO                        |
