Federated Access With AD

Hands-On Lab: Federating AWS with Azure AD using IAM Identity Center (AWS SSO)

🔹 Objective: Enable federated access to AWS using Azure AD (now branded Microsoft Entra ID; this lab uses the older console names) as the identity provider, so users sign in without IAM users or long-lived access keys. 🔹 Outcome: Azure AD users sign in to the AWS access portal through IAM Identity Center (AWS SSO) and receive temporary credentials for the IAM roles that permission sets create in each account.


📌 Prerequisites

✅ AWS Organizations is configured; IAM Identity Center is enabled from the management account (or a delegated administrator account) and governs the accounts in the organization. ✅ Azure AD admin access (Global Administrator or Cloud Application Administrator, to create enterprise apps and configure provisioning). ✅ AWS CLI v2 on developer workstations (the bonus step uses aws sso login, which CLI v1 does not support).


🛠️ Step 1: Enable IAM Identity Center in AWS

📌 Go to IAM Identity Center Console 1️⃣ Navigate to AWS Console → IAM Identity Center, signed in to the Organizations management account (or a delegated administrator account) in the region that will be the home region; IAM Identity Center is enabled in one region per organization. 2️⃣ Click Enable (if not already enabled). 3️⃣ Go to Settings → Identity source → Actions → Change identity source → External identity provider. 4️⃣ From the Service provider metadata section copy the IAM Identity Center ACS URL and the IAM Identity Center issuer URL (or download the IAM Identity Center SAML metadata file), and note the AWS access portal URL (https://<subdomain>.awsapps.com/start) shown on the Settings page. These values, not a "metadata URL", are what the Azure AD app needs in Step 3. Leave this page open; the Azure AD metadata is uploaded here in Step 4.

Now, IAM Identity Center is enabled and you have the service provider values (ACS URL, issuer URL, access portal URL) that Azure AD needs.


🛠️ Step 2: Configure AWS IAM Identity Center in Azure AD

📌 Create an Enterprise App in Azure AD 1️⃣ Sign in to the Azure portal (https://portal.azure.com). 2️⃣ Navigate to Azure Active Directory → Enterprise applications. 3️⃣ Click + New application → Create your own application. 4️⃣ Enter "AWS IAM Identity Center" as the name and select "Integrate any other application you don't find in the gallery (Non-gallery)". 5️⃣ Click Create. (Azure AD also ships a gallery app named "AWS IAM Identity Center (successor to AWS Single Sign-On)" that pre-fills the SAML claims and supports provisioning; this lab uses a non-gallery app so every field is visible.)

Now, Azure AD has an enterprise app for AWS login.


🛠️ Step 3: Configure SAML Integration

📌 Set Up SAML Authentication 1️⃣ In the newly created AWS IAM Identity Center app in Azure AD, go to Single sign-on. 2️⃣ Select SAML as the single sign-on method. 3️⃣ Click Edit on Basic SAML Configuration and enter:

  • Identifier (Entity ID): the IAM Identity Center issuer URL copied in Step 1 (https://<region>.signin.aws.amazon.com/platform/saml/d-xxxxxxxxxx). Do not use urn:amazon:webservices: that is the Entity ID of the legacy single-account AWS SAML app, and an assertion whose Audience does not match the issuer URL is rejected by IAM Identity Center.

  • Reply URL (Assertion Consumer Service URL): the IAM Identity Center ACS URL copied in Step 1 (https://<region>.signin.aws.amazon.com/platform/saml/acs/<id>). This is where Azure AD POSTs the signed SAML response; a metadata URL does not belong here.

  • Sign-on URL: the AWS access portal URL, https://<subdomain>.awsapps.com/start. The subdomain is the access portal name from IAM Identity Center Settings (by default a directory ID of the form d-xxxxxxxxxx), not the AWS account ID.

4️⃣ Under Attributes & Claims, keep the Unique User Identifier (Name ID) as user.userprincipalname in emailAddress format: IAM Identity Center matches the NameID against the username of a provisioned user, so the value must equal the username that provisioning (Step 5) creates. 5️⃣ Under SAML Signing Certificate, download Federation Metadata XML (needed for AWS). 6️⃣ Click Save.

Azure AD is now configured to issue signed SAML assertions for IAM Identity Center. Note the expiry date shown on the SAML Signing Certificate card: when Azure AD rolls the certificate, the new metadata must be uploaded to IAM Identity Center (as in Step 4) before the old certificate expires, or every federated login fails.
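A pre-flight check on the downloaded Federation Metadata XML, added here as an example and not part of the original lab: it extracts the Azure AD issuer (entityID), tenant ID, HTTP-Redirect sign-on URL and signing certificate with POSIX tools, confirms the issuer and sign-on endpoint belong to the same tenant, and, when openssl is available, reports the certificate's NotAfter date so the rotation deadline is known before the upload in Step 4. The embedded metadata document, its tenant ID and the certificate body are constructed placeholders, not a real tenant's metadata.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab): pre-flight checks on Azure AD
# federation metadata before it is uploaded to IAM Identity Center.
set -eu

# Constructed sample shaped like Azure AD federation metadata. The tenant ID and the
# certificate body are placeholders, not real values.
SAMPLE_METADATA='<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_placeholder" entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIICPLACEHOLDERCERTIFICATEBODYNOTAREALCERT</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>'

# Join the document onto one line so attribute extraction does not depend on line breaks.
flatten() { tr -d '\n\r'; echo; }

# entityID: the value Azure AD puts in <saml:Issuer>; IAM Identity Center shows it as the IdP issuer.
metadata_entity_id() {
  printf '%s' "$1" | flatten | sed -n 's/.*entityID="\([^"]*\)".*/\1/p'
}

# The tenant ID is the path component of the sts.windows.net issuer.
metadata_tenant_id() {
  metadata_entity_id "$1" | sed -n 's#^https://sts\.windows\.net/\([^/]*\)/$#\1#p'
}

# Location of the HTTP-Redirect SingleSignOnService; IAM Identity Center sends users here.
metadata_sso_url() {
  printf '%s' "$1" | flatten |
    sed -n 's/.*<SingleSignOnService[^>]*HTTP-Redirect"[^>]*Location="\([^"]*\)".*/\1/p'
}

# Base64 body of the signing certificate (the key IAM Identity Center verifies assertions with).
metadata_signing_cert() {
  printf '%s' "$1" | flatten |
    sed -n 's/.*<KeyDescriptor use="signing">[^<]*<KeyInfo[^>]*>[^<]*<X509Data>[^<]*<X509Certificate>\([^<]*\)<.*/\1/p' |
    tr -d ' \t'
}

# NotAfter of the signing certificate (requires openssl and a real certificate body).
signing_cert_not_after() {
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$(metadata_signing_cert "$1")" |
    openssl x509 -noout -enddate
}

# Returns 0 when issuer, sign-on endpoint and certificate look like one consistent Azure AD tenant.
check_azure_metadata() {
  local xml="$1" eid sso cert tenant
  eid=$(metadata_entity_id "$xml")
  sso=$(metadata_sso_url "$xml")
  cert=$(metadata_signing_cert "$xml")
  case "$eid" in https://sts.windows.net/*/) ;; *) echo "unexpected issuer: $eid" >&2; return 1 ;; esac
  case "$sso" in https://login.microsoftonline.com/*/saml2) ;; *) echo "unexpected sign-on URL: $sso" >&2; return 1 ;; esac
  [ -n "$cert" ] || { echo "no signing certificate in metadata" >&2; return 1; }
  tenant="${sso#https://login.microsoftonline.com/}"; tenant="${tenant%/saml2}"
  [ "$(metadata_tenant_id "$xml")" = "$tenant" ] || { echo "issuer and sign-on tenant differ" >&2; return 1; }
  echo "issuer=$eid tenant=$tenant sso=$sso"
}

# Usage: ./check-metadata.sh FederationMetadata.xml
if [ $# -gt 0 ]; then
  check_azure_metadata "$(cat "$1")"
  if command -v openssl >/dev/null; then signing_cert_not_after "$(cat "$1")"; fi
fi
```

Run it against the real download before Step 4; the issuer it prints is the value IAM Identity Center will display as the IdP issuer URL after the upload, and the NotAfter date is the one to put in your rotation calendar.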


🛠️ Step 4: Configure IAM Identity Center with Azure AD

📌 Import Azure AD Metadata into AWS 1️⃣ Go back to AWS Console → IAM Identity Center. 2️⃣ Navigate to Settings → Identity source. 3️⃣ Click Actions → Change identity source → External identity provider. 4️⃣ Under Identity provider metadata, upload the Federation Metadata XML downloaded in Step 3 (alternatively paste the Azure AD sign-on URL and upload the signing certificate separately). 5️⃣ Click Next, review the settings, type ACCEPT in the confirmation box and click Change identity source.

AWS IAM Identity Center now trusts assertions signed by Azure AD, but it has no users yet: the SAML trust authenticates, it does not provision. Step 5 creates the users and groups.


🛠️ Step 5: Map Azure AD Groups to AWS IAM Roles

📌 Create Groups in Azure AD 1️⃣ Go to Azure AD → Groups → + New group. 2️⃣ Create a security group SecureCart-Developers. 3️⃣ Add the developers who need AWS access as direct members (Azure AD provisioning does not flatten nested groups).

📌 Provision Users and Groups into IAM Identity Center (SCIM) 1️⃣ In AWS Console → IAM Identity Center → Settings → Automatic provisioning, click Enable and copy the SCIM endpoint and access token (the token is shown once and expires after one year; record the expiry). 2️⃣ In the Azure AD enterprise app, open Provisioning → Provisioning Mode: Automatic, enter the SCIM endpoint as Tenant URL and the token as Secret Token, click Test Connection, Save, then set Provisioning Status to On. 3️⃣ Under the app's Users and groups, assign SecureCart-Developers; only assigned users and groups are provisioned and allowed to sign in. 4️⃣ Wait for the initial cycle (up to 40 minutes) and confirm the group and its members appear under IAM Identity Center → Groups.

📌 Assign Groups in AWS IAM Identity Center 1️⃣ Go to AWS Console → IAM Identity Center → AWS accounts. 2️⃣ Select the AWS account where you want to grant access. 3️⃣ Click Assign users or groups → Groups → select SecureCart-Developers. 4️⃣ Choose a permission set: a predefined one such as AdministratorAccess or ReadOnlyAccess, or a custom Developer set created under Permission sets. 5️⃣ Click Submit.

IAM Identity Center provisions a role named AWSReservedSSO_<PermissionSetName>_<hash> in the account, and members of the Azure AD group receive temporary credentials for it at sign-in. Assign groups rather than individual users so that access changes are made in Azure AD, not in AWS.


🛠️ Step 6: Test the Federation Setup

📌 Test User Login 1️⃣ Open the AWS access portal URL from Step 1 (https://<subdomain>.awsapps.com/start). 2️⃣ With an external identity provider there is no separate "Sign in with SSO" button: the portal redirects straight to the Azure AD sign-in page (the app can also be launched from My Apps at https://myapps.microsoft.com). 3️⃣ Enter Azure AD credentials and complete MFA or Conditional Access if enforced. 4️⃣ After authentication, the portal lists the accounts and permission sets assigned to the user's groups. 5️⃣ Click an account → the permission set, to open the console or to copy temporary CLI credentials. If sign-in fails, the IAM Identity Center error page names the problem; the common causes are a NameID that does not match a provisioned username and a wrong ACS URL or Entity ID in Step 3.

Users now authenticate using Azure AD and access AWS resources securely!


📌 🎯 Bonus: AWS CLI Authentication with SSO

Developers can authenticate with AWS CLI v2 using aws configure sso and aws sso login instead of access keys. The CLI opens the same Azure AD sign-in in a browser, caches a short-lived token, and exchanges it for temporary credentials on each call, so no secret is stored in ~/.aws/credentials.

📌 Result: Users authenticate via Azure AD and assume an IAM Role without needing IAM credentials.


📌 Summary of Setup

Step     Action
Step 1   Enable IAM Identity Center in AWS
Step 2   Create an Azure AD Enterprise App for AWS
Step 3   Configure SAML Authentication
Step 4   Link IAM Identity Center with Azure AD Metadata
Step 5   Provision Azure AD Groups (SCIM) and Map Them to Permission Sets
Step 6   Test Login via AWS IAM Identity Center
Bonus    Enable AWS CLI authentication via SSO

Step-by-Step Guide: Integrating AWS Directory Service with IAM Identity Center (AWS SSO)

📌 Objective: Configure AWS IAM Identity Center (AWS SSO) with AWS Directory Service so that Active Directory (AD) users can access AWS resources without IAM users; no SAML application is involved, IAM Identity Center authenticates against the directory directly. 📌 Outcome: Active Directory (AD) users log in to AWS accounts via IAM Identity Center (AWS SSO) with their existing AD credentials.


📌 Prerequisites

✅ AWS IAM Identity Center (AWS SSO) is enabled in the Organizations management account (or a delegated administrator account). ✅ AWS Directory Service is deployed in the same AWS account and region as IAM Identity Center: either AWS Managed Microsoft AD (a directory AWS hosts for you) or AD Connector (a proxy to an existing self-managed or on-premises AD reachable from the VPC). ✅ Admin access to AWS Directory Service and IAM Identity Center, and an AD account able to read the users and groups to be synced.


🛠️ Step 1: Deploy AWS Directory Service

If you already have AWS Managed Microsoft AD or AD Connector set up, skip this step.

📌 To deploy AWS Directory Service (AWS Managed Microsoft AD): 1️⃣ Navigate to AWS Console → AWS Directory Service. 2️⃣ Click Set up directory → choose AWS Managed Microsoft AD. 3️⃣ Choose Standard Edition (for small setups) or Enterprise Edition (for larger workloads). 4️⃣ Enter the directory DNS name (the lab uses securecart.local; a subdomain of a domain you own, such as corp.securecart.example, avoids the mDNS conflicts that .local causes) and the password of the built-in Admin account, and store that password in a secrets manager rather than a wiki. 5️⃣ Select the VPC and two private subnets in different Availability Zones (AWS Managed Microsoft AD requires two). 6️⃣ Click Create directory and wait for the status to become Active (roughly 30 minutes).

AWS Managed AD is now running and ready for IAM Identity Center integration.


🛠️ Step 2: Integrate AWS IAM Identity Center with AWS Directory Service

📌 Go to AWS IAM Identity Center Console 1️⃣ Navigate to AWS Console → IAM Identity Center. 2️⃣ Click Settings → Identity source. 3️⃣ Click Actions → Change identity source. 4️⃣ Select Active Directory. 5️⃣ Choose your directory (securecart.local); only directories in the same account and region are listed. 6️⃣ Click Next, review the settings, type ACCEPT and click Change identity source.

IAM Identity Center is now linked to AWS Directory Service.


🛠️ Step 3: Sync Active Directory Groups with IAM Identity Center

📌 Enable User & Group Sync from AD 1️⃣ Go to AWS Console → IAM Identity Center → Settings → Identity source. 2️⃣ Click Actions → Manage sync. 3️⃣ Under Users and groups, add the AD groups that should have AWS access (e.g., AWS-Developers, AWS-Admins); members of a synced group are synced with it. Sync scope is defined by user and group, not by Organizational Unit. 4️⃣ Save. Synchronization is periodic and pull-based, so the first sync can take a while; check Users and Groups in IAM Identity Center before assigning access. ✅ Now, AD users and groups are available in AWS IAM Identity Center.


🛠️ Step 4: Assign AD Users/Groups to AWS Accounts

📌 Map Active Directory (AD) Groups to Permission Sets 1️⃣ Navigate to IAM Identity Center → AWS accounts. 2️⃣ Select the AWS account you want to grant access to. 3️⃣ Click Assign users or groups → Groups. 4️⃣ Choose the synced Active Directory groups (e.g., AWS-Developers, AWS-Admins). 5️⃣ Select the permission set (e.g., AdministratorAccess, ReadOnlyAccess). 6️⃣ Click Submit.

Now, members of those AD groups receive temporary credentials at sign-in for the AWSReservedSSO_<PermissionSetName>_<hash> role that each permission set provisions in the account; changing a user's AD group membership changes their AWS access at the next sync.
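Creating the assignment from the CLI instead of the console, as an added example that is not part of the original lab. It serves both this step and Step 5 of the Azure AD lab: the group it resolves by name can be a SCIM-provisioned Azure AD group (SecureCart-Developers) or a synced AD group (AWS-Developers), since both live in the same identity store. It looks up the instance, the group and the permission set, validates the account ID, and calls sso-admin create-account-assignment. Account ID, group and permission set are passed as arguments; no identifiers are assumed beyond the names the lab already uses.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab): assign a group that already exists in the
# IAM Identity Center identity store (provisioned from Azure AD via SCIM, or synced from
# Active Directory) to an account and permission set with the CLI.
set -eu

AWS_CLI="${AWS_CLI:-aws}"   # command invoked for every API call; a test can substitute a fake

# ARN of the organization's single IAM Identity Center instance.
sso_instance_arn() {
  "$AWS_CLI" sso-admin list-instances --query 'Instances[0].InstanceArn' --output text
}

# Identity store ID holding the provisioned or synced users and groups.
identity_store_id() {
  "$AWS_CLI" sso-admin list-instances --query 'Instances[0].IdentityStoreId' --output text
}

# Resolve a group display name (e.g. SecureCart-Developers) to its identity store GroupId.
group_id_by_name() {
  local store_id="$1" name="$2"
  "$AWS_CLI" identitystore get-group-id --identity-store-id "$store_id" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"DisplayName\",\"AttributeValue\":\"$name\"}}" \
    --query GroupId --output text
}

# Resolve a permission set name (e.g. ReadOnlyAccess) to its ARN; the list API returns ARNs only.
permission_set_arn_by_name() {
  local instance_arn="$1" name="$2" arn
  for arn in $("$AWS_CLI" sso-admin list-permission-sets --instance-arn "$instance_arn" \
                 --query 'PermissionSets[]' --output text); do
    if [ "$("$AWS_CLI" sso-admin describe-permission-set --instance-arn "$instance_arn" \
               --permission-set-arn "$arn" --query PermissionSet.Name --output text)" = "$name" ]; then
      echo "$arn"
      return 0
    fi
  done
  echo "permission set '$name' not found" >&2
  return 1
}

# Create the group -> account -> permission set assignment. IAM Identity Center then
# provisions AWSReservedSSO_<name>_<hash> in the account. Prints the request status.
assign_group() {
  local account_id="$1" group_name="$2" perm_set_name="$3"
  local instance_arn store_id gid psa
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "account id must be 12 digits: $account_id" >&2; return 1 ;;
  esac
  instance_arn=$(sso_instance_arn) || return 1
  store_id=$(identity_store_id) || return 1
  gid=$(group_id_by_name "$store_id" "$group_name") || return 1
  psa=$(permission_set_arn_by_name "$instance_arn" "$perm_set_name") || return 1
  "$AWS_CLI" sso-admin create-account-assignment \
    --instance-arn "$instance_arn" --target-type AWS_ACCOUNT --target-id "$account_id" \
    --permission-set-arn "$psa" --principal-type GROUP --principal-id "$gid" \
    --query AccountAssignmentCreationStatus.Status --output text
}

# Usage: ./assign-group.sh 123456789012 SecureCart-Developers ReadOnlyAccess
if [ $# -eq 3 ]; then
  assign_group "$1" "$2" "$3"
fi
```

The call returns IN_PROGRESS; poll it with aws sso-admin describe-account-assignment-creation-status (drop the --query to see the RequestId). Run it from the account where IAM Identity Center is enabled with permission to call sso-admin and identitystore; the role in the target account is created by IAM Identity Center, not by the caller.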


🛠️ Step 5: Test AWS Login Using Active Directory Credentials

📌 Test AD User Login 1️⃣ Open the AWS access portal URL (https://securecart.awsapps.com/start if the portal subdomain was customized to securecart; by default it is a d-xxxxxxxxxx directory ID). 2️⃣ The portal shows the IAM Identity Center sign-in form directly; there is no separate "Sign in with Active Directory" button. 3️⃣ Enter the Active Directory username as securecart\username (or username@securecart.local) and the AD password; if MFA is enforced in IAM Identity Center settings, complete the MFA prompt. 4️⃣ After authentication, the portal lists the accounts and permission sets assigned to the user's groups. 5️⃣ Click an account → the permission set, to open the console or copy temporary CLI credentials.

Users now authenticate using Active Directory and access AWS resources securely!


📌 🎯 Bonus: AWS CLI Authentication with AD & SSO

Developers can authenticate AWS CLI v2 with their Active Directory credentials through aws sso login: the CLI opens the access portal sign-in form in a browser, and the resulting short-lived token is exchanged for temporary credentials, so no access keys are issued.

📌 Result: Users authenticate via Active Directory and assume an IAM Role without needing IAM credentials.
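The CLI side of both bonus sections (Azure AD and Active Directory use the same client flow, since the CLI only talks to the access portal), as an added example that is not part of the original lab: it writes the sso-session based profile that aws configure sso would produce, checks that the profile carries no static key, and wraps the login plus a get-caller-identity sanity check. The start URL, region, account ID, permission set and profile name are placeholder assumptions, overridable through environment variables.

```shell
#!/usr/bin/env bash
# Added example (not from the original lab): configure AWS CLI v2 to authenticate
# through IAM Identity Center instead of long-lived access keys.
set -eu

# Placeholder values (assumptions, not values from the lab): replace with your access
# portal URL, the region IAM Identity Center is enabled in, target account and permission set.
SSO_START_URL="${SSO_START_URL:-https://d-xxxxxxxxxx.awsapps.com/start}"
SSO_REGION="${SSO_REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
PERMISSION_SET="${PERMISSION_SET:-ReadOnlyAccess}"
PROFILE="${PROFILE:-securecart-dev}"

# Append an sso-session based profile (the format `aws configure sso` writes) to a config
# file. The profile holds no secret: credentials are fetched at `aws sso login` time.
write_sso_profile() {
  local cfg="$1"
  cat >> "$cfg" <<EOF
[sso-session securecart]
sso_start_url = $SSO_START_URL
sso_region = $SSO_REGION
sso_registration_scopes = sso:account:access

[profile $PROFILE]
sso_session = securecart
sso_account_id = $ACCOUNT_ID
sso_role_name = $PERMISSION_SET
region = $SSO_REGION
output = json
EOF
}

# Returns 0 when the profile exists, is backed by an sso-session, and the file carries no
# static access key (the thing this setup is meant to eliminate).
profile_uses_sso() {
  local cfg="$1"
  grep -q "^\[profile $PROFILE\]" "$cfg" &&
    grep -q '^sso_session = securecart$' "$cfg" &&
    ! grep -qi 'aws_secret_access_key' "$cfg"
}

# Interactive login: the CLI opens the access portal in a browser, which hands off to the
# identity source (Azure AD or AD). The token is cached under ~/.aws/sso/cache and exchanged
# for temporary credentials on each API call; `aws sso logout` deletes the cache.
sso_login() {
  aws sso login --profile "$PROFILE"
  aws sts get-caller-identity --profile "$PROFILE"   # Arn shows the AWSReservedSSO_* role
}

if [ "${1:-}" = "login" ]; then
  write_sso_profile "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  sso_login
fi
```

Run with the argument login on a workstation with AWS CLI v2; the get-caller-identity output should show an assumed-role ARN of the form AWSReservedSSO_<PermissionSetName>_<hash>/<username>, confirming that the permission set, not an IAM user, is in use.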


📌 Summary of Setup

Step     Action
Step 1   Deploy AWS Directory Service (Managed Microsoft AD)
Step 2   Integrate AWS IAM Identity Center with AWS Directory Service
Step 3   Sync Active Directory Groups with IAM Identity Center
Step 4   Assign AD Groups to Permission Sets
Step 5   Test AWS Login with AD Credentials
Bonus    Enable AWS CLI authentication via SSO
