# Federating AWS Access with Active Directory (AD FS) for Hybrid Cloud Access

SecureCart operates **both on-premises infrastructure and AWS cloud**. Employees, especially **Software Architects**, need to securely access **both environments** using their existing **on-premises Active Directory (AD) credentials** without managing separate AWS IAM users.

✅ **Goals:**\
✔ Provide **seamless authentication** using **Active Directory Federation Services (AD FS)**.\
✔ Allow **temporary access to AWS resources** via **IAM roles** instead of IAM users.\
✔ Enable **secure and scalable hybrid cloud access** for SecureCart employees.

***

### **📌 Solution Architecture**

SecureCart implements **SAML 2.0 Federation with AD FS**, allowing employees to **log in with their existing AD credentials** and assume IAM roles in AWS.

🔹 **Components Involved:**\
✔ **Active Directory (AD)** → Manages SecureCart user identities.\
✔ **Active Directory Federation Services (AD FS)** → Acts as the **identity provider (IdP)**, issuing SAML assertions.\
✔ **AWS IAM Roles** → Define permissions for accessing AWS resources.\
✔ **AWS Security Token Service (STS)** → Issues **temporary credentials** based on SAML authentication.

***

### **📌 Step-by-Step Setup Guide**

#### **1️⃣ Set Up Active Directory Federation Services (AD FS)**

🔹 **SecureCart’s IT team sets up AD FS on-premises** to manage authentication.\
🔹 **AD FS validates users via Active Directory and issues SAML assertions**.

✔ **Action Items:**\
1️⃣ Install and configure **AD FS on a Windows Server**.\
2️⃣ Set up **relying party trust** for AWS in AD FS.\
3️⃣ Configure **SAML claim rules** to send **user attributes** (e.g., username, department, role).

🔹 **Why This Matters**\
✅ **Employees log in using their corporate credentials**—no separate AWS credentials required.\
✅ **AD FS verifies identity and passes authentication info to AWS via SAML assertion**.

***

#### **2️⃣ Configure AWS as a SAML Service Provider**

🔹 SecureCart **registers AD FS as an Identity Provider (IdP) in AWS IAM**.

✔ **Action Items:**\
1️⃣ In AWS IAM, **create a new identity provider**.\
2️⃣ Upload the **SAML metadata file** from AD FS.\
3️⃣ Configure **IAM roles for federated users** (Software Architects, Developers, etc.).

🔹 **Why This Matters**\
✅ **Allows AWS to trust authentication requests** from SecureCart’s AD FS.\
✅ **IAM roles map federated user attributes** to specific AWS permissions.

***

#### **3️⃣ Create IAM Roles for SecureCart Employees**

📌 IAM roles define **which AWS resources** employees can access **based on their AD group membership**.

✔ **Action Items:**\
1️⃣ Create an **IAM Role for Software Architects** (`SecureCart-Architects`).\
2️⃣ Define **trust relationships** to allow assumption via SAML federation.\
3️⃣ Attach **permissions** to the role (e.g., access to EC2, RDS, S3, VPC).

🔹 **Example IAM Role Trust Policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/SecureCart-ADFS"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

🔹 **Why This Matters**\
✅ **IAM roles dynamically map permissions based on user attributes**.\
✅ **Employees assume roles via STS instead of needing IAM users**.
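As an added example (not from the original page), the following Python function statically checks a trust policy like the one above before the role is created: it confirms that every Allow statement names only the expected SAML provider as its `Federated` principal, grants only SAML role assumption, and keeps the `SAML:aud` condition that binds the assertion to AWS sign-in. The policy from this page is embedded as the sample input; the provider ARN and account number are the page's placeholder values, and `ALLOWED_ACTIONS` (which also admits `sts:TagSession`, the companion action for session tags) is this example's choice.

```python
"""Static check of an IAM role trust policy used for SAML federation (added example)."""
import copy
import json

# Trust policy from the page, embedded here as the sample input.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/SecureCart-ADFS"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
""")

EXPECTED_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/SecureCart-ADFS"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Actions a SAML-federated principal legitimately needs on the role (this example's choice).
ALLOWED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:TagSession"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Principal values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy, expected_provider_arn=EXPECTED_PROVIDER_ARN):
    """Return a list of findings; an empty list means every Allow statement is a
    SAML federation grant scoped to the expected provider and the AWS audience."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: wildcard principal lets any AWS principal assume the role")
            continue
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated:
            findings.append(f"statement {i}: no Federated principal; this is not a SAML federation grant")
        for arn in federated:
            if arn != expected_provider_arn:
                findings.append(f"statement {i}: unexpected federated principal {arn}")
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} is broader than SAML role assumption")
        audience = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: missing or wrong SAML:aud condition (got {audience!r})")
    return findings


def weakened_variant(policy):
    """Constructed variant with the SAML:aud condition dropped, to show a finding."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    print("page policy:", check_saml_trust_policy(TRUST_POLICY) or "no findings")
    print("weakened copy:", check_saml_trust_policy(weakened_variant(TRUST_POLICY)))
```

Run against the page's policy the check returns no findings; dropping the `SAML:aud` condition, or pointing the `Federated` principal at a different provider, produces one finding per statement, which is the kind of drift a pre-deployment policy lint should catch.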

***

#### **4️⃣ SecureCart Employees Log In & Assume IAM Roles**

📌 After setup, SecureCart employees use their **Active Directory credentials** to access AWS.

✔ **Action Items:**\
1️⃣ Employees log in to the **SecureCart AD FS portal**.\
2️⃣ AD FS **authenticates users** and **redirects them to AWS** via SAML assertion.\
3️⃣ AWS **grants temporary IAM session tokens** based on assigned IAM roles.

🔹 **Why This Matters**\
✅ **No persistent AWS credentials needed**—all authentication is federated.\
✅ **Users only receive permissions assigned to their role**.

***

### **📌 SecureCart User Experience Flow**

#### **1️⃣ Authentication via SecureCart AD FS**

👤 **User Action**:\
✔ Employee logs into **SecureCart's AD FS portal** with their **Active Directory credentials**.

🔹 **Behind the Scenes:**\
✅ **AD FS authenticates user credentials** against Active Directory.\
✅ **Generates a SAML assertion** with user attributes.

***

#### **2️⃣ Role Assumption in AWS**

👤 **User Action**:\
✔ Employee is **redirected to AWS**, assuming an IAM role.

🔹 **Behind the Scenes:**\
✅ AWS IAM **validates the SAML assertion**.\
✅ IAM **maps the employee to an IAM role** based on their AD group.\
✅ AWS STS **issues temporary credentials** valid for up to 12 hours.
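What makes this step work, in both the setup guide's step 4 and the role assumption above, is that the role choice is not computed by IAM from the AD group itself: the AD FS claim rules translate group membership into the `https://aws.amazon.com/SAML/Attributes/Role` attribute, whose values pair a role ARN with the SAML provider ARN, and AWS honours only pairs whose provider matches the role's trust policy. The added Python example below is not part of the original page; it reuses the page's placeholder account number, provider and role names, parses a constructed, unsigned SAML response carrying two such pairs, applies the audience and provider checks the trust policy expresses, enforces the session-duration bounds STS accepts, and assembles the keyword arguments for boto3's `sts.assume_role_with_saml`. The STS call itself and AWS's verification of the assertion's XML signature are not performed here.

```python
"""Parse the AWS attributes AD FS puts in a SAML assertion and build the STS request (added example)."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS defines for SAML federation.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# ARNs reuse the page's placeholder account number and names.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/SecureCart-ADFS"
ARCHITECT_ROLE = "arn:aws:iam::123456789012:role/SecureCart-Architects"
DEVELOPER_ROLE = "arn:aws:iam::123456789012:role/SecureCart-Developers"

# Constructed, unsigned sample of what AD FS claim rules emit for a user in two AD groups.
# A real response also carries an XML Signature that AWS verifies against the IdP certificate.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.securecart.example/adfs/services/trust</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{AWS_SAML_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{SESSION_NAME_ATTR}">
        <saml:AttributeValue>jane.doe@securecart.example</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>{ARCHITECT_ROLE},{PROVIDER_ARN}</saml:AttributeValue>
        <saml:AttributeValue>{PROVIDER_ARN},{DEVELOPER_ROLE}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{DURATION_ATTR}">
        <saml:AttributeValue>43200</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_aws_saml_attributes(xml_text):
    """Extract issuer, audiences and the AWS attributes from a SAML response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role value: {value!r}")
        # AWS accepts the two ARNs in either order; normalise to (role, provider).
        role_arn, provider_arn = parts if ":role/" in parts[0] else parts[::-1]
        roles.append((role_arn, provider_arn))
    duration = attrs.get(DURATION_ATTR, [None])[0]
    audiences = assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "audiences": [a.text.strip() for a in audiences if a.text],
        "session_name": attrs.get(SESSION_NAME_ATTR, [None])[0],
        "roles": roles,
        "session_duration": int(duration) if duration is not None else None,
    }


def select_role(parsed, expected_provider_arn, role_arn):
    """Apply the checks the trust policy expresses: AWS audience, expected provider, offered role."""
    if AWS_SAML_AUDIENCE not in parsed["audiences"]:
        raise ValueError("assertion is not addressed to AWS sign-in (SAML:aud mismatch)")
    offered = {r: p for r, p in parsed["roles"] if p == expected_provider_arn}
    if role_arn not in offered:
        raise ValueError(f"{role_arn} is not offered for provider {expected_provider_arn}")
    return role_arn, offered[role_arn]


def session_duration_seconds(parsed, role_max_seconds=43200):
    """STS defaults to 1 hour; SessionDuration may raise it, but STS rejects values
    below its 15-minute floor or above the role's MaxSessionDuration (12 hours at most)."""
    requested = 3600 if parsed["session_duration"] is None else parsed["session_duration"]
    if not 900 <= requested <= role_max_seconds:
        raise ValueError(f"SessionDuration {requested} outside 900..{role_max_seconds}")
    return requested


def build_assume_role_request(xml_text, expected_provider_arn, role_arn):
    """Keyword arguments for boto3's sts.assume_role_with_saml; the call itself is not made here."""
    parsed = parse_aws_saml_attributes(xml_text)
    role, provider = select_role(parsed, expected_provider_arn, role_arn)
    return {
        "RoleArn": role,
        "PrincipalArn": provider,
        "SAMLAssertion": base64.b64encode(xml_text.encode()).decode(),
        "DurationSeconds": session_duration_seconds(parsed),
    }
```

With real credentials the result is passed straight through as `boto3.client("sts").assume_role_with_saml(**build_assume_role_request(response_xml, PROVIDER_ARN, ARCHITECT_ROLE))`. The `SessionDuration` attribute is capped at the role's `MaxSessionDuration`, which is where the "up to 12 hours" limit above comes from; a `RoleSessionName` derived from the user's UPN or mail is what CloudTrail later records, so keep that claim rule stable.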

***

#### **3️⃣ SecureCart Employees Access AWS Resources**

👤 **User Action**:\
✔ Employee accesses **AWS Console, EC2, S3, RDS, or VPC resources** as per their IAM role.

🔹 **Behind the Scenes:**\
✅ IAM **restricts access** to only **authorized AWS services**.\
✅ AWS CloudTrail **logs all actions** for compliance tracking.

***

### **📌 SecureCart User Experience Flow Diagram**

```
+-----------------------------+
| SecureCart Employee         |
+-----------------------------+
           |
           | (1) Logs in to SecureCart AD FS  
           V
+-----------------------------+
| Active Directory (AD FS)    |
+-----------------------------+
           |
           | (2) AD FS authenticates & issues SAML assertion  
           V
+-----------------------------+
| AWS IAM Role Assumption     |
+-----------------------------+
           |
           | (3) AWS STS issues temporary IAM credentials  
           V
+-----------------------------+
| SecureCart AWS Resources    |
+-----------------------------+
           |
           | (4) Employee accesses AWS services  
           V
+-----------------------------+
| EC2 | RDS | S3 | VPC | etc. |
+-----------------------------+
```

***

### **📌 Summary**

🚀 **SecureCart enables federated access using AD FS and SAML 2.0**, allowing employees to log into AWS with their corporate credentials.\
✅ **IAM roles dynamically grant permissions based on AD groups**.\
✅ **AWS STS ensures temporary credentialing—eliminating the need for IAM users**.\
✅ **SecureCart employees can access AWS resources securely without additional login steps**.
