Integrating AWS IAM Identity Center with Azure AD SSO

Reeti
Cloudnloud Tech Community
5 min read · Jul 4, 2023


In this blog, I will list the steps needed to integrate AWS IAM Identity Center (the successor to AWS Single Sign-On) with Azure Active Directory (Azure AD), then configure and test Azure AD SSO in a test environment.

The benefits of integrating AWS IAM Identity Center with Azure AD are:

  • Access to AWS IAM Identity Center can be controlled in Azure AD.
  • Users can automatically sign in to AWS IAM Identity Center using Azure AD credentials.
  • The Azure portal can be used as a central location to manage all accounts.

Before starting, make sure you have the following:

  • An Azure AD tenant, and an account with a role that can create enterprise applications (Cloud Application Administrator or higher).
  • An AWS Organizations management account with IAM Identity Center enabled (IAM Identity Center requires AWS Organizations).

The first step is to add AWS IAM Identity Center from the gallery to the list of managed SaaS apps. To do that:

Sign in to the Azure portal.

Select the Azure Active Directory service.

Click on Enterprise Applications and then select New Application.

In the Add from the Gallery section, type AWS in the search box.

Select AWS IAM Identity Center, give it a name, and then click Create.

Once the application is created, assign a user and configure single sign-on from the Manage section.

For SSO to work, each Azure AD user must be linked to a matching user in AWS IAM Identity Center. The link is the SAML NameID: by default the gallery app sends the user's userPrincipalName, and IAM Identity Center looks up a user whose username equals that value, so the two names must match exactly.

Create a new user or assign an existing Azure AD user to the AWS IAM Identity Center application we added to the tenant.

Once a user is assigned, click Set up single sign-on.

On the Select a single sign-on method page, select SAML.

Next, edit Basic SAML Configuration. Before filling it in, we need the service provider metadata file from AWS, so switch to the AWS console first.

Open another web browser window and log in to your AWS account.

Select Services -> Security, Identity, & Compliance -> AWS IAM Identity Center.

If you are using it for the first time, enable it.

Choose Settings. On the Identity source tab, open the Actions menu and select Change identity source.

Choose External identity provider.

On the Configure external identity provider page, under Service provider metadata, download the IAM Identity Center SAML metadata file and save it. Leave this page open; we will come back to it to upload Azure AD's metadata.

Go back to the Azure portal and, on the Set up Single Sign-On with SAML page, choose Upload metadata file and upload the file you just downloaded.

Once the file is uploaded successfully, the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in the Basic SAML Configuration section are populated automatically from the metadata.

For the Sign on URL, copy the AWS access portal sign-in URL shown on the IAM Identity Center Change identity source page (it is also on the Settings page) and paste it here, then save. To finish the AWS side, download the Federation Metadata XML from the SAML Signing Certificate section in Azure, upload it under Identity provider metadata on the Change identity source page, review the change and confirm it by typing ACCEPT.
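Before confirming the identity-source change it is worth reading both metadata files rather than trusting the auto-populated fields. The following script is an added example (not code from the original post or from AWS or Microsoft): it parses the service provider metadata downloaded from IAM Identity Center to show exactly which values become Azure's Identifier and Reply URL, parses the Federation Metadata XML from Azure AD to pull out the SSO endpoint and signing certificate, records a certificate fingerprint so a later Azure AD certificate rotation is noticed, and runs a few sanity checks (https everywhere, HTTP-POST assertion consumer, signed assertions required). Both XML documents below are constructed placeholders that follow the real SAML 2.0 metadata schema but use a fake region, directory id, tenant id and certificate.

```python
"""Parse and sanity-check the SAML metadata exchanged between IAM Identity Center
(service provider) and Azure AD (identity provider). Added example; both
metadata documents are CONSTRUCTED placeholders with fake ids and a fake cert."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed: SP metadata in the shape of the file downloaded under "Service
# provider metadata" in IAM Identity Center. entityID becomes Azure's
# "Identifier (Entity ID)"; the ACS Location becomes its "Reply URL".
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us-east-1.signin.aws.amazon.com/platform/saml/d-0000000000">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-east-1.signin.aws.amazon.com/platform/saml/acs/00000000-0000-0000-0000-000000000000"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed placeholder for the DER bytes of Azure AD's signing certificate.
FAKE_CERT_DER = b"constructed placeholder - not a real X.509 certificate"

# Constructed: IdP metadata in the shape of Azure AD's "Federation Metadata XML".
IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>%s</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % base64.b64encode(FAKE_CERT_DER).decode()


def parse_sp(xml_text):
    """Values Azure auto-populates from the uploaded SP metadata."""
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", NS)
    acs = spsso.find("md:AssertionConsumerService", NS)
    return {"identifier": root.get("entityID"),
            "reply_url": acs.get("Location"),
            "acs_binding": acs.get("Binding"),
            "want_signed_assertions": spsso.get("WantAssertionsSigned") == "true"}


def parse_idp(xml_text):
    """IdP entityID, SSO endpoints by binding, and signing certificates (base64 DER)."""
    root = ET.fromstring(xml_text)
    idpsso = root.find("md:IDPSSODescriptor", NS)
    certs = idpsso.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_urls": {s.get("Binding"): s.get("Location")
                         for s in idpsso.findall("md:SingleSignOnService", NS)},
            "signing_certs": [c.text.strip() for c in certs]}


def signing_cert_fingerprints(idp):
    """SHA-256 per signing cert; record them so an Azure AD certificate rotation
    is noticed (and the new metadata re-uploaded) before logins start failing."""
    return [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in idp["signing_certs"]]


def check_federation(sp, idp):
    """Checks worth running before confirming the identity-source change in AWS."""
    problems = []
    reply, ident = urlparse(sp["reply_url"]), urlparse(sp["identifier"])
    if reply.scheme != "https":
        problems.append("ACS URL is not https")
    if reply.hostname != ident.hostname:
        problems.append("entityID host differs from ACS host")
    if sp["acs_binding"] != HTTP_POST:
        problems.append("ACS binding is not HTTP-POST")
    if not sp["want_signed_assertions"]:
        problems.append("SP does not require signed assertions")
    if not idp["signing_certs"]:
        problems.append("IdP metadata has no signing certificate")
    if not {HTTP_REDIRECT, HTTP_POST} & set(idp["sso_urls"]):
        problems.append("IdP exposes no HTTP-Redirect or HTTP-POST SSO endpoint")
    return problems
```

Point `parse_sp` and `parse_idp` at the two real files instead of the embedded strings and compare `parse_sp(...)["identifier"]` and `["reply_url"]` with what Azure filled in; an empty list from `check_federation` is the green light for the ACCEPT step. Keep the fingerprint from `signing_cert_fingerprints` with your runbook: when Azure AD rolls the signing certificate, the new Federation Metadata XML has to be uploaded to IAM Identity Center again.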

In the AWS IAM Identity Center console, click AWS accounts to see all the accounts in the organization.

Create a permission set to define the level of access users get in an AWS account; IAM Identity Center provisions a matching IAM role in every account the set is assigned to.

From the options given, select a predefined permission set. I use AdministratorAccess for this demo; in a real environment, prefer ReadOnlyAccess or a custom permission set and keep administrator access for break-glass use.

You can also choose the session duration (1 to 12 hours, default 1 hour). Keep it short for privileged permission sets, since a stolen console session stays valid until it expires.

The next step is to create an AWS IAM Identity Center test user.

In the AWS IAM Identity Center console, choose Users, then Add user.

On the Add user page, set the username to exactly the same value as the user's Azure AD sign-in name (userPrincipalName); a mismatch is the most common cause of a failed SAML sign-in.

Assign the user to your AWS account. Click AWS accounts, select the Organization tab, check the box next to the AWS account you want to assign, and choose Assign users.

Then choose Next to move on to the permission sets.

Under the Select permission sets section, check the box next to the permission set you want to assign to the user.

AWS IAM Identity Center also supports automatic user provisioning (SCIM) from Azure AD, which creates and deactivates users in step with the Azure AD assignments instead of by hand. If you wish, you can configure that too.
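Once more than a test user is involved, the username link and the permission sets are easier to check from a script than by clicking through both portals. The following is an added example (not code from the original post, AWS or Microsoft). It takes the IAM Identity Center user list, the userPrincipalNames of the users assigned to the Azure AD enterprise application, and the permission-set definitions as plain dicts shaped like the AWS CLI output; the sample data is constructed so the script runs offline, and the thresholds (flagging AdministratorAccess and sessions over 4 hours) are my choices, not anything the post or AWS prescribes. Live data would come from `aws identitystore list-users`, `aws sso-admin describe-permission-set` and `aws sso-admin list-managed-policies-in-permission-set`, and from the users assigned to the enterprise application in Azure AD.

```python
"""Reconcile the Azure AD <-> IAM Identity Center user link and audit the
permission sets. Added example; the data below is CONSTRUCTED in the shape of
`aws identitystore list-users` and `aws sso-admin describe-permission-set` /
`list-managed-policies-in-permission-set` output and of Azure AD UPNs."""
import re

# Constructed: userPrincipalNames of the users assigned to the enterprise app
# in Azure AD. Azure AD sends the UPN as the SAML NameID by default, and IAM
# Identity Center must find a user whose username equals it.
AZURE_ASSIGNED_UPNS = ["alice@example.com", "Bob@Example.com", "carol@example.com"]

# Constructed: Users[] from `aws identitystore list-users --identity-store-id <id>`.
IDENTITY_CENTER_USERS = [
    {"UserName": "alice@example.com", "UserId": "00000000-alice"},
    {"UserName": "bob@example.com", "UserId": "00000000-bob"},
    {"UserName": "dave@example.com", "UserId": "00000000-dave"},  # nobody in Azure AD maps here
]

# Constructed: one dict per permission set, merging describe-permission-set and
# list-managed-policies-in-permission-set output.
PERMISSION_SETS = [
    {"Name": "AdministratorAccess", "SessionDuration": "PT12H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    {"Name": "ReadOnly", "SessionDuration": "PT1H",
     "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
]

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def reconcile_users(azure_upns, idc_users):
    """Link each Azure UPN to an IAM Identity Center username.

    Exact matches are 'linked'. Names that differ only in case are reported
    separately rather than silently accepted, so the Identity Center username
    can be corrected to match the NameID exactly. Identity Center users with no
    Azure counterpart are orphans: they keep their account assignments but no
    Azure AD user can sign in as them, so they should be removed, not left around.
    """
    by_lower = {u["UserName"].lower(): u["UserName"] for u in idc_users}
    exact = {u["UserName"] for u in idc_users}
    report = {"linked": [], "case_mismatch": [], "missing_in_aws": [], "orphaned_in_aws": []}
    seen = set()
    for upn in azure_upns:
        if upn in exact:
            report["linked"].append(upn)
            seen.add(upn.lower())
        elif upn.lower() in by_lower:
            report["case_mismatch"].append((upn, by_lower[upn.lower()]))
            seen.add(upn.lower())
        else:
            report["missing_in_aws"].append(upn)
    report["orphaned_in_aws"] = sorted(n for k, n in by_lower.items() if k not in seen)
    return report


def session_hours(iso_duration):
    """Convert an IAM Identity Center SessionDuration such as 'PT8H' to hours."""
    m = ISO_DURATION.match(iso_duration)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"unsupported duration: {iso_duration!r}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60


def audit_permission_sets(permission_sets, max_hours=4.0):
    """Flag the two things the demo setup gets wrong for production: a full
    AdministratorAccess permission set and a long console session."""
    findings = []
    for ps in permission_sets:
        if ADMIN_POLICY in ps["ManagedPolicies"]:
            findings.append((ps["Name"], "grants AdministratorAccess; keep for break-glass only"))
        if session_hours(ps["SessionDuration"]) > max_hours:
            findings.append((ps["Name"], f"session duration {ps['SessionDuration']} exceeds {max_hours:g}h"))
    return findings
```

On the constructed data, `reconcile_users` links alice, flags Bob as a case mismatch, reports carol as missing in AWS and dave as an orphan, and `audit_permission_sets` raises two findings against the AdministratorAccess set and none against ReadOnly. The orphan list is the one to act on first: with SCIM provisioning enabled those accounts would be deactivated automatically, which is the main security argument for turning it on.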

Once the user is assigned, we can test SSO from the Azure portal.

Go back to the Set up Single Sign-On with SAML page where we configured the basic SAML settings.

Scroll down to section 5 (Test single sign-on with AWS IAM Identity Center) and click Test.

A new pane opens; click Test sign in.

Azure AD signs the current user in to the AWS access portal, which displays the AWS accounts the signed-in user is assigned to.

Once you click on an account, you are logged in to the AWS console as that user, with the access permissions defined in the permission set.
