Azure AD SSO integration with AWS IAM Identity Center (Successor to AWS Single Sign-On)

Bhanvendra Singh
Hyand Blog
6 min read · Aug 27, 2022


In this tutorial, you will learn how to integrate AWS IAM Identity Center with Azure Active Directory. When you integrate AWS IAM Identity Center with Azure AD, you can:
• Control in Azure Active Directory who has access to AWS IAM Identity Center.
• Enable your users to sign in to AWS IAM Identity Center automatically with their Azure Active Directory accounts.
• Manage user accounts in one central location, the Azure portal.

AWS IAM Identity Center was added to the Azure AD application gallery recently. It makes it easy to centrally manage access to multiple AWS accounts and AWS applications, with sign-in through Microsoft Azure AD. You connect Microsoft Azure Active Directory to AWS IAM Identity Center once, and then use IAM Identity Center to manage permissions across all of your AWS accounts from one place. IAM Identity Center assigns permissions automatically and keeps them current as you change applications and access assignments. End users authenticate with their Active Directory credentials to access the AWS Console, the AWS Command Line Interface, and applications integrated with IAM Identity Center.

AWS IAM Identity Center Architecture

How does it actually work?

AWS IAM Identity Center establishes a trust relationship between a service provider (AWS) and an identity provider (here, Azure AD). The trust is set up by exchanging a certificate between the identity provider and the service provider as part of their SAML metadata. That certificate lets the service provider verify that the identity information it receives was issued by the trusted identity provider and not by someone else. IAM Identity Center receives this information in the form of tokens (SAML assertions) that carry the user's attributes, such as an email address or a username.
Organizations generally prefer to have a single identity across their applications and cloud platforms. Azure Active Directory is a popular choice for authentication because Office 365 is widely used in businesses, and it can serve as the authentication hub because it is already connected to many other services.

Prerequisites

Before diving in, we need to have the following:

• An Azure AD subscription. If you don't have one, you can easily get a free account.

• An AWS subscription with AWS IAM Identity Center enabled. AWS IAM Identity Center requires an AWS Organization.

Note: Do not add Roles manually in Azure AD when doing role imports.

Enable AWS IAM Identity Center:

First, log in to the AWS Console with the AWS Organizations management (master) account, then navigate to the AWS IAM Identity Center console. (Ensure that you are in the correct region.)

If you access the AWS IAM Identity Center service for the first time in any region, you will be greeted with the welcome screen below. Select “Enable”.

To connect to an external identity provider

  1. Click on Settings.
  2. Click on the Identity source tab, and then choose Actions -> Change identity source.
  3. Under Choose identity source, select External identity provider and then choose Next.
  4. Under Configure external identity provider, do the following:
  5. Under Service provider metadata, choose Download metadata file to download the metadata file and save it on your system. The AWS IAM Identity Center SAML metadata file is required by your external identity provider.

Configuring Azure AD as IdP

  • Now, log in to your Azure account and search for Azure Active Directory.
  • Select “Enterprise Applications” from the left panel and click on Create a new application.
  • Search for AWS IAM Identity Center in the search bar, then select AWS IAM Identity Center as shown below:
  • After clicking on AWS IAM Identity Center, click on Create.
  • Now navigate to the application that you just created and select “Set up single sign-on” as shown below.
  • Select SAML on the next page and upload the metadata file that we downloaded from the AWS IAM Identity Center console earlier.
  • After the upload succeeds, click “Save” and then close the Basic SAML Configuration pane.
  • Now we need to download the “Federation Metadata XML” from Azure, as shown in the image.
  • After the download completes, go back to the AWS console. Under Identity provider metadata, choose Choose file, and locate the metadata file that you downloaded from your external identity provider (Azure AD).
  • Choose Next.
  • Now, enter ACCEPT.
  • Then choose Change identity source.
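Added example (not from the original post): a small Python check for the federation metadata XML downloaded from Azure AD in the steps above, run before the file is uploaded to IAM Identity Center. It pulls out the fields the trust relationship described earlier depends on (the IdP entityID, the SSO endpoint and the signing certificate) and computes a certificate fingerprint that can be compared against what the Azure portal shows. The tenant id, endpoint and certificate bytes in the sample are constructed placeholders, not real values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an Azure AD federation metadata document;
# tenant id, endpoint and certificate body are placeholders, not real values.
PLACEHOLDER_DER = b"PLACEHOLDER_CERT_DER"
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon separated as consoles usually display it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the trust-relevant fields plus a list of reasons not to upload the file."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "sso_url": "", "fingerprints": [],
                "findings": ["no IDPSSODescriptor: this is not IdP metadata"]}
    sso = idp.find("md:SingleSignOnService", NS)
    sso_url = sso.get("Location", "") if sso is not None else ""
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' covers signing too
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            fingerprints.append(cert_fingerprint(base64.b64decode(cert.text.strip())))
    findings = []
    if not fingerprints:
        findings.append("no signing certificate: assertions could not be verified")
    for url in (entity_id, sso_url):
        if not url.startswith("https://"):
            findings.append(f"endpoint is not https: {url!r}")
    return {"entity_id": entity_id, "sso_url": sso_url,
            "fingerprints": fingerprints, "findings": findings}
```

Azure AD rotates its signing certificate over time, so the metadata may list more than one; every fingerprint returned should be confirmed against the portal, not just the first.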

So far we have completed the federation setup. Now let's provision users automatically from Azure AD to AWS IAM Identity Center.

Automatic provisioning of Users and groups

  • From the left panel of AWS IAM Identity Center, click on “Settings.”
  • On the Settings page, click on the Automatic provisioning information box, and then choose Enable.
  • From the Inbound automatic provisioning dialog box, copy each of the values for the following options (SCIM endpoint and Access token). You will need to paste these in later when you configure provisioning in your IdP.
  • Choose Close.
  • Now, go back to Azure.
  • Navigate to “Provisioning” from the left panel of the application and click on Get Started.
  • Change the provisioning mode to Automatic and paste the SCIM endpoint and access token that you copied from the AWS console. Click on Save.
  • Go back to the “Provisioning” section and start provisioning. In Azure, the default provisioning interval is 40 minutes.
  • Once a provisioning cycle has run, the user is provisioned and should be visible in the AWS IAM Identity Center console.
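Added example (not part of the original post): a Python sketch of the SCIM exchange that the settings above enable, with both sides shown. One function builds the user-create request that Azure AD's provisioning service sends to the SCIM endpoint with the copied access token (following Azure's default mapping of userPrincipalName to userName and objectId to externalId), and a small stand-in endpoint shows the checks the receiving side performs (bearer token, required SCIM fields, uniqueness). The token and user values are constructed; the real AWS endpoint is not contacted.

```python
import hmac
import json
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

def azure_create_user_request(token: str, upn: str, object_id: str,
                              given: str, family: str) -> tuple:
    """Headers and body of the POST /Users that Azure sends for a newly assigned user."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/scim+json"}
    body = {"schemas": [SCIM_USER], "externalId": object_id, "userName": upn,
            "active": True, "name": {"givenName": given, "familyName": family},
            "emails": [{"primary": True, "type": "work", "value": upn}]}
    return headers, json.dumps(body)

def scim_error(status: int, detail: str, scim_type: str = "") -> tuple:
    """SCIM 2.0 error document; scimType is only set where the spec defines one."""
    err = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        err["scimType"] = scim_type
    return status, err

class ScimEndpoint:
    """Stand-in for the inbound endpoint (constructed, not the AWS implementation):
    verifies the bearer token in constant time, rejects malformed or duplicate
    users, and stores accepted ones under the id it assigns."""

    def __init__(self, access_token: str):
        self._token = access_token
        self.users = {}

    def create_user(self, headers: dict, body: str) -> tuple:
        presented = headers.get("Authorization", "").removeprefix("Bearer ")
        if not hmac.compare_digest(presented, self._token):
            return scim_error(401, "invalid or missing access token")
        user = json.loads(body)
        if SCIM_USER not in user.get("schemas", []) or not user.get("userName"):
            return scim_error(400, "schemas and userName are required", "invalidValue")
        if any(u["userName"] == user["userName"] for u in self.users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        user["id"] = str(uuid.uuid4())            # SCIM id is chosen by the endpoint
        user["meta"] = {"resourceType": "User"}
        self.users[user["id"]] = user
        return 201, user
```
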

In this article, I showed how to link Azure Active Directory to AWS IAM Identity Center. With this link, you can now use automatic provisioning to reduce the complexity of managing and using identities, control access to AWS accounts and apps from a single location, and enable single sign-on for AWS accounts and apps. Because Azure AD can now be used as a single source for user management, users no longer need to manage numerous identities and passwords in order to access their AWS accounts and apps.
