How to Integrate on-premises active directory with AWS

Pravin Lolage
5 min read, Aug 20, 2019

Context

Let’s consider that you work in an organization that has an Active Directory for managing internal applications like Jira, an HR portal, etc. Now suppose there are small development teams that use AWS services regularly inside their applications. The company has a policy that each development team must have access only to the services related to its own projects: a user from one team should not be able to access the services used by another team.

The infrastructure team has done some excellent work to give each development team dedicated access. They created a group in AWS IAM for each development team, and each group has restricted policies attached according to that team's needs, with a role for each group. They then created every user in IAM and assigned each one to the appropriate group.

Now the question comes: “Why should we create the users in AWS if we already have the same users in Active Directory?” Can we use these existing AD user credentials to log in to the AWS console? The answer is a big

YES!

Pre-requisites

  1. A working Microsoft Active Directory
  2. Active Directory Federation Services (ADFS) must be installed.
  3. An AWS account.

Setup Integration

So let’s dive into how to integrate Active Directory with AWS, following the steps below.

Step 1: Download SAML metadata document

You need to download the federation metadata XML document from the ADFS server. Use the following URL:

https://<SERVER_HOST>/FederationMetadata/2007-06/FederationMetadata.xml

Replace SERVER_HOST with the host name of your ADFS server. In my case it is https://testsystem.test.com/FederationMetadata/2007-06/FederationMetadata.xml

Step 2: Create Identity Provider in AWS

You need to create the Identity Provider in the AWS IAM service. For that follow the steps below:

  1. Go to the IAM console.
  2. Click on Identity Providers and select Create Provider.
  3. Set Provider Type to SAML.
  4. Enter a provider name of your choice. In our case it's ADFS.
  5. Upload the metadata document that we downloaded in Step 1.
  6. Click Next, review the information and click Create.

Step 3: Add relying party trust in ADFS

Go to the ADFS Management Console, click on Trust Relationships, right-click on Relying Party Trusts and then click on Add Relying Party Trust. The Add Relying Party Trust Wizard will open.

  1. In the Add Relying Party Trust Wizard, click Start.
  2. Check Import data about the relying party published online or on a local network, type https://signin.aws.amazon.com/static/saml-metadata.xml, and then click Next.
  3. Set the display name for the relying party like `Amazon Web Services` and then click Next.
  4. You can configure multi-factor authentication here; I am skipping it.
  5. Next, choose the authorization rules for your scenario. I am checking `Permit all users to access this relying party`.
  6. Review your setup and then click Next.

Step 4: Add claim rules

This step is all about adding claim rules. Let's add these rules one by one.

Rule 1:

  1. In ADFS Console, inside relying parties, right-click on the relying party that we just added. In our case Amazon Web Services.
  2. Click on Edit claim rules. Then click on Add rule.
  3. Select Transform an Incoming Claim and then click Next.
  4. Use the following settings:
    * Claim rule name: NameId
    * Incoming claim type: Windows Account Name
    * Outgoing claim type: Name ID
    * Outgoing name ID format: Persistent Identifier
    * Pass through all claim values: checked
  5. Click on Finish.

Rule 2:

  1. Again click on Add rule.
  2. In the Claim rule template list, select Send LDAP Attributes as Claims.
  3. Use the following settings:
    * Claim rule name: RoleSessionName
    * Attribute store: Active Directory
    * LDAP Attribute: E-Mail-Addresses
    * Outgoing Claim Type: https://aws.amazon.com/SAML/Attributes/RoleSessionName
  4. Click on Finish.

Rule 3:

  1. Again click Add Rule for the last time.
  2. In the Claim rule template list, select Send Claims Using a Custom Rule and then click Next.
  3. For Claim rule name, enter a name (I would suggest `Get AD Groups`), and then in Custom rule, enter the following:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

  4. Click OK and click Add Rule.
  5. Repeat the preceding steps, but this time type `Roles` for Claim rule name and use the following script:

    c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "<ARN_OF_IDENTITY_PROVIDER>,arn:aws:iam::<ACCOUNT_NUMBER>:role/ADFS-"));

Note: Don't forget to replace ARN_OF_IDENTITY_PROVIDER with the ARN of the Identity Provider you created in Step 2. Also replace ACCOUNT_NUMBER with your AWS account ID, which is the account ID in the ARN of the roles you will create for SAML in the next section.
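To see what the three claim rules actually produce for a given user, here is an added Python simulation of the rule chain (this is illustration code written for this article, not ADFS code or anything the author provided). The provider ARN, account ID and the tokenGroups memberships are constructed placeholder values, and the simulation assumes RegExReplace behaves like .NET's Regex.Replace (replace all matches, case-sensitive by default); check the result against a real SAML assertion from your own ADFS.

```python
import re

# Constructed placeholder values (not from the article); substitute your own.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ADFS"
ACCOUNT_ID = "123456789012"

# The replacement string the "Roles" rule passes to RegExReplace, with
# ARN_OF_IDENTITY_PROVIDER and ACCOUNT_NUMBER filled in.
ROLE_REPLACEMENT = f"{PROVIDER_ARN},arn:aws:iam::{ACCOUNT_ID}:role/ADFS-"

# Constructed tokenGroups lookups, standing in for the "Get AD Groups" rule's
# Active Directory store query (";tokenGroups;{0}").
TOKEN_GROUPS = {
    "CORP\\tom": ["Domain Users", "AWS-DevTeam", "Jira-Users"],
    "CORP\\jerry": ["Domain Users", "AWS-ProdTeam"],
    "CORP\\ops": ["Domain Users", "AWS-DevTeam", "AWS-ProdTeam"],
    "CORP\\guest": ["Domain Users", "SomeAWS-Team"],
}


def get_ad_groups(windows_account_name):
    """Mirror of the 'Get AD Groups' rule: one http://temp/variable claim per group."""
    return list(TOKEN_GROUPS.get(windows_account_name, []))


def roles_claims(groups):
    """Mirror of the 'Roles' rule: keep only groups matching (?i)^AWS- and rewrite
    the literal 'AWS-' prefix into '<provider ARN>,<role ARN prefix>'.
    Assumption: RegExReplace is case-sensitive, like .NET Regex.Replace by default."""
    issued = []
    for value in groups:
        if re.match(r"(?i)^AWS-", value):  # anchored, so 'SomeAWS-Team' is dropped
            issued.append(re.sub(r"AWS-", ROLE_REPLACEMENT, value))
    return issued


def saml_role_attribute(windows_account_name):
    """End to end: account name -> tokenGroups -> Role attribute values."""
    return roles_claims(get_ad_groups(windows_account_name))


def role_arn(role_claim):
    """The IAM role half of a 'providerArn,roleArn' pair, as AWS reads it."""
    return role_claim.split(",", 1)[1]


if __name__ == "__main__":
    for user in TOKEN_GROUPS:
        roles = [role_arn(r) for r in saml_role_attribute(user)]
        # A user with no Role attribute in the assertion cannot sign in to AWS.
        print(user, "->", roles or "no AWS role in the assertion")
```

A user who is a member of two AWS- groups (`CORP\ops` above) gets two Role values, and the AWS sign-in page will ask which role to assume; a user with no matching group gets no Role attribute at all, which is the failure you will see when a new team's group is created without the AWS- prefix.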

Now we are finished with the integration setup. Now let’s test it by creating two roles.

Example

Now suppose I have two groups in Active Directory, AWS-DevTeam and AWS-ProdTeam, and two users, Tom and Jerry. In Active Directory, Tom is a member of AWS-DevTeam and Jerry is a member of AWS-ProdTeam.

Let’s create the two roles in AWS, namely ADFS-DevTeam and ADFS-ProdTeam. Follow the steps below:

Creating ADFS-DevTeam Role

  1. Go to the IAM management console. Then click on Roles and click Create Role.
  2. Select SAML 2.0 federation as the type of trusted entity.
  3. Select the SAML provider that we just created during setup.
  4. Next, check Allow programmatic and AWS Management Console access and then click on Next: Permissions.
  5. Here you need to attach the policies that are allowed for this particular role. For the ADFS-DevTeam role I am assuming the full Lambda access policy, so search for it and check it to move ahead.
  6. You can add tags if you want; I am skipping it. Click on Next.
  7. Enter the role name ADFS-DevTeam. You can add a description there too.
  8. Finally, click on Create role.
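Selecting SAML 2.0 federation in the wizard is what makes the role assumable only through the identity provider: it writes a trust policy whose principal is the provider ARN, whose action is sts:AssumeRoleWithSAML and whose condition pins SAML:aud to the AWS sign-in endpoint. The following added Python check (written for this article, not part of AWS or the author's setup; the provider ARN and account ID are constructed placeholders) verifies that a role's trust policy still has that shape, which is worth re-running after anyone edits the role by hand.

```python
import json

# Constructed placeholder (not from the article); substitute your provider ARN.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/ADFS"
# The audience AWS expects in SAML assertions used for console/STS sign-in.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Trust policy of the shape the IAM console writes for a "SAML 2.0 federation"
# trusted entity with console access allowed (values here are constructed).
EXPECTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }
    ],
}

# Two constructed drifted policies: one lost its audience condition, one
# trusts a different provider than the one created in Step 2.
WEAK_NO_AUDIENCE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
        }
    ],
}
WEAK_OTHER_PROVIDER = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/OldIdP"},
            "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy, provider_arn):
    """Return a list of findings. An empty list means every Allow statement that
    grants sts:AssumeRoleWithSAML trusts only provider_arn and only for the
    AWS sign-in audience."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in federated:
            findings.append(f"statement {i}: any federated principal may assume the role")
        elif federated != [provider_arn]:
            findings.append(f"statement {i}: federated principal is {federated}, expected [{provider_arn!r}]")
        audience = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or not {AWS_SAML_AUDIENCE}")
    return findings


def check_trust_policy_json(text, provider_arn):
    """Same check on the JSON text shown in the role's Trust relationships tab."""
    return check_saml_trust_policy(json.loads(text), provider_arn)


if __name__ == "__main__":
    for name, pol in [("expected", EXPECTED_TRUST_POLICY),
                      ("no audience", WEAK_NO_AUDIENCE),
                      ("other provider", WEAK_OTHER_PROVIDER)]:
        print(name, "->", check_saml_trust_policy(pol, PROVIDER_ARN) or "ok")
```

The check deliberately ignores Deny statements and statements that do not grant sts:AssumeRoleWithSAML; it only answers the question that matters for this setup, namely whether anyone other than your ADFS can obtain credentials for the role.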

Creating ADFS-ProdTeam Role

Follow the same steps as above; only the attached policies and the role name change.

Now, let's check that everything works perfectly.

Visit your Active Directory login page using the URL below:

https://<SERVER_HOST>/adfs/ls/IdpInitiatedSignOn.aspx

Replace SERVER_HOST with the host name of your ADFS server.

Now log in with Tom’s credentials: he is redirected to the AWS console, where he can access only the Lambda service and not the other services. Similarly, Jerry won’t be able to access any service that is not assigned to him.

That's It!

Thanks for reading!

If you like this article, please clap for it, and if you don’t, please put your thoughts in the comments so that I can improve it.

You can reach out to me on LinkedIn and Quora.
