AWS authenticates from Active Directory with Single Sign-On

Girish V P
Tensult Blogs
May 24, 2018

This blog has moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.

Why a Single Sign-On?

Single Sign-On (SSO) is a mechanism in which a user authenticates once and is then authorized to access other applications. Users are authenticated against a centralised authentication service such as Active Directory Service (ADS). The user logs on to the web console provided by the identity provider and, after successful authentication, is issued a token that grants access to the other trusted services. This saves the administrator from maintaining multiple authentication databases. Let us look at some related technologies and software below.

Active Directory Federation Services (ADFS)

A service that can be installed on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. ADFS acts on the identity provider side: it authenticates the user against Active Directory Domain Services and then issues a token containing a series of claims about the user, including their identity. On the resource side, the service provider makes its access-control decision based on the accepted identity claims. ADFS lets the user enter credentials through a web login and, upon authentication, redirects them to the service they wanted to access.

Security Assertion Markup Language (SAML)

An open standard for exchanging authentication and authorization data across organizations. SAML uses tokens, which are digitally signed and encrypted messages carrying authentication and authorization attributes such as an e-mail address or an organizational role. The SAML specification defines three roles: the principal (user), the identity provider (IdP), and the service provider (SP). The principal requests a service from the service provider. The service provider requests and obtains an authentication assertion from the identity provider. Based on this assertion, the service provider makes access-control decisions for the connected principal.

In this setup the flow for a user Bob is as follows:

1. Bob browses to the ADFS sign-on page (https://my1.example.com/adfs/ls/IdpInitiatedSignOn.aspx) within his domain.
2. The page authenticates Bob with his e-mail ID and password.
3. Bob’s browser receives a SAML assertion in the form of an authentication response from ADFS.
4. Bob’s browser posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml).
5. Bob’s browser receives the sign-in URL and is redirected to the AWS console, where access is granted according to the mapped AWS role.

About Setup

This setup provides AWS access for two users, Alice and Bob. Bob should have access to EC2 and S3, and Alice to S3 only. The user accounts are not IAM users; they are stored in Active Directory Service.

Server Specifications

1) ADS Domain Controller 1

Operating System: Windows Server 2016
AMI ID: Windows_Server-2016-English-Full-Base-2018.05.09 (ami-bd8daed2)
Platform: AWS
Hostname: my1.example.com
Domain: example.com
Roles: Active Directory Domain Controller, Active Directory Federation Server, Web Server (IIS)
Other Packages: Firefox

2) ADS Domain Controller 2

Operating System: Windows Server 2016
AMI ID: Windows_Server-2016-English-Full-Base-2018.05.09 (ami-bd8daed2)
Platform: AWS
Hostname: my2.example.com
Domain: example.com
Roles: Active Directory Domain Controller (additional), Active Directory Federation Server, Web Server (IIS)
Other Packages: Firefox

Configuration Steps

The configuration steps are: create the users Alice and Bob in ADS and add them to the AD groups AWS-Infra and AWS-Desktop; generate the ADFS metadata and upload it to an Identity Provider in AWS IAM; create the AWS roles ADFS-Infra (EC2 and S3 access) and ADFS-Desktop (S3 access only) with the required permissions; and configure a Relying Party Trust in ADFS that maps every AD group AWS-* to the AWS role ADFS-*. Since there are no IAM users apart from the root account, authentication happens in ADS and authorization comes from the mapped AWS roles.

Please follow the steps below:

· Setup Active Directory Domain

· Web Service (IIS) Setup

· Install and Configure ADFS

· Setup Identity Provider and Roles in AWS

· Configure Relying Party Trust

· Set ADFS property

· Set up redundant ADFS System

Setup Active Directory Domain

1. Configure the ADS Domain Controller (my1.example.com) and the ADS Additional Domain Controller (my2.example.com). This is a standard setup; the configuration details are not covered here.

2. Create two AD Groups named AWS-Infra, AWS-Desktop.

3. Create users named Bob and Alice.

4. Open Bob’s properties -> General -> E-mail and assign an e-mail address to Bob, e.g. bob@example.com. Repeat the same for Alice with her e-mail ID. This is mandatory in this experiment because the ADFS claim is based on the user’s e-mail address.

5. Add Bob to the AWS-Infra and AWS-Desktop AD groups.

6. Add Alice to AWS-Desktop only.

7. Create another user named ADFSSVC. This account will be used by ADFS services later on.
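The same AD objects can be created from PowerShell on the domain controller with the ActiveDirectory module. This is an added example, not a script from the original post; it assumes the domain example.com, the default Users container as the target path, and that the e-mail addresses follow the user@example.com pattern used above.

```powershell
# Added example (not from the original post): creates the AD objects used in this setup
# with the ActiveDirectory module on the domain controller.
# Assumes the domain example.com and the container path below; adjust to your forest.
Import-Module ActiveDirectory

$ouPath = "CN=Users,DC=example,DC=com"   # assumed container for the new objects

# Groups that the ADFS claim rules later map to AWS roles (AWS-* -> ADFS-*)
foreach ($g in "AWS-Infra", "AWS-Desktop") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ouPath
    }
}

# Users: the e-mail address is mandatory because the RoleSessionName claim is built from it
$users = @(
    @{ Name = "Bob";   Mail = "bob@example.com";   Groups = "AWS-Infra", "AWS-Desktop" },
    @{ Name = "Alice"; Mail = "alice@example.com"; Groups = ,"AWS-Desktop" }
)
foreach ($u in $users) {
    $sam = $u.Name.ToLower()
    $pw  = Read-Host -AsSecureString "Initial password for $($u.Name)"
    New-ADUser -Name $u.Name -SamAccountName $sam -UserPrincipalName "$sam@example.com" `
        -EmailAddress $u.Mail -AccountPassword $pw -Enabled $true -Path $ouPath
    foreach ($g in $u.Groups) { Add-ADGroupMember -Identity $g -Members $sam }
}

# Service account for the ADFS farm (used on the "Specify Service Account" page later).
# A plain user account as in the post; a group Managed Service Account is the hardened alternative.
$svcPw = Read-Host -AsSecureString "Password for ADFSSVC"
New-ADUser -Name "ADFSSVC" -SamAccountName "adfssvc" -UserPrincipalName "adfssvc@example.com" `
    -AccountPassword $svcPw -Enabled $true -PasswordNeverExpires $true -Path $ouPath

# Check: each user's mail attribute and group membership
foreach ($u in $users) {
    $sam  = $u.Name.ToLower()
    $acct = Get-ADUser -Identity $sam -Properties mail, memberOf
    $groups = ($acct.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ','
    "{0}: mail={1} groups={2}" -f $acct.SamAccountName, $acct.mail, $groups
}
```

The final loop prints one line per user so that a missing mail attribute or group membership is visible before ADFS is configured; both would otherwise surface only as a failed or role-less AWS sign-in.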

Web Service (IIS) Setup

1. A web server is required because it provides the web access for the users. This server is configured with SSL enabled. I have used a self-signed certificate. You might use your CA-signed certificate for better security.

2. Install the Windows role Webserver (IIS) using Server Manager

3. Open the Internet Information Services (IIS) Manager console. Select your server MY1 (EXAMPLE\Administrator). Double-click “Server Certificates” in the right pane. Click “Create Self-Signed Certificate”.

4. Specify a friendly name for the certificate as “web cert” and select the certificate store as “Web Hosting”. Click OK.

5. After the certificate has been created, select it and click Export. Export the certificate as webcert.pfx to the Desktop. During the process assign a password, and make sure you remember it: this certificate will be used when you configure ADFS.

Install and Configure ADFS

1. Access Server Manager and Install Active Directory Federation Service Role by selecting all the default options.

2. In Server Manager ->Manage Click “Configure the federation service on this server”.

3. On the Welcome page select “Create the first federation server in a federation server farm” and click Next.

4. On the “Connect to Active Directory Domain Services” page, keep all settings at their defaults. EXAMPLE\administrator is the default account; it is the account with which the ADFS configuration is performed. Click Next.

5. On the “Specify Service Properties” page import the certificate and provide the password you assigned to your self-signed certificate. The “Federation Service Name” is normally the hostname. Also assign a “Federation Service Display Name”; I have assigned “Example corporation”. Click Next.

6. In the “Specify Service Account” page click on “Use an existing domain user account or group Managed Service Account” and enter the account name as ADFSSVC. Click Next.

7. In the “Specify Configuration Database” select “Create a database on this server using Windows Internal Database” and click Next.

8. On the “Review Options” page click Next.

9. On the “Prerequisite Checks” page click Configure, then Close.

Once the above configuration is complete, do the following step to fix a known issue. Use the adfssvc user you created in ADS and execute the command below in PowerShell. After successful execution you should see the message “Updated object” at the bottom.

setspn -a host/localhost adfssvc

10. Download the SAML metadata document for your ADFS federation server: in the Firefox web browser, open the following URL and save the file to your Desktop. Replace my1.example.com with your FQDN.

https://my1.example.com/FederationMetadata/2007-06/FederationMetadata.xml
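The IIS certificate, the ADFS farm installation, the setspn workaround and the metadata download from the two sections above can also be done from an elevated PowerShell prompt. This is an added example, not a script from the original post; it assumes the hostname my1.example.com, the ADFSSVC account created earlier, the Desktop paths below, and the display name “Example corporation” used in the wizard.

```powershell
# Added example (not from the original post): performs the IIS certificate and ADFS farm
# steps with PowerShell. Assumes hostname my1.example.com, the ADFSSVC service account
# created earlier, and the export paths below.
$fqdn    = "my1.example.com"
$pfxPath = "$env:USERPROFILE\Desktop\webcert.pfx"
$cerPath = "$env:USERPROFILE\Desktop\webcert.cer"

# 1. Web server role and a self-signed certificate (a CA-issued cert is preferable in production)
Install-WindowsFeature Web-Server -IncludeManagementTools
$cert  = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "web cert"
$pfxPw = Read-Host -AsSecureString "Password to protect $pfxPath"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPw | Out-Null
# Trust our own self-signed cert on this host so the metadata download below validates TLS
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 2. ADFS role and first federation server in the farm (Windows Internal Database is the default)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Import-Module ADFS
$svcCred = Get-Credential -UserName "EXAMPLE\adfssvc" -Message "ADFS service account"
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $fqdn `
    -FederationServiceDisplayName "Example corporation" `
    -ServiceAccountCredential $svcCred

# 3. Known-issue workaround from the post: register the host/localhost SPN on the service account
setspn -a host/localhost adfssvc

# 4. Download the federation metadata that is uploaded to the AWS IAM identity provider.
#    -UseBasicParsing avoids the Internet Explorer engine dependency on a fresh server.
$metadata = "$env:USERPROFILE\Desktop\FederationMetadata.xml"
Invoke-WebRequest -Uri "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml" `
    -OutFile $metadata -UseBasicParsing

# Check: the entityID in the metadata should carry the federation service name
$entityId = ([xml](Get-Content $metadata)).EntityDescriptor.entityID
"Metadata entityID: $entityId"
```

The last two lines read the entityID back from the downloaded file; if it does not contain the federation service name, the wrong metadata (or a stale one from a previous install) would be uploaded to AWS in the next section.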

Setup Identity Provider and Roles in AWS

1. Log in to the AWS web console as the root account.

2. In the IAM console, click “Identity Providers” in the left pane, then click the “Create Provider” button.

3. On the Configure Provider page, select the provider type SAML. Enter the provider name “newprovider1”. Click “Choose File” next to “Metadata Document” and select the ADFS metadata file you downloaded to your server’s Desktop a few steps ago. Click Next Step, then Create.

4. Make sure the provider you created appears in the list of identity providers.

5. Now create the roles. Click IAM -> Roles -> Create Role.

6. Click “SAML 2.0 federation”

7. Select the SAML provider “newprovider1” and select “Allow programmatic and AWS Management Console access”. Keep the other options at their defaults and click “Next: Permissions”. Attach the policies AmazonEC2ReadOnlyAccess and AmazonS3ReadOnlyAccess. Click “Next: Review”. Enter ADFS-Infra as the “Role Name”, add a “Role description”, and click Create role. Repeat the same for the role ADFS-Desktop with AmazonS3ReadOnlyAccess only.
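The identity provider and the two roles can be created from the AWS CLI instead of the console. This is an added example, not part of the original post; it assumes the AWS CLI is installed and configured with credentials allowed to manage IAM, that the metadata file is on the Desktop as above, and it uses the post’s placeholder account id 123456789012. The trust-policy function takes a list of provider names, so the same function also produces the two-provider document needed for the redundant ADFS server later in the post.

```powershell
# Added example (not from the original post): creates the IAM SAML provider and the two
# roles with the AWS CLI from PowerShell. Assumes the CLI is configured with credentials
# that can manage IAM, the metadata file path below, and a placeholder account id.
$accountId = "123456789012"                               # replace with your account id
$metadata  = "$env:USERPROFILE\Desktop\FederationMetadata.xml"

# Trust policy shared by both roles. Takes a list of provider names so the same document
# serves the single-provider setup and the redundant two-provider one. The SAML:aud
# condition pins accepted assertions to the AWS sign-in endpoint.
function New-SamlTrustPolicy([string[]]$ProviderNames) {
    $principals = $ProviderNames | ForEach-Object { "arn:aws:iam::${accountId}:saml-provider/$_" }
    $doc = @{
        Version   = "2012-10-17"
        Statement = @(@{
            Effect    = "Allow"
            Principal = @{ Federated = @($principals) }
            Action    = "sts:AssumeRoleWithSAML"
            Condition = @{ StringEquals = @{ "SAML:aud" = "https://signin.aws.amazon.com/saml" } }
        })
    }
    $doc | ConvertTo-Json -Depth 6
}

# 1. Identity provider from the ADFS federation metadata
aws iam create-saml-provider --name newprovider1 --saml-metadata-document "file://$metadata"

# 2. Roles: ADFS-Infra (EC2 + S3) and ADFS-Desktop (S3 only), the same mapping as the post
$roles = @{
    "ADFS-Infra"   = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    "ADFS-Desktop" = ,"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
$trustFile = "$env:TEMP\saml-trust.json"
New-SamlTrustPolicy -ProviderNames "newprovider1" | Set-Content -Path $trustFile -Encoding ascii
foreach ($role in $roles.Keys) {
    aws iam create-role --role-name $role --assume-role-policy-document "file://$trustFile" `
        --description "Assumed via ADFS SAML federation"
    foreach ($policyArn in $roles[$role]) {
        aws iam attach-role-policy --role-name $role --policy-arn $policyArn
    }
}

# Check: the provider and the two roles now exist
aws iam list-saml-providers --query "SAMLProviderList[].Arn" --output text
aws iam list-roles --query "Roles[?starts_with(RoleName,'ADFS-')].RoleName" --output text
```

Keeping the trust policy in a function rather than pasting JSON per role avoids the usual drift where one role ends up without the SAML:aud condition.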

Configure Relying Party Trust

1. Open the ADFS Management Console. Right-click “Relying Party Trusts” and click “Add Relying Party Trust”.

2. On the Welcome screen select “Claims aware” and click Start.

3. On the “Select Data Source” page check “Import data about the relying party published online or on a local network”, type https://signin.aws.amazon.com/static/saml-metadata.xml, and then click Next. This metadata XML file is a standard SAML metadata document that describes AWS as a relying party.

4. On the Specify Display Name page, enter the display name “Amazon Web Services”. Click Next.

5. On the Choose Access Control Policy page make sure that “Permit everyone” is selected. Click Next.

6. On the Ready to Add Trust page click Next.

7. On the Finish page make sure that “Configure claims issuance policy for this application” is checked.

8. The “Edit Claim Issuance Policy for Amazon Web Services” window opens. (To reach the same window later, open the ADFS console, right-click “Amazon Web Services” in the Relying Party Trusts list and click “Edit Claim Issuance Policy”.)

9. Add four Rules as given below.

Rule1: Map incoming and outgoing claim types

Click Add Rule. Select Transform an Incoming Claim and then click Next.

Use the following settings:

a. Claim rule name: MyNameID

b. Incoming claim type: Windows Account Name

c. Outgoing claim type: Name ID

d. Outgoing name ID format: Persistent Identifier

e. Pass through all claim values: checked

Click Finish.

Rule 2: Map E-Mail-Addresses LDAP attribute to outgoing claim

Click Add Rule.

In the Claim rule template list, select “Send LDAP Attributes as Claims” and click Next

Use the following settings:

a. Claim rule name: MyRoleSession

b. Attribute store: Active Directory

c. LDAP Attribute: E-Mail-Addresses

d. Outgoing Claim Type: https://aws.amazon.com/SAML/Attributes/RoleSessionName

Click Finish

Rule 3: Custom rule to retrieve the user’s AD group membership

Click Add Rule.

In the Claim rule template list, select “Send Claims Using a Custom Rule” and then click Next.

For Claim rule name, enter “groups”, and then in Custom rule enter the following:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

Click OK

Rule 4: Generate a Role claim

Click Add Rule.

In the Claim rule template list, select Send Claims Using a Custom Rule and then click Next.

Type MyRoles for the Claim rule name and use the following rule:

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::123456789012:saml-provider/newprovider1,arn:aws:iam::123456789012:role/ADFS-"));

Click Finish

The rule above maps the “AWS-*” AD groups to the ADFS-* AWS roles. Replace “123456789012” with your AWS account number. “newprovider1” is the identity provider I created in the previous steps.

Finally, the Rules window lists the four rules as shown above.

Setup ADFS property

In a Windows Server 2016 PowerShell prompt enter the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

Testing the setup

Browse to https://my1.example.com/adfs/ls/IdpInitiatedSignOn.aspx. Bob can now access EC2 and S3 when he signs in through ADFS-Infra, while Alice can access only S3.
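When the test sign-in does not land on the expected role, the quickest check is to look at the SAMLResponse the browser posts to https://signin.aws.amazon.com/saml (it is the base64 form field visible in the browser’s developer tools) and confirm the Role and RoleSessionName attributes ADFS issued. The decoder below is an added example, not part of the original post; the embedded response for Bob is constructed and unsigned, whereas a real ADFS response carries an XML signature.

```powershell
# Added example (not from the original post): decodes a SAMLResponse as posted by the browser
# to https://signin.aws.amazon.com/saml and lists the attributes AWS evaluates. The sample
# below is a constructed, unsigned response for Bob; capture a real one from the browser's
# developer tools (the SAMLResponse form field) and pass it to Get-AwsSamlAttributes.
function Get-AwsSamlAttributes([string]$SamlResponseB64) {
    [xml]$doc = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseB64))
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")
    $ns.AddNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol")
    $result = [ordered]@{
        Issuer   = $doc.SelectSingleNode("//saml:Issuer", $ns).InnerText
        NameID   = $doc.SelectSingleNode("//saml:Subject/saml:NameID", $ns).InnerText
        Audience = $doc.SelectSingleNode("//saml:AudienceRestriction/saml:Audience", $ns).InnerText
        Signed   = ($null -ne $doc.SelectSingleNode("//*[local-name()='Signature']"))
    }
    foreach ($attr in $doc.SelectNodes("//saml:Attribute", $ns)) {
        $values = @($attr.SelectNodes("saml:AttributeValue", $ns) | ForEach-Object { $_.InnerText })
        $result[$attr.GetAttribute("Name")] = $values
    }
    # Each Role value must be "providerArn,roleArn"; with several pairs AWS lets the user choose
    $result.Roles = @($result["https://aws.amazon.com/SAML/Attributes/Role"] | ForEach-Object {
        $p, $r = $_ -split ","
        [pscustomobject]@{ Provider = $p; Role = $r }
    })
    [pscustomobject]$result
}

# Constructed sample (no signature, so Signed reports False; a real ADFS response is signed)
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>http://my1.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">EXAMPLE\bob</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/newprovider1,arn:aws:iam::123456789012:role/ADFS-Infra</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/newprovider1,arn:aws:iam::123456789012:role/ADFS-Desktop</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))
$parsed = Get-AwsSamlAttributes $sampleB64
$parsed | Format-List
$parsed.Roles | Format-Table
```

For Bob the Roles table shows two provider/role pairs, which is why AWS shows him a role chooser; for Alice only the ADFS-Desktop pair appears. A real response whose Signed field is False, or whose Issuer is not your federation service, is one AWS would reject at the sign-in endpoint.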

Set up a redundant ADFS system

Repeat all the steps starting from Web Service (IIS) Setup, substituting the second host’s configuration (my2.example.com). In the AWS IAM console create another Identity Provider, “newprovider2”, and make the corresponding changes in the ADFS claim rules on the second server.

Log in to the AWS IAM console, open the “ADFS-Infra” role, click “Trust Relationships” and press the “Edit Trust Relationship” button. Under the “Federated” field add “arn:aws:iam::123456789012:saml-provider/newprovider2”, separated by a comma, so that the policy reads as below. Replace “123456789012” with your AWS account number.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": [
          "arn:aws:iam::123456789012:saml-provider/newprovider1",
          "arn:aws:iam::123456789012:saml-provider/newprovider2"
        ]
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

Repeat the test for the second ADFS Server by typing the following URL in your browser.

https://my2.example.com/adfs/ls/IdpInitiatedSignOn.aspx
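A trust policy edited by hand is easy to get subtly wrong, so it is worth reading it back from IAM and checking that every provider is listed and the SAML:aud condition survived the edit. The check below is an added example, not part of the original post; it assumes a configured AWS CLI and uses the post’s placeholder account id and provider names. It checks both roles, and warns for ADFS-Desktop if only ADFS-Infra was updated, because users who can only assume ADFS-Desktop would then be unable to sign in through the second server.

```powershell
# Added example (not from the original post): reads a role's trust policy back from IAM and
# verifies that every expected SAML provider is trusted and that SAML:aud is still pinned.
# Assumes a configured AWS CLI; account id and provider names are the post's placeholders.
function Test-SamlRoleTrust([string]$RoleName, [string[]]$ExpectedProviderArns) {
    # The CLI returns AssumeRolePolicyDocument already decoded as JSON
    $doc = (aws iam get-role --role-name $RoleName --query "Role.AssumeRolePolicyDocument" --output json) | ConvertFrom-Json
    $ok = $true
    foreach ($st in $doc.Statement) {
        if ($st.Action -ne "sts:AssumeRoleWithSAML") { continue }
        $federated = @($st.Principal.Federated)
        foreach ($arn in $ExpectedProviderArns) {
            if ($federated -notcontains $arn) {
                Write-Warning "$RoleName does not trust provider $arn"
                $ok = $false
            }
        }
        if ($st.Condition.StringEquals.'SAML:aud' -ne "https://signin.aws.amazon.com/saml") {
            Write-Warning "$RoleName does not pin SAML:aud to the AWS sign-in endpoint"
            $ok = $false
        }
    }
    $ok
}

$accountId = "123456789012"   # replace with your account id
$expected  = "newprovider1", "newprovider2" | ForEach-Object { "arn:aws:iam::${accountId}:saml-provider/$_" }
foreach ($role in "ADFS-Infra", "ADFS-Desktop") {
    "{0}: {1}" -f $role, (Test-SamlRoleTrust -RoleName $role -ExpectedProviderArns $expected)
}
```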

Conclusion

Single Sign-On (SSO) is one of the most important concepts in a heterogeneous IT environment. Active Directory is a central database for storing user credentials, and in combination with Active Directory Federation Services (ADFS) it can provide single sign-on for many applications and services. We have seen how AWS users can be authenticated using ADS/ADFS.
