Tutorial: Integrating Azure AD SSO with AWS Single Account Access - Microsoft Enter (2023)

In this tutorial, you learn how to integrate AWS Single Account Access with Azure Active Directory (Azure AD). By integrating AWS Single-Account Access with Azure AD, you can:

• Control in Azure AD who has access to AWS in a single account.
• Have your users automatically sign in to Access an AWS account with their Azure AD accounts.
• Manage your accounts from one central location: the Azure portal.

Understand the different AWS applications in the Azure AD application collection

Use the following information to decide between using AWS Single Sign-On and AWS Single-Account Access apps in Azure AD App Collection.

AWS single sign-on

AWS single sign-onadded to the Azure AD app collection in February 2021. It makes it easy to centrally manage access to multiple AWS accounts and apps, with a Microsoft Azure AD connection. Combine Microsoft Azure AD once with AWS SSO and use AWS SSO to manage permissions for all your AWS accounts in one place. AWS SSO automatically handles permissions and keeps them up-to-date as you update access policies and roles. End users can authenticate with their Azure AD credentials to access the AWS console, CLI, and built-in AWS SSO apps.

Access an AWS account

Access an AWS accounthas been used by customers for the past few years and allows you to connect Azure AD to a single AWS account and use Azure AD to manage access to AWS IAM roles. AWS IAM administrators define roles and policies for each AWS account. For each AWS account, Azure AD administrators integrate with AWS IAM, assign users or groups to the account, and configure Azure AD to send claims that authorize role access.

Access architecture of an AWS account

You can configure multiple IDs for multiple instances. For example:

• https://signin.aws.amazon.com/saml#1

• https://signin.aws.amazon.com/saml#2

With these values, Azure AD subtracts the value from#and send the correct valuehttps://signin.aws.amazon.com/samlas the audience URL in the SAML token.

We recommend this approach for the following reasons:

• Each application provides a unique X509 certificate. Each instance of an AWS application instance can have a different certificate expiration date, which can be managed in an individual AWS account. In this case, replacing the certificate altogether is easier.

• You can enable user provisioning with an AWS application in Azure AD and our service will retrieve all roles from that AWS account. You don't need to manually add or update AWS roles in your application.

• You can assign the app owner individually. This person can manage the application directly in Azure AD.

requirements

To get started you will need the following items:

• An Azure AD subscription. If you don't have a subscription, you can purchase one.Account free.
• An AWS IAM IdP compliant subscription.
• In addition to Cloud Application Manager, Application Manager can also add or manage applications in Azure AD. See for more informationBuilt-in Azure features.

Script description

In this tutorial, you set up and test Azure AD SSO in a test environment.

• Support access to a single AWS accountSP and PDISSO started.

Add AWS access to an account from the collection

To configure AWS Single-Account Access integration in Azure AD, you must add AWS Single-Account Access from the collection to the list of managed SaaS applications.

1. Sign in to the Azure portal with a work, school, or personal Microsoft account.
2. Search and select in the Azure portalAzure Active Directory.
3. Select Azure Active Directory from the overview menuCorporate applications>all applications.
4. SelectionNew applicationto add an app.
5. Genusadd from collectionunit, typAccess an AWS accountin the search box.
6. SelectionAccess an AWS accountin the results window and add the application. Wait a few seconds for the app to be added to your tenant.

Alternatively, you can also use theEnterprise Application Installation Guide. In this guide you can add an application to your tenant, add users/groups to the application, assign roles and also go through the SSO settings.Learn more about Microsoft 365 assistants.

Alternatively, you can also use theEnterprise Application Installation Guide. In this guide you can add an application to your tenant, add users/groups to the application, assign roles and also go through the SSO settings. You can learn more about O365 assistantshere.

Configure and test Azure AD SSO for access to a single AWS account

Configure and test Azure AD SSO with access to a single AWS account using a named test userB.Simon. For SSO to work, a login relationship must be established between an Azure AD user and the associated user in an AWS account's Access.

To set up and test Azure AD SSO with access to a single AWS account, complete the following steps:

1. Configure single sign-on for Azure AD- to allow your users to use this feature.
   1. Create a test Azure AD user- to test simple Azure AD login with B.Simon.
   2. Define a test user from Azure AD- to allow B.Simon to use Azure AD single sign-on.
2. AWS SSO Configurator to access an account- to configure the settings of a connection on the application side.
   1. Create a single AWS account access test user- you have a B.Simon counterpart in AWS Single-Account Access associated with Azure AD user impersonation.
   2. How to set up role provisioning in Access an AWS account
3. The SSO test- to verify that the configuration works.

Configure single sign-on for Azure AD

Follow these steps to enable Azure AD SSO in the Azure portal.

1. In the Azure portal, on the pageAccess an AWS accountapp integration page, find itTo achievesection and selectsingle connection.

2. GenusChoose a single login methodpage, selectSAML.

   See Also

   A comprehensive guide to authenticating to AWS from the command line

3. GenusConfigure single sign-on with SAMLpage, click the pencil iconBasic SAML configurationto edit the settings.

   

4. GenusBasic SAML configurationsection, update bothIdentification (Entity ID)mResponse URLwith the same default value:https://signin.aws.amazon.com/saml. you have to chooseSaveto save configuration changes.

5. When you configure more than one instance, you specify an identifier value. From the second case, use the following form, including a#sign to specify a unique SPN value.

   https://signin.aws.amazon.com/saml#2

6. The AWS application expects SAML assertions in a specific format, which requires you to add custom attribute mappings to the SAML token attribute configuration. The following screenshot shows the list of default features.

   

7. In addition to the above, the AWS application expects a few more attributes to be passed in the SAML response, which are listed below. These features are also pre-populated, but you can customize them to your liking.

   Name	source attribute	namespace
   FunctionSessionName	user.user hoofdnaam	https://aws.amazon.com/SAML/Attributes
   Paper	user.assignedroles	https://aws.amazon.com/SAML/Attributes
   Session duration	"Enter a value between 900 seconds (15 minutes) and 43,200 seconds (12 hours)"	https://aws.amazon.com/SAML/Attributes

   Observation

   AWS expects roles for the users assigned to the application. Configure these roles in Azure AD so that users can get the appropriate roles. For more information about configuring roles in Azure AD, seehere

8. GenusConfigure single sign-on with SAMLPage noSAML signing certificate(Step 3), selectadd a certificate.

   

9. Create a new SAML signing certificate and selectnew certificate. Enter an email address for certificate notifications.

   

10. GenusSAML signing certificateunity, findingXML of the federation metadataand selectTo downloadto download the certificate and save it to your computer.

    

11. GenusConfigure AWS access to an accountcopy the appropriate URLs based on your needs.

    

Create a test Azure AD user

In this section, you create a test user in the Azure portal named B.Simon.

1. Search and select in the Azure portalAzure Active Directory.
2. Select Azure Active Directory from the overview menuUsers>all users.
3. SelectionNew userat the top of the screen.
4. Genusby userproperties, follow these steps:
   1. GenusNamefield typeB.Simon.
   2. GenusUsernamefield, enter username@companydomain.extension. For example,B.Simon@contoso.com.
   3. Choose itShow the codecheck box and note the value displayed in the boxPasswordbox.
   4. clickTo do.

Define a test user from Azure AD

In this section, you authorize B.Simon to use Azure Single Sign-On by granting access to an AWS account's Access.

1. Select in the Azure portalCorporate applicationsand selectall applications.
2. Select from the list of applicationsAccess an AWS account.
3. On the app's overview page, find itTo achievesection and selectUsers and groups.
4. SelectionAdd userand selectUsers and groupsGenusAdd jobdialogue.
5. GenusUsers and groupsdialog box, selectB.Simonin the Users list and click the buttonSelectionbutton at the bottom of the screen.
6. If you expect a role to be assigned to users, you can select it from the listselect a modesuspended. If no roles are defined for this application, the Default Access role will be selected.
7. GenusAdd jobdialog box, click onAssignhandle.

AWS SSO Configurator to access an account

1. In another browser window, sign in to your company's AWS site as an administrator.

2. On the AWS home page, search forI AMand click on it.

   

3. I'm going to youSecurity entrance check->Identity Providersone clickadd providerhandle.

   

4. GenusAdd an identity providerpage, follow these steps:

   

   O forprovider type, selectSAML.

   B. ForwardProvider name, enter a provider name (for example:ARE YOU).

   w. To upload your downloadmetadata-bestandSelect in the Azure portalSelect the file.

   D. Clickadd provider.

5. SelectionOperations>function creation.

   

6. Genusfunction creationpage, follow these steps:

   

   O. To electTrusted entity type, selectSAML 2.0 federation.

   B. SchnickSAML 2.0 based provider, select itSAML providerthat you previously created (for example:ARE YOU).

   w. SelectionAllow access to the AWS management console programmatically.

   select DNEXT.

7. Genuslicense policydialog box, add the appropriate policy according to your organization. Then chooseNEXT.

   

8. GenusAnalyzesdialog box, perform the following steps:

   

   A. Empaper name, type the name of your function.

   B. EmDescription, enter the role description.

   w. Selectionfunction creation.

   D. Create as many roles as needed and assign them to the identity provider.

9. Use your AWS service account credentials to get your AWS account roles when provisioning users from Azure AD. To do this, open the AWS console home page.

10. In the section, select IAMPolicyone clickthey do politics.

    

11. Create your own policy to retrieve all roles from AWS accounts.

    

    A. Emthey do politics, select itJSONwow

    B. In the policy document, add the following JSON:

    { "Version": "2012-10-17", "Declaration": [ { "Effect": "Allow", "Action": [ "iam:ListRoles"], "Source": "*" } ]}

    versus clicksNext: Labels.

12. You can also add and click the necessary tags on the page belowNext: review.

    

13. Define the new policy.

    

    O forName, guyAzureAD_SSOUserRole_Policy.

    B. ForwardDescription, guyThis policy allows retrieving roles from AWS accounts.

    w. Selectionthey do politics.

14. Create a new user account in the AWS IAM service.

    A. In the AWS IAM console, selectUsersone clickadding users.

    

    B. NeeEnter user informationsection, enter username asAzureADRoleManagerand selectNEXT.

    

    w. Create a new policy for this user.

    

    select DAdd existing policies directly.

    Is. Look for the newly created policy in the filters sectionAzureAD_SSOUserRole_Policy.

    F. Select the policy and selectNEXT.

15. Check your options and choosecreate user.

16. To retrieve a user's user data, enable console accesssecurity credentialswow

    

17. Enter these credentials in the Azure AD user provisioning section to retrieve the roles in the AWS console.

    

How to set up role provisioning in Access an AWS account

1. In the Azure AD management portal in the AWS app, go tosupplies.

   

2. Enter the passkey and secret in the fileclient secretmTokengeheimfields, respectively.

   

   A. Enter your AWS user access key in the fieldclient secretcamp.

   B. Enter your AWS user secret in the fieldTokengeheimcamp.

   w. SelectionCONNECTION TEST.

   D. Save the configuration by selectingSave.

3. Genusinstitutionsdepartment, toprovision status, selectOver. Then chooseSave.

   

Create a single AWS account access test user

The purpose of this section is to create a user named B.Simon in AWS Single-Account Access. AWS Single-Account Access does not require you to create a user on your system for SSO, so no action is required here.

The SSO test

In this section, you test the Azure AD single sign-on installation with the following options.

SP started:

• Click insidetry this appin the Azure portal. This will redirect to the AWS login URL for an account where you can start the login flow.

• Go directly to the AWS login URL to access an account and start the login flow from there.

PDI started:

• Click insidetry this appin the Azure portal and you should automatically sign in to Access an AWS account for which you set up SSO.

You can also use Microsoft My Apps to test the app in each mode. When you click the AWS Single-Account Access tile in My Apps, if it's set to SP mode, you'll be redirected to the app's login page to start the login flow. If configured in IDP mode, you should automatically sign in to Access an account: an AWS account for which you are configuring SSO. For more information about my apps, seeIntroduction to my apps.

Known issues

• The AWS Single-Account Access provisioning integration cannot be used in the China AWS regions.

• Genussuppliesdepartment, theAllocationsThe subsection displays the message "Loading..." and never displays the attribute assignments. The only provisioning workflow currently supported is to import AWS roles into Azure AD for selection during a user or group assignment. The attribute assignments for this are predefined and cannot be set.

• THEsuppliesThe module supports entering only one set of credentials for an AWS tenant at a time. All imported functions are exported toappRollenAzure AD propertyserviceHoofdobjectfor the AWS tenant.

  Multiple AWS tenants (represented byService managers) can be added to Azure AD in the collection for provisioning. However, there is a known issue that it is not possible to automatically register all functions imported from different AWSService managersused to provide a singleserviceHoofdused for simple connection.

  As a workaround, you can use theAPI for Microsoft Graphtake everything outappRollenimported into any AWSserviceHoofdwhere the device is configured. You can add these feature sets to AWS laterserviceHoofdwhere SSO is configured.

• Roles must meet the following requirements to be eligible for import from AWS to Azure AD:

  • Roles require exactly one saml provider defined in AWS
  • The combined length of the role's Amazon Resource Name (ARN) and its SAML provider's ARN must be less than 240 characters.

change calendar

• 2020-01-12 - Increased paper length limit from 119 to 239 characters.

Next steps

After you configure AWS Single-Account Access, you can enforce session control, protecting your organization's sensitive data from real-time intrusion and intrusion. Session management extends from Conditional Access.Learn how to enforce session control with Microsoft Defender for cloud applications.