Multi AWS Account federation with Microsoft Azure Active Directory as IdP

Tudor Toma 12th April 2018
Multi AWS Accounts with Microsoft Azure AD

When it comes to using Amazon Web Services in an enterprise environment, we think of Identity and Access Management being at the center of everything due to its importance for enterprises.

Some of the key solutions which are used today relating to this are:

  • Using a dedicated AWS Account as a central identification point for users and groups of that enterprise -> creating an SSO in AWS using IAM
  • Using a federated access mode, where every AWS Account is federated with an IdP (e.g. ADFS) -> creating an SSO in the Enterprise On-premises using ADFS
  • Using a federated access mode, but instead of using the AWS IAM to hold users and groups, you use your own hosted IdP solution (e.g. ADFS) in AWS -> creating an SSO in AWS using ADFS.

Microsoft Azure Active Directory has been around for a while, and although it provides excellent IdP services for Microsoft Online products, it had trouble providing the same for AWS in a multi-account scenario, which is the case for most big enterprises. Therefore, this solution has not been the most popular among hybrid cloud implementations.

 

The new Azure Active Directory

Recently, Microsoft Azure moved the Azure Active Directory service from the “classic portal” (ASM) to the ARM portal, adding features, fixing bugs and making it a truly feature-rich service. Last year they also published documentation guides on how to achieve IdP for AWS, however not in a multi-account scenario.

In the endeavor to find another good IdP solution for multiple AWS Accounts scenarios, fellow architect Giulio Calzolari and I started testing Azure AD and succeeded in implementing a Multi AWS Account Authentication with Azure AD as IdP.

Before explaining how to achieve that let us visualise this solution:

Multi AWS Accounts with Microsoft Azure AD architecture

Because there is already Microsoft documentation on how to add an AWS Account as an enterprise application in Azure Active Directory, I will not go into many details of how to achieve that. You can read more about this here.

Instead I will focus on how to achieve the multi-account part, which is a simple configuration change away from the documentation that Microsoft have posted.

 

Achieving a multi-account

The current steps to add the application are briefly described below, but please check the Microsoft blog for more accurate details:

Step 1: Add the AWS Enterprise Application in Azure AD from the gallery

Step 2: Go into the newly created AWS Application and select SAML Sign-On from the Single Sign-On tab

Step 3: In this tab add two additional user attributes, to be used in the SAML token

Name             | Value                  | Namespace
RoleSessionName  | user.userprincipalname | https://aws.amazon.com/SAML/Attributes
Role             | user.assignedroles     | https://aws.amazon.com/SAML/Attributes

Step 4: Download the application Metadata from the same Single Sign-On tab and create the SAML IdPs in both AWS Accounts

Step 5: Create the AWS IAM roles (select SAML 2.0 federation) which you want to use for the mapping, for example ReadOnly and Admin, attach the proper managed policy and attach the trust relationship created in the previous step.

From this point, the Microsoft documentation referenced above continues with Automatic provisioning. We will instead continue with Manual Provisioning (in the Provisioning tab), in order to achieve Multi AWS Account SAML federation.

Step 6: Create the AzureAD groups which will match the pair: AWS Account – Role.

Use proper naming: for example, the Azure AD group could be AWS-Account1-Admin. This ensures that management will be consistent when creating user membership. So, for example, if you have 2 users with different roles (one admin, one readonly) and they both need access to 2 different AWS Accounts, you will have to create 4 groups in total.

AWS 4 groups

Step 7: Go to App Registrations and open the AWS Application Manifest Tab as below.

AWS Application Manifest Tab

This will bring up the edit manifest page, where you have to add this pair:

AzureAD Group – AWS Account – Role

Adding such a pair is easy: all you have to do is copy the existing one and paste it above, but inside the “appRoles” array.

    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "AWS-Acc1-RO",
      "id": "AZURE AD GROUP OBJECT ID",
      "isEnabled": true,
      "description": "AWS-Acc1-RO",
      "value": "arn:aws:iam::111111111111:role/AAD-ReadOnly,arn:aws:iam::111111111111:saml-provider/AzureLabAD"
    }

Remember that you have to add one of these sections for each pair Group-Role, as mentioned above. The final result should look like this.

Edit manifest
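One way to generate and sanity-check the appRoles entries before pasting them into the manifest, as an added example (not code from the original post or from Microsoft). The AAD-Admin role name, the second account ID 222222222222 and the placeholder GUIDs are constructed; the same-account check assumes each AWS Account has its own SAML IdP, as in Step 4.

```python
import json
import re

# Manifest "value" format: "<IAM role ARN>,<SAML provider ARN>"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w.-]+$")

def build_app_role(group_name, role_id, account_id, role_name, provider="AzureLabAD"):
    """Build one appRoles entry in the shape used by the manifest above."""
    return {
        "allowedMemberTypes": ["User"],
        "displayName": group_name,
        "id": role_id,
        "isEnabled": True,
        "description": group_name,
        "value": f"arn:aws:iam::{account_id}:role/{role_name},"
                 f"arn:aws:iam::{account_id}:saml-provider/{provider}",
    }

def validate_app_roles(app_roles):
    """Return a list of problems; an empty list means the array passed."""
    problems, seen_ids, seen_values = [], set(), set()
    for entry in app_roles:
        name = entry.get("displayName", "<unnamed>")
        role_arn, _, provider_arn = entry.get("value", "").partition(",")
        role, prov = ROLE_ARN.match(role_arn), PROVIDER_ARN.match(provider_arn)
        if not role or not prov:
            problems.append(f"{name}: value is not '<role ARN>,<provider ARN>'")
        elif role.group(1) != prov.group(1):
            # Assumption: each account has its own SAML IdP (Step 4)
            problems.append(f"{name}: role and provider accounts differ")
        if entry.get("id") in seen_ids:
            problems.append(f"{name}: duplicate id")
        if entry.get("value") in seen_values:
            problems.append(f"{name}: duplicate value")
        seen_ids.add(entry.get("id"))
        seen_values.add(entry.get("value"))
    return problems

# Constructed sample: 2 accounts x 2 roles = 4 entries; ids are placeholder GUIDs
PAIRS = [("AWS-Acc1-RO", "111111111111", "AAD-ReadOnly"),
         ("AWS-Acc1-Admin", "111111111111", "AAD-Admin"),
         ("AWS-Acc2-RO", "222222222222", "AAD-ReadOnly"),
         ("AWS-Acc2-Admin", "222222222222", "AAD-Admin")]
APP_ROLES = [build_app_role(g, f"00000000-0000-0000-0000-{i:012d}", a, r)
             for i, (g, a, r) in enumerate(PAIRS, start=1)]

if __name__ == "__main__":
    print(json.dumps(APP_ROLES, indent=2))
    print(validate_app_roles(APP_ROLES) or "appRoles OK")
```

The duplicate and account-mismatch checks catch the usual copy-and-paste slip where an entry is duplicated and only part of it is edited.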

Step 8: Return to AzureAD Application, and in the Users and Groups tab you should add a new Mapping of User/Group to Role. Please note that you need Azure AD Premium SKU in order to add Group Object mappings to the Roles. For your tests you can map users to Roles.

new Mapping of User/Group to Role

Step 9: Testing your SSO

There is nothing left to do apart from testing the final result. Go to the Enterprise Application Properties tab and copy the Application User Access URL.

Testing your SSO

This will be your SSO endpoint, which you can resolve directly or point a CNAME record at in your enterprise hosted zone (sso.myorganization.com).

After successful authentication, it will redirect to https://signin.aws.amazon.com/saml, which allows us to log in with all the options that we have specified in the Application registration manifest file.

In future posts I will try to make this process a bit more automated for managing AWS Accounts and Users/Groups in a more controllable and versionable manner, as right now this has been done only using the Azure Portal.

 

I hope this has helped you create SAML federation for Multi AWS Accounts with Microsoft Azure AD.

Enjoy!