How to set up AWS SSO to Microsoft Entra ID (Azure AD) and use auto provisioning
Last week a customer wanted to set up single sign-on to Amazon Web Services (AWS) from their Entra ID / Azure AD environment. After reading several instructions from both Microsoft and Amazon I needed some more explanation for each step before I would activate it. So here is my manual with step-by-step guidance.
First let’s set some objectives. We want to be able to log in to AWS with our Entra ID account, and we want to set up different permissions for Entra ID / Azure AD groups. AWS also requires that identities exist in IAM Identity Center, with permission sets assigned, before users are able to log in. So we will set up a System for Cross-domain Identity Management (SCIM) connection from Entra ID to AWS, which is required to synchronize the usernames and groups to AWS.
Prerequisites
Before we can continue, we need the following:
- AWS Root account
- Entra ID Global Admin account
STEP 1: Configure Identity provider
First log in to AWS with your root account: https://console.aws.amazon.com. After the login, go to the IAM Identity Center (use the search in the top bar to find it quickly). More information about IAM Identity Center can be found on the AWS page “Access Management - AWS Identity and Access Management (IAM)” (amazon.com). From the IAM Identity Center you can find the option to Choose your identity source.
In the next window click on the Actions dropdown and click on Change identity source.
In the new window select External identity provider and click Next.
In the following step we are going to download the AWS metadata file. This contains information about the sign-in URL, the IAM Identity Center Assertion Consumer Service (ACS) URL and the IAM Identity Center issuer URL. Go ahead and click on the Download metadata file button.
STEP 2: Prepare the Entra ID environment
In this step we are going to create an Entra ID Enterprise Application. This application represents AWS inside Entra ID; Entra ID will manage the permissions, tokens and logins for the AWS portal through it.
Now open a new tab and go to the Azure Portal (portal.azure.com). From the search bar go to Microsoft Entra ID. From there go to Enterprise applications. Click on Create your own application. In the pane that opens on the right-hand side of the page, give your application a name. In this example I named it 2azure.nl – AWS SSO. Make sure that the option Integrate any other application you don’t find in the gallery has been checked.
From your new application go to the Single sign-on page, and select SAML as the single sign-on method.
On the new page we can now upload the metadata file that we downloaded from the AWS portal.
Verify the URLs against the URLs shown in the Azure Portal. The Identifier should match the IAM Identity Center issuer URL. The Reply URL should match the IAM Identity Center Assertion Consumer Service (ACS) URL. Make sure to Save the configuration when ready.
Now that the app has been created, we can download the Federation Metadata XML file. This contains the information AWS needs to forward sign-in requests to the Entra ID login portal (the Entra ID issuer, sign-on URL and signing certificate).
Before we return to the AWS portal, go to Users and groups, and click on Add user/group. Walk through all steps.
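Comparing the URLs by eye is where typos slip in, so here is an added check (not part of the original post) that parses the AWS metadata file and compares its entityID and ACS URL with the Identifier and Reply URL you typed into Entra ID. The sample metadata below is constructed; the region, instance id and ACS id are placeholders, not real values.

```python
"""Verify that the Entra ID SAML Identifier and Reply URL match the
IAM Identity Center metadata file (added example; sample data is constructed)."""
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for the metadata file downloaded from IAM Identity Center.
# Every identifier in it is a placeholder.
SAMPLE_AWS_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us-east-1.signin.aws.amazon.com/platform/saml/d-EXAMPLE0000">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-east-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS-ID"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Extract the issuer (entityID), ACS endpoints and NameID formats from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [
        (e.attrib["Location"], e.attrib.get("Binding", ""))
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entity_id": root.attrib["entityID"],
        "acs_urls": acs,
        "name_id_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
    }


def check_entra_config(metadata, identifier, reply_url):
    """Return a list of mismatches between the Entra ID values and the AWS metadata."""
    problems = []
    if identifier.strip() != metadata["entity_id"]:
        problems.append("Identifier %r does not match entityID %r"
                        % (identifier, metadata["entity_id"]))
    acs_locations = [url for url, _ in metadata["acs_urls"]]
    if reply_url.strip() not in acs_locations:
        problems.append("Reply URL %r is not one of the ACS URLs %r"
                        % (reply_url, acs_locations))
    # Both sides must be HTTPS, otherwise the assertion would travel in clear.
    for name, url in (("Identifier", identifier), ("Reply URL", reply_url)):
        if not url.strip().startswith("https://"):
            problems.append("%s is not an https URL" % name)
    return problems


def demo():
    """Run the check against the constructed sample with matching values."""
    md = parse_sp_metadata(SAMPLE_AWS_METADATA)
    return check_entra_config(
        md,
        "https://us-east-1.signin.aws.amazon.com/platform/saml/d-EXAMPLE0000",
        "https://us-east-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS-ID",
    )


if __name__ == "__main__":
    # Usage: python check_saml.py <aws-metadata.xml> <identifier> <reply-url>
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            md = parse_sp_metadata(fh.read())
        issues = check_entra_config(md, sys.argv[2], sys.argv[3])
    else:
        issues = demo()
    print("OK: Entra ID values match the AWS metadata" if not issues else "\n".join(issues))
```

Run it with the real downloaded file and the two values copied from the Entra ID SAML page; an empty result means the Identifier and Reply URL are exactly what AWS expects. The NameID format is also returned, because the SAML assertion's NameID is what AWS compares with the username created in Step 4.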
STEP 3: Finalize SSO Provider
Now back to the AWS portal page. Here we will import the Federation Metadata XML file that we just exported from the Entra ID portal.
This next screen just scared me a bit because I wasn’t aware of the impact. The good news is, although IAM Identity Center accounts will lose login possibilities, the root accounts will remain active. So make sure that current IAM users are informed that they will temporarily lose access to the resources in AWS.
Type ACCEPT and click on Change identity source.
STEP 4: Test the login
From the IAM Identity Center go to Users and create a user that also exists in your Entra ID. Make sure the username matches the username in Entra ID exactly.
Now it is time to assign permissions to the added user. Go to AWS accounts under Multi-account permissions. Select the Root or OU where you want to assign permissions, and choose Assign users or groups. Make sure to assign the right permissions. For this test I added AdministratorAccess to my test user.
Now let’s get the sign-in URL to test. Go back to your Dashboard, and copy the AWS access portal URL.
Open the URL in an in-private window and log in with the account you just added to verify that everything is working as expected. You should be able to log in through the Entra ID login page, and you should see a page like this after logging in.
STEP 5: Set up Automatic Provisioning
What we don’t want is to manually add users and assign permissions for each new user. It would be more convenient to have users automatically added and assigned. So, let’s set up an automatic sync that will do this for you. Go to Settings in the IAM Identity Center. Click on the Enable button under Automatic provisioning.
From the next page copy the URL for the SCIM endpoint, and copy the Access token (unhide it with Show token). Treat this token as a secret: it grants write access to the users and groups in IAM Identity Center.
Now go back to the Azure Portal, and from the Enterprise application that we created in step 2, go to Provisioning.
Change the Provisioning mode to Automatic. Paste the SCIM endpoint URL in the Tenant URL field and the token in the Secret Token field. Test the connection when ready.
When the connection is successful, you should see a message like below in the top right.
Don’t forget to save the configuration.
Now go back to the overview and click Start provisioning. By default, all users with application permissions will be synchronized. Change the Users and groups accordingly. Keep in mind that nested groups will not be synced; only direct members of an assigned group are provisioned.
When completed, the provisioning should look like this. Make sure to grant the synchronized users/groups the desired permission sets in IAM Identity Center.
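The Entra ID provisioning log tells you what it pushed, but the authoritative view is what the SCIM endpoint actually holds. The following added script (not from the original post or from either vendor) queries the IAM Identity Center SCIM endpoint for a user by userName, the same SCIM 2.0 operation Entra ID uses. The endpoint URL and token are read from environment variables and are placeholders; the JSON ListResponse embedded below is constructed so the parsing can be exercised offline.

```python
"""Confirm that a user was provisioned into IAM Identity Center over SCIM.
Added example; SCIM_ENDPOINT / SCIM_TOKEN are placeholders you supply, and
the sample response below is constructed."""
import json
import os
import sys
import urllib.parse
import urllib.request

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed stand-in for a SCIM ListResponse from the AWS endpoint.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1, "itemsPerPage": 1, "startIndex": 1,
    "Resources": [{
        "id": "EXAMPLE-USER-ID",
        "userName": "jane.doe@example.com",
        "displayName": "Jane Doe",
        "active": True,
    }],
})


def user_filter(user_name):
    """Build an RFC 7644 filter expression, escaping embedded quotes."""
    return 'userName eq "%s"' % user_name.replace('"', '\\"')


def scim_request(endpoint, token, path, params=None):
    """Build an authenticated GET for a SCIM resource under the tenant endpoint."""
    base = endpoint.rstrip("/") + "/"
    url = urllib.parse.urljoin(base, path.lstrip("/"))
    if params:
        # Percent-encode (space -> %20) rather than form-encode (space -> +).
        url += "?" + "&".join(
            "%s=%s" % (k, urllib.parse.quote(v, safe="")) for k, v in params.items())
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json",
    })


def parse_list_response(body):
    """Return the users in a SCIM ListResponse as plain dicts."""
    data = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in data.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    return [
        {"id": r["id"], "userName": r["userName"], "active": bool(r.get("active", True))}
        for r in data.get("Resources", [])
    ]


def find_user(endpoint, token, user_name, opener=urllib.request.urlopen):
    """Look up one user by userName; returns [] if nothing was provisioned."""
    req = scim_request(endpoint, token, "Users", {"filter": user_filter(user_name)})
    with opener(req, timeout=15) as resp:
        return parse_list_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Usage: SCIM_ENDPOINT=... SCIM_TOKEN=... python scim_check.py user@example.com
    endpoint, token = os.environ.get("SCIM_ENDPOINT"), os.environ.get("SCIM_TOKEN")
    if not (endpoint and token and len(sys.argv) == 2):
        print("set SCIM_ENDPOINT and SCIM_TOKEN and pass one userName", file=sys.stderr)
        sys.exit(2)
    found = find_user(endpoint, token, sys.argv[1])
    for u in found:
        print("%s id=%s active=%s" % (u["userName"], u["id"], u["active"]))
    sys.exit(0 if found else 1)
```

An exit status of 1 after provisioning has finished usually means the user is not a direct member of an assigned group (nested membership is not synchronized) or the Entra ID userPrincipalName differs from what you expected. Keep the token out of shell history and scripts; it is an environment variable here for that reason.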