How to set up AWS SSO to Microsoft Entra ID (Azure AD) and use auto provisioning

Last week a customer wanted to set up single sign-on to Amazon Web Services (AWS) from their Entra ID / Azure AD environment. After reading several instructions from both Microsoft and Amazon I needed some more explanation for each step before I would activate it. So here is my manual with step-by-step guidance.

First, let’s set some objectives. We want to be able to log in to AWS with our Entra ID account, and we want to set up different permissions for Entra ID / Azure AD groups. AWS also requires that identities are set up with permission sets assigned before users are able to log in. So we will set up a System for Cross-domain Identity Management (SCIM) connection from Entra ID to AWS, which is required to synchronize the usernames to AWS.

Prerequisites

Before we can continue, we need the following:

  • AWS Root account
  • Entra ID Global Admin account

STEP 1: Configure the identity provider

First log in to AWS with your root account: https://console.aws.amazon.com. After the login, go to the IAM Identity Center (use the search in the top bar to find it quickly). More information about IAM Identity Center can be found on the AWS page “Access Management – AWS Identity and Access Management (IAM)” (amazon.com). In the IAM Identity Center you will find the option Choose your identity source.

In the next window, open the Actions dropdown and click on Change identity source.

In the new window, select External identity provider and click Next.

In the following step we are going to download the AWS metadata file. This contains the sign-in URL, the IAM Identity Center Assertion Consumer Service (ACS) URL and the IAM Identity Center issuer URL. Go ahead and click on the Download metadata file button.

STEP 2: Prepare the Entra ID environment

In this step we are going to create an Entra ID Enterprise Application. This application represents AWS within Entra ID and is where permissions, tokens and logins for the AWS portal are managed.

Now open a new tab and go to the Azure Portal (portal.azure.com). From the search bar go to Microsoft Entra ID. From there go to Enterprise applications. Click on Create your own application. In the pane that opens on the right side of the page, give your application a name. In this example I named it 2azure.nl – AWS SSO. Make sure that the option Integrate any other application you don’t find in the gallery is selected.

From your new application go to the Single sign-on page and select SAML as the single sign-on method.

On the new page we can now upload the metadata file we downloaded from the AWS portal.

Verify the URLs that the Azure Portal has filled in from the metadata file. The Identifier should match the IAM Identity Center issuer URL, and the Reply URL should match the IAM Identity Center Assertion Consumer Service (ACS) URL. Make sure to Save the configuration when ready.
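
Because a single mistyped character in the Identifier or Reply URL silently breaks the SAML flow, the check above can be done programmatically. The following is an added example (not part of the original post) that parses the AWS metadata file from STEP 1 with the Python standard library and compares the values configured in Entra ID against it; the metadata embedded below is constructed, and the d-EXAMPLE and ACS-EXAMPLE identifiers are placeholders.

```python
"""Check the Entra ID SAML settings against the AWS IAM Identity Center metadata.

Added example, not from the original post. The metadata below is constructed
and the d-EXAMPLE / ACS-EXAMPLE identifiers are placeholders, not real values.
"""
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for the "Download metadata file" output from STEP 1.
AWS_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-west-1.signin.aws.amazon.com/platform/saml/d-EXAMPLE">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu-west-1.signin.aws.amazon.com/platform/saml/acs/ACS-EXAMPLE"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the issuer (entityID) and the ACS URL from SAML service-provider metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", MD_NS)
    if root.get("entityID") is None or acs is None:
        raise ValueError("not SAML SP metadata: entityID or AssertionConsumerService missing")
    return {"issuer": root.get("entityID"), "acs_url": acs.get("Location")}


def check_entra_saml_config(sp: dict, identifier: str, reply_url: str) -> list:
    """Compare the Identifier and Reply URL entered in Entra ID with the AWS values.

    SAML compares these strings exactly, so a trailing slash or a swapped
    character is a mismatch. Returns a list of findings; empty means it matches.
    """
    findings = []
    if identifier != sp["issuer"]:
        findings.append(f"Identifier {identifier!r} != AWS issuer {sp['issuer']!r}")
    if reply_url != sp["acs_url"]:
        findings.append(f"Reply URL {reply_url!r} != AWS ACS URL {sp['acs_url']!r}")
    for name, url in (("Identifier", identifier), ("Reply URL", reply_url)):
        if not url.startswith("https://"):
            findings.append(f"{name} must use https, got {url!r}")
    return findings


if __name__ == "__main__":
    sp = parse_sp_metadata(AWS_SP_METADATA)
    # Simulate a hand-copied Reply URL with two letters swapped.
    for finding in check_entra_saml_config(sp, sp["issuer"], sp["acs_url"].replace("acs", "asc")):
        print("FINDING:", finding)
```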

Now that the app has been created, we can download the Federation Metadata XML file. This contains the information AWS needs to forward sign-in requests to the Entra ID login portal.

Before we return to the AWS portal, go to Users and groups and click on Add user/group. Walk through all the steps.

STEP 3: Finalize the SSO provider

Now back to the AWS portal page. Here we import the Federation Metadata XML file that we just exported from the Entra ID portal.

This next screen scared me a bit because I wasn’t aware of the impact. The good news is that, although IAM Identity Center accounts will lose the ability to log in, the root accounts will remain active. So make sure that current IAM users are informed that they will temporarily lose access to the resources in AWS.

Type ACCEPT and click on Change identity source.

STEP 4: Test the login

From the IAM Identity Center go to Users and create a user that also exists in your Entra ID. Make sure the username matches the username in Entra ID exactly.

Now it is time to assign permissions to the added user. Go to AWS accounts under Multi-account permissions. Select the Root or OU where you want to assign permissions, and choose Assign users or groups. Make sure to assign the right permission set. For this test I added AdministratorAccess to my test user.

Now let’s get the sign-in URL to test. Go back to your Dashboard and copy the AWS access portal URL.

Open the URL in an in-private window and log in with the account you just added to verify that everything is working as expected. You should be redirected to the Entra ID login page, and after logging in you should land on the AWS access portal.

STEP 5: Set up automatic provisioning

What we don’t want is to manually add users and assign permissions for every new user. It would be more convenient to have users added and assigned automatically. So, let’s set up an automatic sync that does this for you. Go to Settings in the IAM Identity Center and click on the Enable button under Automatic provisioning.

From the next page copy the SCIM endpoint URL and the Access token (unhide it with Show token).

Now go back to the Azure Portal and, from the Enterprise application that we created in step 2, go to Provisioning.

Change the Provisioning mode to Automatic. Paste the SCIM endpoint URL in the Tenant URL field and the Access token in the Secret Token field. Test the connection when ready.

When the connection is successful, a confirmation message appears in the top right.

Don’t forget to save the configuration.

Now go back to Overview and click Start provisioning. By default, all users assigned to the application will be synchronized. Adjust the Users and groups assignment accordingly. Keep in mind that nested groups will not be synced.

When completed, the provisioning overview shows the synchronized users and groups. Make sure to grant the users/groups the desired permissions in IAM Identity Center.
