Azure/AWS – Federated login from AAD to the AWS Console

Federated Identity lets a single trusted authentication token grant access to multiple systems. It gives us SSO (Single Sign-On), so users are not prompted for a separate password at each system they enter.

In this article we will set up Federated Access to the AWS Console from Microsoft Azure (via Azure Active Directory), giving us SSO capability.

We will be using the SystemAdministrator AWS Managed Policy and the user will be container_admin to coincide with the rest of the articles in this section.

Log in to the AWS Console as an Administrator with full access and/or as the root account.
Log in to Microsoft Azure as Global Administrator of the tenant you want to SSO from.

Enable AWS Organizations (if you have already enabled organizations then Settings -> Enable all features):
AWS -> All Services -> AWS Organizations -> Create organization -> Enable all features

Check your email and click the link sent from AWS to finalize enabling all features.

Enable AWS SSO:
AWS -> All Services -> AWS Single Sign-On -> Enable AWS SSO

Create the Azure user you want to use for SSO:
Azure Active Directory -> Users | All users -> New user -> Create user -> User name: container_admin -> Name: container admin -> First name: container -> Last name: admin -> Password -> Auto-generate password
-> Tick Show Password (Take note of the password) -> Create

Add the AWS Gallery application into Azure AD via Enterprise applications:
Azure -> Azure Services -> Azure Active Directory -> Enterprise applications (Manage) -> All applications (Manage) -> New application -> Cloud platforms: Amazon Web Services (AWS) (black bordered box) -> Create

Enterprise Application | All applications -> Amazon Web Services (AWS) -> Single sign-on (Manage) -> SAML -> Click Yes on Save single sign-on setting popup (Identifier (Entity ID) and Reply URL)

Create a SAML (Security Assertion Markup Language) certificate and activate it:
SAML Signing Certificate -> Edit -> Add a certificate -> New Certificate -> Save -> Select the toolbar on the certificate -> Make certificate active -> Yes -> Close pane

Dismiss the ‘Test single sign-on with Amazon Web Services (AWS)’ popup (i.e. No, I’ll test later).

Download the Federation Metadata for the Identity Provider that will be created in AWS later:
SAML Signing Certificate -> Download Federation Metadata XML

Change the Federated SSO session duration from the default 15 minutes (900 seconds) to 3 hours (10800 seconds):
User Attributes & Claims -> Edit -> Select the SessionDuration Claim name -> Source attribute -> “10800” -> Save

Create the Identity Provider:
AWS -> IAM -> Identity Providers -> Create Provider -> Provider Type -> SAML -> Provider Name: AzureAD -> Metadata Document -> Choose File (the downloaded Federated Metadata XML file) -> Next Step -> Create

Create the role and assign the SystemAdministrator AWS managed policy to it:
IAM -> Roles -> Create role -> SAML 2.0 federation -> SAML provider -> AzureAD -> Allow programmatic and AWS Management Console access -> Next: Permissions -> select SystemAdministrator -> Next: Tags -> Next: Review -> Role name: SystemAdministrator -> Create role

Create a policy that allows the provisioning user to list roles (the only permission it needs):
IAM -> Policies -> Create policy -> JSON ->

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

-> Review policy -> Name: AzureAD_SSOUserRole_Policy -> Description: This policy will allow to fetch the roles from AWS accounts. -> Create policy

Create a user (to be used in Azure’s AWS Gallery application for Provisioning) and assign it the previously created policy:
IAM -> Users -> Add user -> User name: AzureADRoleManager -> select Programmatic access -> Next: Permissions -> Attach existing policies directly -> select AzureAD_SSOUserRole_Policy -> Next: Tags -> Next: Review -> Create user -> Take note of the Access Key ID and the Secret Access Key

Configure Provisioning:
Azure -> Enterprise applications | All applications -> Amazon Web Services (AWS) -> Provisioning -> Get started -> Provisioning Mode: Automatic -> Admin Credentials: clientsecret (enter the Access Key ID) -> Secret Token: (enter the Secret Access Key) -> Test Connection -> Save -> Provisioning Status: On -> Save

Wait for the Incremental cycle to complete (the status shows finished shortly afterwards, but allow another 15 minutes or so before continuing).

Assign a user to the AWS gallery application:
Users and groups -> Add user -> Users and groups -> select container_admin -> select -> Select a role -> SystemAdministrator,AzureAD -> Select -> Assign

Note: If you see DefaultAccess and/or you are not able to select the role, assign the user first, then go back in and assign the role (it must say SystemAdministrator,AzureAD).

In a browser:
https://myapplications.microsoft.com/ -> Login as container_admin@TENANT.onmicrosoft.com -> Change the password -> Click on the Amazon Web Services icon -> click on container_admin@TENANT.onmicrosoft.com in the popup list -> You will be taken to the AWS Console

Up top, select the user and in the dropdown you will see:
Federated Login: SystemAdministrator/container_admin@TENANT.onmicrosoft.com

Source:
amazon-web-service-tutorial