Windows Blogs

Integrating AWS SSO with Azure Active Directory

By Sai Kurada
15mins Read
Introducing Single Sign-On
Single Sign-On (SSO) is an authentication and authorization method that allows a user to log in to different apps using a single set of credentials (username and password).

This streamlined login process eliminates the need for users to repeatedly sign in and out of various applications, whether on-premises or cloud-based. SSO makes overall password management easier in a company, enhancing productivity and security by lowering the chance of lost, weak, or forgotten passwords.

How it works?
SSO aims to establish a trusted partnership between an identity provider (IdP) and a service provider (SP). This mutual trust is primarily solidified through the exchange of certificates between IdP and SP. The exchanged certificate serves as a validation mechanism for the identification information shared by the identity provider with the service provider, ensuring its credibility from a trusted source. SSO securely stores this information in the form of tokens, which contain user-specific details such as an email ID or username.

In organizational contexts, there is a preference for maintaining a unified identity across
applications and cloud-based platforms. Azure Active Directory (AD) stands out as a widely embraced authentication method, especially given the prevalent use of Office 365 in businesses. Azure AD often serves as the central authentication hub due to its seamless integration with various services.

This blog post will guide the integration of AWS SSO into the Organization's master account, leveraging Azure Active Directory for user authentication. Such integrations play a pivotal role in enabling administrators to efficiently manage users and groups from a centralized source.

Step by Step guide for Integration of AWS SSO with Azure AD

Architectural diagram:
Enable AWS SSO:
  1. Log in to the AWS Console with the AWS master account, then navigate to the IAM Identity Center (successor to AWS Single Sign-On).
  2. Verify the upper right corner of the AWS Management console to ensure that they are in the correct region.
  3. If you access the Identity Center for the first time in this region, you will be greeted with the welcome screen below. Click on “Enable”.
Once the service is enabled, click on “Change your Identity Source.” Navigate to Identity source and select action. Choose “Change identity source.”
By default, the identity source in AWS SSO. We will change it to “External Identity provider” to integrate with Azure AD. Download the metadata from step 2 and now switch to the Azure side.
Configuring Azure AD as IdP:
Login to your Azure account and navigate to Azure Active Directory. Select “Enterprise Applications” from the left panel and create a new application. Search for AWS from the search bar then select AWS IAM Identity Center (successor to AWS Single Sign-On) as shown below:
After selecting AWS SSO, Click on Create. Now navigate to the application that you just created and select “Set up single sign-on” as shown below.
Select SAML on the next page and upload the metadata data you downloaded from AWS IAM Identity Center.
After the upload is complete click “Save” and then close the Basic SAML Configuration pane. You will get a prompt to test the single sign-on with AWS Single Sign-On. You can click “No, I’ll test later.” Now download the Azure Federation Metadata XML as shown below.
After downloading the metadata file, now back to the AWS console and upload the downloaded metadata as shown below then click on Next.
In the next step, acknowledge and change the identity source as shown.
The basic configuration is completed. Now let’s implement the automatic provision of users and groups from Azure AD using the SCIM protocol. Before automatic provisioning creates users and groups in your active directory and then add them to the application.
Automatic provisioning of Users and Groups:
In the left panel of AWS Identity Center, select “settings.” Navigate to the identity source and go to action. Click on “Manage Provisioning.” Enable the provisioning to Automatic and copy the “SCIM endpoint” and “Token”.
Back in Azure, Navigate to “Provisioning” from the left panel in the application and click on Get Started. Change the provisioning mode to automatic and paste the copied SCIM endpoint and token that you copied from the AWS console. Click on Save.
Back in the “Provisioning” section and start the provisioning. The default provisioning interval is set to 40 minutes.
As shown above, the user is successfully provisioned. It should be visible in the AWS Identity Center.
Now, we can assign permissions to the users and access AWS accounts as Azure AD users.
Conclusion:
This article demonstrates how we can integrate Azure AD to AWS Single Sign-On (SSO). With this connection, you can now manage access to AWS accounts and apps centrally for single sign-on and utilize automated provisioning to decrease complexity when maintaining and utilizing identities. Users no longer need to manage multiple identities and passwords to access their AWS accounts and apps since Azure AD can now serve as a single source for user management.