AWS SSO with Azure Active Directory

Tutorial from Azure provided here :

To configure the integration of Amazon Web Services (AWS) into Azure AD, you need to add Amazon Web Services (AWS) from the gallery to your list of managed SaaS apps.

To add Amazon Web Services (AWS) from the gallery, perform the following steps:

  1. In the Azure Portal, on the left navigation panel, click Azure Active Directory icon.Active Directory
  2. Navigate to Enterprise applications. Then go to All applications.Applications
  3. Click Add button on the top of the dialog.Applications
  4. In the search box, type Amazon Web Services (AWS).Creating an Azure AD test user
  5. In the results panel, select Amazon Web Services (AWS), and then click Add button to add the application.Creating an Azure AD test user

    Configuring Azure AD single sign-on

    In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Amazon Web Services (AWS) application.

    To configure Azure AD single sign-on with Amazon Web Services (AWS), perform the following steps:

    1. In the Azure Portal, on the Amazon Web Services (AWS) application integration page, click Single sign-on.Configure Single Sign-On
    2. On the Single sign-on dialog, as Mode select SAML-based Sign-on to enable single sign-on.Configure Single Sign-On
    3. On the Amazon Web Services (AWS) Domain and URLs section, check the Show advanced URL settings and placed the Identifier as “urn:amazon:webservices”.AWS_Azure_SAML
    4. The Amazon Web Services (AWS) Software application expects the SAML assertions in a specific format. Please configure the following claims for this application. You can manage the values of these attributes from the “User Attributes” section on application integration page. The following screenshot shows an example for this.AWS_Azure_SAML2.JPG
    5. On the SAML Signing Certificate section, click Metadata XML and then save the XML file on your computer.Configure Single Sign-On
    6. Make new certificate active.AWS_Azure_SAML3.JPG

      Click Save button to save the settings on Azure.

      Configure Single Sign-On

  6. In a different browser window, sign-on to your Amazon Web Services (AWS) company site as administrator.
  7. Click Console Home.Configure Single Sign-On
  8. Click IAM from Security, Identity & Compliance service.Configure Single Sign-On
  9. Click Identity Providers, and then click Create Provider.Configure Single Sign-On
  10. On the Configure Provider dialog page, perform the following steps:AWS_Azure_SAML1.JPG 

    a. As Provider Type, select SAML.

    b. In the Provider Name textbox, type a provider name (e.g.: AzureAD).

    c. To upload your downloaded metadata file, click Choose File.

    d. Click Next Step.

  11. On the Verify Provider Information dialog page, click Create.AWS_Azure_SAML4

    Lets Create couple of roles “AWSRead” for ReadOnly Access and “AWSAdmin” for Admin Level Access. These Roles will be synced to Azure AD – AWS application and while assigning users we can also select roles.

  12. Click Roles, and then click Create New Role.

    Configure Single Sign-On

  13. Select SAML 2.0 federation. From the drop down box select the SAML provider that we have created above.AWS_Azure_SAML5
  14. Search for IAM Read Only Access policyAWS_Azure_SAML6
  15. Give Role name as AWSRead and save it.
  16. Repeat the above steps – select Administrator policy and save the role as AWSAdminAWS_Azure_SAML7Now lets create a user which can read the roles created above and can sync it to Azure AD – AWS Application.AWS_Azure_SAML8
  17. Attach “IAMReadOnly” policy to read the roles that we have created. Save the ACCESSKEY and SECRETKEY for the user as we need to configure in Azure AD – AWS Application provision.AWS_Azure_SAML9
  18. Lets go back to Azure portal and finish the provision section.In the Azure Portal, on the Amazon Web Services (AWS) application integration page, click Provisioning.Configure Single Sign-On

    Set the Provisioning mode to Automatic

    Configure Single Sign-On

    Now in the clientsecret and Secret Token paste the corresponding values, which you have copied from AWS Console.

    You can click the Test Connection button to test the connectivity. Once that is successful then you can start the provisioning connector.

    Configure Single Sign-On

    Now enable the Provisioning Status to On. This starts fetching the roles from the application.

    Configure Single Sign-On


    Azure AD Provisioning service runs every after some time to sync the roles from AWS. You should see all the Identity Provider attached AWS roles into Azure AD and you can use them while assigning the application to users or groups.

    Creating an Azure AD test user

  19. In the Azure portal, on the left navigation pane, click Azure Active Directory icon.Creating an Azure AD test user
  20. Go to Users and groups and click All users to display the list of users.Creating an Azure AD test user
  21. At the top of the dialog click Add to open the User dialog.Creating an Azure AD test user
  22. On the User dialog page, perform the following steps:AWS_Azure_SAML10

    Assigning the Azure AD test user

  23. In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.Assign User
  24. In the applications list, select Amazon Web Services (AWS).Configure Single Sign-On
  25. In the menu on the left, click Users and groups and click “+Add User”Assign User
  26. Search for the “TestUser” created above and selectAWS_Azure_SAML11
  27. By this time the roles created in AWS might have synced. If not wait for some more time so that Azure can fetch them. Once the roles are visible select accordingly.AWS_Azure_SAML12.JPG
  28. We can select multiple users but only one role at a time. Repeat the above steps – select Test User and this time select AWSAdmin.AWS_Azure_SAML13.JPG

    Testing single sign-on

  29. Go to which redirects to Microsoft online login page. If we are logging for the first time then the portal asks you to change the password.AWS_Azure_SAML14.JPG
  30. Once the login is successful we can see the applications assigned to user which also includes AWS.AWS_Azure_SAML15
  31. Click Amazon Web Services. The login should be redirected to with the assigned roles.AWS_Azure_SAML16



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s