This walkthrough follows the Azure tutorial provided here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-amazon-web-service-tutorial
To configure the integration of Amazon Web Services (AWS) into Azure AD, you need to add Amazon Web Services (AWS) from the gallery to your list of managed SaaS apps.
To add Amazon Web Services (AWS) from the gallery, perform the following steps:
- In the Azure Portal, on the left navigation panel, click the Azure Active Directory icon.
- Navigate to Enterprise applications. Then go to All applications.
- Click the Add button at the top of the dialog.
- In the search box, type Amazon Web Services (AWS).
- In the results panel, select Amazon Web Services (AWS), and then click the Add button to add the application.
Configuring Azure AD single sign-on
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Amazon Web Services (AWS) application.
To configure Azure AD single sign-on with Amazon Web Services (AWS), perform the following steps:
- In the Azure Portal, on the Amazon Web Services (AWS) application integration page, click Single sign-on.
- On the Single sign-on dialog, select SAML-based Sign-on as the Mode to enable single sign-on.
- In the Amazon Web Services (AWS) Domain and URLs section, check Show advanced URL settings and set the Identifier to “urn:amazon:webservices”.
- The Amazon Web Services (AWS) application expects the SAML assertions in a specific format. Configure the following claims for this application; you can manage the values of these attributes from the “User Attributes” section on the application integration page. The following screenshot shows an example of this.
- In the SAML Signing Certificate section, click Metadata XML and save the XML file on your computer.
- Make the new certificate active.
- Click the Save button to save the settings in Azure.
- In a different browser window, sign in to your Amazon Web Services (AWS) company site as an administrator.
- Click Console Home.
- Click IAM under the Security, Identity & Compliance services.
- Click Identity Providers, and then click Create Provider.
- On the Configure Provider dialog page, perform the following steps:
a. As Provider Type, select SAML.
b. In the Provider Name textbox, type a provider name (e.g. AzureAD).
c. To upload your downloaded metadata file, click Choose File.
d. Click Next Step.
- On the Verify Provider Information dialog page, click Create.
Let's create two roles: “AWSRead” for read-only access and “AWSAdmin” for administrator-level access. These roles will be synced to the Amazon Web Services (AWS) application in Azure AD, and we can then select a role while assigning users.
- Click Roles, and then click Create New Role.
- Select SAML 2.0 federation. From the drop-down box, select the SAML provider that we created above.
- Search for the IAM Read Only Access policy and select it.
- Enter AWSRead as the role name and save it.
- Repeat the above steps, this time selecting the Administrator policy, and save the role as AWSAdmin.
Now let's create a user that can read the roles created above, so that they can be synced to the Amazon Web Services (AWS) application in Azure AD.
- Attach the “IAMReadOnly” policy to the user so it can read the roles that we created. Save the user's ACCESSKEY and SECRETKEY, as we need them to configure provisioning in the Azure AD AWS application.
Let's go back to the Azure portal and finish the provisioning section.
- In the Azure Portal, on the Amazon Web Services (AWS) application integration page, click Provisioning.
- Set the Provisioning Mode to Automatic.
- In the clientsecret and Secret Token fields, paste the corresponding values (the access key and secret key you saved from the AWS console).
- Click the Test Connection button to test connectivity. Once that succeeds, you can start the provisioning connector.
- Set the Provisioning Status to On. This starts fetching the roles from the application.
The Azure AD provisioning service runs periodically to sync the roles from AWS. You should then see all AWS roles attached to the identity provider in Azure AD, and you can use them when assigning the application to users or groups.
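The following is an added example, not part of the original walkthrough and not Azure's or AWS's own code. It builds the trust policy the IAM console generates when you choose SAML 2.0 federation for the AWSRead and AWSAdmin roles above, checks that a role trusts only the intended provider and the AWS sign-in audience, and mirrors the provisioning sync by filtering a (constructed) role list down to the roles attached to the provider, rendered as the Role claim value Azure AD sends. The account id, the provider name AzureAD and the sample roles are constructed placeholders.

```python
# Constructed sample values (not from the page): substitute your own account id.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/AzureAD"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy the console creates for 'SAML 2.0 federation': only this
    provider may call sts:AssumeRoleWithSAML, and only for the AWS sign-in audience."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}


def trusts_provider(policy: dict, provider_arn: str) -> bool:
    """Review check: an Allow statement names exactly this provider as the
    federated principal and pins SAML:aud. A Service or wildcard principal,
    another provider, or a missing audience condition does not count."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if federated == provider_arn and aud == SAML_AUDIENCE:
            return True
    return False


def roles_for_provider(roles: list, provider_arn: str) -> list:
    """What the provisioning sync surfaces: roles attached to the provider, each
    rendered as the 'Role' claim value Azure AD sends, '<role ARN>,<provider ARN>'."""
    return [f"{r['Arn']},{provider_arn}" for r in roles
            if trusts_provider(r["AssumeRolePolicyDocument"], provider_arn)]


# Constructed stand-in for an iam:ListRoles response, trimmed to the fields used.
SAMPLE_ROLES = [
    {"RoleName": "AWSRead", "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/AWSRead",
     "AssumeRolePolicyDocument": saml_trust_policy(PROVIDER_ARN)},
    {"RoleName": "AWSAdmin", "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/AWSAdmin",
     "AssumeRolePolicyDocument": saml_trust_policy(PROVIDER_ARN)},
    {"RoleName": "EC2Role", "Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/EC2Role",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]}},
]
```

Only the two SAML-federated roles survive the filter; the EC2 service role, which is not attached to the provider, is left out exactly as it is in Azure AD's role list.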
Creating an Azure AD test user
- In the Azure portal, on the left navigation pane, click the Azure Active Directory icon.
- Go to Users and groups and click All users to display the list of users.
- At the top of the dialog, click Add to open the User dialog.
- On the User dialog page, perform the following steps:
Assigning the Azure AD test user
- In the Azure portal, open the applications view, navigate to the directory view, go to Enterprise applications, and then click All applications.
- In the applications list, select Amazon Web Services (AWS).
- In the menu on the left, click Users and groups and then click “+Add User”.
- Search for the “TestUser” created above and select it.
- By this time the roles created in AWS may have synced. If not, wait a little longer so that Azure can fetch them. Once the roles are visible, select the appropriate role (AWSRead in this walkthrough).
- We can select multiple users, but only one role at a time. Repeat the above steps, selecting Test User again and this time choosing AWSAdmin.
Testing single sign-on
- Go to https://myapps.microsoft.com, which redirects to the Microsoft online login page. If this is the user's first login, the portal asks you to change the password.
- Once the login is successful, we can see the applications assigned to the user, which include AWS.
- Click Amazon Web Services. You should be redirected to https://signin.aws.amazon.com/saml with the assigned roles.