Introduction

In this tutorial I will show you how to integrate Azure AD with AWS. The goal is to use a single identity, either your on-premises AD user synchronised to Azure AD or a cloud-only Azure AD user, to sign in directly to the AWS Management Console.

SSO between Azure AD and Amazon Web Services works a little differently from most gallery applications. Besides the SAML trust, we must create an IAM user in the AWS console so that Azure AD can read the roles of the account and offer them for assignment. This is the only point to be aware of: that user only needs programmatic access and gets no console password, and its access key should be granted nothing beyond listing roles.

Let's start by adding the AWS application from the Azure AD application gallery.

Creating the application in the Azure portal

In the Microsoft Azure portal, go to "Azure Active Directory", then "Enterprise applications" and click "All applications".

Next, click "New application".

Search for "Amazon Web Services (AWS)" and select the application.

You can change the name of the application so that it is easier to tell which AWS account it is integrated with. After changing the name, click "Add" and wait for the application to be provisioned.

Once the application is provisioned, open the "Single sign-on" option.

Under "Single sign-on", choose "SAML-based Sign-on".

This step is very important, because we have to set a few parameters for the integration with AWS to work fully.

Expand "Show advanced URL settings" and set "Identifier" to "urn:amazon:webservices", exactly as written: lowercase and with no spaces. This value becomes the Audience of the SAML assertion, and AWS rejects assertions whose audience does not match.

Next we will add two attributes under "User Attributes". To do this, select "View and edit all other user attributes".

Now click "Add attribute".

Now add the following attributes:

Attribute name      Attribute value           Namespace
RoleSessionName     user.userprincipalname    https://aws.amazon.com/SAML/Attributes
Role                user.assignedroles        https://aws.amazon.com/SAML/Attributes

*Remember that the attribute names and the namespace are case-sensitive: AWS looks for exactly "https://aws.amazon.com/SAML/Attributes/Role" and "https://aws.amazon.com/SAML/Attributes/RoleSessionName" in the assertion. RoleSessionName is the name AWS shows in the console and records in CloudTrail for the federated session. Role is filled in later by provisioning: each AWS role becomes an application role whose value is the pair "arn:aws:iam::ACCOUNT:role/ROLE,arn:aws:iam::ACCOUNT:saml-provider/PROVIDER", and "user.assignedroles" emits the pairs assigned to the signed-in user.

Now download the "Metadata XML" and save it in a secure place on your computer; it contains the certificate AWS will use to verify the signature on the assertions. At the time of writing, the integration only worked for me after changing the "Signing Algorithm" from the default "SHA-256" to "SHA-1". SHA-1 is deprecated for signatures, so try the default SHA-256 first and fall back to SHA-1 only if AWS actually rejects the response. Make sure the certificate is marked as active, then click "Save".

Configuring the AWS console

The first part is done. Now we go to the AWS console and open "Identity and Access Management (IAM)".

Now let's create an identity provider: go to "Identity providers" and click "Create Provider".

Under "Create Provider", select the provider type "SAML", give the provider a name and upload the metadata XML downloaded from Azure AD, then click "Next".

Then click "Create".

The identity provider has been created successfully.

Now let's create a role: go to "Roles" and click "Create role".

Choose SAML as the type of trusted entity.

Next, select the identity provider that was created, choose "Allow programmatic and AWS Management Console access", then click "Next: Permissions". This writes a trust policy that lets assertions from that provider call sts:AssumeRoleWithSAML when they are addressed to the AWS sign-in endpoint.

Now select the permissions policy. In this example I am giving the role full access; in a real deployment attach only the permissions the federated users actually need, because everyone who is assigned this role in Azure AD receives them.

Give the role a name, then click "Create role".

The role has been created successfully.

Now we will create the IAM user that lets Azure AD connect to AWS. Go to "Users" and click "Add user".

Give the user a name, select the access type "Programmatic access" and click "Next: Permissions". Do not enable console access: this user only ever acts through its access key.

Now attach the policy: select "Attach existing policies directly", pick the policy, then click "Next: Review" and "Create user". The only API the Azure AD provisioning service needs is "iam:ListRoles", so a custom policy allowing just that action is enough. Do not reuse an administrator policy here, because this key will be stored outside AWS.

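As an added example (not part of the original post), here are the two policy documents behind the role and user steps above, written out as Python so they can be generated and checked rather than clicked together: the trust policy the console creates for the SAML role, and the least-privilege policy for the provisioning user. The account ID 123456789012 and the provider name "AzureAD" are placeholders, and policy_allows_only is my own helper for catching an over-broad policy attached to the provisioning user; none of this is code from the post or from AWS.

```python
import json
import re

# The AWS sign-in endpoint is what the trust policy tests as SAML:aud
# (AWS takes that value from the assertion's Recipient field).
AWS_SAML_ENDPOINT = "https://signin.aws.amazon.com/saml"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    """ARN of the IAM SAML identity provider created from the Azure AD metadata."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def saml_role_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy equivalent to what the console writes for a SAML 2.0 federation
    role with 'Allow programmatic and AWS Management Console access' selected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_ENDPOINT}},
        }],
    }


def provisioning_user_policy() -> dict:
    """Least-privilege policy for the IAM user whose access key Azure AD stores:
    enumerating roles is all the provisioning connector needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"}],
    }


def policy_allows_only(policy: dict, allowed_actions: set) -> bool:
    """Hypothetical helper: True if every Allow statement grants only actions in
    allowed_actions. Any wildcard ('iam:*', '*') fails the check."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action or action not in allowed_actions:
                return False
    return True


if __name__ == "__main__":
    account = "123456789012"  # constructed placeholder account ID
    print(json.dumps(saml_role_trust_policy(account, "AzureAD"), indent=2))
    print(json.dumps(provisioning_user_policy(), indent=2))
    # The managed AdministratorAccess policy has this shape and must not be used here.
    admin = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    print("provisioning policy ok:", policy_allows_only(provisioning_user_policy(), {"iam:ListRoles"}))
    print("admin policy ok:", policy_allows_only(admin, {"iam:ListRoles"}))
```

The output of provisioning_user_policy is what to create as a customer-managed policy before the "Attach existing policies directly" step; the trust policy output is what to paste into the role's trust relationship if you create the role with the CLI instead of the wizard.
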
Now download the ".csv" file or copy the user's Access key ID and Secret access key, as we need both for the next step. The secret is shown only once and should be treated like a password. We will go back to Azure AD to add this information to the provisioning configuration.

Provisioning the application

Go back to Azure AD, select the application and open "Provisioning". The mode is "Manual" by default; change it to "Automatic", then fill in the "clientsecret" field with the Access key ID and the "Secret Token" field with the Secret access key of the IAM user created earlier. Click "Test Connection" and then "Save".

Communication between AWS and Azure AD is now working.

Lastly, under "Settings", set "Provisioning Status" to "On" and click "Save". Provisioning takes a while; once it completes, the roles from AWS appear in the application as roles that can be assigned to users.

Now let's create a user without a password in the AWS console. (SAML federation itself does not need an IAM user for each person: the federated user assumes the role directly and is identified in AWS by the RoleSessionName.)

After creating the user, return to the application in the Azure portal and add the users who will have access to the integration. Choose the user and assign the role that was created in AWS.

Testing the access

The integration is complete. Open the Microsoft "My Apps" portal at http://myapps.microsoft.com/. Once the application is available there, a single click signs the user in to the AWS console.

We are now in the AWS console through the federation between Azure AD and Amazon Web Services. As you can see, the console shows both the role and the user: the role comes from the Role attribute and the user name from RoleSessionName.

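If the console does not show the expected role or user name, the quickest check is to look at what Azure AD actually sent. As an added example that is not from the original post, the following Python decodes the SAMLResponse form field (capture it from the browser's network tab; it is posted to https://signin.aws.amazon.com/saml) and verifies the items AWS cares about and that the attribute table configured earlier: the Audience, the Recipient, one well-formed RoleSessionName, and Role values consisting of a role ARN and a SAML provider ARN from the same account. The embedded response is constructed for the example and unsigned, and the code does not verify the XML signature (AWS does that), so it is a debugging aid rather than a security control. Run it only on responses from your own IdP, since the standard library XML parser is not hardened against hostile input.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD emits each attribute Name as "<namespace>/<attribute name>", which is what AWS expects.
AWS_ATTR_PREFIX = "https://aws.amazon.com/SAML/Attributes/"
EXPECTED_AUDIENCE = "urn:amazon:webservices"               # the Identifier configured in Azure AD
EXPECTED_RECIPIENT = "https://signin.aws.amazon.com/saml"  # AWS evaluates this as saml:aud
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")           # AWS limits for RoleSessionName


def parse_saml_response(saml_response_b64: str) -> dict:
    """Decode the SAMLResponse form field and extract the parts AWS looks at."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (encrypted assertions are not handled)")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    confirmation = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = confirmation.get("Recipient") if confirmation is not None else None
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR_PREFIX):
            attributes[name[len(AWS_ATTR_PREFIX):]] = [
                value.text or "" for value in attr.iterfind("saml:AttributeValue", NS)]
    return {"audience": audience, "recipient": recipient, "attributes": attributes}


def check_aws_assertion(parsed: dict) -> list:
    """Return a list of problems; an empty list means the mapping matches what AWS requires."""
    problems = []
    if parsed["audience"] != EXPECTED_AUDIENCE:
        problems.append(f"Audience is {parsed['audience']!r}, expected {EXPECTED_AUDIENCE!r}")
    if parsed["recipient"] != EXPECTED_RECIPIENT:
        problems.append(f"Recipient is {parsed['recipient']!r}, expected {EXPECTED_RECIPIENT!r}")
    attrs = parsed["attributes"]
    names = attrs.get("RoleSessionName", [])
    if len(names) != 1 or not SESSION_NAME.match(names[0]):
        problems.append("RoleSessionName must be one value of 2-64 chars from [A-Za-z0-9_+=,.@-]")
    roles = attrs.get("Role", [])
    if not roles:
        problems.append("no Role attribute: check the user.assignedroles mapping and the role assignment")
    for value in roles:
        parts = value.split(",")
        # AWS accepts the two ARNs in either order, but both must name the same account.
        role = next((m for m in map(ROLE_ARN.match, parts) if m), None)
        provider = next((m for m in map(PROVIDER_ARN.match, parts) if m), None)
        if len(parts) != 2 or role is None or provider is None:
            problems.append(f"Role value {value!r} is not 'role-arn,saml-provider-arn'")
        elif role.group(1) != provider.group(1):
            problems.append(f"Role value {value!r} mixes two AWS accounts")
    return problems


# Constructed, unsigned sample of what Azure AD posts to AWS for user@contoso.com.
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Destination="{EXPECTED_RECIPIENT}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>user@contoso.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AWS_ATTR_PREFIX}RoleSessionName">
        <saml:AttributeValue>user@contoso.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{AWS_ATTR_PREFIX}Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/AzureAD-Admin,arn:aws:iam::123456789012:saml-provider/AzureAD</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE)
    print(parsed)
    print("problems:", check_aws_assertion(parsed) or "none")
```

A missing Role attribute usually means provisioning has not finished or the user has no role assigned under "Users and groups"; a wrong Audience usually means the Identifier was typed with different casing or stray spaces.
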
Thank you, and see you in the next post.