
1. Introduction

Most enterprises adopting the cloud want to federate their existing user base, that is, build an SSO (Single Sign-On) setup in which the corporate identity provider authenticates the person and AWS authorizes, through IAM roles, what that person is allowed to do in the account.

This post describes how to set up enterprise federation by integrating ADFS (Active Directory Federation Services) with AWS.

Prerequisites:

  • Windows Server 2019 (2016 should be fine)
  • AWS account (free tier is fine)

2. How it works

ADFS Integration with AWS - ARCHITECTURE

1 - The user browses to the corporate ADFS sign-in portal and enters their AD credentials.

2 - ADFS authenticates the user against Active Directory.

3 - Active Directory returns the user's information, including group membership.

4 - ADFS claim rules build the IAM role ARNs dynamically from the AD group names: each group name encodes both the AWS account ID and the IAM role name, which is why the naming convention in section 3 matters. User attributes (distinguishedName, mail, sAMAccountName) are used to identify the session (the RoleSessionName).

ADFS then returns a signed SAML assertion to the browser, which posts it to the AWS SAML sign-in endpoint.

5 - AWS calls STS AssumeRoleWithSAML and issues temporary credentials for the selected role.

6 - The user is signed in to the AWS Management Console with the permissions of that role.
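To make step 4 concrete, here is an added example (not code from the original post) that reproduces in plain PowerShell the transform ADFS will apply: it takes a user's AD group names, keeps only those following the AWS-<account id>-<role name> convention, and emits the "provider ARN,role ARN" pair AWS expects in the Role attribute. The SAML provider name ADFS, the account ID and the sample group list are assumptions for illustration.

```powershell
# Added example: mirrors the group-name -> role ARN mapping that the ADFS claim
# rules perform. Everything below (provider name, account id, groups) is made up.

function Get-AwsSamlRoleClaims {
    param(
        [Parameter(Mandatory)] [string[]] $GroupNames,   # the user's AD group memberships
        [string] $SamlProviderName = 'ADFS'               # IAM SAML provider name (assumed)
    )
    foreach ($g in $GroupNames) {
        # Only groups named AWS-<12-digit account id>-<IAM role name> carry a role.
        # -cmatch is case-sensitive: the prefix must be upper-case AWS, and the role
        # name is copied verbatim into the ARN, so its case must match the IAM role.
        if ($g -cmatch '^AWS-(\d{12})-(.+)$') {
            $accountId = $Matches[1]
            $roleName  = $Matches[2]
            [pscustomobject]@{
                Group     = $g
                AccountId = $accountId
                RoleName  = $roleName
                # AWS reads "<SAML provider ARN>,<IAM role ARN>" from the Role attribute.
                RoleClaim = "arn:aws:iam::${accountId}:saml-provider/${SamlProviderName},arn:aws:iam::${accountId}:role/${roleName}"
            }
        }
    }
}

# Constructed sample: Jean's memberships, including groups that must be ignored.
$jeanGroups = @(
    'Domain Users',
    'AWS-123456789012-AWS-PROD-ADMIN',
    'AWS-123456789012-AWS-PROD-DEV',
    'aws-123456789012-lowercase-prefix'   # wrong case: deliberately not matched
)

Get-AwsSamlRoleClaims -GroupNames $jeanGroups | Format-List

# The RoleSessionName does not come from the group: it is a user attribute,
# typically the mail address, sent as a separate SAML attribute.
$roleSessionName = 'jean@corp.example.com'   # placeholder value
```

Only the two AWS-PROD groups produce a claim; Domain Users and the mis-cased group are dropped, which is exactly the behaviour you want when a user belongs to dozens of unrelated groups.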

3. Configuring Active Directory

Before configuring ADFS, you need a working Active Directory domain.

  • Create two AD groups named exactly AWS-accountId-AWS-PROD-ADMIN and AWS-accountId-AWS-PROD-DEV, where accountId is your 12-digit AWS account ID (shown on the AWS console dashboard). Case matters: the part after the account ID becomes the IAM role name in the ARN.
  • Create a user named Jean with an email address (the mail attribute will be used in the SAML claims).
  • Add Jean to the two groups created above.
  • Create another user named ADFSAWS. This is the service account the ADFS service will run as; a standard domain user is enough, do not make it a domain admin.
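The same objects can be created with the ActiveDirectory module instead of the GUI. This is an added example, not part of the original post; the OU path, UPN suffix and account ID are placeholders to replace with your own values.

```powershell
# Added example: scripts the AD objects section 3 creates by hand.
# Placeholders: $AwsAccountId, $Ou and $Domain are not real values.
Import-Module ActiveDirectory

$AwsAccountId = '123456789012'                      # placeholder: your 12-digit AWS account id
$Ou           = 'OU=AWS,DC=corp,DC=example,DC=com'  # placeholder OU
$Domain       = 'corp.example.com'                  # placeholder UPN / mail suffix

# The text after the account id is what ends up in the IAM role ARN, so it must
# match the IAM role name exactly, case included.
$roleGroups = @("AWS-$AwsAccountId-AWS-PROD-ADMIN", "AWS-$AwsAccountId-AWS-PROD-DEV")

foreach ($name in $roleGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $Ou
    }
}

# Federated user. The mail attribute is the one ADFS will send as the session name.
$jeanPassword = Read-Host -AsSecureString 'Initial password for Jean'
New-ADUser -Name 'Jean' -SamAccountName 'jean' `
           -UserPrincipalName "jean@$Domain" -EmailAddress "jean@$Domain" `
           -Path $Ou -AccountPassword $jeanPassword -Enabled $true

foreach ($name in $roleGroups) {
    Add-ADGroupMember -Identity $name -Members 'jean'
}

# ADFS service account: a plain domain user, no admin group membership.
$svcPassword = Read-Host -AsSecureString 'Password for the ADFSAWS service account'
New-ADUser -Name 'ADFSAWS' -SamAccountName 'adfsaws' `
           -UserPrincipalName "adfsaws@$Domain" `
           -Path $Ou -AccountPassword $svcPassword -Enabled $true -PasswordNeverExpires $true

# Check: Jean should list both AWS-* groups, and nothing else AWS-related.
Get-ADPrincipalGroupMembership -Identity 'jean' |
    Where-Object Name -like 'AWS-*' |
    Select-Object Name
```

The final check is worth keeping in a real deployment: every AWS-* group a user belongs to becomes a selectable role at sign-in, so stray memberships translate directly into extra AWS permissions.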

4. Installing and Configuring ADFS

With Jean, the two groups and the ADFSAWS service account in place, install the ADFS role.

After installing the role, keeping the wizard's default settings is enough to configure the environment for this lab.

Open the AD FS Management console (search for AD FS in the Start menu) and start the configuration wizard:

  • Select Create a new federation (default setting).
  • Select New federation server farm (default setting).
  • In Specify Service Properties, choose the SSL certificate and the federation service name. I'm using a self-signed SSL certificate generated with IIS for demo purposes; in production use a certificate issued for the federation service name by a CA your clients trust.
  • In Specify Service Account, select ADFSAWS, the service account created earlier.
  • Select the first option, Create a database on this server (Windows Internal Database).
  • Review your choices and continue.

If the wizard fails with an SPN error, the service principal name for the service account created earlier has to be registered manually:

setspn -a host/localhost adfsaws

Note: ADFSAWS is the service account created earlier.

If the command succeeds, setspn prints the account's distinguished name followed by "Updated object". Re-run the wizard afterwards.
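The wizard steps above, including the SPN fix, can also be scripted with the ADFS cmdlets. This is an added example, not from the original post; the federation service name, domain and service account are placeholders, and the self-signed certificate is for a lab only.

```powershell
# Added example: the section 4 wizard as a script. Placeholders: the FQDN,
# the CORP domain and the display name are not real values.
$FederationServiceName = 'adfs.corp.example.com'   # placeholder: must resolve in DNS to this server
$ServiceAccount        = 'CORP\adfsaws'            # the ADFSAWS account from section 3

# 1. Install the role (what the wizard assumes is already done).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Lab-only self-signed SSL certificate, standing in for the IIS-generated one.
#    Issued for the federation service name, as the wizard requires.
$cert = New-SelfSignedCertificate -DnsName $FederationServiceName `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Register the SPN on the plain domain service account up front; this is the
#    step the wizard's SPN error asks for.
setspn -a host/localhost adfsaws

# 4. Create the first server of a new farm with the default Windows Internal
#    Database, using the ADFSAWS account as the service account.
$svcCred = Get-Credential -UserName $ServiceAccount -Message 'ADFSAWS service account password'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName 'Corp ADFS Lab' `
                 -ServiceAccountCredential $svcCred

# Sanity checks: the service is running and reports the expected host name.
Get-Service adfssrv
Get-AdfsProperties | Select-Object HostName, DisplayName
```

Install-AdfsFarm fails early if the federation service name does not resolve or if the certificate's subject does not match it, so verify the DNS record before running it.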

The AWS side of the configuration (the SAML identity provider in IAM and the roles that Jean's groups map to) is covered in Part 2.
