AWS SSO with Azure Active Directory

Introduction

Recently in one of my project we had to setup AWS SSO with Azure AD as our primary identity provider. There are couple good reads available on the web like this one from 2019 but things are changing dynamically, so they are quickly becoming outdated. This is the reason why I decided to write my own detailed guide!

Pre-requisites

Before we start we need two pieces in place which are not described in this guide:

• Azure Active Directory
• AWS SSO

Add Enterprise Application on Azure

1. Go to your Azure subscription. Navigate to Azure Active Directory, next in the menu on the left hand side click Enterprise applications.

   

2. Click New application.

   

3. Click Create your own application, add meaningful name, check Integrate any other application you don't find in the gallery and click Create when ready

   

4. We have created our Enterprise application, now let's go back to our AWS account.

   

Configure AWS SSO with external identity provider

1. Log into your AWS account, navigate to AWS SSO service and click Choose your identity source.

   

2. Under Identity source settings, click Change.

   

3. You will be redirected to the new page with additional settings. On that page choose External identity provider. Scroll down to Service provider metadata section and click Download metadata file. We are going to upload this file to our Azure application. Leave this page open, we will need it later.

   

Now let's go back to our Enterprise application on Azure.

Configure Enterprise application

1. Navigate to the previously created Enterprise application and click Setup single sign on.

   

2. On next page choose SAML.

   

3. Upload metadata file downloaded from AWS SSO configuration and click Save on next dialog.

   

4. Now you should see the link to download Federation Metadata XML file which we will upload to AWS SSO as IdP SAML metadata (you didn't close it, right? (: ). If you can't see the link, please refresh the page.

   

Finish AWS SSO configuration

1. Go back to the AWS SSO configuration page and upload Federation Metadata XML file from Azure as IdP SAML metadata. Click Review when ready.

   

2. Carefully read warning message. When ready write ACCEPT in the text box and click Change identity source button.

   

Congrats! You have configured AWS SSO with AzureAD as your main identity provider. Now let's configure automatic provisioning of your users and groups.

Enable automatic provisioning

1. Navigate to AWS SSO console, click Settings and then click Enable identity synchronization link. New dialog will open with your SCIM endpoint address and Access token. Copy these values, you will need them later.

   

2. Let's go back to Azure portal. Navigate to your Enterprise application and click Provisioning on the left hand side menu.

   

3. Set Provisioning mode to Automatic. Provide Tenant URL (SCIM endpoint) and Secret Token (Access token). You can click Test Connection button to verify if Azure can establish connection with SCIM endpoint.

   

4. Mappings section will be available as soon as you hit Save button with your SCIM endpoint and Access token fields populated. It's good idea to set up Notification Email field so you will get notified if you synchronization fails. You can set Provisioning Status to On.

   

   Pro tip: AzureAD allows you to create user without First Name and Last Name defined but AWS SSO won't like it. Please pay attention to any synchronization errors.

5. Last but not least is to define our users and groups that we want to be synchronized from AzureAD to AWS SSO. To do this navigate to your Enterprise application, click Users and Groups in the left hand side menu and then Add user button.

   

6. You can now login to your AWS accounts using AWS SSO User portal URL or myapplications.microsoft.com webpage.

Closing remarks

Hope you will find this guide useful.

I would like to thank my team mate Guru for help with the screenshots! ;)