DEV Community

Cover image for Case Study: Connecting Azure AD SSO with AWS
Bervianto Leo Pratama for AWS Community Builders

Posted on • Updated on

Case Study: Connecting Azure AD SSO with AWS

Introduction

We will learn how to connect Azure AD with AWS. We will use Azure AD as the identity provider, so Azure AD users will be used to log in to AWS. Let's dive deep into each component.

Azure AD

I will not explain too much about Azure AD. I'll recommend reading the documentation and the home page of the Azure AD. In short, Azure AD (Azure Active Directory) is a cloud-based identity and access management service. You can use the identity provided by Azure AD for connecting various applications or services, including AWS. If you want to learn more about Azure AD, please visit the documentation.

Azure AD SSO with AWS

For connecting Azure AD with AWS, we will need an Enterprise Application. Azure AD has an application gallery to provide a "template" for connecting Azure AD with another SaaS (Software as a Service). Application gallery will help us to create the Enterprise Application, and we can configure the Enterprise Application for single sign-on (SSO) and automated user provisioning. If you want to know more about the application gallery, you might need to read this documentation. But in this post, we will learn to set up the Enterprise Application and configure it for SSO.

We have two approaches to setting up the Enterprise Application. First, we use single AWS Apps to connect multiple AWS Accounts. Last, we create an AWS app for each AWS account.

Single AWS Apps

Single AWS Apps is a model to centralize the configuration, and we only use one Enterprise App to connect multiple AWS Accounts. You will need this approach if you have a small amount of AWS Accounts and roles. We can't configure many AWS Accounts because there is a limitation for the manifest. In contrast, you will need Multiple AWS Apps for the case of large numbers of AWS Accounts.

Single AWS App

Multiple AWS Apps

Multiple AWS Apps is a model to map each AWS Account into one AWS Apps. The disadvantage of this model is we need to manage many apps and monitor each app. Other than that, we need to automate of each process to minimize wrong configurations.

Do you imagine how we update the signing certificate for 100 AWS Accounts manually? You will quickly be exhausted and upload the wrong configuration. After that, the SSO doesn't work.

It will become a nightmare if we can't automate the configuration. We are using MS Graph SDK and AWS SDK to solve that problem.

Multiple AWS App

Flow

TLDR

In general, you only need to configure the Enterprise App, download the XML from the Enterprise App, upload the XML to AWS Identity Provider, and configure the roles to use the Identity Provider.

tldr flow

Flow in Technical Term

You might need to see this diagram for details in technical terms.

technical

Repositories

Feel free to check this repository of my project. Please give feedback about this project because this project doesn't fully automate. I plan to have a "save" state and validation of the existing Enterprise App. Currently, the project is assumed to create a new Enterprise App.

GitHub logo bervProject / AzureADxAWSIntegrator

Azure AD x AWS Integrator

Azure AD SSO Automate - AWS

Flow

General Flow

flowchart LR
    subgraph azuread[Azure AD]
        aad1[Settings Enterprise Application] --> aad2[Download XML Federation]
    end
    subgraph aws[AWS]
        aad2 --> aws1[Settings Identity Provider]
        aws1 --> aws2[Add/Create Role]
    end

Flow (Technical Terms)

flowchart TD
    subgraph azuread[Azure AD]
        aad1[Create Enterprise App from Templates] --> aad2[Update Service Principal & App Registration to use SAML]
        aad2 --> aad3[Configure Service Principal Roles]
        aad3 --> aad4[Configure Claim Mapping Policies & Assign to Service Principal]
        aad4 --> aad5[Configure Singing Certificates for Service Principal]
        aad5 --> aad6[Optional - Configure User & Assign to a role]
    end
    subgraph aws[AWS]
        aad5 --> aws1[Add/Get SAML Provider]
        aws1 --> aws2[Create/Update Role to be assigned with SAML Provider]    
    end

Setup Project

Environment Variables

## For the Console App/Business Flow, planned to be removed
AWS_ACCOUNT_ID=
## For AWS SDK
AWS_PROFILE=
# For Azure AD / Microsoft Graph
CLIENT_ID=
CLIENT_SECRET=
TENANT_ID=
Enter fullscreen mode Exit fullscreen mode

Note/Details:

  1. Please see here for…

Project Details

I use .NET as the main programming language. You can use different languages if you are more familiar with them as long as it's supported by the SDK/library.

General View

I have 3 projects in this repository. The first project is responsible to connect with Microsoft Graph API. The second one is responsible to connect with AWS API. The last one is responsible to manage the business flow to connect both projects.

Azure Integrator

Please see this diagram for the full steps of the Azure Integrator project.

Azure Integrator

AWS Integrator

Please see this diagram for the full steps of the AWS Integrator project.

AWS Integrator


For more details, please refer to the documentation in the repository. I will keep the project up to date.

Testing the SSO

  1. Go to the myapps.microsoft.com. Click the AWS Icon.

    My Apps

  2. You will be redirected to AWS Dashboard. Please make sure your role and username are correct.

    AWS Dashboard

  3. On my side, my account is allowed to see the EC2 instances. You can configure the role based on your needs.

    ec2

Thank you

Thank you for reading. Feel free to give feedback for the process, project and this post.

Thanks

References

Main Resources

Azure AD (AAD)

AWS

Setup SSO Manually - Single Account

Setup SSO Manually - Multiple Accounts

Another Topic - Provisioning

Another Code Samples

Tools/SDK Documentation

Oldest comments (0)

🌚 Friends don't let friends browse without dark mode.

Sorry, it's true.