Skip to content

Seamless AWS Access - Setting Up Azure AD as a Federated Identity Provider

Imagine you run a growing organization where employees need access to AWS services. Managing individual IAM users for each employee would be complex and inefficient. This is where identity federation becomes a game-changer. Instead of creating separate IAM users, you can configure Azure AD as an identity provider, allowing employees to log into AWS using their existing Azure AD credentials. This setup leverages SAML federation, ensuring seamless and secure access management without the overhead of IAM user administration.

In this blog post, we'll explore identity federation, its key concepts, and how to set up Azure AD as an identity provider for AWS.

What is Federation?

Federation enables users to authenticate using their existing credentials from a trusted identity provider (IdP) rather than creating separate accounts for different applications. This allows multiple systems or organizations to establish trust, enabling Single Sign-On (SSO) and seamless access to resources across different platforms.

Key Concepts in Federation

Federated Identity (SAML Federation)

  • Users authenticate via an external identity provider (IdP) instead of managing credentials separately for each application.
  • For example, logging into a website using Google or Facebook credentials means the identity is federated.
  • The identity provider verifies the user's credentials and shares user attributes (such as email and user ID) with the relying application.

Delegated Authentication

  • Instead of handling authentication directly, an application (OAuth2 client) delegates the process to an external provider.
  • Protocols like SAML and OpenID Connect (OIDC) are commonly used for this, depending on the use case.
  • The OAuth2 authorization server trusts the identity provider to authenticate the user securely.

Single Sign-On (SSO)

  • Federation allows SSO, meaning users authenticate once and can access multiple applications without needing to log in again.
  • Example: Employees signing into corporate applications via Azure AD gain access to various services without repeated logins.

Identity Providers (IdPs)

  • Common identity providers used in a federated OAuth2 setup include:
  • Google
  • Facebook
  • Azure AD
  • Okta
  • Any SAML or OpenID Connect compliant provider
  • The SAML or OpenID Connect provider establishes a federation relationship with these IdPs, allowing authentication via external credentials.

Configuring Azure AD as an Identity Provider for AWS

Organizations often use Azure AD for authentication while running workloads on AWS. By integrating AWS IAM Identity Center (formerly AWS SSO) with Azure AD, users can log in to AWS resources using their Azure credentials.

Steps to Set Up Azure AD for AWS Access

  1. Configure IAM Roles for SAML Users
  2. In AWS IAM, create roles with permissions needed for users.
  3. Link the role with the identity provider by configuring the SAML trust relationship.
  4. Define role mappings in AWS IAM Identity Center, so users receive appropriate permissions upon logging in.
  5. AWS STS will issue temporary credentials for users based on their assigned role.
  6. Enable IAM Identity Center in AWS: Navigate to IAM Identity Center in the AWS console and select External Identity Provider.
  7. Register AWS in Azure AD: In the Azure Portal, add AWS as an enterprise application under Azure Active Directory.
  8. Configure SAML in Azure AD: Enable Single Sign-On (SSO) and set up SAML attributes.
  9. Integrate with AWS IAM Identity Center: Upload the Azure AD Metadata XML in AWS and configure user mappings.
  10. Assign Users and Groups: Ensure assigned users/groups match in both Azure AD and AWS IAM Identity Center.
  11. Test the Integration: Verify login via Azure AD and check role-based access.

SAML Federation Flow

  1. User attempts to log in to an application.
  2. The application redirects the user to a SAML identity provider (e.g., Azure AD).
  3. The user authenticates with the identity provider.
  4. The identity provider returns a SAML assertion to AWS IAM Identity Center.
  5. AWS Security Token Service (STS) issues temporary security credentials based on the SAML assertion.
  6. The user assumes an IAM role in AWS, granting them appropriate permissions.
  7. The application uses these temporary credentials to grant access to AWS resources.

Key Benefits

  • Centralized Access Management: Manage AWS permissions via Azure AD.
  • Single Sign-On: Users authenticate once to access AWS services.
  • Enhanced Security: Enforce Conditional Access Policies and MFA.

With this setup, organizations can leverage Azure AD’s security while ensuring streamlined access control in AWS.

Happy coding! 💻