This integrates the AWS IAM Identity Center with the Azure AD as a SSO solution.
This will use terraform to configure the AWS IAM Identity Center and the Azure AD services as described in the Tutorial: Azure AD SSO integration with AWS IAM Identity Center.
It will create the Azure AD Users, Application, Application Roles, Enterprise Application (aka Service Principal) that can be used to login into AWS.
It will create the homologous AWS Identity Center Users, Groups, and Permissions Sets to login into AWS.
You can test this in the Azure AD of Free Microsoft 365 E5 instant sandbox and in the AWS Free Tier.
Be aware that this is not configuring Automatic User Provisioning. Its creating the users in both directories: Azure AD and AWS Identity Center.
Be aware that the AWS IAM Identity Center can only be connected with a single Azure AD. For more information see the FAQ: Can I connect more than one identity source to IAM Identity Center?.
Be aware of the AWS IAM Identity Center User Guide Troubleshooting section, especially the Error 'An unexpected error has occurred' when a user tries to sign in using an external identity provider.
Be aware that although AWS Single Sign-On was renamed to AWS IAM Identity Center, the sso and identitystore API namespaces (and terraform names) continue to retain their original name for backward compatibility purposes. For more information, see IAM Identity Center rename.
Create an Azure account.
Create an AWS account, choose a region, and then just enable the IAM Identity Center (this will also enable the AWS Organizations service).
Install the required tools:
Login into Azure:
az login --allow-no-subscriptionsNB If you are using the Free Microsoft 365 E5 instant sandbox, you should login as its administrator.
Ensure the expected account is set as default:
az account show
az account list
az account set --subscription=<tenantId or id>
az account showConfigure the AWS CLI to use a Secret Key to access AWS:
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identityInitialize terraform:
make terraform-initLaunch the example:
make terraform-plan
make terraform-applyOpen the AWS Identity Center page and:
- Go to the
Dashboardpage. - Change the identity source to
External service provider:- Click the
Choose your identity sourcelink. - Under the
Identity sourcetab, click theActionsbutton, and chooseChange identity source. - Click
External service provider. - Click the
Nextbutton.
- Click the
- Under the
Service provider metadatasection:- Copy the
IAM Identity Center Assertion Consumer Service (ACS) URLand paste it into theaws_saml_acsvariable value inside theaws-permissions.tffile. - Copy the
IAM Identity Center issuer URLand paste it into theaws_saml_entity_idvariable value inside theaws-permissions.tffile. - Execute
make terraform-planand review the plan. - Execute
make terraform-applyand wait for it to finish. - Execute
terraform output -raw saml_metadata_document >azure-ad-idp-saml-metadata.xml
- Copy the
- Under the
Identity provider metadata,IdP SAML metadatasection:- Click the
Choose filebutton, and upload theazure-ad-idp-saml-metadata.xmlfile created in the previous step.
- Click the
- Click
Next. - Review and confirm.
- Click
Change identity source.
Show the AWS access portal URL (aka SSO start URL):
terraform output -raw aws_access_portal_urlOpen the AWS access portal URL in a web browser, and login with the Alice credentials:
terraform output -raw alice_email
terraform output -raw alice_passwordOpen a new shell session, and configure the AWS CLI to use a SSO generated
token to access AWS as Alice:
aws configure ssoThe questions, answers, and output will be something alike:
SSO session name (Recommended): cli
SSO start URL [None]: https://d-0000000000.awsapps.com/start
SSO region [None]: eu-west-1
SSO registration scopes [sso:account:access]:
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
https://device.sso.eu-west-1.amazonaws.com/
Then enter the code:
0000-0000
The only AWS account available to you is: 00000000
Using the account ID 00000000
There are 2 roles available to you.
Using the role name "Readers"
CLI default client Region [None]:
CLI default output format [None]:
CLI profile name [Readers-00000000]: Alice-Readers
To use this profile, specify the profile name using --profile, as shown:
aws s3 ls --profile Alice-Readers
Use the profile, and show the user, user amazon resource name (arn), and the account id:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
export AWS_PROFILE='Alice-Readers'
aws sts get-caller-identity
This should show something alike:
{
"UserId": "000000000000000000000:[email protected]",
"Account": "00000000",
"Arn": "arn:aws:sts::00000000:assumed-role/AWSReservedSSO_Readers_0000000000000000/[email protected]"
}After you are done testing as Alice, logout, and exit the shell:
aws sso logout
exitWhen you later need to login again, you can skip the aws configure sso step,
and use aws sso login as:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
export AWS_PROFILE='Alice-Readers'
aws sso login
aws sts get-caller-identityAfter you are done testing, and are ready to destroy everything, return to the
original shell, the one that is using the AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY environment variables, and destroy everything:
make terraform-destroy
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent