Almoayyed Computers Middle East (ACME) using AWS SSO service to centrally manage SSO access for multiple AWS accounts and business applications. Employees can sign in with their existing corporate credentials to access their business applications from a single user portal.
With AWS Single Sign-On, you can easily control who can have single sign-on (SSO) access to your cloud applications. Users get one-click access to these applications after they use their directory credentials to sign into their user portal.
What is single sign-on (SSO)
Single sign-on means a user doesn't have to sign into every application they use. The user logs in once and that credential is used for other apps too.
Single sign-on based authentication systems are often called "modern authentication". Modern authentication and single sign-on fall into a category of computing called Identity and Access Management (IAM).
Benefits of Integration of AWS Single Sign-On (SSO) with Azure AD
- Control in Azure AD who has access to Amazon Web Services (AWS).
- Enable users to be automatically signed-in to Amazon Web Services (AWS) with their Azure AD accounts.
- Manage accounts in one central location that is Azure portal.
- An Azure AD subscription.
- An AWS subscription.
How to do it
High Level Diagram
Configure the integration of AWS Single Sign-On (SSO) into Azure AD
- Sign into the Azure portal using a work account, school account, or personal Microsoft account.
- In the Azure portal, search for and select Azure Active Directory.
- Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications.
- Select New application to add an application.
- In the Add from the gallery section, type Amazon Web Services (AWS) in the search box.
- Select Amazon Web Services (AWS) from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Configure and test Azure AD SSO for Amazon Web Services (AWS)
- Create an Azure AD user
- Configure Amazon Web Services (AWS) SSO
- Test SSO
Configure Amazon Web Services (AWS) SSO
- sign-on to your AWS company site as an administrator.
- Select AWS Home.
- Select Identity and Access Management..
- 4. Select Identity Providers > Create Provider.
- On the Configure Provider page, Provide Provider name and Type
- Upload your downloaded metadata file from the Azure portal, select Choose File
- On the Verify Provider Information page, select Create.
- Select Roles > Create role.
- On the Create role page, Under Select type of trusted entity, select SAML 2.0 federation.
- Under Choose a SAML 2.0 Provider, select the SAML provider you created previously
- Select Allow programmatic and AWS Management Console access.
- Attach permissions policies
- Create role as many roles as needed and map them to the identity provider.
- In the IAM section, select Policies
- Create a new policy by selecting Create policy for fetching the roles from the AWS account in Azure AD user provisioning.
How to configure role provisioning in Amazon Web Services (AWS)
- In the Azure AD management portal, in the AWS app, go to Provisioning.
- Enter the access key and secret in the client secret and Secret Token fields, respectively.
- In the Settings section, for Provisioning Status, select On. Then select Save.
Test your Azure AD single sign-on configuration using the Access Panel. When you click the Amazon Web Services (AWS) tile in the Access Panel, you should be automatically signed into the Amazon Web Services (AWS) for which you set up SSO
Browse to https://myapps.microsoft.com and login with your Azure Credential, your will get below page-
Click on Amazon Web Services and will redirect to AWS console with asking additional credential of AWS. The account and page are shown below.