Introduction
- The AWS IAM identity center successor of Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.
- With AWS IAM identity center, you can easily manage access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts.
- You can assign user permissions based on common Job functions and customize these permissions to meet your specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as Salesforce, Box, and Office 365.
Important Points
- Organizations having multiple AWS accounts, want to have a clean mechanism to login to different AWS accounts.
- AWS SSO is a free service and is backed by infrastructure across multiple AWS regions.
- Having individual IAM users in every account is tedious and not a good practice.
- Joiner, mover, leaver process is not properly implemented with usage of IAM users.
- Users do not want to remember one more credential to login to AWS console.
- With AWS SSO, you can easily authenticate against existing corporate AD. AWS SSO now supports Azure AD as an External Identity Source.
- Management of rights for different AWS accounts could be configured at AWS SSO level.
- Users and Groups in AD become available in AWS SSO via Automatic Provisioning.
- Permission Sets are a combination of Managed & Custom IAM policies which could be mapped against an AWS account (s) and an AD group (or user).
- Administrators of these applications are also empowered to assign users and groups access directly within the application.
SSO Workflow Diagram
SSO Working process
- User opens the browser and enters the URL.
- Request access to web app server.
- Generates SAML requests and redirects to AD server.
- User is authenticated.
- SAML token will be generated and sent to the browser
- Browser redirects the token to the web app server.
- The web app server then validates the SAML response or token.
- If the response is legitimate, then the web app server will grant access to the web page.
- The token will have a validity for a certain time window or for the entire session.
Benefits
- Centrally manage access permissions to AWS accounts .
- Create users in AWS SSO or connect to your existing identity system .
- Access accounts and applications from one place .
- Easy to use .
POC on How AWS IAM identity center works
- In order to show how AWS IAM IS (SSO) works we will connect it to the azure active directory.
- Organizations usually like to maintain a single identity across their range of applications and AWS cloud environments. Azure Active Directory (AD) is a common authentication method as Office 365 often is used among companies, and might be the hub of authentication as it often is integrated with other applications as well.
- If you are using AWS IAM IS [ Single Sign-On (SSO)] you can leverage your existing identity infrastructure while enabling your users to access their AWS accounts and resources at one place. By connecting Azure AD with AWS SSO you can sign in to multiple AWS accounts and applications using your Azure AD identity with the possibility to enable automatic synchronization of Azure AD Users/Groups into AWS SSO.
CREATING A NEW AZURE ENTERPRISE APPLICATION
Login to your Azure portal and open AZURE ACTIVE DIRECTORY. Under the Manage section, click on ENTERPRISE APPLICATION.
Click NEW APPLICATION and search for “AWS” select AWS SINGLE SIGN-ON, give your new application an appropriate name and click CREATE.
Once the Azure gods have created our new application, head into the OVERVIEW page and select SET UP SINGLE SIGN-ON and choose the SAML option.
Under section, SAML Signing Certificate click DOWNLOAD next to Federation Metadata XML.
Please keep this page open as we later need to upload the metadata XML file from AWS IAM IS (SSO).
SETUP AWS IAM Identity Center (SSO)
Login to AWS management console and search for AWS IAM identity center earlier known as AWS SSO.
Click CHOOSE YOUR IDENTITY SOURCE. You can also configure your custom User portal URL if you’d like but it is not required.
Select EXTERNAL IDENTITY PROVIDER. Upload the AD FEDERATION METADATA XML FILE downloaded earlier inside the IDP SAML METADATA SECTION and download the AWS SAML METADATA
In the Azure SAML page, click UPLOAD METADATA FILE and upload the AWS SSO SAML METADATA FILE.
SETTING UP AUTOMATIC PROVISIONING
- The connection between Azure AD and AWS SSO is now established, we can proceed to enable automatic provisioning to synchronize users/groups from Azure AD to AWS SSO.
- NOTE THAT YOU CAN USE AZURE AD GROUPS BUT NOT NESTED GROUPS IE. GROUPS THAT ARE INTO GROUPS.
- Head over to the PROVISIONING page and change the mode to AUTOMATIC. Please keep this page open as we will copy values from AWS SSO.
In the AWS SSO Settings page, click Enable automatic provisioning
Take note of both values given in the popup
In the PROVISIONING page in the Azure portal, expand the ADMIN CREDENTIALS section and insert the values from above. It is also recommended to add an email address for notification of failures.
SCIM endpoint > Tenant URL
Access token > Secret Token
NOTE THAT THESE TOKENS EXPIRE AFTER 1 YEAR AND SHOULD BE RENEWED FOR CONTINUOUS CONNECTIVITY.
Click TEST CONNECTION and it should result in a success message.
Cascab ac h
Expand the Mapping section and click SYNCHRONIZE AZURE ACTIVE DIRECTORY USERS TO CUSTOMAPPSSO.
Which attributes you want to sync over depends on your setup, but default setups you can remove all attributes except:
- userName
- active
- displayName
- emails
- name.givenName
- name.familyName
You then create a new attribute mapping objectId with externalId.
IMPORTANT TO NOTE IS THAT YOU CAN MODIFY THE EMAIL ATTRIBUTE TO USE USERPRINCIPALNAME OVER MAIL AS NOT ALL USERS HAVE OFFICE365 LICENSES WHICH LEAVE THAT ATTRIBUTE NULL.
- In the PROVISIONING page, you can now set the Status to ON. It is recommended leaving Scope set to SYNC ONLY ASSIGNED USERS AND GROUPS.
- Click SAVE, it should take about 5 minutes for it to start synchronizing.
- Our AWS SSO and Azure AD connection is now fully set up, when you assign Azure Users/Groups to the enterprise app, they will then appear in AWS SSO Users/Groups within around 40 minutes.
CREATION AND ASSIGNMENTS OF AWS SSO PERMISSION SETS
- Using Permission Sets, we can assign permissions to synchronized Groups and Users, these permission sets will later create IAM roles in accounts which they are assigned.
- You can create new Permission Sets based on AWS Identity and Access Management (IAM) managed policies or create your own custom policies.
- To create a new Permission Set in the AWS Management console you can follow the below steps:
- Go to the AWS SSO management portal, in the navigation pane, choose AWS accounts and then the AWS ORGANIZATION TAB.
- In AWS account, choose the account that you want to create a permission set for, and then choose ASSIGN USERS.
- In DISPLAY NAME, choose the user name that you want to create the permission set for, and then choose NEXT: PERMISSION SETS.
- In SELECT PERMISSION SETS, choose CREATE NEW PERMISSION SET.
- In CREATE NEW PERMISSION SET, choose USE AN EXISTING JOB FUNCTION POLICY or CREATE A CUSTOM PERMISSION SET depending on your needs, click NEXT DETAILS, and then select a job function or create a custom policy or managed policy.
- You can then complete the guide and click CREATE.
You should then see the message “We have successfully configured your AWS account. Your users can access this AWS account with the permissions you assigned”.
Sign in is accomplished using the familiar Azure AD experience, and users will be able to choose the accounts and roles to assume in the AWS SSO portal.
zYou now also have the possibility to use your existing automation process on how you apply for access, grant and revoke access to systems.
