AWS SSO With ADFS - Part 2
I’d assume ADFS has already been set up correctly.
We’ll only concentrate on how to set up the ADFS side and the AWS side for SSO with SAML.
Design & Implementation
We will be using
Identity providers -
SAML type - with Provider name as ->
The metadata document can be obtained from the URL:
We need to create one role per kind of user, so that everyone in the same AD group is mapped to the same role in AWS.
Let’s create a role called sandbox-admin and attach the “Administrators” permission to it.
SAML 2.0 federation
ADFS (previously created) as the provider
- Select the way you want users to access the console or resources; here I select
Allow programmatic and AWS Management Console access
- Next, permissions: we tick
- Next, Next, Role name:
Up to here, the AWS side is finished.
On-prem AD side
The main steps are pretty much the same as in: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
However, I made some changes to adopt more features:
As users will be granted permissions by joining an AD group, we need to create a group before doing anything. The group name is built from three parts:
- AWSGlobal: hard-coded prefix showing what the group is for. <- by having this part, you will be able to map to different partitions, like China or Gov
- 123456789012: AWS Account ID, as digits. <- by changing this part, you will be able to map to different accounts.
- sandbox-admin: role name (created on the AWS side). <- by changing this part, you will be able to log in to a different role with different permissions.
In the ADFS configuration, the Role attribute should be the following:
Leave the rest the same as in the link above.
Then try to log in from the ADFS portal; you will be redirected to the AWS Console with the correct permissions, as
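The group naming convention and the Role attribute above are the whole mapping: a group name carries the partition, the account and the role, and ADFS turns it into a Role claim of the form "provider ARN,role ARN". The script below is an added example written for this post, not the author's claim rules and not AWS or ADFS code; it models that translation in Python so the convention can be checked against a list of group names before it is trusted in production. It assumes hyphens separate the three parts (the post does not spell out the separator), that the SAML provider on the AWS side is named ADFS as in the post, and it adds two invented prefixes, AWSChina and AWSGov, to show how the prefix selects a partition. Groups that do not match the convention exactly (wrong prefix, account ID that is not 12 digits, stray characters) yield no Role claim at all, which is the safe outcome: a user in an unrelated group must never be handed a role.

```python
import re
from typing import Dict, List, Optional

# Assumed mapping from group-name prefix to AWS partition. "AWSGlobal" is the
# prefix used in the post; "AWSChina" and "AWSGov" are names invented for this
# example to illustrate the China and GovCloud partitions.
PARTITION_BY_PREFIX = {
    "AWSGlobal": "aws",
    "AWSChina": "aws-cn",
    "AWSGov": "aws-us-gov",
}

# Name of the SAML identity provider created on the AWS side (from the post).
SAML_PROVIDER_NAME = "ADFS"

# Strict shape: <prefix>-<12-digit account id>-<role name>. The role name is
# limited to characters IAM allows in role names, minus the comma, because a
# comma is the separator inside the Role claim value.
GROUP_PATTERN = re.compile(
    r"^(?P<prefix>[A-Za-z]+)-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$"
)

# Shape of each ARN inside an issued Role claim, used when parsing a claim back.
ARN_PATTERN = re.compile(
    r"^arn:(?P<partition>[a-z-]+):iam::(?P<account>\d{12}):(?P<resource>.+)$"
)


def group_to_role_claim(group_name: str) -> Optional[str]:
    """Translate one AD group name into the value ADFS should issue for the
    https://aws.amazon.com/SAML/Attributes/Role claim.

    Returns None when the group does not follow the convention, so that the
    caller issues nothing for it.
    """
    m = GROUP_PATTERN.match(group_name)
    if m is None:
        return None
    partition = PARTITION_BY_PREFIX.get(m.group("prefix"))
    if partition is None:
        return None  # unknown prefix: refuse rather than guess a partition
    account = m.group("account")
    role = m.group("role")
    # Same order as the AWS blog post linked above: provider ARN, then role ARN.
    return (
        f"arn:{partition}:iam::{account}:saml-provider/{SAML_PROVIDER_NAME},"
        f"arn:{partition}:iam::{account}:role/{role}"
    )


def role_claims_for_groups(groups: List[str]) -> List[str]:
    """Return the Role claim values for a user's group memberships; groups
    outside the convention are skipped, not mapped."""
    claims = []
    for name in groups:
        value = group_to_role_claim(name)
        if value is not None:
            claims.append(value)
    return claims


def parse_role_claim(value: str) -> Optional[Dict[str, str]]:
    """Split an issued Role claim back into partition, account, provider and
    role, checking that both ARNs share one partition and account.

    Handy when reviewing a decoded SAML response; returns None if malformed.
    """
    parts = value.split(",")
    if len(parts) != 2:
        return None
    matches = [ARN_PATTERN.match(p) for p in parts]
    if not all(matches):
        return None
    first, second = matches
    if (first.group("partition") != second.group("partition")
            or first.group("account") != second.group("account")):
        return None
    resources = {m.group("resource") for m in matches}
    provider = next((r for r in resources if r.startswith("saml-provider/")), None)
    role = next((r for r in resources if r.startswith("role/")), None)
    if provider is None or role is None:
        return None
    return {
        "partition": first.group("partition"),
        "account": first.group("account"),
        "provider": provider[len("saml-provider/"):],
        "role": role[len("role/"):],
    }


# Constructed sample of one user's group memberships, including groups that
# must be ignored (wrong account-id length, unknown prefix, ordinary AD group).
SAMPLE_GROUPS = [
    "AWSGlobal-123456789012-sandbox-admin",
    "AWSChina-210987654321-readonly",
    "Domain Users",
    "AWSGlobal-1234-sandbox-admin",
    "AWSOther-123456789012-admin",
]

if __name__ == "__main__":
    for claim in role_claims_for_groups(SAMPLE_GROUPS):
        print(claim, "->", parse_role_claim(claim))
```

Run it as a script to see which of the sample groups produce a Role claim; only the two well-formed names do. If a real claim rule is written with RegExReplace as in the linked AWS post, the same pattern can be reused there, and the strictness of the account-ID and role-name character classes is what keeps a loosely named group from becoming an unintended role assumption.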
Have fun there.