AWS SSO With ADFS - Part 2
I’d assume ADFS has already been setup correctly.
We’ll only concentrate on How to setup ADFS side and AWS side for SSO with SAML
Design & Implementation
AWS Side
We will be using Identity providers - SAML type - with Provider name as -> ADFS
Metadata Document can be granted from URL: https://<your_adfs_url>/FederationMetadata/2007-06/FederationMetadata.xml
We need to create Role for all kind-like users in the same AD group to be mapped in AWS.
Let’s create a role called <accountName>-admin, like sandbox-admin, and binds with “Administrators” permission with it.
- Select
SAML 2.0 federation - Select
ADFSpreviously created as the provider - Select the way you want users to access the console or resources, here I select
Allow programmatic and AWS Management Console access - Next, permission, we tick
Administrators - Next, Next, Role name:
sandbox-admin
Till here, all AWS side is finished.
On-prem AD side
The main steps are pretty much the same as: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
However, I made some changes to adopt with more features:
As users will be granting permissions by joining to an AD group, so we will need to create a group before doing anything: AWSGlobal-123456789012-sandbox-admin
- AWSGlobal: hard-coded value as prefix showing what is this for. <- by having this one, you will be able to map to different region, like China or Gov
- 123456789012: AWS Account ID in number. <- by changing this bit, you will be able to map to different accounts.
- sandbox-admin: role name (created in AWS side). <- by changing this, you will be able to login to different role with different permission.
In ADFS configuration, Role Attributes should be following:
| |
Leave the rest the same as above link.
Then try to login from ADFS portal, you will be redirect to AWS Console with correct permission as sandbox-admin.
Have fun there.
R