Not an Oracle blog for a change, but when an organization uses both Amazon Web Services (AWS) and Microsoft Office 365 it is possible to offer single sign-on based on the internal directory Microsoft uses (Azure AD). Since RubiX has used both cloud products since day one, I decided to look into integrating them when Microsoft recently enabled SAML federation.
In this blog I will demonstrate how to connect Amazon Web Services (AWS) to the Azure Active Directory (AAD) tenant behind Office 365. After following these steps your users should be able to log in to AWS from the Office 365 app menu.
1. Configure Microsoft Office 365 / Azure Active Directory (AAD)
Go to your Office 365 administration console and select Azure AD from the ADMIN menu.
In the Azure AD console select “Active Directory”, click on your Office 365 domain name and the AD menu opens. Click on “Applications” in the top menu.
By default you will see a lot of Microsoft web applications, so click on “Add+” in the bottom menu and then select “Add application from the gallery”.
The AWS application will be added to your list. Select Configure Single Sign-On next.
We will select the 1st option (MS AAD SSO) to establish federation between AAD & AWS. The Federated Single Sign-On enables the users in your organization to be automatically signed in to a third-party application like AWS by using the AAD user account information. In this scenario, when you have already been logged into Office 365 the federation eliminates the need for you to login again to AWS.
In this case we don’t need any of the advanced settings, so click Next.
Download the metadata XML, store it for later use, and make sure to tick the checkbox.
Go to the Users tab and assign (bottom button) the users who are allowed to log in to AWS.
Before we can finalize our SSO from AAD, we first need to setup AWS.
2. Configure Amazon Web Service (AWS)
Log in to your AWS account and open Identity & Access Management (IAM).
First we will create an Identity Provider for AAD.
Select SAML as Provider Type and choose a logical name (I use “Office365” in my example).
Browse to the exported metadata we downloaded from the AAD console earlier.
Important: check your metadata XML file before importing it
- The metadata XML exported from Azure may be encoded as UTF-8 with a byte order mark (BOM). Convert it to UTF-8 without BOM, otherwise the AWS console will not be able to import it.
- Remove the <?xml version="1.0"?> declaration on line 1, otherwise AWS will not be able to parse the file.
As a result we now have a SAML provider configured, so time to set some roles.
Select Roles in the IAM menu, select “Create New Role” and give your role a logical name (I use “RubixUsers” here)
In the Role Type select “Grant Web Single Sign-On (WebSSO) access to SAML providers”.
- Select the SAML provider we trust, i.e. the “Office365” provider created earlier.
- In the next step we could customize the policy; we leave it as it is, so click Next.
- In the following step select the policy you want to attach to your SSO users. You can go fine grained with policies, but for now I will use the default PowerUser policy.
- The last screen shows a review of the configuration. Make sure to note down the Role ARN and the Trusted Entities:
Role ARN = arn:aws:iam::[customerID]:role/[RoleName]
Trust = arn:aws:iam::[customerID]:saml-provider/[ProviderName]
3. Configure Microsoft Office 365 / Azure Active Directory (AAD) – part 2
Go back to the AAD management console (https://manage.windowsazure.com).
Select applications -> Amazon Web Services (AWS) -> Attributes
Add the following 2 attributes:
- name = https://aws.amazon.com/SAML/Attributes/Role
- value = arn:aws:iam::[customerID]:role/[RoleName],arn:aws:iam::[customerID]:saml-provider/[ProviderName]
- name = https://aws.amazon.com/SAML/Attributes/RoleSessionName
- value = user.userprincipalname
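An added example in Python (not code from the post, Microsoft or AWS) that covers the two hands-on parts of steps 2 and 3: it applies the BOM and XML-declaration fixes to a downloaded metadata file and checks that what is left is really identity-provider metadata, then builds the value(s) for the Role attribute from the role and provider names. It goes beyond the post in accepting several role names, since AWS allows more than one role/provider pair in that attribute; the account ID, the sample metadata and the tenant placeholder are constructed.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
UTF8_BOM = b"\xef\xbb\xbf"
XML_DECL = re.compile(rb"^\s*<\?xml[^>]*\?>\s*")
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|saml-provider)/[\w+=,.@-]+$")


def clean_metadata(raw: bytes) -> bytes:
    """Apply the two fixes from the post to downloaded IdP metadata: drop a
    UTF-8 BOM and the leading <?xml ...?> declaration, then check that what
    remains is SAML 2.0 metadata describing an identity provider."""
    body = raw[len(UTF8_BOM):] if raw.startswith(UTF8_BOM) else raw
    body = XML_DECL.sub(b"", body, count=1)
    root = ET.fromstring(body)  # raises ParseError if the XML is broken
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    return body


def build_role_attribute_values(account_id, provider_name, role_names):
    """Return the values for https://aws.amazon.com/SAML/Attributes/Role,
    one '<role ARN>,<provider ARN>' string per role. AWS accepts several
    such values when a user may choose between roles at sign-in."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    if not ARN_RE.match(provider_arn):
        raise ValueError(f"malformed provider ARN: {provider_arn}")
    values = []
    for name in role_names:
        role_arn = f"arn:aws:iam::{account_id}:role/{name}"
        if not ARN_RE.match(role_arn):
            raise ValueError(f"malformed role ARN: {role_arn}")
        values.append(f"{role_arn},{provider_arn}")
    return values


# Constructed sample standing in for the Azure AD download: BOM, declaration,
# and a minimal IdP descriptor with a placeholder tenant ID.
SAMPLE_METADATA = (
    UTF8_BOM + b'<?xml version="1.0"?>\n'
    b'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    b'entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">'
    b'<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
    b'Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>'
    b'</IDPSSODescriptor></EntityDescriptor>'
)
```

Run `clean_metadata` on the real download before uploading it in the IAM console, and paste each string from `build_role_attribute_values` as a separate value of the Role attribute in the AAD application.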
4. Result
With these configuration steps in place you can now log in to AWS from your Office 365 apps tile.
Ingo Dettmar
30-11-2016 at 08:03
Great article, thank you!
Krishna Chaitanya Ch
19-02-2017 at 19:31
Wonderful article, it was really helpful. I would also like to know how to add multiple roles for the same provider. I tried, but AWS fails to create a second IDP in the same AWS account for the same Azure AD.