Integrating Azure AD and G-Suite – Automated Provisioning

Posted on February 13, 2018 by mattfeltonma

Today I’ll wrap up my series on Azure Active Directory’s (Azure AD) integration with Google’s G-Suite. In my first entry I covered the single-sign on (SSO) integration and in my second and third posts I gave an overview of Google’s Cloud Platform (GCP) and demonstrated how to access a G-Suite domain’s resources through Google’s APIs. In this post I’m going to cover how Microsoft provides automated provisioning of user, groups, and contacts . If you haven’t read through my posts on Google’s API (part 1, part 2) take a read through so you’re more familiar with the concepts I’ll be covering throughout this post.

SSO using SAML or Open ID Connect is a common capability of most every cloud solutions these days. While that solves the authentication problem, the provisioning of users, groups, and other identity-relates objects remains a challenge largely due to the lack of widely accepted standards (SCIM has a ways to go folks). Vendors have a variety of workarounds including making LDAP calls back to a traditional on-premises directory (YUCK), supporting uploads of CSV files, or creating and updating identities in its local databases based upon the information contained in a SAML assertion or Open ID Connect id token. A growing number of vendors are exposing these capabilities via a web-based API. Google falls into this category and provides a robust selection of APIs to interact with its services from Gmail to resources within Google Cloud Platform, and yes even Google G-Suite.

If you’re a frequent user of Azure AD, you’ll have run into the automatic provisioning capabilities it brings to the table across a wide range of cloud services. In a previous series I covered its provisioning capabilities with Amazon Web Services. This is another use case where Microsoft leverages a third party’s robust API to simplify the identity management lifecycle.

In the SSO Quickstart Guide Microsoft provides for G-Suite it erroneously states:

“Google Apps supports auto provisioning, which is by default enabled. There is no action for you in this section. If a user doesn’t already exist in Google Apps Software, a new one is created when you attempt to access Google Apps Software.”

This simply isn’t true. While auto provisioning via the API can be done, it is a feature you need to code to and isn’t enabled by default. When you enable SSO to G-Suite and attempt to access it using an assertion containing the claim for a user that does not exist within a G-Suite domain you receive the error below.

This establishes what we already knew in that identities representing our users attempting SSO to G-Suite need to be created before the users can authenticate. Microsoft provides a Quickstart for auto provisioning into G-Suite. The document does a good job telling you were to click and giving some basic advice but really lacks in the detail into what’s happening in the background and describing how it works.

Let’s take a deeper look shall we?

If you haven’t already, add the Google Apps application from the Azure AD Application Gallery. Once the application is added navigate to the blade for the application and select the Provisioning page. Switch the provisioning mode from manual to automatic.

Right off the bat we see a big blue Authorize button which tells us that Microsoft is not using the service accounts pattern for accessing the Google API. Google’s recommendation is to use the service account pattern when accessing project-based data rather than user specific data. The argument can be made that G-Suite data doesn’t fall under project-based data and the service account credential doesn’t make sense. Additionally using a service account would require granting the account domain-wide delegation for the G-Suite domain allowing the account to impersonate any user in the G-Suite domain. Not really ideal, especially from an auditing perspective.

By using the Server-side Web Apps pattern a new user in G-Suite can be created and assigned as the “Azure AD account”. The downfall with of this means you’re stuck paying Google $10.00 a month for a non-human account. The price of good security practices I guess.

Microsoft documentation states that the account must be granted the Super Admin role. I found this surprising since you’re effectively giving the account god rights to your G-Suite domain. It got me wondering what authorization scopes is Microsoft asking for? Let’s break out Fiddler and walk through the process that kicks off after clicking on the Authorization button.

A new window pops up from Google requesting me to authenticate. Here Azure AD, acting as the OAuth client, has made an authorization request and has sent me along with the request over to the Google which is acting as the authorization server to authenticate, consent to the access, and take the next step in the authorization flow.

When I switch over to Fiddler I see a number of sessions have been captured. Opening the WebForms window of the first session to accounts.google.com a number of parameters that were passed to Google.

The first parameter gives us the three authorization scopes Azure AD is looking for. The admin.directory.group and admin.directory.user are scopes are both related to the Google Directory API, which makes sense if it wants to manage users and groups. The /m8/feeds scope grants it access to manage contacts via the Google Contacts API. This is an older API that uses XML instead of JSON to exchange information and looks like it has been/is being replaced by the Google People API.

Management of contacts via this API is where the requirement for an account in the Super Admin role originates. Google documentation states that management of domain shared contacts via the /m8/feeds API requires an administrator username and password for Google Apps. I couldn’t find any privilege in G-Suite which could be added to a custom Admin role that mentioned contacts. Given Google’s own documentation along the lack of an obvious privilege option, this may be a hard limitation of G-Suite. Too bad too because there are options for both Users and Groups. Either way, the request for this authorization scope drives the requirement for Super Admin for the account Azure AD will be using for delegated access.

The redirect_uri is the where Google sends the user after the authorization request is complete. The response_type tells us Azure AD and Google are using the OAuth authorization code grant type flow. The client_id is the unique identifier Google has assigned to Azure AD in whatever project Microsoft has it built in. The approval_prompt setting of force tells Google to display the consent window and the data Azure AD wants to access. Lastly, the access_type setting of offline allows Azure AD to access the APIs without the user being available to authenticate via a refresh token which will be issued along with the access token. Let’s pay attention to that one once the consent screen pops up.

I plug in valid super user credentials to my G-Suite domain and authenticate and receive the warning below. This indicates that Microsoft has been naughty and hasn’t had their application reviewed by Google. This was made a requirement back in July of 2017… so yeah… Microsoft maybe get on that?

To progress to the consent screen I hit the Advanced link in the lower left and opt to continue. The consent window then pops up.

Here I see that Microsoft has registered their application with a friendly name of azure.com. I’m also shown the scopes that the application wants to access which jive with the authorization scopes we saw in Fiddler. Remember that offline access Microsoft asked for? See it mentioned anywhere in this consent page that I’m delegating this access to Microsoft perpetually as long as they ask for a refresh token? This is one of my problems with OAuth and consent windows like this. It’s entirely too vague as to how long I’m granting the application access to my data or to do things as me. Expect to see this OAuth consent attacks continue to grow in in use moving forward. Why worry about compromising the user’s credentials when I can display a vague consent window and have them grant me access directly to their data? Totally safe.

Hopping back to the window, I click the Allow button and the consent window closes. Looking back at Fiddler I see that I received back an authorization code and posted it back to the reply_uri designated in the original authorization request.

Switching back to the browser window for the Azure Portal the screen updates and the Test Connection button becomes available. Clicking the button initiates a quick check where Azure AD obtains an access token for the scopes it requires unseen to the user. After the successful test I hit the Save button.

Switching to the browser window for the Google Admin Portal let’s take a look at the data that’s been updated for the user I used to authorize Microsoft its access. For that I select the user, go to the Security section and I now see that the Azure Active Directory service is authorized to the contacts, user, and group management scopes.

Switching back to the browser window for the Azure Portal I see some additional options are now available.

The mappings are really interesting and will look familiar to you if you’ve ever done anything with an identity management tool like Microsoft Identity Manager (MIM) or even Azure AD Sync. The user mappings for example show which attributes in Azure AD are used to populate the attributes in G-Suite.

The attributes that have the Delete button grayed out are required by Google in order to provision new user accounts in a G-Suite domain. The options available for deletion are additional data beyond what is required that Microsoft can populate on user accounts it provisions into G-Suite. Selecting the Show advanced options button, allow you to play with the schema Microsoft is using for G-Suite. What I found interesting about this schema is it doesn’t match the resource representation Google provides for the API. It would have been nice to match the two to make it more consumable, but they’re probably working off values used in the old Google Provisioning API or they don’t envision many people being nerdy enough to poke around the schema.

Next up I move toggle the provisioning status from Off to On and leave the Scope option set to sync only the assigned users and groups.

I then hit the Save button to save the new settings and after a minute my initial synchronization is successful. Now nothing was synchronized, but it shows the credentials correctly allowed Azure AD to hit my G-Suite domain over the appropriate APIs with the appropriate access.

So an empty synchronization works, how about one with a user? I created a new user named dutch.schaefer@geekintheweeds.com with only the required attributes of display name and user principal name populated, assigned the new user to the Google Apps application and give Azure AD a night to run another sync. Earlier tonight I checked the provisioning summary and verified the sync grabbed the new user.

Review of the audit logs for the Google Apps application shows that the new user was exported around 11PM EST last night. If you’re curious the synch between Azure AD and G-Suite occurs about every 20 minutes.

Notice that the FamilyName and GivenName attributes are set to a period. I never set the first or last name attributes of the user in Azure AD, so both attributes are blank. If we bounce back to the attribute mapping and look at the attributes for Google Apps, we see that FamilyName and GivenName are both required meaning Azure AD had to populate them with something. Different schemas, different requirements.

Switching over to the Google Admin Console I see that the new user was successfully provisioned into G-Suite.

Pretty neat overall. Let’s take a look at what we learned:

Azure AD supports single sign-on to G-Suite via SAML using a service provider-initiated flow where Azure AD acts as the identity provider and G-Suite acts as the service provider.
A user object with a login id matching the user’s login id in Azure Active Directory must be created in G-Suite before single sign-on will work.
Google provides a number of libraries for its API and the Google API Explorer should be used for experimentation with Google’s APIs.
Google’s Directory API is used by Azure AD to provision users and groups into a G-Suite domain.
Google’s Contacts API is used by Azure AD to provision contacts into a G-Suite domain.
A user holding the Super Admin role in the G-Suite domain must be used to authorize Azure AD to perform provisioning activities. The Super Admin role is required due to the usage of the Google Contact API.
Azure AD’s authorization request includes offline access using refresh tokens to request additional access tokens to ensure the sync process can be run on a regular basis without requiring re-authorization.
Best practice is to dedicate a user account in your G-Suite domain to Azure AD.
Azure AD uses the Server-side Web pattern for accessing Google’s APIs.
The provisioning process will populate a period for any attribute that is required in G-Suite but does not have a value in the corresponding attribute in Azure AD.
The provisioning process runs a sync every 20 minutes.

Even though my coding is horrendous, I absolutely loved experimenting with the Google API. It’s easy to realize why APIs are becoming so critical to a good solution. With the increased usage of a wide variety of products in a business, being able to plug and play applications is a must. The provisioning aspect Azure AD demonstrates here is a great example of the opportunities provided when critical functionality is exposed for programmatic access.

I hope you enjoyed the series, learned a bit more about both solutions, and got some insight into what’s going on behind the scenes.

Integrating Azure AD and AWS – Part 4

Posted on December 12, 2017 by mattfeltonma

Update: In November 2019 AWS introduced support for integration between Azure AD and AWS SSO. The integration offers a ton more features, including out of the box support for multiple AWS accounts. I highly recommend you go that route if you’re looking to integrate the two platforms. Check out my series on the new integration here.

We’ve reached the end of the road for my series on integrating Azure Active Directory (Azure AD) and Amazon Web Services (AWS) for single sign-on and role management. In part 1 I walked through the many reasons the integration is worth looking at if your organization is consuming both clouds. In part 2 I described the lab I used to for this series, described the different way application identities (service accounts for those of you in the Microsoft space) are handled in Active Directory Domain Services versus Azure AD, and walked through what a typical application identity looks like in Azure AD. In part 3 I walked through a portion of the configuration steps, did a deep dive into the Azure AD and AWS federation metadata, examined a SAML assertion, and configured the AWS end of the federated trust through the AWS Management Console. This included creation of an identity provider representing the Azure AD tenant and creation of a new IAM role for users within the Azure AD tenant to assert.

In this final post I’ll cover the remainder of the configuration, describe the “provisioning” capabilities of Azure AD in this integration, and pointing out some of the issues with the recommended steps in the Microsoft tutorial.

Before I continue with the configuration, let me cover what I’ve done so far.

Part 2
- Added the AWS application from the Azure AD Application Gallery through the Azure Portal.
Part 3
- Assigned an Azure Active Directory user to the application through the Azure Portal.
- Configured the Azure AD to pass the Role and RoleSessionName claims through the Azure Portal.
- Created the SAML identity provider representing Azure AD in the AWS Management Console.
- Created an AWS IAM Role and associated it with the identity provider representing Azure AD in the AWS Management Console.

At this point JoG users can assert their identity to their heart’s content but we don’t have a list of what AWS IAM roles stored in Azure AD for our users to assert. So how do we assert a role from Azure AD if the listing of the roles exists in AWS? The wonderful concept of application programmatic interfaces (APIs) swoops in and saves the day. Don’t get me wrong, if you hate yourself you can certainly provision them manually by modifying the application manifest file every time a new role is created or deleted. However, there is an easier route of having Azure AD pick up those roles directly from AWS on an automated schedule. How does this work? Well nothing works better than demonstrating how the roles can be queried from the AWS API.

The AWS SDK for .NET makes querying the API incredibly easy. We’re not stuck worrying about assembling the request and signing it. As you can see below the script is six lines of code in PowerShell.

The result is a listing of the roles configured in AWS which includes the AzureADEC2Admins role I created earlier. This example demonstrates the power a robust API brings to the table when integrating cloud services.

When Microsoft speaks of provisioning in regards to the AWS integration, they are talking about provisioning the roles defined in AWS to the the application manifest file in Azure AD. This provides us with the ability to assign the roles from within the Azure Portal as we’ll see later. This differs from many of the Azure AD integrations I’ve observed in the past where it will provision a record for the user into the software as a service (SaaS) offering. Below is a simple diagram of the provisioning process.

To do support provisioning we need to navigate to the AWS Management Console, open the Services Menu, and select IAM. We then select Users and hit the Add User button. I named the user AzureAD, gave it programmatic access type, and attached the IAMReadOnlyAccess policy. AWS then presented me with the access key ID and secret access key I’ll need to provide to Azure AD. Yes, we are going to follow security best practices and provide the account with the minimum rights and permissions it needs to provide the functionality. The Microsoft tutorial instructs you to generate the credentials under the context of the AWS administrator effectively giving the application full rights to the AWS account. No Microsoft, just no.

I next bounce back to the Azure portal and to the AWS application configuration. From here I select the Provisioning option, switch the drop-down box to Automatic, and plug the access key ID into the clientsecret field and the secret access key into the secret token field. A quick test connection shows success and I then save the configuration. Note that you must first save the configuration before you can turn on the synchronization.

After the screen refreshes I move down to the Settings section and turn the Provisioning Status to On and set the Scope to Sync only assigned users and groups (kind of a moot point for this, but oh well). I then Save the configuration once again and give it about 10 minutes to pull down the roles.

I then navigate back to the Users and Groups section and edit the Rick Sanchez assignment. Hitting the role option now shows me the AzureADEC2Admins role I configured in AWS IAM.

Let’s take another look at the service principle representing the AWS application in PowerShell. Using the Azure AD PowerShell cmdlets I referenced in entry 2 we connect to Azure AD and run the cmdlet Get-AzureADServicePrincipal which when run shows the manifest has been updated to include the newly synchronized application role.

We’ve configured the SAML trust on both ends, defined the necessary attributes, setup synchronization, and assigned Rick Sanchez an IAM role. In a moment we’ll demonstrate all of the pieces coming together.

Before I wrap it up, I want to quickly mention a few issues I ran into with this integration that seemed to resolve themselves without any intervention.

Up to a few nights ago I was unable to get the Provisioning piece working. I’m not putting it past user error (this is me we’re talking about) but I tried numerous times and failed but was successful a few nights ago. I also noticed from some recent comments in the Microsoft tutorial people complaining of similar errors. Maybe something broke for a bit?
The value of the audience attribute in the audienceRestriction section of the SAML assertion generated by Azure AD doesn’t match the identifier within the AWS federation metadata. Azure AD inserts some garbage looking audience value by default which was causing the assertions to be rejected by AWS. After setting the identifier to the value of urn:amazon:webservices as referenced in the AWS federation metadata the assertion was consumed without issue. I saw similar complaints in the Microsoft tutorial so I’m fairly confident this wasn’t just my issue.The story gets a bit stranger. I wanted to demonstrate the behavior for this series by removing the identifier I had previously added. Oddly enough the assertion was consumed without issue by AWS. I verified using Fiddler that the audience value was populated with that garbage entry. Either way, I would err on the side of caution and would recommend populating the identifier with the entry referenced in the AWS metadata as seen below.

The last thing I want to point out is the Microsoft tutorial states that you are required to create the users in AWS prior to asserting their identity. This is inaccurate as AWS does not require a user record to be pre-created in AWS. This is different from a majority (if not all) of the SaaS integrations I’ve done in the past so this surprised me as well. Either way, it’s not required which is a nice benefit if you’ve ever had to deal with the challenging of managing the identify lifecycle across cloud offerings.

Let’s wrap up this series by having Rick Sanchez log into the AWS Management Console and shutdown an EC2 instance. Here I have logged into the Windows 10 machine named CLIENT running in Azure. We navigate to https://myapps.microsoft.com and log into Azure AD as Rick Sanchez. We then hit the Amazon Web Services icon and are seamless logged into the AWS Management Console.

Examining the assertion in Fiddler shows the Role and RoleSessionName claims in the assertion.

Navigating to the EC2 Dashboard displays the instance I prepared earlier using my primary account. Rick has full rights over administration of the instance for activities such as starting and starting the instance. After successfully terminating the instance I log into the AWS Management Console as my primary AWS account and go to CloudTrail and see the log entries recording the activities of Rick Sanchez.

With that let’s cover some key pieces of information to draw from the series.

The Azure AD and AWS integration differs from most SaaS integrations I’ve done when it comes to user provisioning. Most of the time a user record must exist prior to the user authenticating. There are a growing number of SaaS providers provisioning upon successful authentication as provisioning challenges grow to further consumption of cloud services, but they are still few and far between. AWS does a solid job with eliminating the pain of pre-provisioning users.
The concept of associating roles with specific identity providers is really neat on Amazon’s part. It allows the customer to manage permissions and associate those permissions with roles in AWS, but delegate the right on a per identity provider basis to assert a specific set of roles.
Microsoft’s definition of provisioning in this integration is pulling a listing of roles from AWS and making them configurable in the Azure Portal.
The AWS API is solid and quite easy to leverage when using the AWS SDKs. I would like to see AWS switch from what seems to be proprietary method of application access to OAuth to become more aligned with the rest of the industry.
Don’t trust vendors to make everything point and click. Take the time to understand what’s going on in the background. In a SAML integration such as this, a quick review of the metadata can save you a lot of headaches when troubleshooting issues.

I learned a ton about AWS over these past few weeks and also got some good deep dive time into Azure AD which I haven’t had time for in a while. Hopefully you found this series valuable and learned a thing or two yourself.

In my next series I plan on writing a simple application to consume the Cognito service offered by AWS. For those of you more familiar with the Microsoft side of the fence, it’s similar to Azure AD B2C but with some unique features Microsoft hasn’t put in place yet making a great option to solve those B2C identity woes.

Thanks and have a wonderful holiday!

Integrating Azure AD and AWS – Part 3

Posted on December 10, 2017 by mattfeltonma

Welcome! This entry continues my series in the integration of Azure AD and AWS. In my first entry I covered what the advantages of the integration are. In the second entry I walked through my lab configuration and went over what happens behind the scenes when an application is added to Azure AD from the application gallery. In this post I’m going to walk through some of the configuration we need to do in both Azure AD and AWS. I’ll also be breaking open the Azure AD and AWS metadata and examining the default assertion sent by Microsoft out of the box.

In my last entry I added the AWS application to my Azure AD tenant from the Azure AD Application Gallery. The application is now shown as added in the All Applications view of the Azure Active Directory blade for my tenant.

After selecting AWS from the listing of applications I’m presented with a variety of configuration options. Starting with Properties we’re provided with some general information and configuration options. We need to ensure that the application is enabled for users to sign-in and that it’s visible to users so we can select it from the access panel later on. Notice also that that I’m configuring the application to require the user be assigned to the application.

On the Users and groups page I’ve assigned Rick Sanchez to the application to allow the account access and display it on the access panel.

After waiting about 10 minutes (there is a delay in the time it takes for the application to appear in the application panel) I log into the Access Panel as Rick Sanchez and we can see that the AWS app has been added for Rick Sanchez.

Back to the properties page of the AWS application, my next stop is the Single sign-on page. Here I drop down the Single Sign-on Mode drop box and select SAML-based Sign-on option. Changing the mode to SAML-based Sign-on exposes a ton of options. The first option that caught my eye was the Amazon Web Services (AWS) Domain and URLs. Take notice of the note that says Amazon Web Services (AWS) is pre-integrated with Azure AD and requires no mandatory URL settings. Yeah, not exactly true as we progress through this series.

Further down we see the section that allows us to configure the unique user identifier and additional attributes. By default Microsoft includes the name, givenName, surName, and emailAddress claims. I’ll need to make some changes there to pass the claims Amazon requires, but let’s hold off on that for now.

Next up a copy of the Azure AD metadata (IdP metadata) is provided for download. Additionally some advanced options are available which provide the capability to sign the SAML response, assertion, or both as well as switching the hash algorithm between SHA1 and SHA256.

Now like any nerd, I want to poke around the IdP metadata and see what the certificate Azure AD is using to sign looks like. Opening up the metadata in a web browser parses the XML and makes the format look pretty. From there I grab the contents X509Certificate tag (the base-64 encoded public-key certificate), dump it to Notepad, and renam it with a file extension of cer. Low and behold, what do we see but a self-signed certificate. This is a case where I can see the logic that the operational overhead is far greater than the potential security risk. I mean really, does anyone want to deal with the challenge of hundreds of thousands of customers not understanding the basics of public key infrastructure and worrying about revocation, trust chains, and the like? You get a pass Microsoft… This time anyway.

Before I proceed with the next step in the configuration, let’s take a look at what the assertion looks like without any of the necessary configuration. For this I’ll use Fiddler to act as a man-in-the-middle between the client and the web. In session 6 of the screenshot below we see that the SAML response was returned to the web browser from Azure.

Next up we extract that information with the Text Wizard, base-64 decode it, copy it to Notepad, save it as an XML file, and open it with IE. The attributes containing values of interest are as follows:

Destination – The destination is the service provider assertion consumer URI

NameID – This is the unique identifier of the used by the service provider to identify the user accessing the service

Recipient– The recipient attribute references the service the assertion is intended for. Oasis security best practices for SAML require the service provider to verify this attribute match the URI for the service provider assertion consumer URI

Audience – The audience attribute in the audienceRestriction section mitigates the threat of the assertion being stolen and used to impersonate a user. Oasis security best practices require the service provider to verify this when the assertion is received to ensure it is recognizes the identifier. The way in which this is accomplished is the value in the audience attribute is checked against the service provider EntityID attribute.

Additionally we have some interesting claims including tenantid, objectidentifier of the user object in Azure AD, name, surname, givenname, displayname, identityprovider, and authnmethosreferences. I don’t think any of these need further explanation.

Let’s now take a look at the AWS (service provider in SAML terms) metadata. The AWS metadata is available for download from here. After it’s downloaded it can be opened with IE.

The fields of interest in this set of metadata is:

EntityID – The entityID is the unique identifier AWS will provide in its authentication requests. Let’s note the value of urn:amazon:webservices for later as it will come in handy due to some issues with Microsoft’s default settings.

NameIDFormat – This tells me both transient and persistent are accepted. I won’t go into details on Name ID format, you can review that for yourself in the Oasis standard. Suffice to say the Name ID format required by the service provider can throw some wrenches into integrations when using a more basic security token service (STS) like AD FS.

AssertionConsumerService – This is where our browser will post back the SAML assertion after a successful authentication. Note the URI in the location field.

RequestedAttributes – This provides us with a listing of all the attributes AWS will accept in an assertion. Note that the only two required attributes are Role and RoleSessionName.

We’ve added the AWS application to Azure AD, granted a user access to the application, and have started the SAML setup within Azure AD (Identity Provider). Let’s continue that setup by configuring which attributes Azure AD will include in the assertions delivered to AWS. From review of the AWS metadata we know that we need to send claims of Role and RoleSessionName. The RoleE will match to an an AWS IAM Role handling authorization of what we can do within AWS and the RoleSessionName provides a unique identifier for the user asserting the entitlement.

Back in the Azure AD Portal I’m going to click the option to View and edit all other user attributes. The exposes the attributes Microsoft sends by default. These include givenName, suName, emailAddress, and name. Since the AWS metadata only requires RoleSessionName and Role, I’m going to delete the other attributes. No sense in exposing additional information that isn’t needed!

After the extra attributes are deleted I create the two required attributes as seen in the screenshot below.

I’m now going to bounce over to the AWS Management Console. After logging in I navigate to the Services menu and choose IAM.

On the IAM menu I choose the Identity providers menu item and hit the Create Provider button.

On the next screen I’m required to configure the identity provider settings. I choose SAML from the drop-down box enter a provider name of MAAD and upload the IdP metadata I downloaded from Azure AD referenced earlier in the blog entry and hit the Next Step button.

On the next page I verify the provider name and the type of identity provider and hit the Create button. Once that is complete I see the new entry listed in identity providers list. Easy right?

We have an identity provider, but that identity provider needs some IAM roles to be associated with the identity provider that my fictional users can assert. For that I go to the Roles section and hit the Create Role button.

On the next screen I select the SAML button as the type of trusted entity since the role is going to be asserted via the SAML trust with Azure AD. Here I select the MAAD provider and choose the option to allow the users to access both the AWS Management Console and the API and then hit the Next: Permissions button.

As I referenced in my first entry to this series, the role I’m going to create is going to be capable of managing all EC2 instances. For that I choose the AmazonEC2FullAccess policy template and then hit the Next:Review button.

On the last screen I name the new role AzureADEC2Admins, write a short description, and hit the Create Role button.

The new role is created and can be seen associated to the identity provider representing the trust between AWS and Azure AD.

Let’s sum up what we did for this entry. We examined the key settings Microsoft exposes for configuration with the AWS integration. We examined the Azure AD (IdP) and AWS (SP) metadata to understand which settings are important to this integration and what those settings do. We examined an assertion generated out of Azure AD prior to any of the necessary customization being completed to understand what a canned assertion looks like. Finally, we completed a majority of the tasks we need to complete on the AWS side to create the SAML trust on the AWS end and to create a role JoG users can asserts. Are your eyes bleeding yet?

In my last post in this series I’ll walk through the rest of the configuration needed on the Azure AD end. This will include going over some of the mistakes the Microsoft tutorial makes as well as covering configuration of Azure AD’s provisioning integration as to what it means and how we can effectively configure it. Finally, we’ll put all the pieces of the puzzle together, assert our identity, and review logs at AWS to see what they look like when a federated user performs actions in AWS.

The journey continues in my fourth entry.

Integrating Azure AD and AWS – Part 2

Posted on December 5, 2017 by mattfeltonma

Today I will continue the journey into the integration between Azure AD and Amazon Web Services. In my first entry I covered the reasons why you’d want to integrate Azure AD with AWS and provided a high-level overview of how the solution works. The remaining entries in this series will cover the steps involved in completing the integration including deep dives into the inner workings of the solution.

Let me start out by talking about the testing environment I’ll be using for this series.

The environment includes three virtual machines (VMs) running on Windows Server 2016 Hyper V on a server at my house. The virtual machines consists three servers running Windows Server 2016 with one server acting as a domain controller for the journeyofthegeek.local Active Directory (AD) forest, another server running Active Directory Federation Services (AD FS) and Azure AD Connect (AADC), and the third server running MS SQL Server and IIS. The IIS instance hosts a .NET sample federated application published by Microsoft.

In Microsoft Azure I have a single Vnet configured for connectivity to my on-premises lab through a site-to-site IPSec virtual private network (VPN) I’ve setup with pfSense. Within the Vnet exists a single VM running Windows 10 that is domain-joined to the journeyofthegeek.local AD domain. The Azure AD tenant providing the identity backend for the Microsoft Azure subscription is synchronized with the journeyofthegeek.local AD domain using Azure AD Connect and is associated with the domain journeyofthegeek.com. Authentication to the Azure AD tenant is federated using my instance of AD FS. I’m not synchronizing passwords and am using an alternate login ID with the user principal name being synchronized to Azure AD being stored in the AD attribute msDS-CloudExtensionAttribute1. The reason I’m still configured to use an alternate login ID was due to some testing I needed to do for a previous project.

I created a single test user in the journeyofthegeek.local Active Directory domain named Rick Sanchez with a user principal name (UPN) of rick.sanchez@journeyofthegeeklocal and msDS-CloudExtensionAttribute1 of rick.sanchez@journeyofthegeek.com. The only attribute to note that the user has populated is the mail attribute which has the value of rick.sanchez@journeyofthegeek.com. The user is being synchronized to Azure AD via the Azure AD Connect instance.

In AWS I have a single elastic compute cloud (EC2) instance running Windows Server 2016 within a virtual private cloud (VPC). I’ll be configuring Azure AD as an identity provider associated with the AWS account and will be associating an AWS IAM role named AzureADEC2Admins. The role will grant full admin rights over the management of the EC2 instances associated to the account via the AmazonEC2FullAccess permissions policy.

Let’s begin shall we?

The first step I’ll be taking is to log into the Azure Portal as an account that is a member of the global admins and navigate to the Azure Active Directory blade. From there I select Enterprise Applications blade and hit the New Application link.

I then search the application gallery for AWS, select the AWS application, accept the default name, and hit the Add button. Azure AD will proceed to add the application and will then jump to a quick start page. So what exactly does it mean to add an application to Azure AD? Good question, for that we’ll want to use the Azure AD cmdlets. You can reference this link.

Before we jump into running cmdlets, let’s talk very briefly about the concept of application identities in AAD. If you’ve managed Active Directory Domain Services (AD DS), you’re very familiar with the concept of service accounts. When you needed an application (let’s call it a non-human to be more in-line with industry terminology) to access AD-integrated resources directly or on-behalf of a user you would create a security principal to represent the non-human. That security principal could be a user object, managed service account object, or group managed service account object. You would then grant that security principal rights and permissions over the resource or grant it the right to impersonate a user and access the resource on the user’s behalf. The part we want to focus in on is the impersonation or delegation to access a resource on the behalf of a user. In AD DS that delegation is accomplished through the Kerberos protocol.

When we shift over to AAD the same basic concepts still exist of creating a security principal to represent the application and granting that application direct or delegated access to a resource. The difference is the protocol handling the access shifts from Kerberos to OAuth 2.0. One thing many people become confused about is thinking that OAuth handles authentication. It doesn’t. It has nothing do with authentication and everything to do with authorization, or more clearly delegation. When we add an application the AAD a service principal object and sometimes application object (in AWS instance both are created) are created in the AAD tenant to represent the application. I’m going to speak to the service principal object for the AWS integration, but you can read through this link for a good walkthrough on application and service principal objects and how they differ.

Now back to AWS. So we added the application and we now have a service principal object in our tenant representing AWS. Here is a few of the attributes for the object pulled via PowerShell.

Review of the attributes for the object provide a few pieces of interesting information. We’ll get to experiment more with what these mean when we start doing Fiddler captures, but let’s talk a bit about them now. The AppRoles attribute provides a single default role of msiam_access. Later on we’ll be adding additional roles that will map back to our AWS IAM roles.

Next up we have the KeyCredentials which contains two entries. This attribute took me a while to work out. In short, based upon the startDate, I think these two entries are referencing the self-signed certificate included in the IdP metadata that is created after the application is added to the directory. I’ll cover the IdP metadata in the next entry.

The Oauth2Permissions are a bit funky for this use case since we’re not really allowing the application to access AWS on our behalf, but rather asking it to produce a SAML assertion asserting our identity. Maybe the delegation can be thought of as delegating Azure AD the right to create logical security tokens representing our users that can be used to assert an identity to AWS.

The PasswordCredentials contains a single entry which shares the same KeyID as the KeyCredential. As best I can figure from reading the documentation is this would normally contain entries for client keys when not using certificate authentication. Given that it contains a single entry with the same KeyID as the KeyCredential for signing, I can only guess it will contain an entry even with a certificate is used to authenticate the application.

The last attributes of interest are the PreferredTokenSigningKeyThumbprint which references the certificate within the IdP metadata and the replyURLs which is the assertion consumer URI for AWS.

So yeah, that’s what happens in those 2 or 3 seconds the AWS application is registered with Azure AD. I found it interesting how the service principal object is used to represent trust between Azure AD and AWS and all the configuration information attached to the object after the application is simply added. It’s nice to have some of the configuration work done for us out of the box, but there is much more to do.

In the next entry I’ll walk through the Quick Start for the AWS application configuration and explore the metadata Azure AD creates.

The journey continues in my third entry.

Journey Of The Geek

The chronicles of a Bostonian tech geek navigating through life, technology, and general geekiness.

Category Archives: SAML

Integrating Azure AD and G-Suite – Automated Provisioning

Integrating Azure AD and AWS – Part 3

Integrating Azure AD and AWS – Part 2