I’m back yet again with the fifth entry into my series on integrating Azure AD and AWS SSO. It’s been a journey and the series has covered a lot of ground. It started with outlining the challenge with the initial integration of Azure AD and AWS using the AWS app in the Azure Marketplace. From there it took a deep dive into the components of the solution and how it compares to a standard integration using your SAML provider of choice. It continued with the steps necessary to configure Azure AD and AWS SSO to support the federated trust to enable single sign-on. The fourth post explored the benefits of SCIM and went step by step on how to configure SCIM between the two services. For this final post I’m going to cover a few different scenarios to demonstrate what’s possible with this new integration.
Before I jump into the scenarios, there is one final task that needs to be completed now that the federated trust and SCIM have been setup. That task is setting up the permission sets in AWS SSO. Permission sets are simply IAM policies (either AWS-managed or custom policies you create). For those of you from the Microsoft Azure world, an IAM policy is a collection of permissions which define what a security principal (such as a user or role) is authorized to do. They are most similar to an Azure RBAC role definition but more flexible and granular due to advanced features such as condition keys. Permission sets are projected into the AWS accounts they are assigned to as AWS IAM roles. These are the IAM roles the security principal assumes.
As I mentioned above, AWS SSO supports both AWS-managed IAM policies and custom IAM policies for permission sets. If you go into the AWS Accounts menu option of AWS SSO you’ll see the accounts associated with the AWS Organization and which permission sets have been associated to the AWS accounts thus resulting in AWS IAM Roles being created within the AWS account. In the image below you can see that I’ve provisioned two permission sets to account1 and account2.
The permission sets tab displays the permission sets I’ve created and whether or not they’ve been provisioned to any accounts. In the screenshot below you’ll see I’ve added four AWS-managed policies for Billing, SecurityAudit, AdministratorAccess, and NetworkAdministrator. Additionally, I created a new permission set named SystemsAdmin which uses a custom IAM policy which restricts the principal assuming the rule to EC2, CloudWatch, and ELB activities.
Back on the AWS organization tab, if you click on an account you can see the AWS SSO Users or Groups that have been assigned to a permission set. In the image below, you can see that I’ve assigned both the B2B Security Admins group and the Security Admins group to the AdministratorAccess permission set and the System Operators group to the SystemsAdmin permission set.
With permission sets out of the way, let’s jump into the scenarios.
Scenario 1 – Windows AD User, AD FS, Azure AD, AWS SSO
In this scenario the user is Bart Simpson who is a member of the System Operators group on-premises and exists authoritatively in a Windows AD forest. A federated trust has been established with Azure AD using an instance of AD FS running on-premises. Azure AD has been integrated with AWS SSO for both SSO (via SAML) and provisioning (via SCIM).
Once Bart was logged into a domain-joined machine, I popped open a browser and navigated to My Apps portal at https://myapps.microsoft.com. This redirected me to the Azure AD login screen. Here I entered Bart’s user name.
Azure AD performed its home realm discovery process, identified that the domain jogcloud.com is configured for federated authentication, and redirected me to AD FS. Take note I purposely broke integrated windows authentication here to show you each step. In a correctly configured browser, you wouldn’t see this screen.
After I successfully authenticated to AD FS, I was bounced back over to Azure AD where the assertion was delivered. Azure AD then whipped up a SAML assertion for AWS SSO, returned it to the browser, and redirected the browser to the AWS SSO assertion consumer URL. AWS SSO consumed the assertion and authenticated Bart into AWS SSO displaying the AWS IAM Role selection page with the relevant roles he has permission to access.
Scenario 2 – Windows AD User, AD FS with Certificate MFA, Azure AD with Conditional Access, AWS SSO
Scenario 1 is pretty simple, so let’s get fancy and layer on some security. Here I added an access control policy into AD FS requiring certificate-based authentication for members of the Security Admins group. Additionally, I added a conditional access policy in Azure AD requiring MFA for any user that is a member of that same group.
Since Homer Simpson regularly runs a nuclear reactor, he’s also the Security Admin for JOGCLOUD. He has been made member of the Windows AD Security Admin group.
As a first step I again popped open a browser and navigated to the My Apps portal. After Homer’s username was plugged in, Azure AD redirected me to the AD FS server. I again broke IWA to capture each step in the process.
After the password challenge was satisfied, I was prompted to provide the appropriate user certificate.
From there I was authenticated to Azure AD and served up the My Apps portal.
Wondering why I wasn’t prompted for Azure MFA? No, I didn’t misconfigure it (at least this time). A not well documented feature (at least in my opinion) of Azure AD is that you can pass a claim asserting a user has satisfied the MFA requirement thus making for a better user experience because the user isn’t required to authenticate multiple times. Yes folks, this means you can layer your traditional certificate-based authentication on top of Azure AD and AWS.
After selecting the AWS SSO app, I was signed into AWS SSO and presented with the role selection screen.
I then selected a one of the roles and was signed into the relevant AWS account assuming the AdministratorAccess IAM Role.
Scenario 3 – Azure AD B2B User, AWS SSO
What if you have a multi-tenant situation due to an acquisition or merger or perhaps you farm out operations to a managed service provider? No worries there, B2B is also supported with this pattern. In this scenario I’m using a user sourced from tenant that has been invited via Azure AD’s B2B. The user has been added to the B2B Security Admins group which exists authoritatively in the inviting tenant (jogcloud.com) and was synchronized to AWS SSO via SCIM.
Opening a browser and navigating to the My Apps portal kicks off Azure AD authentication and drops the user into their source tenant. Once there I can change my tenant by selecting the profile icon and selecting the jogcloud tenant.
I’m then presented with the apps that I’m authorized to use in the jogcloud tenant, which includes the AWS SSO app.
Azure AD kicks off the federated authentication and I’m presented with the AWS role selection page where I can choose to assume the AdministratorAccess role in two of the AWS accounts.
Scenario 4 – AWS CLI
I know what you’re saying now, “But what about CLI?” Well folks, for that you can leverage the AWS CLI v2. It’s still in preview right now, but I did test it using the user from scenario 2 and it worked flawlessly. The experience is pretty anti-climatic so I’m not going to dive into it. The user experience is similar to using the Azure PowerShell cmdlets in that a web browser instance is opened and guides you through the authentication process.
That will sum up this series.
Few technologies get me excited enough to write five posts, but this integration is really amazing. With AWS hooking into Azure AD as effectively as they have (especially love the CLI integration), it reduces operational overhead and improves security which is a combination you rarely see together. Most importantly, it puts the customer first by optimizing the user experience. If you weren’t convinced on Azure AD’s capabilities as an IDaaS, hopefully this series has helped educate you as to the value of the platform.
With that I’ll sign off. A big thanks to the AWS product team that worked on this integration. You did an amazing job that will greatly benefit our mutual customers.
To the rest of you, I wish you happy holidays!