Bobcares

ADFS Integration AWS: Explained with Setup

Oct 30, 2022

In this article we look at ADFS integration with AWS and walk through the configuration steps needed to set it up, with the support of our AWS Support Services at Bobcares.

How does integration between ADFS and AWS work?

By default, access to stacks and VPCs relies on a one-way trust between the on-premises network and the AMS (AWS Managed Services) domain. Access is granted when a VPC or stack is created using pre-configured Active Directory security groups.

In addition, for single sign-on (SSO) to the AWS Management Console, we can set up access using Active Directory Federation Services (AD FS) or any federation product that supports SAML 2.0.

Note

AMS can be integrated with many federation services, such as Ping and Okta; we are not limited to AD FS. This section illustrates one federation technology that is available to us.

  1. The flow begins when we navigate to the AD FS sample sign-in page within the domain. Installing AD FS creates a virtual directory named adfs under the default website, and this page lives there.
  2. The sign-on page authenticates the user against AD. Depending on the browser, the user may be prompted for an AD username and password.
  3. AD FS returns a SAML assertion to the browser in the form of an authentication response.
  4. The browser posts the SAML assertion to the AWS sign-in endpoint for SAML (https://signin.aws.amazon.com/saml). Behind the scenes, sign-in calls the AssumeRoleWithSAML API to request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.
  5. Once the sign-in URL is received, the browser is redirected to the console.
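To make step 4 concrete, the following is an added example (not code from the original post) that decodes the SAMLResponse form field the browser posts to https://signin.aws.amazon.com/saml and extracts exactly what sign-in hands to AssumeRoleWithSAML: the role ARN, the SAML provider ARN, and the RoleSessionName. The attribute names are the real AWS SAML attribute names; the embedded response, the adfs.abcd.com issuer and the 123456789012 account ID are constructed for the example. The sample is unsigned, so it is for inspection only; the real endpoint accepts only assertions signed by the IdP certificate registered in the SAML provider.

```powershell
# Added example (not from the original post): decode a SAMLResponse as posted
# by the browser and pull out the values AWS sign-in passes to AssumeRoleWithSAML.
# The response below is CONSTRUCTED for this example and is unsigned.
$SampleResponseXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-10-30T12:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>http://adfs.abcd.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-10-30T12:00:00Z">
    <saml:Issuer>http://adfs.abcd.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user@abcd.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2022-10-30T12:00:00Z" NotOnOrAfter="2022-10-30T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>user@abcd.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-Production</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-Dev</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@

# What the browser actually posts: the XML, base64-encoded, in a form field named SAMLResponse
$SamlResponseField = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($SampleResponseXml))

function Get-AwsSamlClaims {
    param([Parameter(Mandatory)][string]$SamlResponse)
    $Xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponse))
    $Ns  = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
    $Ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $Ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $Base = '//saml:Assertion/saml:AttributeStatement/saml:Attribute'
    $RoleNodes    = $Xml.SelectNodes("${Base}[@Name='https://aws.amazon.com/SAML/Attributes/Role']/saml:AttributeValue", $Ns)
    $SessionNodes = $Xml.SelectNodes("${Base}[@Name='https://aws.amazon.com/SAML/Attributes/RoleSessionName']/saml:AttributeValue", $Ns)

    # Each Role value is "<arn>,<arn>"; AWS accepts the two ARNs in either order,
    # so identify them by content rather than position.
    $Roles = foreach ($Node in $RoleNodes) {
        $Parts = $Node.InnerText.Trim() -split ','
        [pscustomobject]@{
            RoleArn      = $Parts | Where-Object { $_ -match ':role/' }          # RoleArn parameter
            PrincipalArn = $Parts | Where-Object { $_ -match ':saml-provider/' } # PrincipalArn parameter
        }
    }
    [pscustomobject]@{
        Destination     = $Xml.DocumentElement.GetAttribute('Destination')
        Audience        = $Xml.SelectSingleNode('//saml:Audience', $Ns).InnerText
        NameID          = $Xml.SelectSingleNode('//saml:Subject/saml:NameID', $Ns).InnerText
        RoleSessionName = $SessionNodes | ForEach-Object { $_.InnerText.Trim() }
        Roles           = $Roles
    }
}

$Claims = Get-AwsSamlClaims -SamlResponse $SamlResponseField

# Checks that mirror what the sign-in endpoint requires before it will call AssumeRoleWithSAML
if ($Claims.Destination -ne 'https://signin.aws.amazon.com/saml') { throw 'Destination is not the AWS SAML sign-in endpoint' }
if (@('urn:amazon:webservices', 'https://signin.aws.amazon.com/saml') -notcontains $Claims.Audience) { throw 'Audience not accepted by AWS' }
if (-not $Claims.RoleSessionName) { throw 'RoleSessionName attribute missing' }
if (-not $Claims.Roles) { throw 'No Role attribute: the user is in no AWS-* group, so no role can be assumed' }
$Claims.Roles | Format-Table RoleArn, PrincipalArn -AutoSize
```

When the assertion carries exactly one Role value, sign-in assumes that role and redirects straight to the console; with more than one, as in this sample, the user is first shown a role chooser. A missing or malformed Role attribute is the most common reason the flow ends on an AWS error page instead of the console, which is why inspecting the posted response is the first troubleshooting step.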

From the user's point of view the process is transparent: the user goes from an internal website to the AWS Management Console without ever entering AWS credentials.

Configuring Active Directory

This is the next step in ADFS integration with AWS. Note that a Windows domain is required for the configuration below.

Here we use a single test user who is a member of two AD groups (AWS-Production and AWS-Dev), plus an AD FS service account (ADFSSVC).

It is worth noting that both AD group names begin with AWS-. This matters because the claim rules created later match group names beginning with AWS- to decide which AWS roles the user is allowed to sign in to.

To begin, we need the following in the domain:

  1. Create two AD groups, AWS-Production and AWS-Dev.
  2. Create a user called User.
  3. Give the user an email address (for example, user@abcd.com).
  4. Add the user to both the AWS-Production and AWS-Dev groups.
  5. Create a second user called ADFSSVC. This account will later become the AD FS service account.
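The five steps above, as an added example scripted with the ActiveDirectory PowerShell module (this is not code from the original post). The object names follow the post; the abcd.com domain suffix and the CN=Users container are assumptions, and the passwords are prompted for rather than embedded.

```powershell
# Added example (not from the original post): provision the AD objects the
# walkthrough needs. Domain suffix and container path are ASSUMED values.
Import-Module ActiveDirectory

$Domain  = 'abcd.com'                      # assumed UPN / mail suffix
$UsersOU = 'CN=Users,DC=abcd,DC=com'       # assumed container
$Groups  = @('AWS-Production', 'AWS-Dev')  # names must start with "AWS-"

function New-AwsFederationGroups {
    param([string[]]$Names, [string]$Path)
    foreach ($Name in $Names) {
        if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
            # Global security groups; the AD FS claim rules later match on the group Name
            New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global `
                        -GroupCategory Security -Path $Path
        }
    }
}

function New-AwsTestUser {
    param([string]$Name, [string]$Suffix, [string]$Path, [securestring]$Password)
    # The mail attribute is what the claim rules turn into the SAML NameID and
    # RoleSessionName, so it must be populated (step 3 of the list).
    New-ADUser -Name $Name -SamAccountName $Name `
               -UserPrincipalName "$Name@$Suffix" -EmailAddress "$Name@$Suffix" `
               -Path $Path -AccountPassword $Password -Enabled $true
}

function New-AdfsServiceAccount {
    param([string]$Name, [string]$Suffix, [string]$Path, [securestring]$Password)
    # Ordinary domain user; the AD FS configuration wizard grants it what it needs.
    # Keep it out of the AWS-* groups so the service identity can never map to a role.
    New-ADUser -Name $Name -SamAccountName $Name `
               -UserPrincipalName "$Name@$Suffix" -Path $Path `
               -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
}

# Steps 1 to 5
New-AwsFederationGroups -Names $Groups -Path $UsersOU
$UserPwd = Read-Host -AsSecureString 'Password for User'
New-AwsTestUser -Name 'User' -Suffix $Domain -Path $UsersOU -Password $UserPwd
Add-ADGroupMember -Identity 'AWS-Production' -Members 'User'
Add-ADGroupMember -Identity 'AWS-Dev'        -Members 'User'
$SvcPwd = Read-Host -AsSecureString 'Password for ADFSSVC'
New-AdfsServiceAccount -Name 'ADFSSVC' -Suffix $Domain -Path $UsersOU -Password $SvcPwd

# Check: the same "^AWS-" match the claim rule will use must select exactly the two groups
$AwsGroups = Get-ADPrincipalGroupMembership -Identity 'User' |
             Where-Object { $_.Name -match '^AWS-' } |
             Select-Object -ExpandProperty Name
if (($AwsGroups | Measure-Object).Count -ne $Groups.Count) {
    throw "Expected $($Groups.Count) AWS-* groups on User, found: $($AwsGroups -join ', ')"
}
$AwsGroups
```

The final check is worth keeping around after the integration is live: any group whose name happens to start with AWS- will be turned into a role claim, so the prefix should be reserved for groups that are meant to grant AWS access.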

Installing ADFS

After the accounts and groups are in place, we move on to installing ADFS. Windows Server 2008 R2 ships with an older version of ADFS; instead of installing that version, this walkthrough downloads ADFS 2.0.

After downloading the package, we launch the ADFS setup wizard by double-clicking AdfsSetup.exe. We assume the server is configured as a federation server with the default settings.

Configuring ADFS

The next step is to configure ADFS for the AWS integration. We ticked the Start the AD FS 2.0 Management snap-in when this wizard closes box during setup, so the management window opened after we clicked Finish.

If that box was not ticked during installation, the window can be opened from Start > All Programs > Administrative Tools > AD FS 2.0 Management.

To launch the configuration wizard, click AD FS 2.0 Federation Server Configuration Wizard and follow these steps:

  1. Select Create a new Federation Service.
  2. Select New federation server farm.
  3. Choose an SSL certificate. If a suitable certificate already exists, use it. If not, a self-signed certificate can be created with IIS; self-signed certificates make testing and development easier, but for production use a certificate from a known certificate authority (CA).
  4. Specify the service account created earlier (ADFSSVC).
  5. Confirm the settings by clicking Next.

Finally, click Close to exit. If everything goes well, the wizard reports that every configuration step succeeded. If so, proceed to the Configuring AWS section.

During testing, the wizard may stop with an error. This is a known issue that can be resolved by running the following command from an elevated command prompt (Run as administrator):

setspn -a host/localhost adfssvc

If the command is successful, we will see a line as shown below:

Registering ServicePrincipalNames for CN=ADFSSVC,CN=Users,DC=mydomain,DC=aws,DC=amazon,DC=com host/localhost

Configuring AWS

AD FS is now set up. The next step is to configure the AWS side, which we can do from the AWS Management Console.

The first step is to create a SAML provider. Before we can do that, we need the SAML metadata document for the ADFS federation server. By default it can be downloaded from:

https://<yourservername>/FederationMetadata/2007-06/FederationMetadata.xml

In this walkthrough the SAML provider is named ADFS. Once we have the metadata document we can create the SAML provider in AWS, uploading the metadata document as part of that process.

With the SAML provider in place, we create two IAM roles. Here we used the Grant Web Single Sign-On (WebSSO) access to SAML providers role template, selecting the newly created ADFS SAML provider, to set up both roles.

The two roles are ADFS-Production and ADFS-Dev; they complement the AD groups created earlier. During SAML sign-in to AWS, ADFS claim rules map these IAM roles by name to the AD groups (AWS-Production and AWS-Dev).

Finally, we must locate and record the ARNs of the SAML provider and of the roles we created. These ARNs are needed later when we set up the claim rules in the IdP.
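The AWS-side steps above, followed by the claim rules that perform the name matching described earlier, as one added example (not code from the original post) using the AWS Tools for PowerShell. The trust policy is the one the WebSSO role template produces; the rules are written in the AD FS claim rule language and use the recorded ARNs. The federation host adfs.abcd.com is an assumption, AWS credentials are taken from the usual profile, and the AD FS PowerShell cmdlet mentioned in the last comment is assumed to be available on the federation server.

```powershell
# Added example (not from the original post): create the SAML provider and the
# two WebSSO roles, record their ARNs, then generate the AD FS claim rules that
# map AWS-* groups to ADFS-* roles. Host name adfs.abcd.com is ASSUMED.
Import-Module AWSPowerShell

$AdfsHost     = 'adfs.abcd.com'
$ProviderName = 'ADFS'
$RoleNames    = @('ADFS-Production', 'ADFS-Dev')

function New-AwsSamlProvider {
    param([string]$Name, [string]$FederationHost)
    # AD FS publishes its SAML metadata at this path by default
    $Uri      = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
    $Metadata = (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
    # Returns the provider ARN: arn:aws:iam::<account>:saml-provider/<Name>
    New-IAMSAMLProvider -Name $Name -SAMLMetadataDocument $Metadata
}

function New-WebSsoTrustPolicy {
    param([string]$ProviderArn)
    # Same trust policy the "Grant Web Single Sign-On (WebSSO) access to SAML
    # providers" template produces: only this IdP, only via AssumeRoleWithSAML,
    # and only for assertions addressed to the console sign-in endpoint.
    @{
        Version   = '2012-10-17'
        Statement = @(@{
            Effect    = 'Allow'
            Principal = @{ Federated = $ProviderArn }
            Action    = 'sts:AssumeRoleWithSAML'
            Condition = @{ StringEquals = @{ 'SAML:aud' = 'https://signin.aws.amazon.com/saml' } }
        })
    } | ConvertTo-Json -Depth 5
}

function New-AwsClaimRules {
    param([string]$ProviderArn, [string]$RoleArnPrefix)
    # Issuance transform rules for the AWS relying party trust. The last rule is
    # the name match: RegExReplace turns the group "AWS-Production" into
    # "<provider ARN>,<account>:role/ADFS-Production", the pair AssumeRoleWithSAML needs.
    $Fixed = @'
@RuleName = "E-mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
@RuleName = "NameID (persistent) from e-mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
@RuleName = "RoleSessionName from e-mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("https://aws.amazon.com/SAML/Attributes/RoleSessionName"), query = ";mail;{0}", param = c.Value);
@RuleName = "Get AD groups"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);
'@
    $RoleRule = @"
@RuleName = "Roles"
c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
 => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "$ProviderArn,$RoleArnPrefix"));
"@
    $Fixed + "`n" + $RoleRule
}

# Provider first, then the two roles that trust it
$ProviderArn = New-AwsSamlProvider -Name $ProviderName -FederationHost $AdfsHost
$Trust       = New-WebSsoTrustPolicy -ProviderArn $ProviderArn
$Roles       = foreach ($Name in $RoleNames) { New-IAMRole -RoleName $Name -AssumeRolePolicyDocument $Trust }

# Record the ARNs the claim rules need
$AccountId     = (Get-STSCallerIdentity).Account
$RoleArnPrefix = "arn:aws:iam::${AccountId}:role/ADFS-"
"Provider: $ProviderArn"
$Roles | ForEach-Object { "Role:     $($_.Arn)" }

$RuleText = New-AwsClaimRules -ProviderArn $ProviderArn -RoleArnPrefix $RoleArnPrefix
$RuleText | Set-Content -Path .\aws-claim-rules.txt

# Local check of the Roles rule: only AWS-* groups yield a Role claim, and the
# group suffix becomes the role suffix (AWS-Dev -> .../role/ADFS-Dev)
@('AWS-Production', 'AWS-Dev', 'Domain Users') |
    Where-Object { $_ -match '^AWS-' } |
    ForEach-Object { $_ -replace '^AWS-', "$ProviderArn,$RoleArnPrefix" }

# On the federation server, paste aws-claim-rules.txt into the AWS relying party
# trust, or (AD FS module assumed present) apply it with:
#   Set-AdfsRelyingPartyTrust -TargetName 'Amazon Web Services' -IssuanceTransformRules $RuleText
```

Because the mapping is purely by name, an IAM role exists for a group only if both sides were created with matching suffixes (AWS-Production to ADFS-Production); a group with no matching role produces a Role claim that AssumeRoleWithSAML rejects, and a role with no matching group is simply unreachable through the IdP.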


Conclusion

To conclude, we have gone through the configuration steps for setting up ADFS integration with AWS, with the support of our AWS support services at Bobcares.
