
AWS SSO with Azure Active Directory
Introduction
Recently, in one of my projects, we had to set up AWS SSO with Azure AD as our primary identity provider. There are a couple of good reads available on the web, like this one from 2019, but things change quickly, so such guides become outdated fast. That is why I decided to write my own detailed guide!
Pre-requisites
Before we start, we need two things in place that are not covered in this guide:
- Azure Active Directory
- AWS SSO
Add Enterprise Application on Azure
Go to your Azure subscription. Navigate to Azure Active Directory, then in the menu on the left-hand side click Enterprise applications.
Click New application.
Click Create your own application, give it a meaningful name, select Integrate any other application you don't find in the gallery and click Create when ready.
We have created our Enterprise application; now let's go back to our AWS account.
Configure AWS SSO with external identity provider
Log into your AWS account, navigate to the AWS SSO service and click Choose your identity source.
Under Identity source settings, click Change.
You will be redirected to a new page with additional settings. On that page choose External identity provider. Scroll down to the Service provider metadata section and click Download metadata file. This file tells Azure AD where AWS expects the SAML assertion to be posted and under which entity ID; we are going to upload it to our Azure application. Leave this page open, we will need it later.
Now let's go back to our Enterprise application on Azure.
Configure Enterprise application
Navigate to the previously created Enterprise application and click Set up single sign-on.
On the next page choose SAML.
Upload the metadata file downloaded from the AWS SSO configuration and click Save in the next dialog.
Now you should see a link to download the Federation Metadata XML file, which we will upload to AWS SSO as IdP SAML metadata (you didn't close that page, right? (: ). This file carries Azure AD's entity ID, its sign-in URL and the certificate AWS will use to verify assertion signatures. If you can't see the link, please refresh the page.
Finish AWS SSO configuration
Go back to the AWS SSO configuration page and upload the Federation Metadata XML file from Azure as IdP SAML metadata. Click Review when ready.
Carefully read the warning message: it explains how switching the identity source affects the users, groups and assignments already present in AWS SSO. When ready, type ACCEPT in the text box and click the Change identity source button.
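Before typing ACCEPT, it is worth sanity-checking the two metadata files you just exchanged rather than trusting the uploads blindly: the IdP file must carry a signing certificate (otherwise AWS has nothing to verify assertions with), every endpoint must be https, and all Azure URLs must refer to the same tenant. The script below is an added example written for this post, not AWS or Microsoft tooling. The two XML documents are constructed to mimic the shape of Azure's Federation Metadata XML and of AWS SSO's service provider metadata; the tenant id, region, directory id, ACS path and certificate blob are placeholders, and the checks are the ones I would run on the real files.

```python
"""Pre-flight checks on the SAML metadata swapped between AWS SSO and Azure AD.

Added example for this guide (not AWS's or Microsoft's code). The XML below is
constructed to look like the real files; every id, URL and the certificate blob
is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder Azure tenant id

# Constructed sample of Azure's "Federation Metadata XML" (Signature element
# omitted, certificate is a placeholder string).
AZURE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample of the AWS SSO "Service provider metadata" download;
# region, directory id and ACS path are placeholders.
AWS_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-west-1.signin.aws.amazon.com/platform/saml/d-0000000000">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu-west-1.signin.aws.amazon.com/platform/saml/acs/placeholder"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def idp_summary(xml_text):
    """Pull entityID, number of signing certs and SSO endpoints out of IdP metadata."""
    root = ET.fromstring(xml_text)
    certs = root.findall("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs), "sso": sso}


def sp_summary(xml_text):
    """Pull entityID, ACS endpoints and accepted NameID formats out of SP metadata."""
    root = ET.fromstring(xml_text)
    return {"entity_id": root.get("entityID"),
            "acs": [a.get("Location") for a in
                    root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)],
            "name_id_formats": [n.text for n in
                                root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]}


def preflight(idp_xml, sp_xml):
    """List what should be fixed before typing ACCEPT; an empty list means it looks sane."""
    idp, sp = idp_summary(idp_xml), sp_summary(sp_xml)
    problems = []
    if idp["signing_certs"] == 0:
        problems.append("IdP metadata carries no signing certificate, so AWS could not verify assertions")
    if not idp["sso"]:
        problems.append("IdP metadata has no SingleSignOnService endpoint")
    if not sp["acs"]:
        problems.append("SP metadata has no AssertionConsumerService endpoint")
    urls = [("IdP entityID", idp["entity_id"]), ("SP entityID", sp["entity_id"])]
    urls += [(f"IdP SSO ({b})", u) for b, u in idp["sso"].items()]
    urls += [("SP ACS", u) for u in sp["acs"]]
    for label, url in urls:
        if not url or not url.startswith("https://"):
            problems.append(f"{label} is not an https URL: {url!r}")
    # Azure AD embeds the tenant id in both entityID and the SSO URLs; seeing
    # more than one id means metadata from different tenants got mixed up.
    tenants = set()
    for url in [idp["entity_id"], *idp["sso"].values()]:
        match = re.search(UUID, url or "")
        if match:
            tenants.add(match.group(0))
    if len(tenants) != 1:
        problems.append(f"expected exactly one Azure tenant id in IdP metadata, found {sorted(tenants)}")
    return problems


if __name__ == "__main__":
    for problem in preflight(AZURE_IDP_METADATA, AWS_SP_METADATA) or ["metadata looks sane"]:
        print(problem)
```

To use it on the real files, read the two downloads into the two string variables; the tenant-id check in particular catches the case where someone hands you metadata from a test tenant while the SSO URL points at production.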
Congrats! You have configured AWS SSO with Azure AD as your main identity provider. Now let's configure automatic provisioning of users and groups.
Enable automatic provisioning
Navigate to the AWS SSO console, click Settings and then click the Enable identity synchronization link. A new dialog will open with your SCIM endpoint address and Access token. Copy these values, you will need them later. Treat the access token as a password: it is a bearer credential that lets whoever holds it create, update and deactivate users and groups in AWS SSO, so keep it out of tickets and chat, and note that AWS expires it, so you will need to generate a new one and update Azure before then.
Let's go back to the Azure portal. Navigate to your Enterprise application and click Provisioning in the left-hand menu.
Set Provisioning mode to Automatic. Provide the Tenant URL (the SCIM endpoint) and Secret Token (the Access token). You can click the Test Connection button to verify that Azure can reach the SCIM endpoint with that token.
The Mappings section becomes available as soon as you hit Save with the SCIM endpoint and Access token fields populated. It's a good idea to set the Notification Email field so you get notified if synchronization fails. You can then set Provisioning Status to On.
Pro tip: Azure AD allows you to create a user without a First Name and Last Name, but AWS SSO won't accept such a user: its SCIM endpoint requires a user name, display name, given name and family name. Please pay attention to any synchronization errors in the provisioning logs; a user that fails for this reason is fixed by filling in the names in Azure AD, and the next cycle picks it up.
Last but not least, define the users and groups that you want synchronized from Azure AD to AWS SSO. To do this, navigate to your Enterprise application, click Users and groups in the left-hand menu and then the Add user button. With the default scope, only the users and groups assigned here are provisioned.
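The pro tip above is the kind of thing you would rather catch before turning provisioning on than find in the provisioning logs afterwards. The script below is an added example for this post, not Azure's or AWS's code: it takes user records in the shape Microsoft Graph returns for /users (the records are constructed, the names and UPNs invented), builds the SCIM User object that Azure's provisioning service would send under its default attribute mapping (userPrincipalName to userName, givenName and surname to name, accountEnabled to active; the exact source of externalId is an assumption here), and reports which users AWS SSO would reject for missing required attributes.

```python
"""Pre-flight check of Azure AD users against what AWS SSO's SCIM endpoint requires.

Added example for this guide, not Microsoft's or AWS's code. AZURE_USERS is
constructed sample data; the SCIM mapping follows Azure's defaults as an
assumption, and the required-attribute list is what AWS SSO needs per user:
userName, displayName, name.givenName and name.familyName.
"""

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

AZURE_USERS = [  # constructed sample records in Microsoft Graph /users shape
    {"id": "u-1", "userPrincipalName": "alice@example.com", "displayName": "Alice Adams",
     "givenName": "Alice", "surname": "Adams", "mail": "alice@example.com", "accountEnabled": True},
    # a service account created with neither first nor last name
    {"id": "u-2", "userPrincipalName": "svc-build@example.com", "displayName": "svc-build",
     "givenName": None, "surname": None, "mail": None, "accountEnabled": True},
    # a guest user whose last name is an empty string rather than null
    {"id": "u-3", "userPrincipalName": "bob_contoso.com#EXT#@example.onmicrosoft.com",
     "displayName": "Bob", "givenName": "Bob", "surname": "", "mail": "bob@contoso.com",
     "accountEnabled": False},
]


def to_scim_user(user):
    """Build the SCIM User that Azure AD would POST under its default mapping (assumed)."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": user["id"],
        "userName": user["userPrincipalName"],
        "displayName": user.get("displayName"),
        "name": {"givenName": user.get("givenName"), "familyName": user.get("surname")},
        "emails": ([{"value": user["mail"], "type": "work", "primary": True}]
                   if user.get("mail") else []),
        "active": bool(user.get("accountEnabled")),
    }


def validate_for_aws_sso(scim_user):
    """Return the reasons AWS SSO would reject this user; empty list means it is fine."""
    required = {
        "userName": scim_user.get("userName"),
        "displayName": scim_user.get("displayName"),
        "name.givenName": scim_user["name"].get("givenName"),
        "name.familyName": scim_user["name"].get("familyName"),
    }
    # Both None and whitespace-only strings count as missing.
    return [f"missing required attribute {attr}"
            for attr, value in required.items() if not (value and value.strip())]


def preflight(users):
    """Map each UPN that would fail provisioning to its list of problems."""
    report = {}
    for user in users:
        problems = validate_for_aws_sso(to_scim_user(user))
        if problems:
            report[user["userPrincipalName"]] = problems
    return report


if __name__ == "__main__":
    for upn, problems in preflight(AZURE_USERS).items():
        print(upn, "->", "; ".join(problems))
```

Run against a real export (for example the output of a Graph query over the users assigned to the Enterprise application) the report is the list of accounts to fix in Azure AD before enabling Provisioning Status, which saves a round of failed cycles and notification e-mails.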
You can now log in to your AWS accounts using the AWS SSO User portal URL or the myapplications.microsoft.com page. Note that login only works when the subject (NameID) in the SAML assertion matches the username provisioned over SCIM; with Azure's default mappings both come from the userPrincipalName, so if you change one mapping, change the other to match.
Closing remarks
I hope you will find this guide useful.
I would like to thank my team mate Guru for help with the screenshots! ;)