AWS Architecture Blog

Field Notes: Automate SAML 2.0 Federation using AWS Control Tower and Azure Active Directory

Some AWS Control Tower customers have adopted Azure Active Directory as their Identity Provider (IdP) and wish to keep authentication and authorization within the IdP. When setting up federation from Azure Active Directory a tutorial is often consulted which describes how to integrate Azure AD single sign-on with AWS. The tutorial uses an IAM user with programmatic access into each account to retrieve IAM roles which are then mapped to groups of users within Azure Active Directory. This meets their requirements by keeping both authentication and authorization within the IdP.

This post shows how you can streamline the configuration of SAML 2.0 federation from Azure Active Directory with AWS Control Tower and the Customizations for AWS Control Tower solution.  As a result, you experience a more efficient process for enabling federation across your AWS accounts.

Overview of solution

This solution is based upon an AWS prescriptive guidance solution for automating SAML 2.0 federation for AWS multi-account environments that use Azure Active Directory. It is implemented for AWS Control Tower customers using the Customizations for AWS Control Tower solution.

Let’s first consider a typical workflow to enable Azure Active Directory federation into a new member account. In this workflow there are two roles, 1) an Azure Active Directory admin responsible for configuring federation into AWS and 2) a CloudOps admin responsible for creating a new account. The workflow goes as follows:

  • An Azure AD admin creates a new Enterprise Application (EA) for AWS Single-Account Access and provides the SAML metadata to a CloudOps admin.
  • A CloudOps admin creates a new member account within AWS and creates the IdP in the new account.
  • The CloudOps admin logs into the new account and performs the following actions:
    • Creates the IAM user for Azure AD user provisioning
    • Generate programmatic access keys for the IAM user
    • Provides the access keys to the Azure AD admin
  • The Azure Active Directory admin enables provisioning within the Enterprise Application using the access keys and then maps the roles accordingly.

As a best practice, customers may adopt a cycle of regular access key rotation. Each time the keys are rotated, the Azure Active Directory admin must go through the CloudOps admin to obtain the new access keys.

We can simplify this process through automation. This reduces manual effort and provides a secure means for the Azure Active Directory admin to directly obtain the programmatic access keys. The workflow for enabling Azure Active Directory federation into a new member account would look like this:

  1. An Azure AD admin creates a new Enterprise Application for AWS Single-Account Access and provides the SAML metadata to a CloudOps admin.
  2. A CloudOps admin creates a new member account within AWS and creates the IdP.
  3. The Azure AD admin logs into the new account, securely obtains the IAM user programmatic access keys, and enables provisioning within the Enterprise Application.

The following diagram shows the solution architecture and workflow to enable federation for a new account.

Azure AD Reference Architecture

Walkthrough

To set up this solution, we perform the following steps:

  1. Create a StackSet using the Customizations for AWS Control Tower solution
  2. Enable federation to the management account using the AzureAdFederationAdminRole

Once set up, we can then configure provisioning within the Azure Active Directory Enterprise Application for AWS Single-Account Access for each account.

The CloudFormation templates for AWS Control Tower Customizations to automate SAML 2.0 Federation with Azure Active Directory can be found on GitHub.

Prerequisites

For this solution, you will need to meet the following prerequisites:

  • AWS Control Tower with the Customizations for AWS Control Tower solution deployed.
  • An Azure AD Enterprise Application for AWS Single-Account Access has been created for the AWS management account and the account is configured with the IAM identity provider.
  • An Azure AD Enterprise Application for AWS Single-Account Access has been created for each AWS member account and the account is configured with the IAM identity provider.

Configure the Control Tower Customization Solution

The first step is to configure the Customizations for AWS Control Tower solution with a new template to support the Azure AD required resources.

  1. Download the yaml template files from GitHub into your templates folder of your control tower customization solution repo.
  2. Configure your manifest.yaml file to deploy the azuread-fed-management-account.yaml as a StackSet to your management account.
  3. Configure your manifest.yaml file to deploy the azuread-fed-member-account.yaml as a StackSet to all of your other accounts by specifying the appropriate top level Organization Units. Your manifest.yaml file should now look similar to the following code sample.
#=============================================================
  # Azure AD Federation - Management Account
  #=============================================================
  - name: azure-ad-federation-automation-management
    resource_file: templates/azuread-fed-management-account.yaml
    parameters:
      - parameter_key: OrganizationId
        parameter_value: "o-aaa111bbb2222"
      - parameter_key: SAMLProviderName
        parameter_value: "aad"
      - parameter_key: IAMUserName
        parameter_value: "AzureADAutomationUser"
      - parameter_key: IAMUserGroupName
        parameter_value: "AzureADAutomationGroup"
      - parameter_key: AzureAdFederationAdminRoleName
        parameter_value: "AzureAdFederationAdminRole"
      - parameter_key: AzureAdFederationAssumeRoleName
        parameter_value: "AzureAdFederationAssumeRole"
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - 111122223333
    regions:
      - us-east-1

  #=============================================================
  # Azure AD Federation - All Member Accounts
  #=============================================================
  - name: azure-ad-federation-automation-management
    resource_file: templates/azuread-fed-management-account.yaml
    parameters:
      - parameter_key: ManagementAccountId
        parameter_value: "111122223333"
      - parameter_key: IAMUserName
        parameter_value: "AzureADAutomationUser"
      - parameter_key: IAMUserGroupName
        parameter_value: "AzureADAutomationGroup"
      - parameter_key: AzureAdFederationAdminRoleName
        parameter_value: "AzureAdFederationAdminRole"
      - parameter_key: AzureAdFederationAssumeRoleName
        parameter_value: "AzureAdFederationAssumeRole"
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Core
        - infrastructure
        - workloads
    regions:
      - us-east-1

4. Commit and push the changes. Monitor the stacks until they are all deployed.

Configure the management account

The management account now has the IAM user secrets needed for Azure Active Directory provisioning. Follow these steps to configure Azure Active Directory provisioning for the management account.

  1. From the management account, log in to the AWS Secrets Manager console.
  2. Navigate to the AzureADFederation/CFNUserSecretAccessKey secret and retrieve the stored secrets.
  3. In the Azure AD EA for the management account:
      1. a. Enable user provisioning using the secret values; AccessKey and SecretKey.
                 b. Map the synced AzureAdFederationAdminRole to the appropriate group in Active Directory.

Configure the member accounts

All of the member accounts can now be configured with Azure Active Directory provisioning.

  • Federate into the management account using the AzureAdFederationAdminRole.
  • For each member account, follow these steps:
    1. Switch role to the member account using the account Id and the AzureAdFederationAssumeRole.
    2. Access the AWS Secrets Manager console.
    3. Choose the AzureADFederation/CFNUserSecretAccessKey secret and retrieve the stored secrets.
    4. In the Azure AD EA for the management account, enable user provisioning using the secret values AccessKey and SecretKey.

 

The following diagram visualizes the process of configuring user provisioning for the member accounts.

Azure AD Architecture Diagram

 

Conclusion

In this post, I demonstrated how customers using the Customizations for AWS Control Tower solution can use Azure Active Directory single sign-on and enable SAML 2.0 federation faster in their AWS accounts while maintaining Azure Active Directory as the source of authentication and authorization.

The solution uses automation to accelerate the onboarding of new member accounts by securely allowing Active Directory admins to directly configure user provisioning. Review the GitHub code and get started using this solution today in your AWS Control Tower environment.

Field Notes provides hands-on technical guidance from AWS Solutions Architects, consultants, and technical account managers, based on their experiences in the field solving real-world business problems for customers.

 

TAGS:
Adam Spicer

Adam Spicer

Adam Spicer is a Senior Migration Delivery Consultant for AWS Professional Services. He works with enterprise customers to design and build their cloud infrastructure and automation to accelerate their migration to AWS. He is an avid FSU Seminole fan who loves to be on outdoor adventures with his family.