AWS Architecture Blog
Field Notes: Automate SAML 2.0 Federation using AWS Control Tower and Azure Active Directory
Some AWS Control Tower customers have adopted Azure Active Directory as their Identity Provider (IdP) and wish to keep authentication and authorization within the IdP. When setting up federation from Azure Active Directory, they often consult a tutorial that describes how to integrate Azure AD single sign-on with AWS. The tutorial uses an IAM user with programmatic access in each account to retrieve the account's IAM roles, which are then mapped to groups of users within Azure Active Directory. This meets their requirements by keeping both authentication and authorization within the IdP.
This post shows how you can streamline the configuration of SAML 2.0 federation from Azure Active Directory with AWS Control Tower and the Customizations for AWS Control Tower solution. As a result, you experience a more efficient process for enabling federation across your AWS accounts.
Overview of solution
This solution is based upon an AWS prescriptive guidance solution for automating SAML 2.0 federation for AWS multi-account environments that use Azure Active Directory. It is implemented for AWS Control Tower customers using the Customizations for AWS Control Tower solution.
Let’s first consider a typical workflow to enable Azure Active Directory federation into a new member account. In this workflow there are two roles: 1) an Azure Active Directory admin responsible for configuring federation into AWS, and 2) a CloudOps admin responsible for creating a new account. The workflow goes as follows:
- An Azure AD admin creates a new Enterprise Application (EA) for AWS Single-Account Access and provides the SAML metadata to a CloudOps admin.
- A CloudOps admin creates a new member account within AWS and creates the IdP in the new account.
- The CloudOps admin logs into the new account and performs the following actions:
  - Creates the IAM user for Azure AD user provisioning
  - Generates programmatic access keys for the IAM user
  - Provides the access keys to the Azure AD admin
- The Azure Active Directory admin enables provisioning within the Enterprise Application using the access keys and then maps the roles accordingly.
As a best practice, customers may adopt a cycle of regular access key rotation. Each time the keys are rotated, the Azure Active Directory admin must go through the CloudOps admin to obtain the new access keys.
We can simplify this process through automation. This reduces manual effort and provides a secure means for the Azure Active Directory admin to directly obtain the programmatic access keys. The workflow for enabling Azure Active Directory federation into a new member account would look like this:
- An Azure AD admin creates a new Enterprise Application for AWS Single-Account Access and provides the SAML metadata to a CloudOps admin.
- A CloudOps admin creates a new member account within AWS and creates the IdP.
- The Azure AD admin logs into the new account, securely obtains the IAM user programmatic access keys, and enables provisioning within the Enterprise Application.
The following diagram shows the solution architecture and workflow to enable federation for a new account.
Walkthrough
To set up this solution, we perform the following steps:
- Create a StackSet using the Customizations for AWS Control Tower solution
- Enable federation to the management account using the AzureAdFederationAdminRole
Once set up, we can then configure provisioning within the Azure Active Directory Enterprise Application for AWS Single-Account Access for each account.
The CloudFormation templates for AWS Control Tower Customizations to automate SAML 2.0 Federation with Azure Active Directory can be found on GitHub.
Prerequisites
For this solution, you will need to meet the following prerequisites:
- AWS Control Tower with the Customizations for AWS Control Tower solution deployed.
- An Azure AD Enterprise Application for AWS Single-Account Access has been created for the AWS management account and the account is configured with the IAM identity provider.
- An Azure AD Enterprise Application for AWS Single-Account Access has been created for each AWS member account and the account is configured with the IAM identity provider.
Configure the Control Tower Customization Solution
The first step is to configure the Customizations for AWS Control Tower solution with a new template to support the Azure AD required resources.
1. Download the YAML template files from GitHub into the templates folder of your Customizations for AWS Control Tower repository.
2. Configure your manifest.yaml file to deploy azuread-fed-management-account.yaml as a StackSet to your management account.
3. Configure your manifest.yaml file to deploy azuread-fed-member-account.yaml as a StackSet to all of your other accounts by specifying the appropriate top-level Organizational Units. Your manifest.yaml file should now look similar to the following code sample (the second entry deploys the member-account template, not the management-account template again).

```yaml
#=============================================================
# Azure AD Federation - Management Account
#=============================================================
- name: azure-ad-federation-automation-management
  resource_file: templates/azuread-fed-management-account.yaml
  parameters:
    - parameter_key: OrganizationId
      parameter_value: "o-aaa111bbb2222"
    - parameter_key: SAMLProviderName
      parameter_value: "aad"
    - parameter_key: IAMUserName
      parameter_value: "AzureADAutomationUser"
    - parameter_key: IAMUserGroupName
      parameter_value: "AzureADAutomationGroup"
    - parameter_key: AzureAdFederationAdminRoleName
      parameter_value: "AzureAdFederationAdminRole"
    - parameter_key: AzureAdFederationAssumeRoleName
      parameter_value: "AzureAdFederationAssumeRole"
  deploy_method: stack_set
  deployment_targets:
    accounts:
      - 111122223333
    regions:
      - us-east-1
#=============================================================
# Azure AD Federation - All Member Accounts
#=============================================================
- name: azure-ad-federation-automation-member
  resource_file: templates/azuread-fed-member-account.yaml
  parameters:
    - parameter_key: ManagementAccountId
      parameter_value: "111122223333"
    - parameter_key: IAMUserName
      parameter_value: "AzureADAutomationUser"
    - parameter_key: IAMUserGroupName
      parameter_value: "AzureADAutomationGroup"
    - parameter_key: AzureAdFederationAdminRoleName
      parameter_value: "AzureAdFederationAdminRole"
    - parameter_key: AzureAdFederationAssumeRoleName
      parameter_value: "AzureAdFederationAssumeRole"
  deploy_method: stack_set
  deployment_targets:
    organizational_units:
      - Core
      - infrastructure
      - workloads
    regions:
      - us-east-1
```

4. Commit and push the changes. Monitor the stacks until they are all deployed.
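To make the pieces the manifest refers to concrete, the following is an illustrative CloudFormation template for a member account. It is an added example written for this post, not the template published in the solution's GitHub repository (which may be structured differently). It reuses the parameter, role and secret names from the manifest above and assumes that the provisioning user needs only iam:ListRoles, the permission the Azure AD provisioning connector uses to enumerate roles; the Serial property, the secret's resource policy and the BlockPublicPolicy setting are design choices of this example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative member-account resources for Azure AD provisioning (example only)

Parameters:
  ManagementAccountId:
    Type: String
    Description: Account that hosts the AzureAdFederationAdminRole
  IAMUserName:
    Type: String
    Default: AzureADAutomationUser
  IAMUserGroupName:
    Type: String
    Default: AzureADAutomationGroup
  AzureAdFederationAdminRoleName:
    Type: String
    Default: AzureAdFederationAdminRole
  AzureAdFederationAssumeRoleName:
    Type: String
    Default: AzureAdFederationAssumeRole

Resources:
  # The only permission the provisioning connector needs in the account is
  # to enumerate IAM roles so they can be mapped to Azure AD groups.
  ProvisioningGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Ref IAMUserGroupName
      Policies:
        - PolicyName: AzureAdListRoles
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: iam:ListRoles
                Resource: "*"

  ProvisioningUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref IAMUserName
      Groups:
        - !Ref ProvisioningGroup

  # CloudFormation creates the key and writes it straight into Secrets Manager,
  # so no CloudOps admin ever handles it. Bumping Serial rotates the key.
  ProvisioningAccessKey:
    Type: AWS::IAM::AccessKey
    Properties:
      UserName: !Ref ProvisioningUser
      Serial: 1

  ProvisioningSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: AzureADFederation/CFNUserSecretAccessKey
      SecretString: !Sub
        - '{"AccessKey":"${KeyId}","SecretKey":"${KeySecret}"}'
        - KeyId: !Ref ProvisioningAccessKey
          KeySecret: !GetAtt ProvisioningAccessKey.SecretAccessKey

  # Cross-account role the Azure AD admin switches into from the management
  # account. It may read this one secret and nothing else.
  AssumeRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref AzureAdFederationAssumeRoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${ManagementAccountId}:role/${AzureAdFederationAdminRoleName}"
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadProvisioningSecret
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref ProvisioningSecret

  # Deny reads from every principal except that role, so broad IAM permissions
  # elsewhere in the member account cannot expose the provisioning key.
  ProvisioningSecretPolicy:
    Type: AWS::SecretsManager::ResourcePolicy
    Properties:
      SecretId: !Ref ProvisioningSecret
      BlockPublicPolicy: true
      ResourcePolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal: "*"
            Action: secretsmanager:GetSecretValue
            Resource: "*"
            Condition:
              StringNotEquals:
                aws:PrincipalArn: !GetAtt AssumeRole.Arn
```

Because aws:PrincipalArn resolves to the role ARN for an assumed-role session, the Deny statement exempts sessions of AzureAdFederationAssumeRole while blocking every other principal in the account, including administrators. Rotating the key then means changing Serial and redeploying, which replaces the key and rewrites the secret without anyone reading the old value.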
Configure the management account
The management account now has the IAM user secrets needed for Azure Active Directory provisioning. Follow these steps to configure Azure Active Directory provisioning for the management account.
- From the management account, log in to the AWS Secrets Manager console.
- Navigate to the AzureADFederation/CFNUserSecretAccessKey secret and retrieve the stored secrets.
- In the Azure AD EA for the management account:
  a. Enable user provisioning using the secret values AccessKey and SecretKey.
  b. Map the synced AzureAdFederationAdminRole to the appropriate group in Azure Active Directory.
Configure the member accounts
All of the member accounts can now be configured with Azure Active Directory provisioning.
- Federate into the management account using the AzureAdFederationAdminRole.
- For each member account, follow these steps:
  - Switch role to the member account using the account ID and the AzureAdFederationAssumeRole.
  - Access the AWS Secrets Manager console.
  - Choose the AzureADFederation/CFNUserSecretAccessKey secret and retrieve the stored secrets.
  - In the Azure AD EA for that member account, enable user provisioning using the secret values AccessKey and SecretKey.
The following diagram visualizes the process of configuring user provisioning for the member accounts.
Conclusion
In this post, I demonstrated how customers using the Customizations for AWS Control Tower solution can use Azure Active Directory single sign-on and enable SAML 2.0 federation faster in their AWS accounts while maintaining Azure Active Directory as the source of authentication and authorization.
The solution uses automation to accelerate the onboarding of new member accounts by securely allowing Active Directory admins to directly configure user provisioning. Review the GitHub code and get started using this solution today in your AWS Control Tower environment.
Field Notes provides hands-on technical guidance from AWS Solutions Architects, consultants, and technical account managers, based on their experiences in the field solving real-world business problems for customers.