AWS Official Blog

New release: tutorial for ADFS with Amazon EC2

by Jeff Barr | in Amazon EC2, Announcements, Security, Windows

In January I wrote about the availability of a conceptual whitepaper describing various scenarios for using Windows ADFS to federate with services running on Amazon EC2 and mentioned that a step-by-step guide was forthcoming. I’m very pleased to announce that the guide is now finished and available for download. To give you a flavor of what you can learn by following the steps in the guide, I’ll quote from its introduction:

This document provides step-by-step instructions for creating a test lab demonstrating identity federation between an on-premises Windows Server Active Directory domain and an ASP.NET web application hosted on Amazon’s Elastic Compute Cloud (EC2) service, using Microsoft’s Active Directory Federation Services (ADFS) technology. The document is organized in a series of scenarios, with each building on the ones before it. It is strongly recommended that the reader follow the document’s instructions in the order they are presented. The scenarios covered are:

  1. Corporate application, accessed internally: Domain-joined Windows client (i.e. in the corporate office) accessing an Amazon EC2-hosted application operated by the same company, using ADFS v1.1.
  2. Corporate application, accessed from anywhere: External, non-domain-joined client (i.e. at the coffee shop) accessing the same EC2-hosted application, using ADFS v1.1 with an ADFS proxy. In addition to external (forms-based) authentication, the proxy also provides added security for the corporate federation server.
  3. Service provider application: Domain-joined and external Windows clients accessing an EC2-hosted application operated by a service provider, using one ADFS v1.1 federation server for each organization (with the service provider’s federation server hosted in EC2) and a federated trust between the parties.
  4. Service provider application with added security: The same clients accessing the same vendor-owned EC2-hosted application, but with an ADFS proxy deployed by the software vendor for security purposes.
  5. Corporate application, accessed internally (ADFS 2.0): Domain-joined Windows client accessing an EC2-based application owned by the same organization (same as Scenario 1), but using the currently-in-beta ADFS 2.0 as the federation server and the recently-released Windows Identity Foundation (WIF) .NET libraries on the web server.
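Scenario 5 puts WIF on the EC2 web server as the relying party for an ADFS 2.0 federation server. The web.config below is an added illustration of what that relying-party side looks like; it is not taken from the guide or from AWS, and every hostname, realm and the signing-certificate thumbprint are constructed placeholders. The WIF 1.0 (Microsoft.IdentityModel 3.5.0.0) element and type names are the library's real ones. The three settings a reviewer should look for are the `audienceUris` list (the application rejects tokens issued for any other relying party), the pinned token-signing certificate thumbprint in `issuerNameRegistry` (only tokens signed by that ADFS server are trusted), and `requireHttps`/`requireSsl` (the sign-in redirect and the session cookie never travel in the clear, which matters most for the internet-facing clients of Scenarios 2 and 4).

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- Registers the WIF configuration section used below -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <!-- ASP.NET does no authentication of its own; the WIF modules handle it -->
    <authentication mode="None" />
    <!-- Deny anonymous users so every request is redirected to ADFS for sign-in -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- The WS-Federation token is POSTed back as XML, which ASP.NET request
         validation would otherwise block. Disabling it site-wide is the
         .NET 3.5-era approach; scope it to the sign-in page where possible. -->
    <pages validateRequest="false" />
    <httpModules>
      <!-- Redirects unauthenticated users to the STS and validates the returned token -->
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <!-- Turns the validated token into a protected session cookie -->
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>

  <microsoft.identityModel>
    <service>
      <!-- Only tokens whose audience is this application are accepted;
           a token issued to a different relying party is rejected.
           Hostname is a constructed placeholder. -->
      <audienceUris>
        <add value="https://app.example.com/" />
      </audienceUris>

      <federatedAuthentication>
        <!-- issuer: the ADFS 2.0 passive sign-in endpoint (placeholder host)
             realm: the identifier this application presents to ADFS
             requireHttps: refuse to redirect to a non-TLS issuer -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://adfs.example.com/adfs/ls/"
                      realm="https://app.example.com/"
                      requireHttps="true" />
        <!-- Session cookie is only sent over TLS -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>

      <!-- Pin the ADFS token-signing certificate: a token signed by any
           other key, however valid its chain, is not trusted.
           Thumbprint value is a placeholder to be replaced with the real one. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="PLACEHOLDER_ADFS_TOKEN_SIGNING_CERT_THUMBPRINT"
               name="http://adfs.example.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

On IIS 7 in integrated pipeline mode the two modules are registered under `system.webServer/modules` instead of `system.web/httpModules`; the WIF section is unchanged. When ADFS rolls its token-signing certificate, the pinned thumbprint must be updated or sign-ins will fail closed, which is the intended behaviour of the pin.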

We hope you find this information useful and that it helps to simplify migrating existing applications or developing entirely new solutions that leverage the power of Amazon EC2 with your existing internal IT environment.

> Steve <