Using Single Sign-on with Azure Active Directory and Cloud Migration Factory for simplified identity management
In this blog post we’ll look at how to configure the AWS Cloud Migration Factory (CMF) solution to use SAML authentication. We will use an existing identity provider (in this case Azure Active Directory); however, the same approach works with any IdP that offers SAML authentication. By federating existing logins and accounts with CMF, the operational overhead of managing multiple accounts is reduced and security is improved through central management of corporate identities.
Beyond the solution described in this post, there are additional use cases where SSO integrates with AWS via AWS IAM Identity Center (successor to AWS Single Sign-On). One common example is to enable a single sign-on access to cloud-based applications.
Overview of Cloud Migration Factory
The Cloud Migration Factory is a solution built by AWS which allows you to perform migrations to AWS at scale. It is deployed via AWS CloudFormation into an existing AWS account and provides all the backend components to scale and accelerate migrations. It uses automation scripts and leverages the AWS Application Migration Service.
In addition, a front-end, web-based GUI is provided for teams to manage the migration and keep track of progress. To access the GUI, CMF users are created and assigned a role (for example Administrator and Read-Only), within an Amazon Cognito user pool. Many customers have an existing Identity Provider (IdP). Managing a second set of credentials adds to operational overhead and may not conform to existing security policies.
To understand the benefits of Single Sign On (SSO) and its operation, please review this What is SSO document.
Please review the CMF implementation guide to deploy the CMF solution. IMPORTANT: When deploying the CloudFormation template, you must set the Allow additional identity provider to be configured in Cognito parameter to true. This will configure Amazon Cognito to allow SAML identity providers to be added to Amazon Cognito and used to sign in.
SSO Integration with Cloud Migration Factory
First, we will need to extract some information from the Amazon Cognito deployment as part of the Cloud Migration Factory.
- Navigate to the AWS CloudFormation console and select the Cloud Migration Factory on AWS stack.
- Select the Outputs tab.
- In the Key column, locate UserPoolId and record the Value to use later during setup.
- Navigate to the Amazon Cognito console.
- Choose the User pool that matches the User pool ID from the solution stack output.
- Choose the App Integration tab and record the Cognito domain to use later during setup.
Figure 1: How to locate the UserPoolID from within Amazon Cognito.
Figure 2: How to locate the Cognito Domain from the “App Integration” tab within Amazon Cognito.
We’ll start by creating a new application in Azure.
- Navigate to the Azure Active Directory homepage.
- In the left-hand side panel, select Enterprise Applications. Then, choose the + New Application button.
- On the Browse Azure AD Gallery page select the + Create your own application option.
- In the pop-up menu that appears on the right-hand side, enter the name of your application (e.g. AWS Cloud Migration Factory). Then select the radio button next to Integrate any other application you don’t find in the gallery (Non-gallery).
- Choose Create. The new application will now be added to the list of Enterprise Applications with Azure AD.
Figure 3: How to create a new application within Azure AD.
Figure 4: Creating and registering a custom enterprise application within Azure AD
Next let’s configure the new application to use SSO. There are several ways to configure an application for SSO; we are using SAML in this example.
- Cloud applications can use OpenID Connect, OAuth, SAML, password-based, or linked for SSO.
- On-premises applications can use password-based, Integrated Windows Authentication, header-based, or linked for SSO.
- On the AWS CMF Overview page, choose Get started on the box that says Set up single sign on.
- Select the SAML option as the mechanism used to enforce single sign on.
Figure 5: Configuring single sign on for the enterprise application created in Azure AD.
Figure 6: Here we are selecting SAML as the mechanism to enforce SSO.
Now we’ll set up the trust between Amazon Cognito (specifically the user pool for Cloud Migration Factory) and Azure AD.
- In the Basic SAML Configuration select the Edit button to update the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
- Populate the Identifier (Entity ID) in the following format: urn:amazon:cognito:sp:<UserPoolId recorded earlier>. The Entity ID is the unique identifier by which the IdP recognizes your Amazon Cognito user pool.
- Populate the Reply URL (Assertion Consumer Service URL) in the following format: https://<Amazon Cognito domain recorded earlier>/saml2/idpresponse. This is the URL that Azure AD will redirect to after you have successfully authenticated.
- Download the metadata file required to complete the Amazon Cognito configuration.
- Make note of the Attributes and claims section for use in step 3 of the next section. These claims provide user information inside the SAML token that is passed to Amazon Cognito.
Figure 7: Configuring the SAML properties within the Azure AD console
Figure 8: How to download the XML Metadata file from Microsoft Azure AD.
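The two values entered above follow a fixed pattern, and the downloaded metadata file is exactly what Amazon Cognito will trust, so both are worth checking before moving on. The following is an added example, not part of the original post or of the CMF solution, that builds the Entity ID and Reply URL from a recorded user pool ID and Cognito domain and sanity-checks an IdP metadata document: the root must be an EntityDescriptor containing an IDPSSODescriptor, it must carry a signing certificate, and its single sign-on endpoints must be HTTPS. The user pool ID, tenant ID and certificate in the embedded sample are constructed placeholders.

```python
"""Derive the Cognito service-provider values for the Basic SAML Configuration and
sanity-check the IdP metadata file downloaded from Azure AD (added example)."""
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from an untrusted source

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Cognito user pool IDs look like <region>_<alphanumeric>, e.g. us-east-1_EXAMPLEID (placeholder).
USER_POOL_ID_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d+_[A-Za-z0-9]+")


def looks_like_user_pool_id(user_pool_id: str) -> bool:
    return USER_POOL_ID_RE.fullmatch(user_pool_id) is not None


def cognito_entity_id(user_pool_id: str) -> str:
    """Identifier (Entity ID) that names the user pool as the SAML service provider."""
    if not looks_like_user_pool_id(user_pool_id):
        raise ValueError(f"not a Cognito user pool id: {user_pool_id!r}")
    return f"urn:amazon:cognito:sp:{user_pool_id}"


def cognito_reply_url(cognito_domain: str) -> str:
    """Reply URL (Assertion Consumer Service URL): the SAML endpoint of the Cognito domain.
    Accepts the domain with or without the https:// prefix shown in the console."""
    domain = cognito_domain.strip()
    if domain.startswith("https://"):
        domain = domain[len("https://"):]
    domain = domain.rstrip("/")
    if not domain or "/" in domain or "." not in domain:
        raise ValueError(f"not a Cognito domain: {cognito_domain!r}")
    return f"https://{domain}/saml2/idpresponse"


def check_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entity ID, SSO endpoints and signing-certificate count, or raise
    ValueError when the document is not usable as a Cognito SAML identity provider."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a key without 'use' serves both purposes
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text and cert.text.strip():
                signing_certs.append(cert.text.strip())
    if not signing_certs:
        raise ValueError("no signing certificate: Cognito could not verify assertion signatures")

    sso_endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"single sign-on endpoint is not HTTPS: {location!r}")
        sso_endpoints[binding] = location
    if not sso_endpoints:
        raise ValueError("no SingleSignOnService endpoint in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": sso_endpoints,
        "signing_certs": len(signing_certs),
    }


# Constructed sample shaped like Azure AD federation metadata; tenant ID and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    print(cognito_entity_id("us-east-1_EXAMPLEID"))
    print(cognito_reply_url("https://cmf-example.auth.us-east-1.amazoncognito.com"))
    print(check_idp_metadata(SAMPLE_METADATA))
```

Run it against the real file with `check_idp_metadata(open("federationmetadata.xml").read())`; the returned entity ID should be the Azure AD tenant's issuer URL, which is also what the Issuer element of every assertion will carry.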
AWS Configuration Continued
Now we need to complete the configuration within the Amazon Cognito console.
- Open the Amazon Cognito console and select the Cloud Migration Factory user pool. Then select Sign-in experience and choose Add identity provider. Choose SAML, and choose Add identity provider.
- Scroll down to the Metadata document source and choose Choose file. Upload the metadata file which you downloaded from Azure.
- In the Map attributes section, choose Add another attribute.
- Choose email for the User pool attribute value. For the SAML attribute, enter the name of the attribute in which your external IdP will provide the email address (e.g. user.mail).
- Choose Add identity provider to save this configuration.
- Choose the App integration tab.
- From within the App client list section, choose the migration factory application client (there should only be one listed) by selecting the name.
- From the Hosted UI section, choose Edit.
- Update the Identity providers selected by selecting the new IdP name you added (in this case Azure AD) and deselecting Cognito User Pool.
- Choose Save changes.
Figure 9: Adding Azure AD as an identity provider in Amazon Cognito
Figure 10: Upload the metadata file that was downloaded from Azure AD
Figure 11: Providing the mapping between the Identity Provider and Amazon Cognito
Figure 12: Selecting AzureAD to be the IDP of choice for this Cognito Application
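Once the hosted UI is switched to the new IdP, a mis-typed SAML attribute name or a wrong Entity ID shows up only as a failed login. The following is an added example, not from the original post or the CMF solution, that decodes a SAMLResponse as posted to the /saml2/idpresponse endpoint and checks it against the values configured above: the Destination and Recipient should equal the Reply URL, the Audience should equal the Entity ID, and the claim named in the Cognito attribute mapping must be present. It assumes Azure AD's default claim name for user.mail (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress); confirm that against the Attributes & claims section of the enterprise application. The embedded response is constructed and unsigned; a real one carries an XML signature that Cognito verifies with the metadata certificate.

```python
"""Inspect a SAMLResponse as posted to Cognito's /saml2/idpresponse endpoint and confirm it
matches the SP settings and carries the claim used in the attribute mapping (added example)."""
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for responses from an untrusted source

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Azure AD's default claim name for the user.mail source attribute (assumed default; confirm
# it in the enterprise application's "Attributes & claims" section).
AZURE_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse form field of the HTTP-POST binding is plain base64 (not deflated)."""
    return base64.b64decode(form_value).decode("utf-8")


def encode_saml_response(xml_text: str) -> str:
    """Inverse of decode_saml_response; used here only to build a sample form value."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_saml_response(xml_text: str, expected_entity_id: str, expected_reply_url: str) -> dict:
    """Return {'problems': [...], 'attributes': {...}, 'email': ...} for a decoded response."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document is not a samlp:Response")
    problems = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != expected_reply_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the Reply URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return {"problems": problems, "attributes": {}, "email": None}

    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity ID {expected_entity_id!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") != expected_reply_url:
        problems.append("SubjectConfirmationData Recipient is not the Reply URL")

    # Attribute names here are what goes in Cognito's "SAML attribute" mapping field.
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    email = attributes.get(AZURE_EMAIL_CLAIM, [None])[0]
    if email is None:
        problems.append(f"claim {AZURE_EMAIL_CLAIM} missing: the email mapping would stay empty")
    return {"problems": problems, "attributes": attributes, "email": email}


# Constructed, unsigned sample; tenant ID, user pool ID and domain are placeholders.
ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_EXAMPLEID"
REPLY_URL = "https://cmf-example.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    Destination="{REPLY_URL}">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{REPLY_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{AZURE_EMAIL_CLAIM}">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    form_value = encode_saml_response(SAMPLE_RESPONSE)  # as seen in the browser's POST body
    print(inspect_saml_response(decode_saml_response(form_value), ENTITY_ID, REPLY_URL))
```

When the returned `problems` list is empty and `email` is populated, the attribute mapping and the Basic SAML Configuration agree; an Audience mismatch usually means the user pool ID was typed into the Identifier with a typo, and a missing claim means the name in the Cognito mapping does not match what Azure AD actually emits.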
To validate that the federation is working, navigate to the log-in page for your Cloud Migration Factory web GUI. This is the Amazon CloudFront distribution that was created as part of the AWS CloudFormation stack. You will see the following:
Figure 13: Amazon Cognito log-in page with a new option to sign in with a corporate ID
Choose Sign in with your corporate ID and then choose the IdP defined in this blog. You will now be navigated to the IdP log-in page where you can enter your Azure AD credentials. The SSO process will initialize, redirecting back to the CMF application and automatically logging you in.
Please review these special considerations for any identity provider (IdP) to interoperate successfully with AWS IAM Identity Center.
To clean up the environment, delete the following:
- The Cloud Migration Factory CloudFormation stack
- The Azure AD Enterprise Application
This post explored how to set up the AWS Cloud Migration Factory solution to use SAML authentication through an existing identity provider. This is a significant improvement, as it reduces the operational overhead of managing users and improves security by centrally managing corporate identities. To dive deeper into CMF and understand how it can benefit your needs, please review the solution overview.