I want to use Active Directory Federation Services (AD FS) as Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool. How do I set up AD FS on an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance?

Set up an AD FS server and domain controller using Server Manager on an EC2 Windows instance.

Note: Before you begin, see the instructions in How do I set up AD FS as SAML identity provider with an Amazon Cognito user pool? You'll need an Amazon Cognito user pool with an app client to complete the setup in this article.

You'll also need a domain name that you own. If you don't own a domain, you can register a new domain with Amazon Route 53 or another Domain Name System (DNS) service.

Configure and launch an EC2 Windows instance

  1. Open the Amazon EC2 console.
  2. From the console dashboard, choose Launch Instance to start the Launch Instance wizard.
  3. On the Choose an Amazon Machine Image (AMI) page, choose an AMI for Windows Server, such as the Microsoft Windows Server 2016 Base AMI. For more information, see Finding a Windows AMI.
  4. On the Configure Security Group page, create a security group for your instance, and then add these rules to it:
    Type:
    RDP
    Source:
    an IP address in CIDR notation (a.b.c.d/z), or a CIDR block
    Note:
    For the IP address or block you specify in Source, it's a best practice to use a set of whitelisted IP addresses.

    Type:
    HTTP
    Source:
    Anywhere

    Type:
    HTTPS
    Source:
    Anywhere

    For more information, see Amazon EC2 Security Groups for Windows Instances and Adding Rules to a Security Group.
  5. On the Review Instance Launch page, choose Launch.
  6. In the Select an existing key pair or create a new key pair dialog, follow the instructions to choose an existing key pair. Or, create a new one. For more information, see Amazon EC2 Key Pairs.

    Important:
    Save the private key .pem file for your key pair. You use it to connect to your EC2 Windows instance.
  7. Choose Launch Instances.

Associate an Elastic IP address with your EC2 Windows instance

  1. If you haven't already done so, allocate an Elastic IP address to your AWS account.
  2. Associate your Elastic IP address with your EC2 Windows instance so that you have a persistent public IP address for it.

Create a record for your domain using your Elastic IP address

The domain that you use for Active Directory Domain Services (AD DS) must have an A (IPv4 address) record with an Elastic IP address as the value. Create this record for your domain using the Elastic IP address associated with your EC2 Windows instance.

For more information, see Creating Records by Using the Amazon Route 53 Console.

Install AD DS, web server (IIS), and AD FS on your EC2 Windows instance

  1. Connect to your EC2 Windows instance.
  2. In Windows, open Server Manager, and then use the Add Roles and Features Wizard to install these roles:
    Active Directory Domain Services
    Active Directory Federation Services
    Web Server (IIS)

    For more information about using the wizard, see Install roles, role services, and features by using the add Roles and Features Wizard on the Microsoft Docs website.

Configure AD DS on your EC2 Windows instance

  1. In Server Manager, use the Active Directory Domain Services Configuration Wizard to configure AD DS. For more information, see Installing AD DS by using Server Manager on the Microsoft Docs website. Follow the instructions under To install AD DS by using Server Manager, beginning with step 9.

    Note:
    In the wizard, on the Deployment Configuration page, enter your domain. For example, example.com.
  2. After your configuration finishes installing, Windows notifies you that you're about to be signed out. This is expected. Wait a few minutes for the server to restart, and then connect to your EC2 Windows instance again.

Configure http site binding in IIS

In Server Manager, use IIS to edit the http site binding for your website. For more information, see How to add binding information to a site on the Microsoft Docs website.

Important: When editing the http binding in IIS, for Host name, enter your domain name. For example, example.com. However, don't change IP address (All Unassigned) or Port (80).

Configure your EC2 Windows instance to allow file downloads

For more information, see How do I configure an EC2 Windows instance to allow file downloads using Internet Explorer?

Request a digital certificate for your domain

You need an SSL server certificate for https binding for your IIS website. Request a third-party certificate for your domain by downloading and then using a trusted third-party certificate creation tool that you prefer.

For more information, see Choosing a Certificate on the Microsoft Docs website.

(Optional) Configure https site binding in IIS

If the certificate creation tool that you used doesn't add https site binding in IIS automatically, then add the site binding yourself, as you did for http previously.

For more information, see Create an SSL Binding on the Microsoft Docs website.

Configure AD FS on your EC2 Windows instance

In Server Manager, use the AD FS Federation Server Configuration Wizard to configure the EC2 Windows instance as a federation server. For more information, see Windows Server 2008 or 2008 R2 Domain Controllers on the Microsoft Docs website.

Note: On the Specify Service Account page of the wizard, when you get to the Select User or Service Account dialog box, select the user named Administrator, and then enter the password that you used for Remote Desktop to connect to the EC2 Windows instance.

Create a user in Active Directory

Use the Active Directory Users and Computers tool to create a new user in Active Directory. Add the new user to the group Administrators.

For more information, see Create a user and add to a group on the Microsoft Docs website.

Add an email address for your Active Directory user

  1. After creating a new user, in the Active Directory Users and Computers tool, double-click Users to open a list of users.
  2. In the list of users, find the user that you created. Right-click the user to open the context menu, then choose Properties.
  3. In the Properties window for the user name, for E-mail, enter a valid email address for the user. This email address is included in the SAML assertion later.

For more information, see General Property Page on the Microsoft Docs website.

Add a claims-aware relying party trust in AD FS

Note: For this part, you need information from your Amazon Cognito user pool in the Amazon Cognito console. For more information, see Adding SAML Identity Providers to a User Pool.

In Server Manager, use the Add Relying Party Trust Wizard to add a claims-aware relying party trust. Be sure to do the following:

  • On the Configure URL page of the wizard, select the Enable support for the SAML 2.0 WebSSO protocol check box. For Relying party SAML 2.0 SSO service URL, enter an assertion consumer endpoint URL, formatted like this: https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse

    Note: Replace yourDomainPrefix with your Amazon Cognito user pool's domain prefix. Replace region with the user pool's AWS Region (for example, "us-east-1").
  • On the Configure Identifiers page of the wizard, for Relying party trust identifier, enter this URN: urn:amazon:cognito:sp:yourUserPoolID

    Note: Replace yourUserPoolID with your Amazon Cognito user pool's ID. For example, "us-east-1_g2zxiEbac."

For more information, see To create a claims aware Relying Party Trust manually on the Microsoft Docs website.

Edit your application's claims issuance policy in AD FS

Add a rule to the trust you created to send LDAP attributes as claims. Use the Add Relying Party Trust Wizard to add the rule. On the Configure Rule page, do the following:

  • For Claim rule name, enter Email.
  • For Attribute store, choose Active Directory.
  • For LDAP Attribute, choose E-Mail-Addresses.
  • For Outgoing Claim Type, choose E-Mail Address.

For more information, see To create a rule to send LDAP attributes as claims for a Relying Party Trust in Windows Server 2016 on the Microsoft Docs website.

Note: To have both the Email ID and Name ID claims appear as the user's email address in the SAML assertion in the SAML response, map the incoming email address from Active Directory to the outgoing Name ID claim. If you use that approach, then create a rule to send LDAP attributes as claims instead. For more information, see To create a rule to send LDAP attributes as claims for Windows Server 2012 R2 on the Microsoft Docs website.

Test the SAML IdP metadata URL for your server

Enter this metadata document endpoint URL in your web browser, replacing example.com with your domain:

https://example.com/federationmetadata/2007-06/federationmetadata.xml

If you're prompted to download the file federationmetadata.xml, everything is configured correctly. Note the URL that you used here, or download the .xml file—you need either the URL or the file to configure SAML in the Amazon Cognito console. For more information, see Integrating Third-Party SAML Identity Providers with Amazon Cognito User Pools.

Configure AD FS as SAML IdP in Amazon Cognito

After you complete all the steps in this article, continue setup in the Amazon Cognito console. For more information, see How do I set up AD FS as SAML identity provider with an Amazon Cognito user pool?


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2019-02-07