How do I set up AD FS on an Amazon EC2 Windows instance to work with federation for an Amazon Cognito user pool?
Last updated: 2021-09-27
I want to use Active Directory Federation Services (AD FS) as Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool. How do I set up AD FS on an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance?
Use Server Manager to set up an AD FS server and domain controller on an EC2 Windows instance.
Before you begin, see the instructions in How do I set up AD FS as a SAML identity provider with an Amazon Cognito user pool? You need an Amazon Cognito user pool with an app client to complete the setup in this article.
You also need a domain name that you own. If you don't own a domain, you can register a new domain with Amazon Route 53 or another Domain Name System (DNS) service.
Configure and launch an EC2 Windows instance
- Open the Amazon EC2 console.
- From the console dashboard, choose Launch Instance to start the Launch Instance wizard.
- On the Choose an Amazon Machine Image (AMI) page, choose an AMI for Windows Server, such as the Microsoft Windows Server 2016 Base AMI. For more information, see Finding a Windows AMI.
- On the Configure Security Group page, create a security group for your instance, and then add the following rules to the security group:
Source: an IP address in CIDR notation (a.b.c.d/z), or a CIDR block
Note: For the IP address or block you specify in Source, it's a best practice to use a set of known allowed IP addresses.
For more information, see Amazon EC2 security groups for Windows instances and Adding rules to a security group.
- On the Review Instance Launch page, choose Launch.
- In the Select an existing key pair or create a new key pair dialog box, follow the instructions to choose an existing key pair or create a new key pair. For more information, see Amazon EC2 key pairs and Linux instances.
Important: Save the private key .pem file for your key pair. You use it to connect to your EC2 Windows instance.
- Choose Launch Instances.
Associate an Elastic IP address with your EC2 Windows instance
- If you haven't already done so, allocate an Elastic IP address to your AWS account.
- Associate your Elastic IP address with your EC2 Windows instance so that you have a persistent public IP address for it.
Create a record for your domain using your Elastic IP address
The domain that you use for Active Directory Domain Services (AD DS) must have an A (IPv4 address) record with an Elastic IP address as the value. Create this record for your domain using the Elastic IP address associated with your EC2 Windows instance.
For more information, see Creating records by using the Amazon Route 53 console.
Install AD DS, web server (IIS), and AD FS on your EC2 Windows instance
- Connect to your EC2 Windows instance.
- In Windows, open Server Manager, and then use the Add Roles and Features Wizard to install the following roles:
Active Directory Domain Services
Active Directory Federation Services
Web Server (IIS)
For more information about using the wizard, see Install or uninstall roles, role services, or features on the Microsoft website.
Configure AD DS on your EC2 Windows instance
- In Server Manager, use the Active Directory Domain Services Configuration Wizard to configure AD DS. For more information, see Installing AD DS by using Server Manager on the Microsoft website. Follow the instructions under To install AD DS by using Server Manager, beginning with step 9.
Note: In the wizard, on the Deployment Configuration page, enter your domain (for example, example.com).
- After your configuration finishes installing, Windows notifies you that you're about to be signed out. This is expected. Wait a few minutes for the server to restart, and then connect to your EC2 Windows instance again.
Configure http site binding in IIS
In Server Manager, use IIS to edit the http site binding for your website. For more information, see How to add binding information to a site on the Microsoft website.
Important: When editing the http binding in IIS, for Host name, enter your domain name (for example, example.com). However, don't change IP address (All Unassigned) or Port (80).
Configure your EC2 Windows instance to allow file downloads
For more information, see How do I configure an EC2 Windows instance to allow file downloads using Internet Explorer?
Request a digital certificate for your domain
You need an SSL server certificate for HTTPS binding for your IIS website. Request a third-party certificate for your domain by downloading and then using a trusted third-party certificate creation tool that you prefer.
For more information, see Choosing a certificate on the Microsoft website.
(Optional) Configure HTTPS site binding in IIS
If the certificate creation tool that you used doesn't add https site binding in IIS automatically, then add the site binding yourself, as you did for http previously.
For more information, see Create an SSL binding on the Microsoft website.
Configure AD FS on your EC2 Windows instance
In Server Manager, use the AD FS Federation Server Configuration Wizard to configure the EC2 Windows instance as a federation server. For more information, see Windows Server 2008 or 2008 R2 Domain Controllers on the Microsoft website.
Note: On the Specify Service Account page of the wizard, when you get to the Select User or Service Account dialog box, select the user named Administrator, and then enter the password that you used for Remote Desktop to connect to the EC2 Windows instance.
Create a user in Active Directory
Use the Active Directory Users and Computers tool to create a new user in Active Directory. Add the new user to the group Administrators.
For more information, see Create a user and add to a group on the Microsoft website.
Add an email address for your Active Directory user
- After creating a new user, in the Active Directory Users and Computers tool, double-click Users to open the list of users.
- In the list of users, find the user that you created. Right-click on the user to open the context menu, and then choose Properties.
- In the Properties window, for the user name, for E-mail, enter a valid email address for the user. This email address is included in the SAML assertion later.
For more information, see General property page on the Microsoft website.
Add a claims-aware relying party trust in AD FS
In Server Manager, use the Add Relying Party Trust Wizard to add a claims-aware relying party trust.
On the Configure URL page of the wizard, select Enable support for the SAML 2.0 WebSSO protocol. For Relying party SAML 2.0 SSO service URL, enter an assertion consumer endpoint URL, formatted as follows: https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse
Note: Replace yourDomainPrefix with your Amazon Cognito user pool's domain prefix. Replace region with the user pool's AWS Region (for example, "us-east-1").
On the Configure Identifiers page of the wizard, for Relying party trust identifier, enter this URN: urn:amazon:cognito:sp:yourUserPoolID
Note: Replace yourUserPoolID with your Amazon Cognito user pool's ID (for example, "us-east-1_g2zxiEbac").
For more information, see To create a claims aware relying party trust manually on the Microsoft website.
Edit your application's claims issuance policy in AD FS
Add a rule to the trust you created to send LDAP attributes as claims. Use the Add Relying Party Trust Wizard to add the rule. On the Configure Rule page, do the following:
- For Claim rule name, enter Email.
- For Attribute store, choose Active Directory.
- For LDAP Attribute, choose E-Mail-Addresses.
- For Outgoing Claim Type, choose E-Mail Address.
For more information, see To create a rule to send LDAP attributes as claims for a relying party trust in Windows Server 2016 on the Microsoft website.
Note: To have both the Email ID and Name ID claims appear as the user's email address in the SAML assertion in the SAML response, map the incoming email address from Active Directory to the outgoing Name ID claim. If you use that approach, then create a rule to send LDAP attributes as claims instead. For more information, see To create a rule to send LDAP attributes as claims for Windows Server 2012 R2 on the Microsoft website.
Test the SAML IdP metadata URL for your server
Enter this metadata document endpoint URL in your web browser after replacing example.com with your domain:
If you're prompted to download the file federationmetadata.xml, everything is configured correctly. Note the URL that you used here, or download the .xml file. You need either the URL or the file to configure SAML in the Amazon Cognito console. For more information, see Integrating third-party SAML identity providers with Amazon Cognito user pools.
Configure AD FS as SAML IdP in Amazon Cognito
After you complete all the steps in this article, continue setup in the Amazon Cognito console. For more information, see How do I set up AD FS as a SAML identity provider with an Amazon Cognito user pool?