In this post I will continue with IAM identity providers. Sometimes we need to integrate systems such as Active Directory with AWS and use single sign-on for our users. Another case is an application that needs to access our resources on AWS. We can also use web identity federation and let users access our resources via their existing logins, such as Facebook. Today I will explain how to integrate our Active Directory with AWS and give users access according to their domain groups. I won't explain how to install Active Directory and Federation Services.
Here are the steps we have to follow:
1- We will create two domain groups, “aws_admins” and “aws_users”.
2- We will create one user for each group.
3- We will create an identity provider in AWS and upload our SAML metadata.
4- We will create two roles, one for each group: “aws_admin_role” and “aws_user_role”.
5- We will configure AWS as a Trusted Relying Party in ADFS and add some claim rules.
6- Finally, we will test it.
Before starting, it is better to read and understand how ADFS works.
Ok, let's start step by step:
1- I have created my test domain on a Windows 2008 R2 instance and my domain is demo.local. I will create two groups named “aws_admins” and “aws_users”.
2- I will create one user for each group and add them to the corresponding groups.
3- Now it is time to create our identity provider in AWS. In the IAM console I click “Create SAML Provider” and name it “demo”.
In the next screen I have to upload my SAML metadata. I use ADFS 2.0 and by default, metadata can be downloaded by using the link below on the federation server.
P.S.: I renamed the downloaded file aws.xml.
As you see, we successfully created our provider, and the console says that we have to create an IAM role that uses this provider in its trust policy. In the next step we will create our roles.
4- In this step I will create two different roles with different permission policies. “aws_admin_role” will have and “aws_user_role”.
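The trust policy both roles need looks like the following. This is an added example, not taken from the original post; the account ID 123456789012 is a placeholder and the provider name “demo” is the one created in step 3. The `SAML:aud` condition is what ties the role to the AWS sign-in endpoint, so an assertion issued for some other audience cannot be replayed to assume the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/demo"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The permission policy attached to each role (what the admin and user roles may actually do in the account) is separate from this trust policy; the trust policy only decides who may assume the role.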
5- The last step is configuring AWS as a Trusted Relying Party in ADFS and adding some claim rules.
Now I will configure our claim rules. Again, right-click on “AWS_SAML_Demo” and edit the claim rules. We will set up the attributes AWS requests: NameId, RoleSessionName and Role.
Now I will use a custom rule to get the AD groups and put them in a variable. Then I will match them against our “aws_admins” and “aws_users” groups and assign the corresponding roles.
I will again select a custom rule and add the following rules.
Here I want to explain these rules. In the previous rule we get the AD groups and put them in a variable. Then in these rules, we match the “aws_admins” group and send the user to our SAML provider “demo” with the role “aws_admin_role”. It is the same for the “aws_users” group. We can also use regex here. If you want to learn more about the ADFS claim rule language, refer to this link. And for ADFS regex, refer to this link.
We have finished our configuration and it is time to test it.
I go to the ADFS-generated sign-in page https://220.127.116.11/adfs/ls/IdpInitiatedSignOn.aspx.
Now you can add users to or remove them from the specific domain groups, and they are redirected to the AWS console with the permissions granted to their group.
If you have any questions or comments, please feel free to write, and don't forget to share.