Some AWS Control Tower customers use Azure Active Directory as their Identity Provider (IdP) and want authentication and authorization to stay within the IdP. To federate from Azure Active Directory they typically follow the Microsoft tutorial for setting up Azure AD single sign-on with AWS (the AWS Single-Account Access Enterprise Application). In that tutorial, the Azure AD provisioning service authenticates to each AWS account with an IAM user's programmatic access keys so it can list the account's IAM roles; those roles are then mapped to groups in Azure Active Directory. The approach meets the requirement because both authentication and authorization remain centralized in the IdP.
This post shows how to automate the SAML 2.0 federation setup between Azure Active Directory and AWS Control Tower accounts with the Customizations for AWS Control Tower (CfCT) solution, so that enabling federation in each new account becomes a repeatable, low-touch procedure.
Overview of Solution
This solution is grounded in AWS’s prescriptive guidance for automating SAML 2.0 federation in AWS multi-account environments utilizing Azure Active Directory. It is specifically designed for AWS Control Tower customers via the Customizations for AWS Control Tower solution.
Let’s consider a standard workflow for enabling Azure Active Directory federation within a new member account. This workflow involves two roles: 1) an Azure Active Directory administrator who configures the federation to AWS, and 2) a CloudOps administrator who creates a new account. The sequence proceeds as follows:
- An Azure AD admin establishes a new Enterprise Application (EA) for AWS Single-Account Access and shares the SAML metadata with the CloudOps admin.
- The CloudOps admin generates a new member account within AWS and sets up the IdP in that account.
- The CloudOps admin signs in to the new account and:
  - creates the IAM user that Azure AD provisioning will use,
  - generates programmatic access keys for that IAM user,
  - shares the access keys with the Azure AD admin.
The Azure Active Directory admin then enables provisioning within the Enterprise Application using the provided access keys and maps the roles as needed.
As a best practice, organizations rotate these access keys on a schedule. Every rotation repeats the hand-off: the Azure Active Directory admin has to coordinate with the CloudOps admin to obtain the new keys, and a long-lived credential passes between two people each time.
This hand-off can be automated. The Azure Active Directory admin then obtains the programmatic access keys directly through a controlled path (a federated role in the management account and AWS Secrets Manager) instead of receiving them from a colleague, and manual involvement is reduced to creating the account and its IdP. The revised workflow for enabling Azure Active Directory federation in a new member account looks like this:
- An Azure AD admin creates a new Enterprise Application for AWS Single-Account Access and provides the SAML metadata to the CloudOps admin.
- A CloudOps admin creates a new member account in AWS and establishes the IdP.
- The Azure AD admin signs in to AWS through the federated AzureAdFederationAdminRole, switches into the new account, retrieves the IAM user's programmatic access keys from AWS Secrets Manager, and activates provisioning within the Enterprise Application.
The following diagram illustrates the solution architecture and workflow for enabling federation in a new account.
Walkthrough
To implement this solution, follow these steps:
- Create a StackSet using the Customizations for AWS Control Tower solution.
- Enable federation to the management account using the AzureAdFederationAdminRole.
Once established, you can then configure provisioning within the Azure Active Directory Enterprise Application for AWS Single-Account Access for each account. The CloudFormation templates for AWS Control Tower Customizations that automate SAML 2.0 Federation with Azure Active Directory can be accessed on GitHub.
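The retrieval step the Azure AD admin performs for each member account, as an added example written for this post (it is not code from the post or from the GitHub templates). It is Python with boto3 and assumes three things the post does not spell out: the process already holds credentials for AzureAdFederationAdminRole in the management account (the SAML sign-in through the `aad` provider); each member account's AzureAdFederationAssumeRole trusts that role and allows `secretsmanager:GetSecretValue` on the federation secret; and the `AzureADFederation/CFNUserSecretAccessKey` secret stores a JSON object with the fields `AccessKeyId` and `SecretAccessKey`. The key pair used in the offline self-check is the AWS documentation example pair, not a real credential.

```python
"""Retrieve the Azure AD provisioning user's access keys from a member account.

Added example for this post; it is not code from the post or from the GitHub
templates. Assumptions:
  * the process already holds credentials for AzureAdFederationAdminRole in the
    management account (the SAML sign-in through the "aad" provider);
  * every member account has AzureAdFederationAssumeRole trusting that role and
    allowing secretsmanager:GetSecretValue on the federation secret;
  * the secret AzureADFederation/CFNUserSecretAccessKey holds a JSON object
    with the fields "AccessKeyId" and "SecretAccessKey" (assumed layout).
"""
import json
import re
import sys

SECRET_NAME = "AzureADFederation/CFNUserSecretAccessKey"
ASSUME_ROLE_NAME = "AzureAdFederationAssumeRole"  # default from the manifest

# Long-term IAM user key ids are 20 upper-case alphanumerics beginning with
# "AKIA"; temporary credentials begin with "ASIA" and must not be pasted into
# Azure AD, because the provisioning job would stop working when they expire.
_ACCESS_KEY_ID = re.compile(r"^AKIA[A-Z0-9]{16}$")
_SECRET_KEY = re.compile(r"^[A-Za-z0-9/+]{40}$")

# The AWS documentation example key pair, used only for the offline self-check.
EXAMPLE_SECRET_STRING = json.dumps({
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
})


def member_role_arn(account_id, role_name=ASSUME_ROLE_NAME):
    """ARN of the cross-account role the admin assumes in a member account."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def parse_provisioning_secret(secret_string):
    """Return (access_key_id, secret_access_key) from the secret's JSON.

    Anything that is not a well-formed long-term IAM user key pair is rejected,
    so a mis-populated secret is caught before the admin pastes it into the
    Enterprise Application.
    """
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("secret is not a JSON object")
    try:
        key_id, secret = data["AccessKeyId"], data["SecretAccessKey"]
    except KeyError as exc:
        raise ValueError(f"secret is missing field {exc}") from exc
    if not (isinstance(key_id, str) and _ACCESS_KEY_ID.match(key_id)):
        raise ValueError("AccessKeyId is not a long-term IAM user key (AKIA...)")
    if not (isinstance(secret, str) and _SECRET_KEY.match(secret)):
        raise ValueError("SecretAccessKey has an unexpected format")
    return key_id, secret


def is_valid_provisioning_secret(secret_string):
    """Boolean form of parse_provisioning_secret for quick checks."""
    try:
        parse_provisioning_secret(secret_string)
    except ValueError:
        return False
    return True


def fetch_member_account_keys(member_account_id, region="us-east-1",
                              session_name="azuread-admin-provisioning"):
    """Assume AzureAdFederationAssumeRole in the member account, read the secret.

    Runs with the caller's current (management-account admin role) credentials.
    boto3 is imported here so the helpers above stay usable without the SDK.
    """
    import boto3

    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=member_role_arn(member_account_id),
        RoleSessionName=session_name,
        DurationSeconds=900,  # the minimum; the secret is read exactly once
    )["Credentials"]
    secrets = boto3.client(
        "secretsmanager",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    value = secrets.get_secret_value(SecretId=SECRET_NAME)["SecretString"]
    return parse_provisioning_secret(value)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        key_id, secret = fetch_member_account_keys(sys.argv[1])
    else:
        # Offline self-check with the documentation example pair.
        key_id, secret = parse_provisioning_secret(EXAMPLE_SECRET_STRING)
    # Paste these into the Enterprise Application's provisioning credentials;
    # do not redirect this output to a file or a ticket.
    print(f"AccessKeyId:     {key_id}")
    print(f"SecretAccessKey: {secret}")
```

Run it as `python fetch_keys.py 123456789012` with the management-account admin role's credentials in the environment; with no argument it only exercises the validation path. The 900-second session and the AKIA check are deliberate: the admin needs the secret once, and a temporary `ASIA` key pair pasted into Azure AD would silently break provisioning on expiry.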
Prerequisites
Before proceeding with this solution, ensure you meet the following prerequisites:
- AWS Control Tower with the Customizations for AWS Control Tower solution deployed.
- An Azure AD Enterprise Application for AWS Single-Account Access has been created for the AWS management account and configured with the IAM identity provider.
- An Azure AD Enterprise Application for AWS Single-Account Access has been created for each AWS member account and configured with the IAM identity provider.
Configure the Control Tower Customization Solution
The initial step is to set up the Customizations for AWS Control Tower solution with a new template to support the necessary Azure AD resources.
- Download the YAML template files from GitHub into the templates folder of your Control Tower customization solution repository.
- Adjust your `manifest.yaml` file to deploy `azuread-fed-management-account.yaml` as a StackSet to your management account.
- Modify the `manifest.yaml` file to deploy `azuread-fed-member-account.yaml` as a StackSet across all other accounts by specifying the appropriate top-level Organizational Units. Your `manifest.yaml` file should now resemble the following sample:
```yaml
#=============================================================
# Azure AD Federation - Management Account
#=============================================================
- name: azure-ad-federation-automation-management
  resource_file: templates/azuread-fed-management-account.yaml
  parameters:
    - parameter_key: OrganizationId
      parameter_value: "o-aaa111bbb2222"
    - parameter_key: SAMLProviderName
      parameter_value: "aad"
    - parameter_key: IAMUserName
      parameter_value: "AzureADAutomationUser"
    - parameter_key: IAMUserGroupName
      parameter_value: "AzureADAutomationGroup"
    - parameter_key: AzureAdFederationAdminRoleName
      parameter_value: "AzureAdFederationAdminRole"
    - parameter_key: AzureAdFederationAssumeRoleName
      parameter_value: "AzureAdFederationAssumeRole"
  deploy_method: stack_set
  deployment_targets:
    accounts:
      - 111122223333
  regions:
    - us-east-1
#=============================================================
# Azure AD Federation - All Member Accounts
#=============================================================
- name: azure-ad-federation-automation-member
  resource_file: templates/azuread-fed-member-account.yaml
  parameters:
    - parameter_key: ManagementAccountId
      parameter_value: "111122223333"
    - parameter_key: IAMUserName
      parameter_value: "AzureADAutomationUser"
    - parameter_key: IAMUserGroupName
      parameter_value: "AzureADAutomationGroup"
    - parameter_key: AzureAdFederationAdminRoleName
      parameter_value: "AzureAdFederationAdminRole"
    - parameter_key: AzureAdFederationAssumeRoleName
      parameter_value: "AzureAdFederationAssumeRole"
  deploy_method: stack_set
  deployment_targets:
    organizational_units:
      - Core
      - infrastructure
      - workloads
  regions:
    - us-east-1
```
- Commit and push the changes. Monitor the stacks until they are fully deployed.
Configure the Management Account
The management account now holds the IAM user's access keys in AWS Secrets Manager, ready for Azure Active Directory provisioning. Follow these steps to configure provisioning for the management account:
- Sign in to the AWS Secrets Manager console in the management account.
- Open the `AzureADFederation/CFNUserSecretAccessKey` secret and retrieve the stored access key ID and secret access key.
- In the Azure AD EA for the management account:
This method provides a more efficient way to set up and manage these configurations, ensuring that your AWS environment is both secure and streamlined.