
Integrating Azure AD with AWS IAM Identity Center for Seamless SSO


Introduction

Integrating Azure Active Directory (Azure AD, now called Microsoft Entra ID) with AWS IAM Identity Center (formerly AWS Single Sign-On) lets an organization authenticate to AWS with its existing Entra credentials instead of maintaining a second user directory. This blog walks through configuring Single Sign-On (SSO) with SAML 2.0 and then setting up automatic user and group provisioning with SCIM (System for Cross-domain Identity Management), so that accounts in Identity Center are created, updated and deactivated from Entra rather than by hand.


Step-by-Step Guide

Step 1: Enable AWS IAM Identity Center

  1. Enable AWS IAM Identity Center: Log in to the AWS Management Console, navigate to AWS IAM Identity Center, and ensure it is enabled.
  2. In the AWS IAM Identity Center console, choose Settings.
  3. Go to the Identity source tab, and select Actions > Change identity source.
  4. On the Choose Identity source page, select External Identity Provider and choose Next.
  5. On the Configure external identity provider page:
    • Under Service Provider metadata, choose Download metadata file to download the XML file.
    • Copy the AWS access portal sign-in URL.

Step 2: Set Up SAML-Based Single Sign-On in Azure AD

  1. Open the Microsoft Entra admin center (Azure AD portal), navigate to Identity > Applications > Enterprise applications, and open the AWS IAM Identity Center application. If it is not listed yet, choose New application, search the gallery for AWS IAM Identity Center, and create it first; the SAML and provisioning settings below live on that gallery app.
  2. In the left pane, select Set up Single sign-on.
  3. On the Set up Single Sign-On with SAML page, choose SAML.
  4. Choose Upload metadata file, select the service provider metadata file downloaded in Step 1, and then choose Add. Entra reads the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) from the file into Basic SAML Configuration; confirm both are populated and choose Save.
  5. Under the SAML Certificates section, download the Federation Metadata XML file. Save it; you need it to complete the configuration in AWS. This file carries Entra's sign-on URL and the signing certificate AWS will use to verify every assertion, so treat it as the authoritative copy rather than retyping values by hand.

Step 3: Complete SSO Configuration in AWS IAM Identity Center

  1. Return to the browser session left open at Step 1.5 (the Configure external identity provider page in the AWS IAM Identity Center console).
  2. On the Configure external identity provider page, under Identity provider metadata, choose Choose file and upload the Federation Metadata XML file downloaded from Azure AD.
  3. Choose Next.
  4. Review the disclaimer, enter ACCEPT, and choose Change identity source to apply your changes.
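Before pressing Change identity source it helps to see exactly what the two metadata files exchanged in Steps 1 to 3 carry: the AWS file gives Entra the Identifier and Reply URL it fills into Basic SAML Configuration, and the Entra file gives AWS the sign-on URL and the signing certificate it will trust for every assertion. The script below is an added example, not code from the original post or from either vendor. It uses only the Python standard library and parses constructed samples in the shape of both files; every ID, URL and the certificate body is a placeholder, not a value from a real tenant or Identity Center instance.

```python
"""Added example (not from the original post): parse the two SAML metadata
files exchanged between AWS IAM Identity Center and Microsoft Entra ID and
check the values before uploading them. Standard library only."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the file AWS "Download metadata file" produces (placeholder IDs).
AWS_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://us-east-2.signin.aws.amazon.com/platform/saml/d-0000000000">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://us-east-2.signin.aws.amazon.com/platform/saml/acs/00000000-0000-0000-0000-000000000000"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample shaped like Entra's "Federation Metadata XML" (signature block omitted;
# the certificate is placeholder bytes, not a real X.509 certificate).
PLACEHOLDER_CERT = base64.b64encode(b"not-a-real-certificate").decode()
ENTRA_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Values Entra fills into Basic SAML Configuration when the AWS file is uploaded."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    nameid = root.find("md:SPSSODescriptor/md:NameIDFormat", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "nameid_format": nameid.text if nameid is not None else None,
    }


def parse_idp_metadata(xml_text: str) -> dict:
    """Values AWS reads from the Entra federation metadata: entityID, SSO URLs, signing certs."""
    root = ET.fromstring(xml_text)
    sso = {
        e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
        for e in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    }
    thumbprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())  # Entra displays SHA-1 thumbprints
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_thumbprints": thumbprints}


def check_pair(sp: dict, idp: dict) -> list:
    """Findings worth fixing before choosing 'Change identity source'; empty list means clean."""
    findings = []
    urls = [("SP entityID", sp["entity_id"]), ("ACS URL", sp["acs_url"])]
    urls += [(f"IdP {binding} SSO URL", url) for binding, url in idp["sso_urls"].items()]
    for label, url in urls:
        if urlparse(url).scheme != "https":
            findings.append(f"{label} is not https: {url}")
    if urlparse(sp["entity_id"]).hostname != urlparse(sp["acs_url"]).hostname:
        findings.append("SP entityID and ACS URL point at different hosts")
    if not sp["acs_binding"].endswith("HTTP-POST"):
        findings.append("AWS accepts assertions at the ACS via HTTP-POST only")
    if not idp["sso_urls"]:
        findings.append("IdP metadata has no SingleSignOnService endpoint")
    if not idp["signing_thumbprints"]:
        findings.append("IdP metadata carries no signing certificate; AWS cannot verify assertions")
    return findings


if __name__ == "__main__":
    sp, idp = parse_sp_metadata(AWS_SP_METADATA), parse_idp_metadata(ENTRA_IDP_METADATA)
    print("Identifier (Entity ID):", sp["entity_id"])
    print("Reply URL (ACS):", sp["acs_url"])
    print("Entra signing thumbprint(s):", idp["signing_thumbprints"])
    for finding in check_pair(sp, idp) or ["no findings"]:
        print("-", finding)
```

Compare the printed thumbprint with the one shown under SAML Certificates in Entra; a mismatch means the wrong tenant's or an older metadata file is about to be uploaded to AWS.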

Step 4: Enable Automatic User Provisioning in AWS IAM Identity Center

  1. Choose Settings from the left navigation pane in the AWS IAM Identity Center console.
  2. Under the Identity source tab, verify that the Provisioning method is set to Manual.
  3. Locate the Automatic Provisioning section and choose Enable. This enables SCIM to provision automatically and displays the necessary SCIM endpoint and access token.
  4. Copy the values for:
    • SCIM endpoint (e.g., https://scim.us-east-2.amazonaws.com/11111111111-2222-3333-4444-555555555555/scim/v2)
    • Access token (choose Show token to copy the value).

Warning: the access token is displayed only once, in this dialog. Copy both values before closing it, and put the token in a secrets store rather than a ticket or chat message: it is a bearer credential that lets anyone holding it create, modify and deactivate users and groups in Identity Center. A lost token cannot be recovered, but a new one can be generated (and the old one deleted) under Settings > Identity source > Manage provisioning. Tokens expire one year after creation, so set a rotation reminder now.

  5. Close the dialog box and confirm that the Provisioning method is now set to SCIM.

Step 5: Configure Automatic Provisioning in Microsoft Entra ID

  1. In the Microsoft Entra admin center console, navigate to Identity > Applications > Enterprise applications and choose AWS IAM Identity Center.
  2. Under Manage, select Provisioning, then choose Provisioning again.
  3. Set the Provisioning Mode to Automatic.
  4. Under Admin Credentials:
    • Paste the SCIM endpoint URL value copied earlier in the Tenant URL.
    • Paste the Access token value in Secret Token.
  5. Choose Test Connection. You should see a message that the credentials were successfully authorized for provisioning; a failure here means the URL or token was pasted incorrectly, not that anything is wrong on the Entra side.
  6. Choose Save.
  7. Under Users and groups, assign the users and groups that should exist in AWS. With the default scope (Sync only assigned users and groups) nothing else is provisioned, and members of nested groups are not flattened into the parent group.
  8. Navigate to Overview and choose Start Provisioning. Provisioning creates the identities only; each user or group still needs a permission set assignment in Identity Center before it can reach any AWS account.

Step 6: Test SSO Configuration

  1. Return to the Single sign-on page for the application in Microsoft Entra ID.
  2. Choose Test to sign in as the current user and confirm the SAML exchange completes. Then open the AWS access portal sign-in URL copied in Step 1 from a private browser window: a user can sign in only if they are assigned to the application in Entra, have been provisioned into Identity Center, and hold at least one permission set assignment.

Troubleshooting Automatic Provisioning

  • If automatic provisioning does not start, choose Restart provisioning on the Provisioning overview page; this forces a fresh initial cycle. Check the Provisioning logs in Entra for the per-user error before retrying.
  • Ensure the exact SCIM endpoint URL (no trailing slash) and token are pasted into Azure AD. If the token has been deleted or has expired, generate a new one in AWS IAM Identity Center under Settings > Identity source > Manage provisioning, paste it into Secret Token, run Test Connection, save, and then delete the old token so only the credential in use remains active.

Conclusion

Following these steps, you have integrated Azure AD with AWS IAM Identity Center: users sign in to the AWS access portal with their Entra credentials, and SCIM keeps the Identity Center directory in step with Entra so that a user removed or disabled there loses AWS access without anyone touching the AWS console.

Authentication for AWS now happens in Entra ID, so the controls that matter (MFA, Conditional Access, session lifetime) belong on the AWS IAM Identity Center enterprise application there; Identity Center's own MFA settings do not apply when the identity source is an external identity provider. The SCIM token and the SAML signing certificate are the two credentials this setup depends on, and both have expiry dates worth tracking.



FAQs

1. What is the purpose of integrating Azure AD with AWS IAM Identity Center?

ANS: – Integrating Azure AD with AWS IAM Identity Center centralizes identity and access management. Users sign in to AWS with their Azure AD credentials, so there is one set of accounts to create, disable and protect with MFA, and AWS access ends when the Azure AD account does.

2. What is SAML, and why is it used in this integration?

ANS: – SAML 2.0 (Security Assertion Markup Language) is an XML-based standard for single sign-on (SSO). The identity provider (Azure AD) authenticates the user and returns a signed assertion about them; the service provider (AWS) verifies the signature against the certificate from the federation metadata and grants access without ever seeing the user's password. Users log in once and reach multiple services.

WRITTEN BY Samarth Kulkarni
