Integrating Azure AD with AWS IAM Identity Center for Seamless SSO

Introduction

Integrating Azure Active Directory (Azure AD) with AWS IAM Identity Center (formerly AWS Single Sign-On) allows organizations to manage access to AWS resources using Azure AD credentials. This blog will guide you through configuring Single Sign-On (SSO) with SAML and setting up automatic user provisioning using SCIM (System for Cross-domain Identity Management).

Step-by-Step Guide

Step 1: Enable AWS IAM Identity Center

1. Enable AWS IAM Identity Center: Log in to the AWS Management Console, navigate to AWS IAM Identity Center, and ensure it is enabled.
2. In the AWS IAM Identity Center console, choose Settings.
3. Go to the Identity source tab, and select Actions > Change identity source.
4. On the Choose Identity source page, select External Identity Provider and choose Next.
5. On the Configure external identity provider page:
   • Under Service Provider metadata, choose Download metadata file to download the XML file.
   • Copy the AWS access portal sign-in URL.

Step 2: Set Up SAML-Based Single Sign-On in Azure AD

1. Open the Microsoft Entra admin center (Azure AD portal), navigate to Identity > Applications > Enterprise applications, and select AWS IAM Identity Center.
2. In the left pane, select Set up Single sign-on.
3. On the Set up Single Sign-On with SAML page, choose SAML.
4. Choose Upload metadata file, select the service provider metadata file downloaded in Step 1, and then choose Add.
5. Download the Federation Metadata XML file under the SAML Certificates section. Save this file; you’ll need it to complete the configuration in AWS.

Step 3: Complete SSO Configuration in AWS IAM Identity Center

1. Return to the browser session left open from Step 1.4 in the AWS IAM Identity Center console.
2. On the Configure external identity provider page, under Identity provider metadata, choose Choose file and upload the Federation Metadata XML file downloaded from Azure AD.
3. Choose Next.
4. Review the disclaimer, enter ACCEPT, and choose Change identity source to apply your changes.

Step 4: Enable Automatic User Provisioning in AWS IAM Identity Center

1. Choose Settings from the left navigation pane in the AWS IAM Identity Center console.
2. Under the Identity source tab, verify that the Provisioning method is set to Manual.
3. Locate the Automatic Provisioning section and choose Enable. This enables SCIM to provision automatically and displays the necessary SCIM endpoint and access token.
4. Copy the values for:
   • SCIM endpoint (e.g., https://scim.us-east-2.amazonaws.com/11111111111-2222-3333-4444-555555555555/scim/v2)
   • Access token (choose Show token to copy the value).

Warning: This is the only time you can access the SCIM endpoint and access token. Ensure you copy these values before proceeding.

1. Close the dialog box and confirm that the Provisioning method is now set to SCIM.

Step 5: Configure Automatic Provisioning in Microsoft Entra ID

1. In the Microsoft Entra admin center console, navigate to Identity > Applications > Enterprise applications and choose AWS IAM Identity Center.
2. Under Manage, select Provisioning, then choose Provisioning again.
3. Set the Provisioning Mode to Automatic.
4. Under Admin Credentials:
   • Paste the SCIM endpoint URL value copied earlier in the Tenant URL.
   • Paste the Access token value in Secret Token.
5. Choose Test Connection. You should receive a message indicating that the credentials were successfully authorized for provisioning.
6. Choose Save.
7. Navigate to Overview and choose Start Provisioning.

Step 6: Test SSO Configuration

1. Return to the Single Sign-On page in Microsoft Entra ID.
2. Click on Test to ensure that the SSO configuration works correctly.

Troubleshooting Automatic Provisioning

• If automatic provisioning does not start, restart provisioning.
• Ensure the correct URL and token are pasted into Azure AD. If necessary, regenerate the AWS IAM Identity Center token and update it in Azure AD.

Conclusion

Following these steps, you have successfully integrated Azure AD with AWS IAM Identity Center, enabling seamless SSO and automatic user provisioning.

Drop a query if you have any questions regarding Azure AD or AWS IAM and we will get back to you quickly.

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner,  AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.