Using SAML to access AWS from Active Directory Domain

Leave a reply

This article uses steps presented by Jeff Wierer’s article written on December 10, 2013: enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0. The only differences between this article and the reference above is the Windows OS and ADFS version. All credits go to Jeff and AWS.

My test environment uses VMWare Workstation 12 to create virtual machines (VM) with NAT network connection rather than bridged.

Requirements:

  1. Familiarity running server operating systems and main roles
  2. Windows Server 2016 running Active Directory Domain Services (AD DS) and ADFS 3.0
  3. Test user accounts and groups created in Active Directory
  4. ADFS service account
  5. AWS SAML enabling and IAM roles

Phase One

  • Create a VM (CPU=4,RAM=4GB,Network=NAT,HDD=80GB)
  • Install Windows Server 2016 (180 day evaluation is available, just go to Microsoft and download)
  • Configure the local server (servername, time, RDP, static IPv4) – reboot needed if this is done
  • Install server roles: AD DS and ADFS. A reboot will be needed at certain points, do so when prompted.
  • Configure ADFS: locate section “Configuring ADFS” from Jeff’s article.

    You will need to run the command below as it still seems to be occurring:

    setspn -a host/localhost adfssvc

Note: Even though IIS is no longer necessary as it contains pieces of IIS components natively, I installed it anyway so that I can create a self-signed certificate for ADFS configuration.

Phase Two

  • Create three users for this test. In my case, andy, bob and john.
  • Create three groups: AWS-admin, AWS-poweruser and AWS-readonly.
  • Assign a user to a group. For me, andy=AWS-admin, bob=AWS-poweruser and john=AWS-readonly.

Phase Three

I followed Jeff’s article for configuring AWS, AWS as a Trusted Relying Party and Claims Rule.

Note: RoleSessionName using Email Addresses did not work out so I used SAM Account Name instead.

screenshot-from-2016-12-04-17-17-13

Phase Four

This is the testing phase using URL: https://localhost/adfs/ls/IdpInitiatedSignOn.aspx

Ignore the certificate error.

I encountered an ADFS error of the page (resource) not found because the web page is not initialized. Run the following commands in elevated PowerShell CLI:

Set-Adfsproperties -enableIdPInitiatedSignonPage $true

Restart-Service adfssrv

Many thanks to Radhakrishnan Govindan’s post: http://windowstechpro.com/adfs-2016-the-resource-you-are-trying-to-access-is-not-available-error/

My example below:

screenshot-from-2016-12-04-17-26-23

Clicked on the radio button of the second option and that leads to a login page. Logged in with one the users above.

For andy:

screenshot-from-2016-12-04-17-30-22

 

As you can see from above, ADFS-admin is related to AWS-admin group which andy is a member of in AD.

All that remains is to add a policy to each of the IAM roles created thereby allowing or limiting AWS services to federated users.

Leave a comment