Zero Trust Identity: Implementing Azure AD Federation with AWS IAM Roles


0. Introduction to Federation Architecture
Federation allows centralized user authentication across multiple service providers through a trusted identity provider. This document explains how to implement SAML 2.0-based federation between Azure Active Directory (Azure AD) and Amazon Web Services (AWS), enabling users to log in to AWS with their Azure AD credentials.
1. Federation Benefits
Centralized Identity Management: Maintains a single source of truth for user identities
Enhanced Security Posture: Eliminates the need for multiple credentials across systems
Streamlined Access Management: Enables role-based access control (RBAC) through Azure AD groups
Operational Efficiency: Reduces administrative overhead for user provisioning and deprovisioning
2. Architectural Overview
Azure AD AWS Federation Architecture
The federation architecture consists of:
Identity Provider (IdP): Azure Active Directory
Service Provider (SP): AWS
Authentication Protocol: SAML 2.0
Token Exchange: STS (Security Token Service) for temporary credential issuance
3. Authentication Flow
Detailed Workflow Steps:
User Initiates Login: The user starts the login process, typically by accessing an application or service that requires authentication.
Azure AD Authenticates User: Azure Active Directory (Azure AD) verifies the user's credentials.
Azure AD Sends Token: Upon successful authentication, Azure AD issues a token to the user.
AWS SSO Validates Token: The token is sent to AWS Single Sign-On (SSO), which validates it against the configured identity provider.
AWS Identity Provider Issues Temporary Credentials: AWS Identity Provider (IdP) issues temporary security credentials via AWS Security Token Service (STS).
AWS STS Provides Access: These temporary credentials grant the user access to AWS resources.
User Accesses Resources: The user can now interact with the AWS resources they have permissions for.
Application/Service Returns Response: The application or service processes the user's request and returns the appropriate response.
CloudTrail Logs Activity: AWS CloudTrail logs all activities for auditing and monitoring purposes.
Security Team Monitors and Audits: The security team reviews logs and monitors for any suspicious activities.
User Logs Out: The user logs out, ending the session.
4. Prerequisites
[x] Terraform code
Note: Replace resource names and variables as per your requirement in the Terraform code.
- Update terraform.tfvars
- Update
5. Implementation Procedure
5.1 Azure AD Configuration
5.1.1 Register Enterprise Application for AWS
Navigate to Azure Portal > Search for "Microsoft Entra ID" > Enterprise applications
Select "New application"
In the Search page, filter with "Categories: Developer Services"
Search for "Amazon Web Services" (non-Console version)
Provide a name for the application and add it.
5.1.2 Configure SAML SSO
Note: AWS SSO does not support automatic SCIM provisioning from Azure AD.
In the enterprise application, navigate to "Single sign-on"
Select "SAML" as the authentication method
It will prompt you to save the settings; click on Yes.
Note: Refresh the page and you will notice that the Identifier (Entity ID) is auto-added.
If the Attributes & Claims are not updated automatically, follow the steps in 5.1.3.
Download the Federation Metadata XML file for use in the AWS configuration.
5.1.3 Configure User Attributes and Claims (Optional)
Configure the following SAML attributes & claims:
Role Claim:
- Source: Attribute
- Source attribute: user.assignedroles
Session Duration:
- Name: https://aws.amazon.com/SAML/Attributes/SessionDuration
- Value: 3600 (or desired duration in seconds)
Session Name:
- Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
- Source: Attribute
- Source attribute: user.objectid (or user.userprincipalname)
Download the Federation Metadata XML file for use in the AWS configuration.
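The Role and SessionDuration attributes above are the values AWS actually reads from the assertion, and a malformed Role value (missing the saml-provider half, or ARNs from two different accounts) is the usual reason a federated sign-in fails after Azure AD has already authenticated the user. The following Python is an added example, not code from the original post or from Microsoft or AWS: it builds the "role ARN,saml-provider ARN" pair AWS expects in the Role attribute and checks a set of assertion attributes for the common mistakes. The account id, role name and provider name are constructed placeholders; the 900 to 43200 second SessionDuration range is the limit AWS documents for console federation, and the role's own maximum session duration still caps what STS issues.

```python
# Added example, not from the original post: build and sanity-check the values
# that AWS reads from the SAML attributes configured in 5.1.3.
# Account id, role and provider names below are constructed placeholders.
import re

AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
AWS_ROLE_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# AWS accepts a SessionDuration between 15 minutes and 12 hours; the role's own
# maximum session duration still caps what STS actually issues.
MIN_SESSION_SECONDS = 900
MAX_SESSION_SECONDS = 43200

# Role attribute value: "<role ARN>,<saml-provider ARN>". Commas are excluded
# from the name classes because the comma is the pair separator.
_ROLE_CLAIM_RE = re.compile(
    r"^arn:aws:iam::(?P<acct>\d{12}):role/(?P<role>[\w+=.@/-]+),"
    r"arn:aws:iam::(?P<acct2>\d{12}):saml-provider/(?P<provider>[\w._-]+)$"
)


def aws_role_claim(account_id: str, role_name: str, provider_name: str) -> str:
    """Return the 'role-arn,provider-arn' string expected in the Role attribute."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def parse_role_claim(value: str) -> dict:
    """Split and validate one Role attribute value; ValueError if malformed."""
    m = _ROLE_CLAIM_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed AWS role claim: {value!r}")
    if m["acct"] != m["acct2"]:
        raise ValueError("role ARN and saml-provider ARN are in different accounts")
    return {"account_id": m["acct"], "role": m["role"], "provider": m["provider"]}


def validate_session_duration(value: str) -> int:
    """Return SessionDuration as an int if it is within the range AWS accepts."""
    if not value.isdigit():
        raise ValueError(f"SessionDuration must be an integer number of seconds: {value!r}")
    seconds = int(value)
    if not MIN_SESSION_SECONDS <= seconds <= MAX_SESSION_SECONDS:
        raise ValueError(
            f"SessionDuration {seconds} outside {MIN_SESSION_SECONDS}-{MAX_SESSION_SECONDS}")
    return seconds


def check_assertion_attributes(attrs: dict) -> list:
    """Report problems in a mapping of SAML attribute name -> list of values."""
    problems = []
    roles = attrs.get(AWS_ROLE_ATTR, [])
    if not roles:
        problems.append("no Role attribute: AWS cannot map the user to an IAM role")
    for role_value in roles:
        try:
            parse_role_claim(role_value)
        except ValueError as exc:
            problems.append(str(exc))
    for duration in attrs.get(AWS_SESSION_DURATION_ATTR, []):
        try:
            validate_session_duration(duration)
        except ValueError as exc:
            problems.append(str(exc))
    if not attrs.get(AWS_ROLE_SESSION_NAME_ATTR):
        problems.append("no RoleSessionName attribute: CloudTrail sessions will not name the user")
    return problems


if __name__ == "__main__":
    claim = aws_role_claim("123456789012", "AzureAD-S3ReadOnly", "AzureAD-SAML-Provider")
    good = {AWS_ROLE_ATTR: [claim], AWS_SESSION_DURATION_ATTR: ["3600"],
            AWS_ROLE_SESSION_NAME_ATTR: ["user@example.com"]}
    # Constructed bad assertion: provider half of the Role value missing, 24h session,
    # and no RoleSessionName.
    bad = {AWS_ROLE_ATTR: ["arn:aws:iam::123456789012:role/AzureAD-Admin"],
           AWS_SESSION_DURATION_ATTR: ["86400"]}
    print("good:", check_assertion_attributes(good))
    print("bad:", check_assertion_attributes(bad))
```

Run it against the attribute values you see in a captured assertion (the browser SAML tracer output, or the Azure AD "Test" sign-in) before touching the AWS side; every problem it reports is one that the AWS console sign-in page will otherwise surface only as a generic error.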
5.2 AWS Configuration
I have created Terraform code to set up the identity provider, with the roles, policy and user created automatically.
First, we'll create the necessary resources using the Terraform code.
Below is the Terraform code:
Once you clone the repo, the following files are present; then run the terraform command.
$ ls -l
-rw-r--r-- 1 bsingh 1049089  2200 Apr 7 09:00 aws.tf
-rw-r--r-- 1 bsingh 1049089  2451 Apr 7 09:12 output.tf
-rw-r--r-- 1 bsingh 1049089 13978 Apr 4 17:22 saml_metadata.xml
-rw-r--r-- 1 bsingh 1049089   548 Apr 7 09:17 terraform.tfvars
-rw-r--r-- 1 bsingh 1049089  1522 Apr 7 09:00 variables.tf
Run the following Terraform commands:
terraform init
terraform fmt
terraform validate
terraform plan
terraform apply   # Optional: terraform apply --auto-approve
After running the Terraform commands, verify the following to ensure everything was created correctly:
- Verify the Identity providers
- Verify the Policy
- Verify the Roles
- Verify the Users
5.2.1 Create SAML Identity Provider
Sign in to the AWS Management Console
Navigate to IAM > Identity providers
Select the existing SAML provider (Provider name: e.g., AzureAD-SAML-Provider)
Click on Replace metadata
To confirm the replacement, type confirm in the field.
Upload the metadata document from Azure AD
5.2.2 Create IAM Roles for Federation
- Verify the existing roles.
Note: If the above roles don't work, then create a new role with the help of the following steps.
Navigate to IAM > Roles
Create a role for SAML 2.0 federation:
Select your SAML identity provider
Enable both programmatic and AWS Management Console access
Select appropriate permissions policies (e.g., AdministratorAccess, AmazonS3ReadOnlyAccess)
Name the role appropriately (e.g., AzureAD-Admin, AzureAD-S3ReadOnly)
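What the console wizard writes into the role when you pick "SAML 2.0 federation" is a trust policy: a Federated principal naming the SAML provider, the sts:AssumeRoleWithSAML action, and a SAML:aud condition pinned to the AWS sign-in endpoint. Extra trusted entities in that policy (the situation the troubleshooting in 5.4 describes) widen who can assume the role, and a missing audience condition lets an assertion issued for a different service provider be presented to STS. The Python below is an added example, not code from the original post or from the author's Terraform: it generates the trust policy for a federated role and audits an existing policy document for those defects. ARNs and the "legacy" policy are constructed placeholders.

```python
# Added example, not from the original post: generate the trust policy an
# Azure AD federated role needs and audit an existing one for mistakes that
# break or over-broaden role assumption. ARNs below are constructed placeholders.
import json

# The audience AWS puts in its SAML requests; pinning it stops an assertion minted
# for another service provider from being replayed against STS.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AzureAD-SAML-Provider"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy allowing only the given SAML provider to assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Return human-readable findings for a federation role's trust policy."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        condition = stmt.get("Condition", {})

        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: wildcard principal lets anyone attempt assumption")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: unexpected principal {principal!r}")
            continue
        for provider in _as_list(principal.get("Federated", [])):
            if provider != expected_provider_arn:
                findings.append(f"statement {i}: trusts federated principal {provider}, "
                                f"expected {expected_provider_arn}")
        if "sts:AssumeRoleWithSAML" in actions:
            aud = condition.get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append(f"statement {i}: sts:AssumeRoleWithSAML without "
                                f"SAML:aud == {SAML_AUDIENCE}")
        for action in actions:
            if action != "sts:AssumeRoleWithSAML":
                findings.append(f"statement {i}: extra action {action} for principal "
                                f"{json.dumps(principal)}; a federation-only role should not need it")
    return findings


# Constructed "before" policy: no audience condition, plus an extra trusted entity
# (the account root via sts:AssumeRole) that has nothing to do with federation.
LEGACY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Federated": PROVIDER_ARN},
         "Action": "sts:AssumeRoleWithSAML"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(PROVIDER_ARN), indent=2))
    for finding in audit_trust_policy(LEGACY_TRUST_POLICY, PROVIDER_ARN):
        print("finding:", finding)
```

Feed audit_trust_policy the document shown under the role's "Trust relationships" tab (or the assume_role_policy your Terraform renders) and keep the role at zero findings; the generated policy is what the AzureAD-Admin and AzureAD-S3ReadOnly roles should carry, with only the permissions policies differing between them.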
5.2.3 Create access and secret keys for user AzureSSOUser
User > Security Credentials > Create Access Key
- Download the .csv file
5.3 Azure AD Group and Role Mapping
5.3.1 Create Azure AD Groups
Navigate to Azure Active Directory > Groups
Create groups corresponding to AWS roles (e.g., AWS-Admin, AWS-S3ReadOnly)
Note: I don't have a P1/P2 license, so I'll demonstrate in a basic account and will use a user account for the demonstration.
5.3.2 Configure Provisioning Role
Navigate to Microsoft Entra ID > Manage > Enterprise Applications > Select "Provisioning" from Manage.
Change the provisioning mode from Manual to Automatic.
Select Admin Credentials and enter the access and secret keys for the user which we created in AWS.
Click on Test Connection.
I was getting an error message while validating the connection.
Troubleshooting:
Fixed:
I noticed that I was using these permissions ["s3:ListBucket", "s3:GetObject", "ec2:DescribeInstances"] in the custom policy, while I should use ["iam:ListRoles"]. I have updated the terraform code for the updated policy.
Now, click on Test Connection and Save.
Refresh the page and change the provisioning state from Off to On.
- Click on Save.
5.3.3 Verify the Role status of Provisioning
Navigate to Microsoft Entra ID > Manage > Enterprise Applications > Provisioning.
Click on Overview from the Provisioning page for Role Sync.
5.3.4 Configure Application Role Assignments
Assign users or groups to these roles in the enterprise application:
Navigate to Enterprise application > Users and groups
Add users/groups and assign appropriate roles
5.4 Testing the Federation
Access the User Access URL from the Enterprise Application properties, or try the following URL: https://myapplications.microsoft.com/
Sign in with Azure AD credentials
If assigned multiple roles, select the desired role
I am getting the above error.
Troubleshooting:
Fixed:
I noticed that I was using the following Trusted Entities in the Role, and I removed them.
Now the Trusted Entities in the Role are as below:
- I have updated the terraform code for the updated policy.
I tried to re-access the page, and the issue got resolved. The assigned multiple roles are visible; select the desired role.
Verify successful redirection to the AWS Management Console with appropriate permissions.
6. License Requirements
Azure AD P1: Supports user-based SAML application assignments
Azure AD P2: Required for group-based SAML application assignments
Recommended for enterprise deployments
Enables dynamic group membership and conditional access features
7. Security Considerations
Implement appropriate session duration based on organizational security policies
Consider using conditional access policies in Azure AD Premium
Regularly audit role assignments in both Azure AD and AWS
Monitor federation activity through Azure AD sign-in logs and AWS CloudTrail
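On the AWS side, every federated sign-in lands in CloudTrail as an sts.amazonaws.com AssumeRoleWithSAML event whose requestParameters carry the role ARN, the saml-provider ARN and the requested durationSeconds, with userIdentity.userName holding the RoleSessionName the assertion supplied; that one event type is enough to audit session duration, role assignments and the identity provider in use. The Python below is an added example, not code from the original post or from AWS: it scans CloudTrail records for that event, flags failed assumptions, sessions longer than a policy maximum, privileged-role use and assumptions through a provider other than the expected Azure AD one, and tallies successful logins per user and role for the periodic role-assignment review. The records are constructed in the shape of CloudTrail STS events; the account id, users, tenant id and IP addresses are placeholders.

```python
# Added example, not from the original post: review CloudTrail records for
# AssumeRoleWithSAML activity, the event every federated login produces.
# Records are constructed in the shape of CloudTrail STS events; account id,
# users, tenant id and IP addresses are placeholders.
import json
from collections import Counter

ACCOUNT = "123456789012"
AZURE_PROVIDER = f"arn:aws:iam::{ACCOUNT}:saml-provider/AzureAD-SAML-Provider"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AzureAD-Admin"
S3_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AzureAD-S3ReadOnly"


def _saml_event(user, role, duration=3600, provider=AZURE_PROVIDER, error=None,
                ip="203.0.113.10"):
    """Build one constructed CloudTrail AssumeRoleWithSAML record."""
    event = {
        "eventTime": "2024-04-07T09:30:12Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "SAMLUser", "userName": user,
                         "identityProvider": "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"},
        "requestParameters": {"roleArn": role, "principalArn": provider,
                              "durationSeconds": duration},
    }
    if error:
        event["errorCode"] = error
    return event


SAMPLE_RECORDS = [
    _saml_event("alice@example.com", S3_ROLE),
    _saml_event("bob@example.com", ADMIN_ROLE, duration=43200),          # 12h admin session
    _saml_event("carol@example.com", ADMIN_ROLE, error="AccessDenied"),   # refused by STS
    _saml_event("dave@example.com", S3_ROLE,
                provider=f"arn:aws:iam::{ACCOUNT}:saml-provider/Legacy-IdP"),
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},  # unrelated
]


def load_records(text: str) -> list:
    """Parse one CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(text).get("Records", [])


def federation_findings(records, expected_providers, max_session_seconds=3600,
                        privileged_roles=()):
    """Flag AssumeRoleWithSAML events that deserve a second look."""
    findings = []
    for rec in records:
        if (rec.get("eventSource") != "sts.amazonaws.com"
                or rec.get("eventName") != "AssumeRoleWithSAML"):
            continue
        params = rec.get("requestParameters") or {}
        base = {"time": rec.get("eventTime"),
                "user": (rec.get("userIdentity") or {}).get("userName", "<unknown>"),
                "role": params.get("roleArn"), "ip": rec.get("sourceIPAddress")}
        if "errorCode" in rec:  # STS refused: no credentials were issued
            findings.append({**base, "finding": "failed-assume", "detail": rec["errorCode"]})
            continue
        if params.get("principalArn") not in expected_providers:
            findings.append({**base, "finding": "unexpected-provider",
                             "detail": params.get("principalArn")})
        duration = params.get("durationSeconds")
        if isinstance(duration, int) and duration > max_session_seconds:
            findings.append({**base, "finding": "long-session", "detail": duration})
        if params.get("roleArn") in privileged_roles:
            findings.append({**base, "finding": "privileged-role", "detail": params.get("roleArn")})
    return findings


def role_usage(records) -> Counter:
    """Count successful federated logins per (user, role) for access reviews."""
    usage = Counter()
    for rec in records:
        if rec.get("eventName") == "AssumeRoleWithSAML" and "errorCode" not in rec:
            user = (rec.get("userIdentity") or {}).get("userName", "<unknown>")
            usage[(user, (rec.get("requestParameters") or {}).get("roleArn"))] += 1
    return usage


if __name__ == "__main__":
    records = load_records(json.dumps({"Records": SAMPLE_RECORDS}))
    for f in federation_findings(records, {AZURE_PROVIDER}, 3600, {ADMIN_ROLE}):
        print(f"{f['time']} {f['finding']:<20} {f['user']} {f['role']} ({f['detail']})")
    for (user, role), n in role_usage(records).items():
        print(f"{n:>3} {user} -> {role}")
```

The max_session_seconds argument should match the SessionDuration claim configured in 5.1.3, so that any session longer than the organisation's policy stands out even if someone later raises the role's maximum; the role_usage tally pairs naturally with the Azure AD provisioning logs when auditing which assignments are actually exercised.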
8. Troubleshooting
Verify SAML claim configurations if role assumption fails
Check role ARN and identity provider ARN syntax in Azure AD role mappings
Ensure users have appropriate group memberships in Azure AD
Review AWS identity provider trust configuration
By implementing this federation architecture, organizations can centralize authentication and authorization while maintaining fine-grained access control to AWS resources.
9. Environment Cleanup:
Azure
Navigate to Microsoft Entra ID > App Registrations
Select the AWS Single-Account Access application > Delete application
AWS
As we are using Terraform, we will use the following command to delete the AWS setup. Run the terraform command.
terraform destroy --auto-approve
Written by

Balraj Singh