To set up single sign-on from Azure AD to AWS, follow the steps below:
AZURE
- Open Azure Active Directory at https://aad.portal.azure.com and go to Enterprise applications:
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-61.png)
- Click on “New application”, search for AWS Single-Account Access and then click on “Create”
![](https://lopes.cloud/wp-content/uploads/2023/02/pasted.png)
- Once it's done, open the new application
![](https://lopes.cloud/wp-content/uploads/2023/02/pasted-1.png)
- In the left menu, open “Single sign-on” and select SAML as the SSO method
![](https://lopes.cloud/wp-content/uploads/2023/02/pasted-2.png)
- As soon as the SAML page opens you will get the notification “Save single sign-on setting”. Click on Yes.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-8.png)
After the “saved successfully” notification, refresh the page. It will then display the Identifier and Reply URL correctly.
- Scroll down to step 03 and download the Federation Metadata XML. We'll use it on AWS. Don't forget to double-check the notification email.
![](https://lopes.cloud/wp-content/uploads/2023/02/pasted-3.png)
- Go back to AAD and create a security group with assigned membership. Add the users to it and take note of the group name, because we'll use it for SSO on AWS.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-10.png)
AWS
- It's time to set up AWS. Open the AWS console with your ROOT ACCOUNT: https://aws.amazon.com/
- Once you are in, search for IAM
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-12.png)
- On the left panel, open Identity providers
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-13.png)
- For Provider type, select SAML
- Give your provider a name; in my case, I called it AzureAD
- For Metadata document, choose the XML that you downloaded from Azure
- and then click on Add provider
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-14.png)
- Open the provider again. Now we'll add an IAM role to it.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-16.png)
- Click on Assign role
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-17.png)
- Create a new role -> Next
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-18.png)
- Select SAML 2.0 federation
- SAML provider -> select the name of the provider, in my case AzureAD
- Check “Allow programmatic and AWS Management Console access”
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-19.png)
- On the next page, search for the permissions that you want to assign to users when they log in. I used the system administrator here.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-22.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-24.png)
- On the review page, enter the role name
- Role name: THE-NAME-OF-GROUP-ON-AZURE-AD
- REMEMBER: if you don't do it this way it won't work.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-26.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-28.png)
- Now we need to create a new policy.
- Select Policies from the left menu
- and click on Create policy:
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-29.png)
- Change the view to JSON and paste the policy below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    }
  ]
}
```
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-30.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-32.png)
- Policy Name: AzureAD_SSOUserRole_Policy
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-33.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-34.png)
- Now we need to create a user with API access.
- On the left menu click on Users and then Add users
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-35.png)
- User name: AzureADRoleManager
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-37.png)
- Permission options: Attach policies directly
- Select the policy that we created before: AzureAD_SSOUserRole_Policy
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-43.png)
- Click on Next, then review and create.
- Open the new user again
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-38.png)
- Go to Security credentials and click on Create access key
![](https://lopes.cloud/wp-content/uploads/2023/02/pasted-4.png)
- Select the use case Other
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-40.png)
- Click on Create Access Key
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-41.png)
- On the next screen, take note of the Access key and Secret access key. We'll use them back in Azure AD.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-42.png)
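As an added example that is not part of the original post, the two IAM documents behind the AWS steps above, built and checked locally in Python: the trust policy the console generates for a SAML 2.0 federation role with console access, and the iam:ListRoles policy for the provisioning user. The account id in the provider ARN used in the test is a placeholder.

```python
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # AWS console sign-in endpoint

def saml_role_trust_policy(provider_arn):
    """Trust policy the console generates for a "SAML 2.0 federation" role with console access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }

# The policy pasted in the steps above: the provisioning user only needs to list roles.
PROVISIONING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_problems(doc, expected_provider_arn):
    """Findings for a role trust policy; empty means only assertions from the expected IdP can assume it."""
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or "AWS" in principal or "Service" in principal:
            problems.append("statement allows a non-federated principal")
            continue
        if _as_list(principal.get("Federated", [])) != [expected_provider_arn]:
            problems.append("federated principal is not the expected SAML provider")
        if "sts:AssumeRoleWithSAML" not in _as_list(st.get("Action", [])):
            problems.append("statement does not use sts:AssumeRoleWithSAML")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append("missing or wrong SAML:aud condition")
    return problems

def provisioning_policy_is_minimal(doc):
    """True when the policy allows exactly iam:ListRoles and nothing else."""
    actions = {a for st in doc["Statement"] if st.get("Effect") == "Allow"
               for a in _as_list(st.get("Action", []))}
    return actions == {"iam:ListRoles"}
```

Feed `trust_policy_problems` the trust policy shown on the role's Trust relationships tab to confirm the role is pinned to the AzureAD provider you created.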
AZURE
- Back in Azure, go to Enterprise applications and open the AWS Single-Account Access app
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-48.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-47.png)
- Go to Provisioning -> Get started
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-46.png)
- Change the Provisioning Mode to Automatic
- Admin Credentials:
  - clientsecret: AWS-ACCESS-KEY
  - Secret Token: AWS-SECRET-ACCESS-KEY
  - Both come from the user that you created on AWS
- Click on Test Connection -> Save
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-50.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-54.png)
- Leave the Provisioning screen and open it again; this is just to refresh the page.
- Now click on Edit provisioning
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-55.png)
- Turn on Provisioning Status
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-56.png)
- At last, go to Users and groups in the enterprise application and add who is going to have access.
- If you don't have Azure AD Premium you cannot add a GROUP here.
- The users must be members of the security group even if they are added manually under Users and groups in the enterprise application.
- They must be direct members of the security group.
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-57.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-58.png)
- You must wait for the provisioning synchronization (it could take up to 40 min)
- To test, go to https://myapplications.microsoft.com/ and click on the AWS icon
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-59.png)
![](https://lopes.cloud/wp-content/uploads/2023/01/pasted-60.png)