Configuring SSO for Microsoft Azure

Configure Azure Active Directory single sign-on (SSO) integration with Amazon Web Services (AWS)

⚠️ Before going through these steps, make sure you have followed the instructions to configure AWS SSO (IAM Identity Center).

Introduction

In this tutorial, you'll learn how to integrate Amazon Web Services (AWS) with Azure Active Directory (Azure AD). When you integrate Amazon Web Services (AWS) with Azure AD, you can:

  • Control in Azure AD who has access to Amazon Web Services (AWS).
  • Enable your users to be automatically signed in to Amazon Web Services (AWS) with their Azure AD accounts.
  • Manage your accounts in one central location - the Azure portal.

Prerequisites

To get started, you need the following items:

  • An Azure AD subscription. If you don't have a subscription, you can get a free account.
  • An AWS account with IAM Identity Center (successor to AWS SSO) enabled.

Step 1 - Create an application for AWS IAM Identity Center in Azure Active Directory

Adding AWS IAM Identity Center (successor to AWS SSO) from the gallery

To configure the integration of Amazon Web Services (AWS) into Azure AD, you need to add AWS IAM Identity Center (successor to AWS Single Sign-On) from the gallery to your list of managed SaaS apps.

  1. Sign in to the Azure portal using a Microsoft account.
  2. In the Azure portal, search for and select Azure Active Directory.
  3. Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications.
  4. Select New application to add an application.
  5. In the Add from the gallery section, type AWS IAM Identity Center in the search box.
  6. Create the application.

Step 2 - Configure Azure AD SSO

  1. In the Azure portal, on the AWS IAM Identity Center application integration page, find the Manage section and select Single sign-on.
  2. On the Select a single sign-on method page, select SAML.
  3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
  4. If you have the Service Provider metadata file, perform the following steps in the Basic SAML Configuration section:
    1. Click Upload metadata file.
    2. Click the folder icon to select the metadata file (downloading it is explained in the Step 3 - Configure AWS IAM Identity Center SSO section), then click Add.
    3. Once the metadata file is successfully uploaded, the Identifier and Reply URL values are auto-populated in the Basic SAML Configuration section.
  5. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate and save it on your computer.

Step 3 - Configure AWS IAM Identity Center SSO

  1. In a different web browser window, sign in to your AWS IAM Identity Center company site as an administrator.
  2. Go to Services -> Security, Identity, & Compliance -> AWS IAM Identity Center.
  3. In the left navigation pane, choose Settings.
  4. On the Settings page, find Identity source, click the Actions pull-down menu, and select Change identity source.
  5. On the Change identity source page, choose External identity provider.
  6. Perform the following steps in the Configure external identity provider section:
    1. In the Service provider metadata section, find AWS SSO SAML metadata and select Download metadata file to download the metadata file and save it on your computer; this is the metadata file you upload in the Azure portal.
    2. Copy the AWS access portal sign-in URL value and paste it into the Sign on URL text box in the Basic SAML Configuration section in the Azure portal.
    3. In the Identity provider metadata section, select Choose file to upload the metadata file you downloaded from the Azure portal.
  7. Choose Next: Review.
  8. In the text box, type ACCEPT to change the identity source.
  9. Click Change identity source.
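Steps 2 and 3 exchange SAML metadata files: the AWS service provider (SP) metadata is uploaded to Azure AD, which auto-populates the Identifier and Reply URL from it. The following added example (not part of this guide or of either vendor's tooling) parses an SP metadata file with the Python standard library, extracts those two values, and flags basic problems before upload; the embedded metadata is a constructed sample with placeholder identifiers, not real AWS values.

```python
"""Extract the Identifier (entityID) and Reply URL (AssertionConsumerService
Location) that Azure AD auto-populates from an AWS IAM Identity Center SP
metadata file, and sanity-check them before uploading the file."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an AWS SSO SAML metadata file.
# The directory id and ACS id are placeholders, not real values.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us-east-1.signin.aws.amazon.com/platform/saml/d-EXAMPLE0000">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-east-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS-ID"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the values Azure AD derives from SP metadata, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    # Azure AD posts the SAML response, so only the HTTP-POST ACS endpoint matters.
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    return {
        "identifier": root.get("entityID"),          # Azure AD "Identifier (Entity ID)"
        "reply_url": default.get("Location"),        # Azure AD "Reply URL (ACS URL)"
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def check_sp_metadata(info):
    """Return a list of problems; an empty list means the file looks safe to upload."""
    problems = []
    for key in ("identifier", "reply_url"):
        if not info[key] or not info[key].startswith("https://"):
            problems.append("%s is missing or not an https URL" % key)
    if not info["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    return problems
```

Run `check_sp_metadata(parse_sp_metadata(open("metadata.xml").read()))` on the file downloaded in Step 3 and compare the two URLs it reports with what the Azure portal shows after the upload.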

Step 4 - Configure role provisioning for Amazon Web Services (AWS)

  1. Select the Provisioning tab.
  2. Set the Provisioning Mode to Automatic.
  3. Under the Admin Credentials section, enter your AWS IAM Identity Center Tenant URL and Secret Token retrieved earlier in Step 2. Click Test Connection to ensure Azure AD can connect to AWS IAM Identity Center.
  4. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications, and select the Send an email notification when a failure occurs check box.
  5. Select Save.

Step 5 - Assign the Azure AD test user

In this section, you'll enable the test user to use Azure single sign-on by granting access to Amazon Web Services (AWS).

  1. In the Azure portal, search for and select Azure Active Directory.
  2. Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications.
  3. In the application list, select the AWS application.
  4. In the app's overview page, find the Manage section and select Users and groups.
  5. Select Add user, then select Users and groups in the Add Assignment dialog.
  6. In the Users and groups dialog, select the user from the Users list, then click the Select button at the bottom of the screen.
  7. In the Select Role dialog, select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.
  8. In the Add Assignment dialog, confirm the role and click the Assign button.

Note: Instead of adding a user, you can add a group as well.

Step 6 - Test the SSO Access

  1. Install the My Apps Secure Sign-in extension:
    • Firefox - https://addons.mozilla.org/en-US/firefox/addon/access-panel-extension/
    • Chrome - https://chrome.google.com/webstore/detail/my-apps-secure-sign-in-ex/ggjhpefgjjfobnfoldnjipclpcfbgbhl
  2. Sign in with your Azure account.
  3. You will have access to all your applications.