
AWS SSO Integration with Azure AD

Step-by-step instructions for integrating AWS SSO with Azure AD (Azure Active Directory)

1. On the Azure side go to Azure Active Directory > Enterprise applications

2. Click on + New application


3. Select Non-gallery application

4. Give it a name, for example AWS-SSO, and click Add


5. Select Single sign-on and then SAML
6. Scroll down to SAML Signing Certificate and click Edit

7. Change Sign SAML assertion to Sign SAML response and assertion

8. Download and save the Federation Metadata XML file; it will be uploaded to AWS SSO
9. On the AWS side go to AWS SSO in the Master Account if you are using AWS Organizations; select any Region where AWS SSO is available, the settings are global for the AWS account anyway

10. Click Enable AWS SSO


11. Click on Step 1: Choose your identity source
12. Click Change next to Identity source: AWS SSO
13. Choose External identity provider
14. Download the AWS SSO SAML metadata file; it will be uploaded to Azure AD

15. Upload the SAML metadata file from Azure AD and click Review

16. Type ACCEPT and click Change identity source

17. On the Settings screen click Enable automatic provisioning

18. Copy your SCIM endpoint and Access token; you will need both on the Azure AD side

19. On the Azure side under Azure Active Directory > Enterprise applications > AWS-SSO > Single sign-on > SAML, click Upload metadata file
20. Select the metadata file from AWS SSO, click Add and Save.
21. After that you can skip Test single sign-on by clicking No, I'll test later

22. Now on the Azure side in the AWS-SSO application click Provisioning and Get started

23. Change Provisioning Mode to Automatic


24. Under Admin Credentials set:

a. For Tenant URL paste the SCIM endpoint
b. For Secret Token paste the Access token
c. Click Test Connection; you should see a green check on the right side of Tenant URL and Secret Token
d. Don't forget to click Save

25. After you have saved the Admin Credentials, under Mappings choose Provision Azure Active Directory Users to customappsso
a. Click on mailNickname, change the Source attribute from mailNickname to objectId, and click OK
b. Delete the fields that are not relevant (fields not used in AWS) from the mapping; in the end you should have a mapping like this

c. Click Save and close Attribute Mapping.


26. Now you can start automatic provisioning by turning it On and clicking Save

27. The last step is to add the users/groups from Azure AD who need access to AWS to this Azure enterprise application
28. On the Azure side in the AWS-SSO application click Users and groups
29. Click on Users and groups (None Selected); a list will appear
30. From the list select the groups/users who will get access to AWS, then click Select and Assign.
31. Provisioning of users and groups to AWS will now start at the defined interval (about 40 minutes); you can start it immediately by going to Provisioning and clicking Start provisioning

32. If you did everything correctly you will see the number of groups and users provisioned
33. On the AWS SSO side refresh the browser and you should see the same groups and users provisioned in AWS SSO
a. Groups

b. Users

34. Now you need to grant AWS permissions to those users/groups


35. On the AWS side in AWS SSO > AWS accounts > Permission sets you need to create the permission sets that will be used. These are not your IAM roles. You can then assign them to accounts and to the users/groups from Azure AD according to the permission mapping you have defined.

Example of an Azure user login to get access to AWS
