Active Directory Federation Services Integration with AWS IAM

Business Value:

  • Secure SAML integration (Security Assertion Markup Language)
  • Connects with AWS IAM seamlessly
  • Uses existing infrastructure
  • No need to recreate all our users in IAM
  • Map IAM policies to AD groups
  • Provides an audit trail (via CloudTrail)

Microsoft Recommendations for ADFS

  • Highly available AD servers (4 AD servers recommended)
  • At least two ADFS 2.0 standalone servers
  • Load balancer in front of ADFS

ADFS and AWS Authentication Process:

Setting up AWS IAM with ADFS:

Requirements:

  • AD + ADFS setup
  • Downloaded ADFS metadata
  • Create default groups in AD – AWS-PROD and AWS-Dev groups
  • Create a test user in these groups
  • Create an identity provider in IAM
  • Create IAM roles and grant SSO permissions
  • Set up the ADFS trust and mappings

AWS steps:

  • Create identity provider on IAM

Upload the metadata:

Create a New Role:

Set permissions:

Create AD groups as new AWS Roles:

  • CIS compliant: users and access policies are managed from a single console. CIS GPO benchmarks applied at the Domain Controller level enforce the controls.
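To make the "create IAM roles and grant SSO permissions" and "create AD groups as new AWS roles" steps concrete, here is an added Python example (constructed for this page, not AWS or Microsoft code). It builds the least-privilege trust policy an ADFS-federated role needs, mirrors the usual ADFS claim rule that turns AD groups prefixed AWS- into the SAML Role attribute AWS expects, and checks that a Role claim actually names the provider the role trusts; the account ID, provider name ADFS and the startswith-prefix filter are assumptions.

```python
# Constructed helpers for the ADFS -> IAM SAML mapping above (not AWS/Microsoft code).
# Account ID and provider/group names are placeholders.
import re

ACCOUNT_ID = "123456789012"                       # placeholder account
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ADFS"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(saml-provider|role)/[\w+=,.@-]+$")

def trust_policy(provider_arn=PROVIDER_ARN):
    """Trust policy for a role only this SAML provider may assume, and only
    with assertions addressed to the AWS sign-in endpoint (SAML:aud)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}}]}

def role_claims_for_groups(groups, prefix="AWS-"):
    """Mirror the usual ADFS claim rule: every AD group carrying the prefix
    becomes one Role claim 'provider-arn,role-arn'; other groups are dropped."""
    return [f"{PROVIDER_ARN},arn:aws:iam::{ACCOUNT_ID}:role/{g}"
            for g in groups if g.startswith(prefix)]

def parse_role_claim(value):
    """Split a Role claim into (provider_arn, role_arn); reject malformed
    values and provider/role pairs that live in different accounts."""
    provider, sep, role = value.partition(",")
    mp, mr = _ARN.match(provider), _ARN.match(role)
    if not sep or not mp or not mr or mp.group(2) != "saml-provider" or mr.group(2) != "role":
        raise ValueError(f"malformed Role claim: {value!r}")
    if mp.group(1) != mr.group(1):
        raise ValueError("provider and role must live in the same account")
    return provider, role

def claim_allowed_by_policy(claim_value, policy):
    """True if the role's trust policy lists the claim's provider as a
    Federated principal for sts:AssumeRoleWithSAML (the check STS performs)."""
    provider, _ = parse_role_claim(claim_value)
    for stmt in policy["Statement"]:
        actions = [stmt.get("Action")] if isinstance(stmt.get("Action"), str) else stmt.get("Action", [])
        if (stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithSAML" in actions
                and stmt.get("Principal", {}).get("Federated") == provider):
            return True
    return False

if __name__ == "__main__":
    policy = trust_policy()
    for claim in role_claims_for_groups(["AWS-PROD", "AWS-Dev", "Domain Users"]):
        print(claim, claim_allowed_by_policy(claim, policy))
```

Running it prints the two Role claims for AWS-PROD and AWS-Dev (Domain Users is filtered out) and True for each, since the trust policy names the same provider; a claim pointing at a different provider or another account is rejected.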