{"id":13542468,"url":"https://github.com/rgl/example-aws-aad-sso","last_synced_at":"2025-03-14T08:32:37.849Z","repository":{"id":139751785,"uuid":"608335402","full_name":"rgl/example-aws-aad-sso","owner":"rgl","description":"This integrates the AWS IAM Identity Center with the Azure AD as a SSO solution.","archived":false,"fork":false,"pushed_at":"2023-08-30T07:51:46.000Z","size":23,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-05T18:21:43.722Z","etag":null,"topics":["aad","aws","aws-identitystore","aws-sso","azure","azure-sso","azuread","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-03-01T20:04:13.000Z","updated_at":"2023-12-14T03:53:38.000Z","dependencies_parsed_at":"2024-01-16T15:50:03.335Z","dependency_job_id":"a48338fd-6a4f-4898-b381-48793b0e1b5f","html_url":"https://github.com/rgl/example-aws-aad-sso","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fexample-aws-aad-sso","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fexample-aws-aad-sso/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fexample-aws-aad-sso/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fexample-aws-aad-sso/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/owners/rgl","download_url":"https://codeload.github.com/rgl/example-aws-aad-sso/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221449990,"owners_count":16823720,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aad","aws","aws-identitystore","aws-sso","azure","azure-sso","azuread","terraform"],"created_at":"2024-08-01T10:01:08.358Z","updated_at":"2024-10-25T18:41:05.484Z","avatar_url":"https://github.com/rgl.png","language":"HCL","funding_links":[],"categories":["HCL","terraform"],"sub_categories":[],"readme":"# About\n\n[![Lint](https://github.com/rgl/example-aws-aad-sso/actions/workflows/lint.yml/badge.svg)](https://github.com/rgl/example-aws-aad-sso/actions/workflows/lint.yml)\n\nThis integrates the AWS IAM Identity Center with the Azure AD as an SSO solution.\n\nThis will use [terraform](https://www.terraform.io/) to configure the AWS IAM Identity Center and the Azure AD services as described in the [Tutorial: Azure AD SSO integration with AWS IAM Identity Center](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-tutorial).\n\nIt will create the Azure AD [Users](azure-users.tf), [Application, Application Roles, Enterprise Application (aka Service Principal)](azure-applications.tf) that can be used to log in to AWS.\n\nIt will create the corresponding AWS Identity Center [Users, Groups](aws-users.tf), and [Permissions Sets](aws-permissions.tf) to log in to AWS.\n\nYou can test this in the Azure AD of [Free Microsoft 365 E5 instant 
sandbox](https://developer.microsoft.com/en-us/microsoft-365/dev-program) and in the [AWS Free Tier](https://aws.amazon.com/free/).\n\nBe aware that this is not configuring [Automatic User Provisioning](https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html). It creates the users in both directories: Azure AD and AWS Identity Center.\n\nBe aware that the AWS IAM Identity Center can only be connected with a single Azure AD. For more information, see the [FAQ: Can I connect more than one identity source to IAM Identity Center?](https://aws.amazon.com/iam/identity-center/faqs/#Identity_sources_and_applications_support).\n\nBe aware of the [AWS IAM Identity Center User Guide Troubleshooting section](https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html), especially the [Error 'An unexpected error has occurred' when a user tries to sign in using an external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/troubleshooting.html#issue8).\n\nBe aware that although AWS Single Sign-On was renamed to AWS IAM Identity Center, the `sso` and `identitystore` API namespaces (and terraform names) continue to retain their original name for backward compatibility purposes. 
For more information, see [IAM Identity Center rename](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).\n\n# Usage\n\nCreate an Azure account.\n\nCreate an AWS account, choose a region, and then [just enable the IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html) (this will also enable the AWS Organizations service).\n\nInstall the required tools:\n\n* [terraform](https://github.com/hashicorp/terraform).\n* [azure-cli](https://github.com/Azure/azure-cli).\n* [aws-cli](https://github.com/aws/aws-cli).\n\nLog in to Azure:\n\n```bash\naz login --allow-no-subscriptions\n```\n\n**NB** If you are using the Free Microsoft 365 E5 instant sandbox, you should log in as its administrator.\n\nEnsure the expected account is set as default:\n\n```bash\naz account show\naz account list\naz account set --subscription=\u003ctenantId or id\u003e\naz account show\n```\n\nConfigure the AWS CLI to use an access key (ID and secret) to access AWS:\n\n```bash\n# set the account credentials.\n# NB get these from your aws account iam console.\n#    see Managing access keys (console) at\n#        https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey\nexport AWS_ACCESS_KEY_ID='TODO'\nexport AWS_SECRET_ACCESS_KEY='TODO'\n# set the default region.\nexport AWS_DEFAULT_REGION='eu-west-1'\n# show the user, user amazon resource name (arn), and the account id.\naws sts get-caller-identity\n```\n\nInitialize terraform:\n\n```bash\nmake terraform-init\n```\n\nLaunch the example:\n\n```bash\nmake terraform-plan\nmake terraform-apply\n```\n\nOpen the AWS Identity Center page and:\n\n1. Go to the `Dashboard` page.\n2. Change the identity source to `External service provider`:\n   1. Click the `Choose your identity source` link.\n   2. Under the `Identity source` tab, click the `Actions` button, and choose `Change identity source`.\n   3. Click `External service provider`.\n   4. 
Click the `Next` button.\n3. Under the `Service provider metadata` section:\n   1. Copy the `IAM Identity Center Assertion Consumer Service (ACS) URL` and paste it into the `aws_saml_acs` variable value inside the `aws-permissions.tf` file.\n   2. Copy the `IAM Identity Center issuer URL` and paste it into the `aws_saml_entity_id` variable value inside the `aws-permissions.tf` file.\n   3. Execute `make terraform-plan` and review the plan.\n   4. Execute `make terraform-apply` and wait for it to finish.\n   5. Execute `terraform output -raw saml_metadata_document \u003eazure-ad-idp-saml-metadata.xml`\n4. Under the `Identity provider metadata`, `IdP SAML metadata` section:\n   1. Click the `Choose file` button, and upload the `azure-ad-idp-saml-metadata.xml` file created in the previous step.\n5. Click `Next`.\n6. Review and confirm.\n7. Click `Change identity source`.\n\nShow the `AWS access portal URL` (aka SSO start URL):\n\n```bash\nterraform output -raw aws_access_portal_url\n```\n\nOpen the `AWS access portal URL` in a web browser, and log in with the `Alice` credentials:\n\n```bash\nterraform output -raw alice_email\nterraform output -raw alice_password\n```\n\nOpen a new shell session, and configure the AWS CLI to use an SSO-generated\ntoken to access AWS as `Alice`:\n\n```bash\naws configure sso\n```\n\nThe questions, answers, and output will be something like:\n\n```plain\nSSO session name (Recommended): cli\nSSO start URL [None]: https://d-0000000000.awsapps.com/start\nSSO region [None]: eu-west-1\nSSO registration scopes [sso:account:access]:\nAttempting to automatically open the SSO authorization page in your default browser.\nIf the browser does not open or you wish to use a different device to authorize this request, open the following URL:\n\nhttps://device.sso.eu-west-1.amazonaws.com/\n\nThen enter the code:\n\n0000-0000\nThe only AWS account available to you is: 00000000\nUsing the account ID 00000000\nThere are 2 roles available to you.\nUsing the 
role name \"Readers\"\nCLI default client Region [None]:\nCLI default output format [None]:\nCLI profile name [Readers-00000000]: Alice-Readers\n\nTo use this profile, specify the profile name using --profile, as shown:\n\naws s3 ls --profile Alice-Readers\n```\n\nUse the profile, and show the user, user amazon resource name (arn), and the account id:\n\n```bash\nunset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY\nexport AWS_PROFILE='Alice-Readers'\naws sts get-caller-identity\n```\n\nThis should show something like:\n\n```json\n{\n    \"UserId\": \"000000000000000000000:example-aws-aad-sso-alice.doe@example.onmicrosoft.c\",\n    \"Account\": \"00000000\",\n    \"Arn\": \"arn:aws:sts::00000000:assumed-role/AWSReservedSSO_Readers_0000000000000000/example-aws-aad-sso-alice.doe@example.onmicrosoft.c\"\n}\n```\n\nAfter you are done testing as `Alice`, log out, and exit the shell:\n\n```bash\naws sso logout\nexit\n```\n\nWhen you later need to log in again, you can skip the `aws configure sso` step,\nand use `aws sso login` as:\n\n```bash\nunset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY\nexport AWS_PROFILE='Alice-Readers'\naws sso login\naws sts get-caller-identity\n```\n\nAfter you are done testing, and are ready to destroy everything, return to the\noriginal shell, the one that is using the `AWS_ACCESS_KEY_ID` and\n`AWS_SECRET_ACCESS_KEY` environment variables, and destroy everything:\n\n```bash\nmake terraform-destroy\n```\n\n# References\n\n* [Tutorial: Azure AD SSO integration with AWS IAM Identity Center](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-tutorial)\n* [Configuring the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On)](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html)\n* [Environment variables to configure the AWS 
CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fexample-aws-aad-sso","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgl%2Fexample-aws-aad-sso","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fexample-aws-aad-sso/lists"}