Azure AD - AWS Single Sign-On

Azure AD

AWS SSO supports automatic provisioning (synchronization) of user and group information from Azure AD into AWS SSO using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You configure this connection in Azure AD using your SCIM endpoint for AWS SSO and a bearer token that is created automatically by AWS SSO. When you configure SCIM synchronization, you create a mapping of your user attributes in Azure AD to the named attributes in AWS SSO. This causes the expected attributes to match between AWS SSO and your IdP.

The following steps walk you through how to enable automatic provisioning of users and groups from Azure AD to AWS SSO using the AWS Single Sign-On app in the Azure AD Application Gallery and the SCIM protocol.

Note

Before you begin deploying SCIM, we recommend that you first review Considerations for using automatic provisioning, and then continue reviewing Prerequisites and Additional considerations in the next sections.

Prerequisites

You will need the following before you can get started:

Additional considerations

If an attribute is removed from a user in Azure AD, that attribute will not be removed from the corresponding user in AWS SSO. This is a known limitation in Azure AD. If an attribute is changed to a different (non-empty) value on a user, that change will be synchronized to AWS SSO.

Step 1: Set up AWS SSO and configure automatic provisioning

To get started, you'll need to first follow the instructions in Tutorial: Configure AWS Single Sign-On for automatic user provisioning. These instructions walk you through the following:

  • Enable AWS SSO.

  • Install the AWS Single Sign-On app from the Azure AD Application Gallery.

  • Configure automatic provisioning (SCIM) within the Azure portal.

Step 2: (Optional) Configure attribute-based access control

Now that you have configured Azure AD to work with AWS SSO, you can optionally choose to configure attribute-based access control (ABAC). ABAC is an authorization strategy that defines permissions based on attributes.

With Azure AD, you have two different ways to configure ABAC for use with AWS SSO. Choose either of the following methods.

Method 1: Configure ABAC using Azure AD

This method can be used when you need to define which attributes in Azure AD can be used by AWS SSO to manage access to your AWS resources. Once defined, Azure AD sends these attributes to AWS SSO through SAML assertions. You will then need to Create a permission set in AWS SSO to manage access based on the attributes you passed from Azure AD.

Before you begin this procedure, you first need to enable the Attributes for access control feature. For more information about how to do this, see Enable and configure attributes for access control.

To configure user attributes in Azure AD for access control in AWS SSO

  1. While signed into the Azure portal, navigate to Azure Active Directory, Enterprise applications. Search for the name of the application that you created previously to form your SAML connection. Then choose the application.

  2. Choose Single sign-on.

  3. In the User Attributes & Claims section, choose Edit.

  4. On the User Attributes & Claims page, do the following:

    1. Choose Add new claim

    2. For Name, enter AccessControl:AttributeName. Replace AttributeName with the name of the attribute you are expecting in AWS SSO. For example, AccessControl:Department.

    3. For Namespace, enter https://aws.amazon.com/SAML/Attributes.

    4. For Source, choose Attribute.

    5. For Source attribute, use the drop-down list to choose the Azure AD user attributes. For example, user.department.

  5. Repeat the previous step for each attribute you need to send to AWS SSO in the SAML assertion.

  6. Choose Save.

Method 2: Configure ABAC using AWS SSO

With this method, you use the Attributes for access control feature in AWS SSO to pass an Attribute element with the Name attribute set to https://aws.amazon.com/SAML/Attributes/AccessControl:{TagKey}. You can use this element to pass attributes as session tags in the SAML assertion. For more information about session tags, see Passing session tags in AWS STS in the IAM User Guide.

To pass attributes as session tags, include the AttributeValue element that specifies the value of the tag. For example, to pass the tag key-value pair CostCenter = blue, use the following attribute:

  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter">
      <saml:AttributeValue>blue</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>

If you need to add multiple attributes, include a separate Attribute element for each tag.
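The following script is an added example, not part of the AWS documentation or of AWS SSO itself. It parses the AttributeStatement of a SAML assertion and pulls out every AccessControl:{TagKey} attribute as a session tag key-value pair, so you can confirm, before relying on ABAC permission sets, exactly which tags an assertion will carry; it also rejects a tag attribute that carries more than one AttributeValue, since a session tag is a single key-value pair. The sample assertion (the wrapping saml:Assertion element, the CostCenter, Department and RoleSessionName attributes and their values) is constructed for this demo.

```python
"""Extract ABAC session tags from a SAML assertion's AttributeStatement.

Added example (not AWS documentation code). The sample assertion below is
constructed; only the AccessControl:{TagKey} attribute name format comes
from the page.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ACCESS_CONTROL_PREFIX = "https://aws.amazon.com/SAML/Attributes/AccessControl:"

# Constructed sample: two ABAC tag attributes plus one unrelated attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:CostCenter">
      <saml:AttributeValue>blue</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/AccessControl:Department">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_access_control_tags(assertion_xml: str) -> dict:
    """Return {tag_key: tag_value} for every AccessControl:* attribute.

    Attributes outside the AccessControl namespace are ignored. A tag
    attribute with zero or several AttributeValue children raises
    ValueError, because a session tag must be exactly one key-value pair.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    tags = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        name = attr.get("Name", "")
        if not name.startswith(ACCESS_CONTROL_PREFIX):
            continue  # not an ABAC attribute
        tag_key = name[len(ACCESS_CONTROL_PREFIX):]
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", ns)]
        if len(values) != 1:
            raise ValueError(
                f"tag {tag_key!r} must carry exactly one value, got {len(values)}")
        tags[tag_key] = values[0]
    return tags


if __name__ == "__main__":
    # Expected: {'CostCenter': 'blue', 'Department': 'Engineering'}
    print(extract_access_control_tags(SAMPLE_ASSERTION))
```

The script works on a decoded assertion only; it does not validate the signature, so use it as a configuration check on an assertion you have already verified, not as a trust decision.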

Troubleshooting

The following can help you troubleshoot some common issues you might encounter while setting up automatic provisioning with Azure AD.

Azure AD users are not synchronizing to AWS SSO

This might be due to a syntax issue that AWS SSO has flagged when a new user is being added to AWS SSO. You can confirm this by checking the Azure audit logs for failed events, such as an 'Export'. The Status Reason for this event will state:

{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400"}

You can also check AWS CloudTrail for the failed event. This can be done by searching in the Event History console of CloudTrail using the following filter:

"eventName":"CreateUser"

The error in the CloudTrail event will state the following:

"errorCode": "ValidationException", "errorMessage": "Currently list attributes only allow single item"

Ultimately, this exception means that one of the values passed from Azure contained more values than anticipated. The solution here is to review the attributes of the user in Azure AD, ensuring that none contain duplicate values. One common example of duplicate values is having multiple values present for contact numbers such as mobile, work, and fax. Although separate values, they are all passed to AWS SSO under the single parent attribute phoneNumbers.
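The following helper is an added example, not part of the AWS documentation or of the SCIM integration itself. Given a SCIM 2.0 user payload of the kind Azure AD exports, it reports every top-level multi-valued attribute that carries more than one item, which is the condition behind the ValidationException above, so the affected users can be found and cleaned up in Azure AD before the next provisioning cycle. The sample payload (user name, addresses and the three phone numbers) is constructed for this demo.

```python
"""Find multi-valued SCIM attributes that hold more than one item.

Added example (not AWS documentation code). The sample SCIM user below is
constructed; the phoneNumbers case (mobile, work and fax under one parent
attribute) is the one the troubleshooting text describes.
"""
import json

# Constructed SCIM 2.0 user as an IdP might POST it to the SCIM endpoint.
SAMPLE_SCIM_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com",
  "name": {"givenName": "Alice", "familyName": "Example"},
  "emails": [{"value": "alice@example.com", "type": "work", "primary": true}],
  "phoneNumbers": [
    {"value": "+1-555-0100", "type": "mobile"},
    {"value": "+1-555-0101", "type": "work"},
    {"value": "+1-555-0102", "type": "fax"}
  ],
  "addresses": [{"type": "work", "locality": "Seattle"}],
  "active": true
}
""")


def multi_item_list_attributes(user: dict) -> dict:
    """Return {attribute_name: item_count} for each top-level list attribute
    of the SCIM user that holds more than one item.

    The "schemas" list is protocol metadata, not a user attribute, and is
    skipped. Single-item lists such as emails above pass the check.
    """
    offenders = {}
    for name, value in user.items():
        if name == "schemas" or not isinstance(value, list):
            continue
        if len(value) > 1:
            offenders[name] = len(value)
    return offenders


def describe_offenders(user: dict) -> list:
    """Human-readable lines naming each offending attribute and the 'type'
    of each item it holds, to make the cleanup in the IdP concrete."""
    lines = []
    for name, count in multi_item_list_attributes(user).items():
        types = [item.get("type", "?") for item in user[name]
                 if isinstance(item, dict)]
        lines.append(f"{name}: {count} items ({', '.join(types)}); keep only one")
    return lines


if __name__ == "__main__":
    for line in describe_offenders(SAMPLE_SCIM_USER):
        print(line)
```

Run it over the user objects exported from the IdP (or the request bodies captured from a failed sync) to list which users and which attributes need a single value before provisioning will succeed.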