Public Cloud

Part 1. AWS-SSO Integrated with Azure AD

  • 22nd August 2020 (updated 24th August 2020)
  • by Kabir Vaderaa

In this article I will show you how to create AWS SSO and integrate it with your Azure AD for single sign-on (SSO).

Many organisations have multiple public cloud providers. The challenge with cloud for many organisations is having a good mechanism for user access management (UAM). Many organisations have also integrated their LDAP directory into Azure AD, and while there are better identity providers (IdPs), Microsoft has made good improvements in this space.

AWS SSO is Amazon's alternative to Azure AD and has many connectors to third parties; however, in this scenario we are going to make Azure AD the primary identity provider and use AWS SSO to integrate with an AWS organisation.

Before starting you should have set up an AWS organisation; if you don't know how, here is a guide on how to set it up.

AWS Config

Log in to your master AWS Organizations account and go to

When you log in you will see a screen like the one below.

Screenshot: Enable AWS SSO

Click Enable AWS SSO. In the background, SSO is provisioned in each of the organisation's accounts; you can see this by looking at IAM in each account.

IAM view of SSO

Once it is provisioned, go into SSO and click Choose your identity source.

Screenshot of AWS SSO successfully enabled page

Click Change identity source (the default source is the built-in AWS SSO directory).

AWS SSO Settings

Select External identity provider and download the AWS SSO SAML metadata file; you will upload it into Azure AD in Part 2.

AWS SSO Identity Sources

Next, go to Part 2: Azure AD Config.

Projects

I-SEM Tech Lead and Solution Architecture

  • 15th January 2023
  • by Kabir Vaderaa

Client : Bord Gáis Energy (2017 -2018)

We were responsible for ensuring the successful implementation and integration of the I-SEM (Integrated Single Electricity Market) suite of applications. Our role included designing and developing the application architecture across the programme, integrating a mixture of SaaS, PaaS and on-premise solutions, and ensuring successful delivery for Day 1 go-live in the new I-SEM market.

This project required the delivery of various systems and platforms, such as a market settlements platform, a bid management platform, enhancements to the power station monitoring system, energy modelling platforms, a BI dashboard platform, an ODS (Operational Data Store) and a Data Mart/DWH to provide real-time dashboard solutions for energy traders, and hundreds of API and data integration points across various systems and platforms. We were highly experienced in the energy markets and had a long track record of successful delivery of energy trading systems.

We understood the complexities of I-SEM and the requirements of the energy trading industry. We were confident that we could provide the expertise and technical skills necessary for the successful implementation of the I-SEM suite of applications.

Public Cloud

Part 2. AZURE AD Config for AWS SSO

  • 22nd August 2020 (updated 20th January 2022)
  • by Kabir Vaderaa

Azure Config

Log in to your Azure portal, go to Azure Active Directory, select Enterprise applications, then New application.

Select Non-gallery application, as the AWS gallery application is for SSO into IAM, not AWS SSO.

Give it a name, then open the app, click Single sign-on and select SAML.

On that screen click Upload metadata file and select the AWS SSO metadata file you downloaded in Part 1. When you upload it, Azure AD fills in the Identifier and the Reply URL from the file.

Download the Azure AD federation metadata XML.

Quickly flip back to AWS, upload the Azure metadata file and click Next; that part of AWS is now configured.
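Two metadata files change hands in this setup: the SP metadata you downloaded from AWS SSO in Part 1 and the IdP metadata you have just downloaded from Azure AD. The script below is an added example for this article (it is not AWS or Microsoft code): it parses either file, lists the entityID, the endpoints and a SHA-256 fingerprint of each certificate, and for the AWS file works out the Identifier and Reply URL that Azure AD populates on upload, so you can confirm both sides point at each other before testing a login. The two sample files are constructed; the tenant GUID, region, directory ID and ACS ID are placeholders and the certificate element holds ten arbitrary bytes rather than a real certificate.

```python
"""Inspect a SAML metadata file before handing it to the other side.

Added example for this article (not AWS or Microsoft code). Reads either the
SP metadata that AWS SSO exports or the IdP metadata that Azure AD exports and
pulls out the entityID, the endpoints and a SHA-256 fingerprint of each
certificate. Standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample files. The tenant GUID, region and IDs are placeholders,
# and the X509Certificate content is ten arbitrary bytes, not a real cert.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>AAECAwQFBgcICQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu-west-1.signin.aws.amazon.com/platform/saml/d-EXAMPLE">
  <SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu-west-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS-ID" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def inspect_metadata(xml_text: str) -> dict:
    """Return entityID, role (IdP/SP), endpoints and certificate fingerprints."""
    # Only parse files you obtained yourself from the AWS or Azure console;
    # for XML from an untrusted source use defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": [], "cert_sha256": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        info["role"], desc, tag = "IdP", idp, "md:SingleSignOnService"
    elif sp is not None:
        info["role"], desc, tag = "SP", sp, "md:AssertionConsumerService"
    else:
        raise ValueError("metadata has neither an IdP nor an SP descriptor")
    for ep in desc.findall(tag, NS):
        binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        info["endpoints"].append((binding, ep.get("Location")))
    for kd in desc.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # a missing 'use' means both
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            info["cert_sha256"].append((use, hashlib.sha256(der).hexdigest()))
    return info


def azure_saml_settings(sp_info: dict) -> dict:
    """The two values Azure AD fills in from the AWS SP metadata:
    Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL)."""
    if sp_info["role"] != "SP":
        raise ValueError("expected SP metadata from AWS SSO")
    post_acs = [loc for binding, loc in sp_info["endpoints"] if binding == "HTTP-POST"]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {"identifier": sp_info["entity_id"], "reply_url": post_acs[0]}


if __name__ == "__main__":
    for label, text in (("AWS SSO (SP)", SAMPLE_SP_METADATA), ("Azure AD (IdP)", SAMPLE_IDP_METADATA)):
        print(label, inspect_metadata(text))
    print("Azure SAML settings:", azure_saml_settings(inspect_metadata(SAMPLE_SP_METADATA)))
```

To use it on the real files, replace the sample strings with the contents of the downloaded XML (or call `ET.parse` on the path). Comparing the certificate fingerprint printed for the Azure file with the one shown in the Azure portal is a cheap way to catch a stale or wrong download before a failed login sends you hunting through both consoles.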

Now we need to set up provisioning so that the users and groups added to this application in Azure AD are provisioned into AWS SSO. To do this, go back to AWS SSO and click Enable automatic provisioning.

AWS SSO Settings - Provisioning

As part of this it will generate a SCIM endpoint URL and an access token; take note of both, as they need to go into Azure.

Add users and groups to the Azure app. You can add as many groups as you need roles in AWS.

Setup Account Provisioning

In Azure AD go to Provisioning and set the mode to Automatic. For Tenant URL enter the SCIM endpoint URL generated in AWS, and for Secret Token enter the access token generated by AWS. Click Test Connection to validate.

We are still not done; there are a few other settings we need to change in the mappings, as outlined in the AWS article, but here are the highlights.

Expand the mappings

Important:

  1. Make sure that all users in Azure AD have First name, Last name and Display name filled in under their user properties. Otherwise, automatic provisioning won't work with Azure AD.
  2. On the Attribute Mapping page, delete the mappings for the two attributes facsimileTelephoneNumber and mobile.
  3. Choose mailNickname in the attribute table, under Edit Attribute change Source attribute from mailNickname to objectId, and then choose OK.

For groups you only need to do point 3 above.

Users should look something like below.
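The three mapping points above are easy to get wrong and only surface as silent skips in the provisioning log 40 minutes later. The script below is an added example for this article (not Microsoft or AWS code) that takes user and group records in the shape Microsoft Graph returns and does two things: it reports every user whose First name, Last name or Display name is empty, since those are the users Azure AD will not provision (point 1), and it builds the SCIM payloads AWS SSO receives once the mappings are corrected, with no phone attributes (point 2) and externalId taken from objectId for both users and groups (point 3). The sample users and group are constructed, with placeholder GUIDs and addresses, and the userPrincipalName to userName mapping is the assumed Azure AD default.

```python
"""Pre-flight check for Azure AD -> AWS SSO automatic provisioning.

Added example for this article (not Microsoft or AWS code). Input records use
the Microsoft Graph attribute names: id (objectId), userPrincipalName,
givenName (First name), surname (Last name), displayName, mobilePhone,
faxNumber. The userPrincipalName -> userName mapping is the assumed default.
"""

REQUIRED = ("givenName", "surname", "displayName")  # Graph names for First/Last/Display name

# Constructed sample records; GUIDs and addresses are placeholders.
SAMPLE_USERS = [
    {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "alice@example.com",
     "givenName": "Alice", "surname": "Adams", "displayName": "Alice Adams",
     "mobilePhone": "+353 1 000 0000", "faxNumber": None},
    {"id": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "svc-reporting@example.com",
     "givenName": None, "surname": None, "displayName": "Reporting Service",
     "mobilePhone": None, "faxNumber": None},
    {"id": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "bob@example.com",
     "givenName": "Bob", "surname": "  ", "displayName": "Bob Byrne",
     "mobilePhone": None, "faxNumber": "+353 1 000 0001"},
]
SAMPLE_GROUPS = [
    {"id": "44444444-4444-4444-4444-444444444444", "displayName": "AWS-Prod-ReadOnly"},
]


def missing_required(user: dict) -> list:
    """Names of the required attributes that are empty or whitespace-only."""
    return [attr for attr in REQUIRED if not (user.get(attr) or "").strip()]


def preflight(users: list) -> dict:
    """Map UPN -> missing attributes for every user that would be skipped (point 1)."""
    report = {}
    for user in users:
        gaps = missing_required(user)
        if gaps:
            report[user["userPrincipalName"]] = gaps
    return report


def to_scim_user(user: dict) -> dict:
    """SCIM 2.0 User as AWS SSO receives it after the mapping changes."""
    gaps = missing_required(user)
    if gaps:
        raise ValueError(f"{user['userPrincipalName']} is missing {gaps}")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": user["id"],  # objectId, after point 3 (was mailNickname)
        "userName": user["userPrincipalName"],
        "name": {"givenName": user["givenName"].strip(), "familyName": user["surname"].strip()},
        "displayName": user["displayName"].strip(),
        "emails": [{"value": user["userPrincipalName"], "type": "work", "primary": True}],
        "active": True,
        # No phoneNumbers: the facsimileTelephoneNumber and mobile mappings were deleted (point 2).
    }


def to_scim_group(group: dict) -> dict:
    """SCIM 2.0 Group; for groups only point 3 (externalId = objectId) applies.
    Membership is sent by Azure AD in separate PATCH requests and is not modelled here."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "externalId": group["id"],
        "displayName": group["displayName"],
    }


def build_payloads(users: list, groups: list) -> tuple:
    """Return (user payloads, group payloads, skipped users) for one sync cycle."""
    ok = [to_scim_user(u) for u in users if not missing_required(u)]
    return ok, [to_scim_group(g) for g in groups], preflight(users)


if __name__ == "__main__":
    user_payloads, group_payloads, skipped = build_payloads(SAMPLE_USERS, SAMPLE_GROUPS)
    for upn, gaps in skipped.items():
        print(f"WILL NOT PROVISION {upn}: empty {', '.join(gaps)}")
    print("users to AWS SSO:", [u["userName"] for u in user_payloads])
    print("groups to AWS SSO:", [g["displayName"] for g in group_payloads])
```

Running the check against a real export of the users assigned to the app (for example the output of a Graph users query) before switching provisioning status on tells you who will be missing from AWS SSO after the first cycle, rather than discovering it when someone cannot see the AWS tile.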

Once you're happy with your settings, turn the provisioning status on and save the changes.

Note that Azure AD only provisions every 40 minutes, so if you make additional changes you need to wait for the next sync cycle.

Once provisioning has completed you will see the users and groups in AWS SSO.

Users have been replicated
Azure AD group has been replicated

You are now ready to assign AWS account permissions to the groups and users. Once you have done so, when a user in the Azure AD group goes into Office 365, or to https://account.activedirectory.windowsazure.com/r#/applications and selects All apps, they should see the AWS application; all they need to do is click on it.

When they do, they will be given a screen like the one below with a list of the AWS accounts and the permissions they are assigned in those accounts.
