AWS Federated Authentication with AD FS
© 2022 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or
redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc.
Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Note: Do not include any personal, identifying, or confidential information into the lab environment.
Information entered may be visible to others.
Overview
This lab takes you through the process of configuring Active Directory Federation Services (AD FS) with
AWS Identity and Access Management (IAM), which enables Active Directory users and groups to access the
AWS Management Console. You will use the AWS support for Security Assertion Markup Language
(SAML), an open standard used by many identity providers (IdPs). This feature enables federated single sign-on (SSO), which lets users sign in to the console or make programmatic calls to AWS application
programming interfaces (APIs) by using assertions from a SAML-compliant IdP like AD FS. With identity
federation, external identities or federated users are granted secure access to resources in the AWS account
without requiring you to create IAM users.
OBJECTIVES
After completing this lab, you will be able to:
PREREQUISITES
This lab requires:
Access to a notebook computer with Wi-Fi running Microsoft Windows, Mac OS X, or Linux
(Ubuntu, SuSE, or Red Hat)
For Microsoft Windows users: Administrator access to the computer
An internet browser such as Chrome, Firefox, or Internet Explorer 9 (previous versions of Internet
Explorer are not supported)
Note This lab is currently incompatible with Internet Explorer 11. Use a different browser to launch
this lab.
DURATION
This lab takes approximately 60 minutes to complete.
Note Once you click Start Lab, it takes about 10 minutes for the environment to deploy.
Step 1. The flow is initiated when a user browses to the AD FS sample site
(https://Fully.Qualified.Domain.Name.Here/adfs/ls/IdpInitiatedSignOn.aspx) inside their domain. When you
install AD FS, you get a new virtual directory named AD FS for your default website, which includes this
page.
Step 2. The sign-on page authenticates the user against Active Directory. Depending on the user’s browser,
they might be prompted for their Active Directory username and password.
Step 3. The user’s browser receives a SAML assertion in the form of an authentication response from AD FS.
Step 4. The user’s browser posts the SAML assertion to the AWS sign-in endpoint for SAML
(https://signin.aws.amazon.com/saml). Behind the scenes, sign-in uses the AssumeRoleWithSAML API to
request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.
Step 5. The user’s browser receives the sign-in URL and is redirected to the console.
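The SAMLResponse that the browser posts in Step 4 is a base64-encoded XML document. The following Python is an added example, not part of the lab, that decodes a constructed, unsigned sample of such a response and extracts the two attributes the AWS sign-in endpoint relies on: the Role pairs that become the PrincipalArn and RoleArn of AssumeRoleWithSAML, and the RoleSessionName. The attribute names are the real AWS ones; the account id, provider name, role names and session name are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample of the response AD FS returns in Step 3.
# A real one carries an XML signature that AWS verifies against the signing
# certificate published in FederationMetadata.xml; that check is not modelled.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>Administrator</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/AWS-View-EC2</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/AWS-View-S3</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
# What the browser actually POSTs: the XML, base64-encoded, in the SAMLResponse field
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_aws_attributes(saml_response_b64):
    """Decode the SAMLResponse field and collect every attribute's values by name."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip()
                                   for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def role_choices(attrs):
    """Split each Role value into (provider ARN, role ARN), i.e. the PrincipalArn and
    RoleArn that AssumeRoleWithSAML takes. AWS accepts the two ARNs in either order;
    the lab writes the provider first. Both ARNs must belong to the same account."""
    choices = []
    for value in attrs.get(ROLE_ATTR, []):
        first, second = value.split(",")
        provider, role = (first, second) if ":saml-provider/" in first else (second, first)
        if provider.split(":")[4] != role.split(":")[4]:
            raise ValueError("provider and role ARN are in different accounts: " + value)
        choices.append((provider, role))
    return choices


def session_name(attrs):
    """RoleSessionName is single-valued and is shown in the console as part of the session identity."""
    return attrs[SESSION_ATTR][0]
```

When more than one Role value is present, as here, the sign-in endpoint asks the user which role to assume before calling AssumeRoleWithSAML.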
PROVISIONED INFRASTRUCTURE
To help you focus on the topics for this lab, you have been provided an automatically generated environment,
which contains a preinstalled Active Directory domain controller with a domain called mydomain.local.
The domain controller instance is in a private subnet. There is also a public subnet with an instance for network
address translation (NAT) and an instance for Remote Desktop Gateway (RD Gateway). The public subnet is
also referred to as a DMZ. Routing tables, subnets, and an internet gateway have also been provisioned as
needed by Active Directory. The following diagram shows this setup, including the AD FS instance that you
will launch in the private subnet during the lab:
The NAT instance allows outbound internet access (e.g., for Windows Update or to reach IAM) for instances
in the private subnet. The RD Gateway instance allows only inbound administrative access over remote
desktop protocol (RDP) to instances in the private subnet.
Note To log in to your private subnet instances, you must first use an RDP client to connect to the public-facing RD Gateway instance. Then you can open an RDP connection from the RD Gateway instance to the domain controller instance or AD FS instance in the private subnet using the private IP address. In this case, the RD Gateway instance acts as a bastion (jump) host.
Start lab
1. To launch the lab, at the top of the page, choose Start lab .
You must wait for the provisioned AWS services to be ready before you can continue.
If you see the message, You must first log out before logging into a different AWS account:
In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button
from working as intended. If you experience an issue starting the lab:
Add the lab domain name to your pop-up or script blocker’s allow list or turn it off.
Refresh the page and try again.
3. In the AWS Management Console, click Services, and then click EC2.
User name:
mydomain\Administrator
Password: Paste the value of AdministratorPassword value located to the left side of the lab page.
Remote
10.0.0.10
administrator
For Password, enter the AdministratorPassword value located to the left side of the lab page.
16. If prompted that the identity of the remote computer cannot be verified, click Yes.
18. On the domain controller instance (IP address 10.0.0.10), click Start , and type
Active Dir
19. In the search results, click Active Directory Users and Computers.
21. In the New Object - Group window, for Group name, enter
AWS-View-EC2
Note When working with AD FS and SAML, group names and user names in Active Directory and IAM are
case-sensitive. Type this name exactly as it appears.
Administrator
29. Click OK, and then click OK again to close the windows.
Now you will create a second group to see how you can restrict user AWS Management Console access using
Active Directory. In a production environment, you would assign users to groups as appropriate; however, for
this lab you will use a single user and put them in multiple groups so you can see the functionality.
30. At the top-right of the Active Directory Users and Computers window, click the left arrow icon to
return to the mydomain.local level.
AWS-View-S3
Note When working with AD FS and SAML, group names and user names in Active Directory and IAM are
case-sensitive.
Administrator
40. Click OK, and then click OK again to close the windows.
Now you need to create a user that will be used later to configure AD FS.
41. At the top-right of the Active Directory Users and Computers window, click the left arrow icon to
return to the mydomain.local level.
ADFSSVC
ADFSSVC
Note When working with AD FS and SAML, group names and user names in Active Directory and IAM are
case-sensitive.
45. Uncheck the User must change password at next logon check box.
Mypa$$word123
Remote
10.0.0.15
administrator
For Password, enter the AdministratorPassword value located to the left side of the lab page.
54. Click OK, and then click Yes.
55. If prompted that the identity of the remote computer cannot be verified, click Yes.
57. On the AD FS instance (IP address 10.0.0.15), click Start , and type
Windows PowerShell
C:\Windows\System32\control.exe ncpa.cpl
61. In the Ethernet Properties window, double-click Internet Protocol Version 4 (TCP/IPv4).
10.0.0.10
ping mydomain.local
This should resolve to 10.0.0.10, which is the IP address of the domain controller.
67. Open the System Properties window by running the following command in PowerShell:
systempropertiescomputername
adfsserver
mydomain.local
Administrator
Password: Paste the AdministratorPassword value from the left side of the lab page
76. The system prompts you to reboot the instance. Click Restart Now.
Note Make sure you log in to the AD FS domain by updating the user name.
Computer: Enter
10.0.0.15
mydomain\administrator
Password: Enter the AdministratorPassword value from the left side of the lab page
Note To enter the user name and password, you might need to click More choices and then Use a different
account.
83. In the AD FS instance (IP address 10.0.0.15), click Start , and then click Server Manager.
Note It may take a few seconds for Server Manager to load completely.
84. If you see a window that says, Try managing servers with Windows Admin Center, click the X to
close the window.
89. On the Select server roles page, select Web Server (IIS). A dialog box opens.
96. Wait for the installation to finish, and then click Close.
97. Click Tools > Internet Information Services (IIS) Manager.
Note The Tools menu is at the top-right corner of the Server Manager dashboard.
100. In the Actions pane on the right, click Create Self-Signed Certificate.
adfs
Select a certificate store for the new certificate: Select Web Hosting
103. In the server certificates list, right-click the adfs certificate, and select Export.
C:\Users\administrator.mydomain\Desktop\adfs.pfx
Password: Enter
Mypa$$word123
Mypa$$word123
111. On the Select server roles page, select Active Directory Federation Services.
114. On the Active Directory Federation Services (AD FS) page, click Next.
115. On the Confirm installation selections page, select Restart the destination server
automatically if required.
118. Wait for the installation to complete. Then, click the Configure the federation service on
this server link.
Note If you closed the window before clicking the link, open the next wizard by clicking the notification icon
in the Server Manager menu bar.
119. On the Welcome page, make sure Create the first federation server in a federation server
farm is selected. Then, click Next.
120. On the Connect to Active Directory Domain Services page, verify that mydomain\administrator is listed.
Click Change
For User name, enter
mydomain\administrator
For Password, enter the AdministratorPassword value from the left side of the lab page
Click OK
121. Click Next.
123. Select the adfs.pfx certificate file that you created earlier, and click Open.
Mypa$$word123
The SSL Certificate and Federation Service Name fields are updated.
AWSADFS
ADFSSVC
Mypa$$word123
133. On the Review Options page, review your options, and then click Next.
Note When the installation is finished, you may see an error message related to SPN configuration. This is a
known issue that sometimes occurs with AD FS setup. If you receive the error, open PowerShell and run the
following command:
setspn -a host/localhost adfssvc
This command registers the Service Principal Names. The success message should look like the following:
137. Open PowerShell, and run the following commands separately to download the SAML
metadata document for the AD FS instance:
cd Desktop
wget https://adfsserver.mydomain.local/FederationMetadata/2007-06/FederationMetadata.xml -OutFile FederationMetadata.xml
138. Open the FederationMetadata.xml file that you just created using a text editor such as
Notepad.
139. Copy the contents of the file to a text file on your personal desktop.
Note Depending on your version and settings for remote desktop, you can try to copy and paste the file itself
from the remote desktop to your local desktop.
FederationMetadata.xml
Next, you will upload the FederationMetadata.xml file to the AWS Management Console.
141. In the AWS Management Console, click Services, and click IAM.
ADFS
146. Browse to and select the FederationMetadata.xml file that you saved earlier.
For this lab, two roles have been created for you to use when logging in to the AWS Management Console. One role, AWS-View-EC2, allows you to view all EC2 information, while the other, AWS-View-S3, allows you to view all S3 resources. You will set up the AD FS server to allow these roles to be assumed and examine the AWS Management Console to see how access is restricted.
150. In the PROPERTIES section to the right, for IE Enhanced Security Configuration, click
the On link.
151. For both Administrators and Users, select Off, and then click OK.
Note The Tools menu is at the top-right corner of the Server Manager dashboard.
153. In the Actions pane on the right, click Add Relying Party Trust….
Note You can also click Required: Add a trusted relying party in the Overview section.
155. On the Select Data Source page, confirm that Import data about the relying party
published online or on a local network is selected.
https://signin.aws.amazon.com/static/saml-metadata.xml
157. Click Next.
161. On the Finish page, select Configure claims issuance policy for the application.
163. In the AD FS Management area of Server Manager, in the left navigation pane, click
the Relying Party Trusts folder.
Note To access the AD FS Management area of Server Manager, click Tools > AD FS Management.
The Tools menu is at the top-right corner of the Server Manager dashboard.
164. In the Actions pane on the right, click Edit Claim Issuance Policy.
Name ID
171. For Claim rule template, select Send LDAP Attributes as Claims.
172. Click Next.
RoleSessionName
https://aws.amazon.com/SAML/Attributes/RoleSessionName
176. For Claim rule template, select Send Claims Using a Custom Rule.
Get AD Groups
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);
This rule uses the standard Active Directory schema to identify user groups from Active Directory and pass
them to IAM.
180. In the AWS Management Console, click Services, and click IAM.
Note Click the Provider Name, not the checkbox next to the provider.
183. Copy the Provider ARN value and save it to use later.
186. Copy the Role ARN value and save it to use later.
187. In your text editor, delete the word View-EC2 from the end of the role ARN.
Note The value should now look similar to the following: arn:aws:iam::111122223333:role/AWS-
189. In the Edit Claim Issuance Policy window, click Add Rule.
Note If you closed this window, follow these steps to open it:
190. For Claim rule template, select Send Claims Using a Custom Rule.
Roles
193. In the pasted text, replace SAMLARN with the provider ARN value you saved earlier.
Replace ROLEARN with the role ARN value that you saved earlier.
Note Check that you have removed the word Production from the end of the role ARN.
The custom rule text should now look similar to the following:
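The Roles rule text you paste in steps 190 to 193 is not reproduced on this page. As an added example, not the lab's own rule, the Python below mirrors what that rule does with the two ARNs saved in steps 183 and 187: it strips View-EC2 from the role ARN to obtain the shared prefix, keeps only the tokenGroups that begin with AWS-, and substitutes SAMLARN,ROLEARN for that leading AWS- so each qualifying group yields one Role claim value. The account id and the group list are constructed.

```python
import re

# Values the lab has you copy from the IAM console (account id is the same
# placeholder the lab's own note uses; provider name ADFS is from step 141 onward)
PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/ADFS"
ROLE_ARN_EC2 = "arn:aws:iam::111122223333:role/AWS-View-EC2"

# Constructed tokenGroups for the lab's single user, who was put in both AWS groups
SAMPLE_TOKEN_GROUPS = ["Domain Users", "Domain Admins", "AWS-View-EC2",
                       "AWS-View-S3", "Backup-AWS-Team"]


def role_arn_prefix(role_arn):
    """Step 187: delete the group-specific suffix (View-EC2) so the prefix ends in AWS-
    and can be reused for every AWS-* group."""
    cut = role_arn.rindex("AWS-") + len("AWS-")
    return role_arn[:cut]


def aws_groups(token_groups):
    """Only groups whose name starts with AWS- name an IAM role; the comparison is
    case-sensitive, matching the lab's note on group names."""
    return [g for g in token_groups if g.startswith("AWS-")]


def role_claims(token_groups, provider_arn, role_prefix):
    """Assumed shape of the Roles rule: the leading AWS- of each qualifying group is
    replaced by 'SAMLARN,ROLEARN', giving '<provider ARN>,<role ARN>' per group."""
    if provider_arn.split(":")[4] != role_prefix.split(":")[4]:
        raise ValueError("provider ARN and role ARN were copied from different accounts")
    replacement = provider_arn + "," + role_prefix
    return [re.sub(r"^AWS-", replacement, g) for g in aws_groups(token_groups)]
```

A user who is in neither AWS- group produces an assertion with no Role attribute, and the AWS sign-in endpoint rejects it.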
196. On the AD FS instance desktop, open PowerShell and run the following command:
You may use any browser; however, you may need to change security configuration settings based on the
browser type.
198. Copy and paste the following URL in the address bar:
https://localhost/adfs/ls/IdpInitiatedSignOn.aspx
Note If prompted that the connection is not private, click Advanced, and then click Proceed to localhost
(unsafe).
199. Select Sign in to one of the following sites, and then click Sign in.
mydomain\Administrator
Password: Enter the value of AdministratorPassword from the left side of the lab page
You should see three instances listed. This is because the role you assumed has read access to EC2.
Note If you do not see any resource information on the EC2 Dashboard, check the Region. Make sure the
Region you are using on the console within the RDP session matches the Region displayed to the left of these
instructions.
Since you logged in with a role that only allows you to view EC2 information, you are denied access to view
any information about Amazon S3.
205. Return to the localhost AD FS login page by copying and pasting the following URL in the
address bar:
https://localhost/adfs/ls/IdpInitiatedSignOn.aspx
You should see a warning indicating You are not authorized to perform this operation. This is because the role
you signed in with does not have permission to use EC2.
By creating IAM roles and AD FS groups, you are able to assign specific permissions to users to limit their
access to appropriate parts of the AWS Management Console.
For reference, see the following detailed blog article on this topic (with Windows Server 2008 R2): https://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
End lab
Follow these steps to close the console and end your lab.
212. At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.
213. Choose End lab and then confirm that you want to end your lab.
Conclusion
Congratulations! You have now successfully:
Additional resources
Amazon EC2
For more information about AWS Training and Certification, see https://aws.amazon.com/training/.
Appendix
Access to a Microsoft Windows EC2 instance requires a secure connection using an RDP client. The following
directions walk you through the process of connecting to your Windows EC2 instance.
On Windows 7, click the Start button. In the search box, start typing
215. For the Computer field, enter the public IP address of the Windows instance.
Note You may need to click More choices and then Use a different account.
Note By default, the application uses your current Windows user name and domain. For the lab, you will use a
specified user name and domain in the RDP client.
Username: Enter
mydomain\Administrator
Password: Paste the value of AdministratorPassword located to the left of these instructions.
220. If prompted that the identity of the remote computer cannot be verified, click Yes.
The connection to your remote instance should start momentarily.
WINDOWS RDG
mydomain\Administrator
Password: Paste the value of AdministratorPassword located to the left of these instructions.
225. Close the Edit Remote Desktops window by clicking the red close button at the top-left
corner.
226. In the Microsoft Remote Desktop window, select the WINDOWS RDGW connection, and
then click Start.
The connection to your remote instance should start momentarily.