Implementing AWS Single Sign-On (SSO) Using AWS Managed Microsoft AD
AWS Single Sign-On (SSO), now known as IAM Identity Center, allows users to access both AWS and on-premises resources with a single set of credentials. Once integrated with your Managed AD and connected via a Site-to-Site VPN, it eliminates the need for multiple logins in a hybrid environment.
Previously, in our "Connecting Your On-Premises Network to AWS" blog series, we set up a Site-to-Site VPN (Part 1) and configured AWS Managed Microsoft AD as a Domain Controller (Part 2).
This blog covers Part 3, the final step in our three-part series, which guides you through integrating AWS SSO with Managed AD to simplify access to both AWS and on-premises resources.
Prerequisites
Before starting, ensure the following are in place:
- AWS Managed AD: Your AWS Managed Microsoft AD should be set up and integrated with your on-premises Active Directory.
- VPN Connection: The Site-to-Site VPN must be active to ensure secure communication between your AWS and on-premises environments.
- Admin Access: You need admin access to both AWS SSO (IAM Identity Center) and Managed AD, as well as the required AWS permissions to manage AWS SSO.
- AD Group Structure: Ensure you understand how your Active Directory groups are organized and who requires access to specific resources.
Steps to Implement AWS SSO with Managed AD
Now that the prerequisites are met, let’s dive into the integration process:
Step 1: Enabling AWS IAM Identity Center (SSO)
To begin, sign in to the AWS Management Console using your administrator credentials.
- Navigate to IAM Identity Center (formerly AWS Single Sign-On).
- If you're configuring it for the first time, click the “Enable” button to activate the service.
If IAM Identity Center is already enabled in another account (e.g., a team account), the console will display an advisory message.

Once activated, IAM Identity Center generates a custom sign-in portal, for example: https://your-org.awsapps.com/start. This URL can be customized later to better align with your organization’s branding.
Note: Before proceeding, ensure that AWS Organizations is configured, as it is required for IAM Identity Center to manage access across multiple AWS accounts. If not, set it up from the AWS Organizations console—it’s quick and essential.
Step 2: Configuring AWS SSO with Active Directory
Now, let’s integrate AWS SSO with your Active Directory to manage access.
- Sign in to the AWS Management Console and navigate to IAM Identity Center.
- In the IAM Identity Center console, go to the Settings section.
- Click "Change Identity Source" to link your Active Directory. Since we are using AWS Managed Microsoft AD, select it from the available identity sources, and ensure the details (domain name and DNS addresses) are correct.

Once done, AWS SSO will be able to access all Active Directory users and groups for SSO management.
Step 3: Assigning Users and Groups for SSO Access
In this step, we will assign specific users and groups from the Active Directory to AWS SSO to control access to AWS resources.
- Sign in to the AWS Management Console and navigate to IAM Identity Center.
- In the Users or Groups section, click "Add users/groups from Active Directory."
- Search for the relevant Active Directory groups that need access, such as "AWS_Users" for general users and "IT_Admins" for administrators or power users.
Note: These groups should already be set up in your Active Directory from your on-premises environment. If they aren't, create them before proceeding.

Step 4: Configuring Permission Sets
Now that we’ve assigned users and groups, we'll configure permission sets to define access levels for different roles within AWS.
1. In the AWS Management Console, navigate to IAM Identity Center and go to the AWS Accounts section.
2. Choose the AWS accounts to which the selected users and groups need access.
3. Create Permission Sets: Create permission sets for each group based on the required access. Some common permission sets include:
- ReadOnly: Grants view-only access to AWS resources.
- Admin: Provides full administrative access to manage AWS resources.
Tip: Be mindful of the principle of least privilege when creating permission sets. Assign users only the permissions they need to perform their roles.
4. Assign Permission Sets to Users/Groups: After creating the permission sets, you’ll need to assign them to the relevant users or groups. For example:
- Assign the "Admin" permission set to the "IT_Admins" group.
- Assign the "ReadOnly" permission set to the "AWS_Users" group.

5. Review and Confirm: Double-check the assigned permission sets to ensure that each user and group has the appropriate level of access.
These permission sets are not permanent. You can modify or add new permission sets as your organization's needs evolve.
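The same Step 4 mapping of Active Directory groups to permission sets, expressed against the boto3 "sso-admin" API and guarded by a least-privilege check before anything is created. This is an added example, not code from the original post; the instance ARN, account IDs and identity-store group IDs are placeholders you supply, and DryRunClient is a constructed stand-in so the script runs offline.

```python
import re
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed mapping mirroring Step 4: AD group -> permission set name, managed policy, session length.
ROLE_MAP = {
    "IT_Admins": {"name": "Admin", "policy": ADMIN_POLICY, "session": "PT1H"},
    "AWS_Users": {"name": "ReadOnly", "policy": "arn:aws:iam::aws:policy/ReadOnlyAccess", "session": "PT8H"},
}

def session_hours(iso_duration):
    """Parse the ISO-8601 'PTnHnM' session duration a permission set accepts."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration)
    if not m or not any(m.groups()):
        raise ValueError(f"bad session duration: {iso_duration}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60

def least_privilege_violations(role_map, admin_groups=("IT_Admins",), max_admin_hours=4):
    """Flag AdministratorAccess granted outside the allow-listed groups or with a long session."""
    problems = []
    for group, spec in role_map.items():
        if spec["policy"] != ADMIN_POLICY:
            continue
        if group not in admin_groups:
            problems.append(f"{group}: AdministratorAccess is reserved for {admin_groups}")
        if session_hours(spec["session"]) > max_admin_hours:
            problems.append(f"{group}: admin session exceeds {max_admin_hours}h")
    return problems

class DryRunClient:
    """Constructed stand-in for boto3.client('sso-admin'): records calls and returns fake ARNs."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {"PermissionSet": {"PermissionSetArn": f"arn:aws:sso:::permissionSet/example/{kwargs.get('Name')}"}}
        return call

def apply(client, instance_arn, group_ids, account_ids, role_map=ROLE_MAP):
    """Create each permission set, attach its policy, then assign it to the AD group in every account."""
    problems = least_privilege_violations(role_map)
    if problems:
        raise PermissionError("; ".join(problems))
    for group, spec in role_map.items():
        ps_arn = client.create_permission_set(InstanceArn=instance_arn, Name=spec["name"],
                                              SessionDuration=spec["session"])["PermissionSet"]["PermissionSetArn"]
        client.attach_managed_policy_to_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=spec["policy"])
        for account in account_ids:  # creating the assignment also provisions the set into that account
            client.create_account_assignment(InstanceArn=instance_arn, TargetId=account, TargetType="AWS_ACCOUNT",
                                             PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_ids[group])
```

For a real run, pass boto3.client("sso-admin") instead of DryRunClient, with group_ids holding the GroupId values the identitystore client returns for your Managed AD groups.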
Conclusion:
With this, you’ve now successfully integrated AWS Single Sign-On (SSO) with AWS Managed Microsoft AD, streamlining access management for both AWS and on-premises resources.
By setting up Managed AD, establishing a secure VPN connection, and enabling single sign-on, you have simplified user authentication and enhanced security across your entire environment.
This setup not only improves operational efficiency but also ensures secure, centralized management of user access as your infrastructure expands.