{"id":4044,"date":"2018-02-21T21:07:14","date_gmt":"2018-02-21T21:07:14","guid":{"rendered":"https:\/\/geekdecoder.com\/?p=4044"},"modified":"2018-02-21T21:07:14","modified_gmt":"2018-02-21T21:07:14","slug":"enabling-federation-aws-using-windows-active-directory-adfs-saml-2-0","status":"publish","type":"post","link":"https:\/\/www.qbytes.cloud\/index.php\/2018\/02\/21\/enabling-federation-aws-using-windows-active-directory-adfs-saml-2-0\/","title":{"rendered":"Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0"},"content":{"rendered":"

Setting up and Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0. This KB assumes that you have a windows server with IIS, Active Directory, Active Directory Federation Services and Certificate Services Installed.<\/p>\n

First, perform the following in your domain:<\/p>\n

    \n
  1. Create two AD Groups named AWS-Production and AWS-Dev. AWS Production will have users that have administrative access and the\u00a0AWS-Dev will have S3 , EC2 and RDS servies in AWS.<\/li>\n
  2. Create users that will go into the accounts.<\/li>\n
  3. Give the users email address (e.g., dev@myemail.com).<\/li>\n
  4. Add users to the AWS-Production and AWS-Dev groups.<\/li>\n<\/ol>\n

    <\/p>\n

    Open Server Manager. Go To AD DS on the left and click. Right click on the server in the middle and go to “Active Directory Users and Computers”.<\/p>\n

    Create our Groups. Right Click the server name and go to “New” and click “Group”.<\/p>\n

    \"\"<\/a><\/p>\n

    Name the new group – AWS-Dev. Click OK.<\/p>\n

    \"\"<\/a><\/p>\n

    Repeat the steps to add the AWS-Production Group.<\/p>\n

    Create Users for the AWS-Dev Group.<\/p>\n

    \"\"<\/a><\/p>\n

     <\/p>\n

    Add a new User called Dev. This user will be in our development Group.<\/p>\n

    \"\"<\/a><\/p>\n

    Give a password and click finish. Now right click on the user and go to properties. Add an email to the user. This email will be used to login to the ADFS web page. Click OK.<\/p>\n

    \"\"<\/a><\/p>\n

    Now click the “Member Of” Tab.<\/p>\n

    \"\"<\/a><\/p>\n

    Click Add. Type AWS and click check names. The AWS-Dev should be displayed. Click OK. Click OK again.<\/p>\n

    \"\"<\/a><\/p>\n

    Repeat the steps to add the user to the AWS-Production Group.<\/p>\n

    The Group and User are now added to Active Directory.<\/p>\n

    Now we need to login to the AWS console and create the SAML Provider and the role for the AWS-Dev group we created in AD.<\/p>\n

    If you\u2019ve never done this, I recommend taking a look at the\u00a0IAM user guide<\/a>. Before you create a SAML provider, you need to download the SAML metadata document for your ADFS federation server. By default, you can download it from following address:<\/p>\n

    https:\/\/<yourservername>\/FederationMetadata\/2007-06\/FederationMetadata.xml<\/p>\n

    I named my SAML provider\u00a0ADFS<\/strong>. When you have the SAML metadata document, you can create the SAML provider in AWS.<\/p>\n

    When I finished creating the SAML provider, I created one IAM role.<\/p>\n

    I named the role ADFS-Dev. Do these names look familiar? They should. They are the complement to the AD groups created earlier. During the SAML authentication process in AWS, these IAM roles will be matched by name to the AD group (AWS-Dev) via ADFS claim rules.<\/p>\n

    Note<\/strong>: Remember that if you\u2019re following along with this description, you need to use exactly the same names that we use. Make sure that you name the IAM role ADFS-Dev.<\/p>\n

    Find the ARNs for the SAML provider and for the roles that you created and record them. You\u2019ll need the ARNs later when you configure claims in the IdP.<\/p>\n

    That\u2019s it for the AWS configuration steps.<\/p>\n

    Configuring AWS as a Trusted Relying Party<\/h3>\n

    Go to the server manager on the server and select on the right – “Tools” and click “AD FS Management”.<\/p>\n

    \"\"<\/a><\/p>\n

    Either right click on the AD FS on the left and choose “Add Relying Party Trust” or on the Right Side.<\/p>\n

    \"\"<\/a><\/p>\n

    Select “Clams Aware” and “Start”.<\/p>\n

    \"\"<\/a><\/p>\n

    Check on “Import data about the relying party published online or on a local network”, put in<\/p>\n

    https:\/\/signin.aws.amazon.com\/static\/saml-metadata.xml<\/p>\n

    and then click\u00a0Next. The metadata XML file is a standard SAML metadata document that describes AWS as a relying party.<\/p>\n

    \"\"<\/a><\/p>\n

    Set the display name for the relying party and then click\u00a0<\/strong>Next.<\/p>\n

    \"\"<\/a><\/p>\n

    Choose your authorization rules. For my scenario, I chose\u00a0Permit all users to access this relying party. When you\u2019re done, click\u00a0Next.<\/p>\n

    \"\"<\/a><\/p>\n

    Review your settings and then click\u00a0Next<\/strong>.<\/p>\n

    \"\"<\/a><\/p>\n

    Make sure “Configure claims issuance policy for this application” is check on and click Close.<\/p>\n

    \"\"<\/a><\/p>\n

    Configuring Claim Rules for the AWS Relying Party<\/p>\n

    In these steps we\u2019re going to add the claim rules so that the elements AWS requires and ADFS doesn\u2019t provide by default (NameId, RoleSessionName, and Roles) are added to the SAML authentication response. If you forgot to check the box to launch the claim rule dialog, right-click on the relying party (in this case Amazon Web Service SignOn) and then click\u00a0Edit Claim Issuance Policy.<\/p>\n

    \"\"<\/a><\/p>\n

    In the\u00a0Edit Claim Issuance Policy for AWS Web Service SignOn dialog box, click\u00a0Add Rule.<\/p>\n

    \"\"<\/a><\/p>\n

    Select\u00a0Transform an Incoming Claim<\/strong>\u00a0and then click\u00a0Next<\/strong>.<\/p>\n

    \"\"<\/a><\/p>\n

    Use the following settings:<\/div>\n
    a.\u00a0\u00a0\u00a0Claim rule name<\/strong>: NameId<\/div>\n
    b. \u00a0\u00a0Incoming claim type<\/strong>: Windows Account Name<\/div>\n
    c. \u00a0\u00a0Outgoing claim type<\/strong>: Name ID<\/div>\n
    d.\u00a0\u00a0Outgoing name ID format<\/strong>: Persistent Identifier<\/div>\n
    e.\u00a0\u00a0Pass through all claim values:\u00a0<\/strong>checked<\/div>\n
    <\/div>\n
    \"\"<\/a><\/div>\n
    Click Finish.<\/div>\n
    <\/div>\n
    \n

    Adding a RoleSessionName<\/h4>\n
    1. \u00a0 Click\u00a0\u00a0Add Rule<\/strong><\/div>\n
    2. \u00a0 In the\u00a0\u00a0Claim rule template<\/strong>\u00a0list, select\u00a0\u00a0Send LDAP Attributes as Claims<\/strong>.<\/div>\n
    \"\"<\/a><\/div>\n
    \n
    Use the following settings:<\/div>\n
    a.\u00a0Claim rule name<\/strong>: RoleSessionName<\/div>\n
    b.\u00a0Attribute store<\/strong>: Active Directory<\/div>\n
    c.\u00a0LDAP Attribute<\/strong>: E-Mail-Addresses<\/div>\n
    d.\u00a0Outgoing Claim Type<\/strong>\u00a0: https:\/\/aws.amazon.com\/SAML\/Attributes\/RoleSessionName<\/div>\n
    <\/div>\n<\/div>\n
    \"\"<\/a><\/div>\n
    \n

    Click\u00a0Finish<\/p>\n

    Adding Role Attributes<\/h4>\n

    I\u2019ll pause here to provide a little more context because for these steps it might not be as obvious what\u2019s going on. Unlike the two previous claims, here I used custom rules to send role attributes. This is done by retrieving all the authenticated user\u2019s AD groups and then matching the groups that start with to IAM roles of a similar name. I used the names of these groups to create Amazon Resource Names (ARNs) of IAM roles in my AWS account (i.e., those that start with\u00a0AWS-).<\/p>\n

    Sending role attributes required two custom rules. The first rule retrieves all the authenticated user\u2019s AD group memberships and the second rule performs the transformation to the roles claim. Here\u2019s how I did it.<\/p>\n

    1. \u00a0Click\u00a0\u00a0Add Rule<\/strong>.<\/div>\n
    2. \u00a0In the\u00a0\u00a0Claim rule template<\/strong>\u00a0list, select\u00a0\u00a0Send Claims Using a Custom Rule<\/strong>\u00a0and then click\u00a0\u00a0Next<\/strong>.<\/div>\n<\/div>\n<\/div>\n
    <\/div>\n
    \"\"<\/a><\/div>\n
    For\u00a0Claim Rule Name<\/strong>, select\u00a0Get AD Groups<\/strong>, and then in\u00a0Custom rule<\/strong>, enter the following:<\/div>\n
    <\/div>\n
    c:[Type == "http:\/\/schemas.microsoft.com\/ws\/2008\/06\/identity\/claims\/windowsaccountname", Issuer == "AD AUTHORITY"] =&gt; add(store = "Active Directory", types = ("http:\/\/temp\/variable"), query = ";tokenGroups;{0}", param = c.Value);\n\n<\/pre>\n
    \"\"<\/a><\/p>\n
    This custom rule uses a script in the claim rule language that retrieves all the groups the authenticated user is a member of and places them into a temporary claim named\u00a0http:\/\/temp\/variable. (Think of this as a variable you can access later.) I use this in the next rule to transform the groups into IAM role ARNs.<\/p>\n
    4. \u00a0Click\u00a0\u00a0OK<\/strong>.<\/div>\n
    5. \u00a0Click\u00a0\u00a0Add Rule.<\/strong><\/div>\n
    6. \u00a0Repeat the preceding steps, but this time, type\u00a0\u00a0Roles<\/strong>\u00a0for\u00a0\u00a0Claim rule name<\/strong>\u00a0and use the following script:<\/div>\n
    c:[Type == "http:\/\/temp\/variable", Value =~ "(?i)^AWS-"] =&gt; issue(Type = "https:\/\/aws.amazon.com\/SAML\/Attributes\/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::123456789012:saml-provider\/ADFS,arn:aws:iam::123456789012:role\/ADFS-"));\n<\/pre>\n
    \"\"<\/a><\/p>\n
     <\/p>\n
    This rule uses a custom script to get all the groups from the temporary claim () and then uses the name of the group to create the principal\/role pair, which has this format:<\/p>\n
    ARN of SAML provider,ARN of role to assume<\/h4>\n
    In my example, it comes out this way:<\/p>\n
    arn:aws:iam:123456789012:saml-provider\/ADFS,arn:aws:iam:123456789012:role\/ADFS-<\/p>\n
    In the example, I used an account number of 123456789012. Make sure you change this to your own AWS account.<\/p>\n
    7. \u00a0Click\u00a0OK.<\/strong><\/p>\n
    \"\"<\/a><\/p>\n
    Testing steps<\/p>\n
    In your domain, browse to the following address: \u00a0https:\/\/localhost\/adfs\/ls\/IdpInitiatedSignOn.aspx<\/p>\n
    If you\u2019re using a locally signed certificate from IIS, you might get a certificate warning.<\/p>\n
    \"\"<\/a><\/p>\n
    Error. I received and error when I tried the page:<\/h5>\n
    Exception details:
    \nMicrosoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.<\/p>\n
    \"\"<\/a><\/p>\n
    The event viewer gave me a an error which was not really helping at first.<\/p>\n
    \"\"<\/a><\/p>\n
    But when I looked closely I noticed the line Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException.
    \nWell it turns out that this feature is by\u00a0default disabled in the ADFS properties on Windows Server 2016.<\/p>\n
    You can enable the test page by using the following powershell command:<\/p>\n
    set-AdfsProperties -EnableIdPInitiatedSignonPage $true\n<\/pre>\n
    \"\"<\/a><\/p>\n
    If we try the https:\/\/localhost\/adfs\/ls\/IdpInitiatedSignon.aspx\u00a0again we now receive a known web page with a Sign In button.<\/p>\n
    \"\"<\/a><\/p>\n
    Select\u00a0Sign in to one of the following sites<\/strong>, select\u00a0Amazon Web Service SignOn<\/strong>\u00a0from the list, and then click\u00a0Sign In<\/strong>.<\/p>\n
    If prompted, enter in a username and password (remember to use the Dev Account that you setup earlier – dev@myemail.com). You are redirected to the\u00a0Amazon Web Services Sign-In<\/strong>\u00a0page.<\/p>\n
    \"\"<\/a><\/p>\n
     <\/p>\n
    Select a role and then click\u00a0Sign In<\/strong>. (If you are mapped to only a single IAM role, you skip the role selection step and are automatically signed into the AWS Management Console.).<\/p>\n
    Success!<\/p>\n
    Note: In windows 2016, the users set up in Active directory may have a different sign in domain depending on how you set it up. Check the email vs the User logon name in the Active Directory Users and Computers.<\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n
     <\/p>\n","protected":false},"excerpt":{"rendered":"
    Setting up and Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0. This KB assumes that you have a windows server with IIS, Active Directory, Active Directory Federation Services and Certificate Services Installed. First, perform the following in your domain: Create two AD Groups named AWS-Production and AWS-Dev. AWS Production will have … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[127],"tags":[],"class_list":["post-4044","post","type-post","status-publish","format-standard","hentry","category-winserv"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/4044","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=4044"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/4044\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=4044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=4044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=4044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}