saml2aws Documentation for Azure Active Directory

September 10, 2019 · View on GitHub

Instructions for setting up single sign on (SSO) with Amazon AWS using Azure AD and saml2aws.

Azure AD Single Sign-On (SSO) with Amazon AWS
- Configure

Azure AD Single Sign-On (SSO) with Amazon AWS

When configuring saml2aws to work with Azure AD, you must first acquire the Azure AD Enterprise App Id.

This can be easily achieved by browsing MyApps at https://myapps.microsoft.com/ and logging in. Click your AWS app, and immediately copy the URL that it loads, before the redirect. It will look something like this:

https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=SignIn&applicationId=2784b9b1-53ed-4883-95a8-56bf94ad4f5f&ApplicationConstName=aws&SingleSignOnType=Federated&ApplicationDisplayName=Amazon%20Web%20Services%20%28AWS%29&tenantId=8273303e-1e63-49f2-9812-43c86b5b11ec

From within this URL, grab the applicationId querystring parameter. In the above, it is:

2784b9b1-53ed-4883-95a8-56bf94ad4f5f

This will be your app ID when prompted by saml2aws.

Configure

Configure your application(s) with saml2aws. For example:

saml2aws configure \
  --idp-provider='AzureAD' \
  --mfa='Auto' \
  --profile='saml' \
  --url='https://account.activedirectory.windowsazure.com' \
  --username='road.runner@the-acme-corporation.com' \
  --app-id='2784b9b1-53ed-4883-95a8-56bf94ad4f5f' \
  --skip-prompt

This creates (or modifies) ${HOME}/.saml2aws. You can log in there and make any additional changes as needed.

From here, execution and authentication occurs as per the standard documentation.

Further Information

Currently this provider supports the following MFA scenarios:

PhoneAppOTP
PhoneAppNotification
OneWaySMS