AWS Classroom Series – 03/Aug/2020

How can we set up Single Sign On from Active Directory

Why Single Sign On (SSO)

  • It provides a mechanism in which a user authenticates only once and is then authorized to access other applications.
  • In enterprises, users are authenticated by centralised authentication services like Active Directory Service (ADS) or OpenLDAP.

Active Directory Federation Services (ADFS)

  • This service is installed on Windows Server operating systems and can provide users with single sign-on access to systems & applications located across organizational boundaries.
  • ADFS acts as the Identity Provider, which authenticates the user and issues a token containing a series of claims about the user.

Security Assertion Markup Language (SAML)

  • This is an open standard for exchanging authentication & authorization data across organizations.
  • SAML uses tokens, which are digitally signed and encrypted messages carrying authentication & authorization attributes like email, role etc.
  • SAML specification defines
    • the Principal (user)
    • the Identity Provider (IdP)
    • the Service Provider (SP)
  • SAML authentication & authorization process
    • The principal (user) requests a service from the service provider.
    • The service provider requests and obtains an authentication assertion from the identity provider.
    • Based on this assertion, the service provider makes access control decisions for the principal.

How about SSO into AWS

  • Basic workflow
  • Steps:
    1. A user browses to the ADFS site within his domain.
    2. This web page authenticates the user with his email ID and password.
    3. User receives the SAML assertion in the form of authentication response from ADFS
    4. User posts the SAML assertion to the AWS sign-in endpoint.
    5. User’s browser receives the sign-in URL & is redirected to the AWS management console to get access based on the mapped AWS role.
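
The check below is an added example, not part of the original class notes: it decodes the base64 SAML response that ADFS returns in step 3 and reports the validity window, audience, session name and role/provider pairs that AWS will act on in steps 4 and 5. The function names and the sample assertion (unsigned, with a placeholder account ID) are constructed for illustration; the attribute names and audience value are the ones AWS documents for SAML federation.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample; account ID, names and times are placeholders.
SAMPLE_B64 = base64.b64encode(f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="{NS['a']}"><a:Assertion>
<a:Conditions NotBefore="2020-08-03T10:00:00.000Z" NotOnOrAfter="2020-08-03T11:00:00.000Z">
<a:AudienceRestriction><a:Audience>{AWS_AUDIENCE}</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement>
<a:Attribute Name="{SESSION_ATTR}"><a:AttributeValue>user@example.com</a:AttributeValue></a:Attribute>
<a:Attribute Name="{ROLE_ATTR}"><a:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-Dev</a:AttributeValue></a:Attribute>
</a:AttributeStatement></a:Assertion></p:Response>""".encode()).decode()

def parse_time(stamp):
    # ADFS timestamps are UTC and may carry fractional seconds.
    return datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def inspect_assertion(saml_b64, now):
    """Return (session_name, [(role_arn, provider_arn)], problems). Does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(saml_b64))  # prefer defusedxml for untrusted input
    problems = []
    cond = root.find(".//a:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        start, end = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (start and now < parse_time(start)) or (end and now >= parse_time(end)):
            problems.append("outside validity window")
        if AWS_AUDIENCE not in [e.text for e in cond.iterfind(".//a:Audience", NS)]:
            problems.append("audience is not " + AWS_AUDIENCE)
    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("a:AttributeValue", NS)]
             for a in root.iterfind(".//a:Attribute", NS)}
    session = (attrs.get(SESSION_ATTR) or [""])[0]
    if not session:
        problems.append("missing RoleSessionName")
    roles = []
    for value in attrs.get(ROLE_ATTR, []):
        arns = [part.strip() for part in value.split(",")]
        role = next((p for p in arns if ":role/" in p), None)
        provider = next((p for p in arns if ":saml-provider/" in p), None)
        if role and provider:
            roles.append((role, provider))
        else:
            problems.append("malformed Role value: " + value)
    return session, roles, problems
```

An empty role list or a non-empty problems list points at the ADFS claim rules or the relying party trust rather than at the IAM role itself.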

Lab Setup

  1. Create two Windows Server 2016 machines; make one the ADS Domain Controller and the other the Active Directory Federation Server.
  2. Ensure IIS is set up on the servers.
  3. Add users in the Domain Controller.
  4. Ensure you have copied the ADFS metadata file.
  5. Set up the Identity Provider and Roles in AWS
    • Create a SAML based Identity Provider
    • Upload the copied metadata document and verify the connection
  6. Create IAM Roles with SAML 2.0 Federation
  7. Open the ADFS management console on premises and add a Relying Party Trust
