How can we setup Single Sign On From Active Directory
Why Single Sign On (SSO)
- It provides a mechanism in which user authenticates only once & they get authorized for access of other applications.
- In Enterprises, Users are authenticated from centrlised authentication services like Active Directory Service (ADS) or Open LDAP.
Active Directory Federation Services (ADFS)
- This service is installed on Windows Server Operating Systems, which can provide users with Single sign-on access to systems & applications located across organizational boundaries.
- ADFS acts as Identity Provider which authenticates the user and issues a token containing a series of claims about the user.
Security Assertion Markup Language (SAML)
- This is open Standard for authentication & authorization of data across organizations.
- SAML will use tokens which are digitally signed and encrypted messages with authentication & authorization attributes like EMail, role etc.
- SAML specification defines
- the Principal (user)
- an Identity Providers (IdP)
- Service Provider (SP)
- SAML authentication & authorization process
- The principal (user) requests a service from service provider.
- The service provider will requests and obtains authentication assertions from the identity provider.
- Based on this assertion Service provider makes access control decisions for the principal
How about SSO into AWS
- Basic workflow
- A user browses ADFS site (https://learningthoughts.in/adfs/ls/IdpIntiatiatedSignon.aspx) with in his domain
- This web page authenticates the user against his email-id and password.
- User receives the SAML assertion in the form of authentication response from ADFS
- User posts the SAML assertion to AWS sign-in endpoint (https://signin.aws.amazon.com/saml)
- User’s browser receives the sign-in URL & is redirected to AWS management console to get access based on Mapped AWS role.
- Create two Windows Server 2016 and make one Windows Server ADS Domain Controller and other Active Directory Federation Server.
- Ensure IIS is setup on the Servers.
- Add users in the Domain Controller
- Ensure you have ADFS metadata file copied
- Setup Identity Provider and Roles in AWS
- Create a SAML based Identity Provider
- Upload the copied metadata document and verify connection
- Create IAM Roles with SAML 2.0 Federation
- Open ADFS management console in on premises and Add Relying party trust