Skip to main content
Sponsor @cloudposse

How to Setup SAML Login to AWS from Office 365

Problem

Office 365 is a common business suite that has an active director to manage users and permissions. We need to utilize this to login to AWS.

Solution

Azure Devops has Enterprise Apps that are used to sign into things from your O365 Account.

AWS SAML

  1. Under https://aad.portal.azure.com/#allservices/category/All go to Enterprise Applications

  2. Click New Application

  3. Choose the right application, for SAML it’s AWS Single-Account Access

  4. Click Create, default options are fine

  5. On the Left Panel Click Single sign-on

  6. Choose SAML as the Select a single sign-on method.

  7. You may be prompted to change or use the defaults, if you have many aws single account logins you will need to modify the defaults.

  8. Ensure the Identifier(Entity ID) is set to something valid (Should be https://signin.aws.amazon.com/saml optionally add a #identifier

  9. Download the XML File by Pressing the Button on Step 5 Setup <App Name>. This should download an XML File, please send this to the CloudPosse Team, this will be placed in your aws-saml component to add your login.

Setting up Login Role

The next steps determine which role you sign into from the app. By default we recommend this be the admin team role that has administrative in almost every account (besides creating roles in identity, nor organization permissions in root). If you want to use a different team role, please ensure you understand the team permissions.

Under the apps Single sign-on configuration (where the last steps left off) Step 2 has an attribute called Role. this is the Role given to the user to attempt to sign into.


The AWS Docs (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute) require this to be of the format:

  <AttributeValue>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</AttributeValue>

This means your user.assignedroles in azure should be arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name

for example: arn:aws:iam::00000000000:role/abc-core-gbl-identity-admin,arn:aws:iam::00000000000:saml-provider/abc-core-gbl-identity-provider-azure-ad, these values are generated from the aws-saml component, and should be given by the CloudPosse Team.

caution

Changing a Users Assigned Roles requires an escalated level of Azure Active Directory. (Hidden behind a paywall)

tip

If you are using the most basic plan you can get around this paywall with a regex expression.

Workaround Regex:

  • Step 2 edit the attributes and claims, edit specifically the Role
  • Set the Source to be a transformation of anything such as RegexReplace (user.primaryauthoritativeemail)
  • Set the Regex pattern to be (.+)$
  • Set the Replacement pattern to be your value arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name
  • Test the replacement and ensure you get a value like the arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name.

Add The app to Specific Users

Then give this app to specific users and let them login to the aws-team!