March 17, 2019

SAML 2.0 - AD Integration with WebApplication

For any enterprise, it is nearly impossible to maintain two sets of accounts for all of its employees and users, so AWS offers easy ways to authenticate users outside of AWS (non-IAM users) using identity federation. There are three ways in which this authentication can happen: web identities, SAML, and custom identity providers.
In this article, we will be focusing on SAML.

What is SAML?

Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. SAML addresses web browser single sign-on (SSO).
The SAML specification defines three roles:
  • User
  • Service provider (SP)
  • Identity provider (IdP)
Security tokens contain assertions, and the assertions are passed from the IdP to the SP in JWT (JSON Web Token) format. It is URL-safe Base64 encoded and ideally signed for security.

SAML Basics

Sample Scenario

  1. Let's assume:
    • User: bhuvana@abc.com
    • Service Provider: ABCContentMgr.com, hosted in AWS
    • Identity Provider: the AD setup in ABC Enterprise
  2. The user browses the web application from the service provider (SP).
  3. The web application redirects to the SSO page.
  4. The SSO page takes the AD credentials and validates them at the identity provider (IdP).
  5. The IdP provides the identity, or SAML assertion, in JWT format.
  6. The SP gets the identity assertion from the IdP; this validation is done by a special URL for this application (in the case of AWS resources, a special URL takes care of AWS sign-in).
  7. The SP then lets the user access the content management web application.

SAML (AD) Configuration

  • Log in to the AD FS server and launch the AD FS Management console
    • Edit Federation Service Properties and note down the Federation Service Identifier
    • Go to Certificates -> Token Signing -> Details -> copy the Thumbprint
      You will need this information to configure the SAML provider details on the Service Provider / application configuration side.
  • Create a "Relying Party Trust" on your AD FS server -> Create Amazon Web Services and configure
    • All you specify here is how AD is to trust Amazon Web Services
  • Fill in the Federation Metadata URL -> https://signin.aws.amazon.com/static/saml-metadata.xml
    • This URL is common across AWS; you can download the file and use it
  • Configure the Trust Identifier
    • If you are using a Cognito User Pool, this should be your Cognito User Pool identifier. If you are using a different application, this will be a different URL.
  • Add an EndPoint
    • This is the URL which the SAML provider calls back with the assertion in JWT format.
    • In the case of Cognito, this is your Cognito authentication domain, which is unique per region
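The SP-side validation from step 6 of the scenario, tied to the Trust Identifier and EndPoint configured above, as an added example that is not from the original post. It assumes the IdP returns a standard SAML 2.0 XML Response; the Cognito-style identifier, the endpoint and the response itself are constructed placeholders, and verifying the signature bytes is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET  # on untrusted input, use defusedxml's drop-in parser
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample (assumed values, not from a real deployment) of what AD FS posts
# to the SP endpoint: Audience carries the Trust Identifier, Recipient the EndPoint.
TRUST_IDENTIFIER = "urn:amazon:cognito:sp:us-east-1_EXAMPLE"
ENDPOINT = "https://abccontentmgr.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <ds:Signature xmlns:ds="{NS['ds']}"/>
    <saml:Subject>
      <saml:NameID>bhuvana@abc.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData
        NotOnOrAfter="2019-03-17T10:05:00Z" Recipient="{ENDPOINT}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-03-17T10:00:00Z" NotOnOrAfter="2019-03-17T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{TRUST_IDENTIFIER}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC, e.g. 2019-03-17T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trust_identifier, endpoint, now_utc):
    """Return (subject, problems); accept the login only when problems is empty.
    Signature bytes are not verified here: that needs the AD FS token-signing
    certificate (the thumbprint noted earlier) and an XML-DSig library."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, ["no Assertion element"]
    problems = []
    if a.find("ds:Signature", NS) is None:  # unsigned assertions must be rejected
        problems.append("assertion is not signed")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != endpoint:  # minted for another SP endpoint
        problems.append("Recipient is not our endpoint")
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if trust_identifier not in audiences:  # issued for a different relying party
        problems.append("Audience is not our Trust Identifier")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        problems.append("assertion has no expiry")
    elif not (_ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window")  # expired or not yet valid
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), problems
```

In a real deployment the response arrives base64-encoded in the SAMLResponse POST field, and the signature must be checked against the token-signing certificate before any of these checks count for anything.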

Service Provider Configuration

  • Federate with your SAML provider
    • Create the SAML IdP in the "Federation" section -> go to AWS Console -> IAM -> Identity Federation -> Create Provider
      • Choose Provider Type as SAML
      • Enter the provider name
      • Provide the XML metadata file (or its URL)
  • Enable your IdP / SAML provider
    • Specify the Callback URL / Sign-on URL, which tells the SAML provider where to return after you are authenticated
    • Optionally specify the Sign-out URL as well
    • Configure the certificate thumbprint if applicable
