sja32/aws-entra-id-saml-federation-lab

GitHub: sja32/aws-entra-id-saml-federation-lab


# AWS + Microsoft Entra ID SAML Federation Lab

## Overview

The lab implements:

- Federated authentication
- Role-Based Access Control (RBAC)
- AWS IAM role assumption
- Microsoft Entra enterprise application integration
- Least privilege access separation
- Temporary AWS credentials through SAML federation

This environment simulates how enterprises centralize authentication using an Identity Provider (IdP) while maintaining granular authorization inside AWS.

# Table of Contents

- [Overview](#overview)
- [Architecture](#architecture)
- [Technologies Used](#technologies-used)
- [Objectives](#objectives)
- [AWS Configuration](#aws-configuration)
- [AWS IAM Roles](#aws-iam-roles)
- [IAM Policies](#iam-policies)
- [Microsoft Entra ID Configuration](#microsoft-entra-id-configuration)
- [User Assignments](#user-assignments)
- [SAML Claims Configuration](#saml-claims-configuration)
- [Troubleshooting](#troubleshooting)
- [Validation](#validation)
- [Security Concepts Demonstrated](#security-concepts-demonstrated)
- [Skills Demonstrated](#skills-demonstrated)
- [Future Enhancements](#future-enhancements)
- [Lessons Learned](#lessons-learned)
- [Author](#author)

# Architecture

```
User
  ↓
Microsoft Entra ID
  ↓  SAML Assertion
AWS IAM Identity Provider
  ↓
AWS IAM Roles
  ↓
AWS Console Access
```

# Technologies Used

- Microsoft Entra ID
- AWS IAM
- SAML 2.0
- AWS IAM Roles
- AWS Identity Providers
- RBAC
- Cloud Security Concepts

# Objectives

The objectives of this lab were to:

- Configure SAML federation between Entra ID and AWS
- Implement role-based access controls
- Create separate AWS roles for:
  - Administrators
  - Infrastructure Engineers
  - Auditors
- Assign Entra users to AWS roles
- Validate SSO authentication into AWS
- Troubleshoot invalid SAML response errors

# AWS Configuration

## IAM Identity Provider

Configured AWS IAM to trust Microsoft Entra ID as a SAML Identity Provider.
### Identity Provider

- Provider Name: EntraID
- Type: SAML

# AWS IAM Roles

Created the following AWS IAM roles:

| Role | Purpose |
|---|---|
| AWS-Admin-Role | Full administrative access |
| AWS-InfraAdmin-Role | Infrastructure administration |
| AWS-Auditor-Role | Read-only auditing access |

# IAM Policies

## AWS-Admin-Role

Attached Policies:

- AdministratorAccess

## AWS-InfraAdmin-Role

Attached Policies:

- PowerUserAccess
- CloudWatchFullAccess

## AWS-Auditor-Role

Attached Policies:

- ReadOnlyAccess
- SecurityAudit

# Microsoft Entra ID Configuration

## Enterprise Application

Created Enterprise Application: AWS Single-Account Access

Configured:

- SAML-based authentication
- AWS sign-on URL
- SAML claims
- Role assignments

# User Assignments

| User | Assigned Role |
|---|---|
| Sharod Admin | AWS-Admin-Role |
| Sharod Infra | AWS-InfraAdmin-Role |
| Sharod Audit | AWS-Auditor-Role |

# SAML Claims Configuration

Configured the required AWS SAML claims:

| Claim | Value |
|---|---|
| Role | user.assignedroles |
| RoleSessionName | user.userprincipalname |
| SessionDuration | 900 |

# Troubleshooting

## Issue: Invalid SAML Response

### Root Cause

The SAML Role claim was incorrectly formatted during initial configuration.

### Resolution

Configured the Role claim to use `user.assignedroles` and mapped the Entra application roles correctly to the AWS IAM role ARNs.
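The "Invalid SAML Response" above comes from the Role claim not carrying a `role ARN,provider ARN` pair that AWS can resolve. The checker below is an added example (not part of this lab's repository) that parses the AWS attributes out of a SAML assertion and reports the formatting problems AWS would reject: a bare role name, a provider ARN that is not the `EntraID` provider, a role outside the three lab roles, a missing `RoleSessionName`, or a `SessionDuration` outside the range AWS accepts. The account id, the `example.com` session name and the assertion fragment are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}   # SAML 2.0 assertion namespace
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"      # prefix of the AWS-specific claims
ACCOUNT_ID = "123456789012"                               # placeholder, not the lab's account
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/EntraID"  # provider name from the lab
KNOWN_ROLES = {"AWS-Admin-Role", "AWS-InfraAdmin-Role", "AWS-Auditor-Role"}  # lab roles
ROLE_ARN_RE = re.compile(rf"^arn:aws:iam::{ACCOUNT_ID}:role/([\w+=,.@-]+)$")

def build_assertion(role_value, session_name="sharod.audit@example.com", duration="900"):
    """Constructed, unsigned assertion fragment carrying only the three AWS claims (sample data)."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{AWS_ATTR}{name}">'
                f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>" + attr("Role", role_value)
            + attr("RoleSessionName", session_name) + attr("SessionDuration", duration)
            + "</saml:AttributeStatement></saml:Assertion>")

def aws_attributes(assertion_xml):
    """Map each AWS claim name (without the prefix) to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        name = a.get("Name", "")
        if name.startswith(AWS_ATTR):
            attrs[name[len(AWS_ATTR):]] = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_assertion(assertion_xml):
    """Return the problems that would make AWS reject the assertion; an empty list means it is well formed."""
    attrs = aws_attributes(assertion_xml)
    problems = []
    for value in attrs.get("Role") or [""]:   # an empty value reports a missing Role claim too
        parts = [p.strip() for p in value.split(",")]
        # Each Role value must be exactly two ARNs: the IAM role and the SAML provider (either order).
        role_arns = [p for p in parts if ROLE_ARN_RE.match(p)]
        if len(parts) != 2 or len(role_arns) != 1 or PROVIDER_ARN not in parts:
            problems.append(f"Role value is not '<role ARN>,<EntraID provider ARN>': {value!r}")
        elif ROLE_ARN_RE.match(role_arns[0]).group(1) not in KNOWN_ROLES:
            problems.append(f"role is not one of the lab roles: {role_arns[0]!r}")
    if not attrs.get("RoleSessionName", [""])[0]:
        problems.append("RoleSessionName claim is missing or empty")
    duration = attrs.get("SessionDuration", ["900"])[0]
    if not duration.isdigit() or not 900 <= int(duration) <= 43200:
        problems.append(f"SessionDuration must be 900..43200 seconds: {duration!r}")
    return problems
```

Feeding a decoded SAMLResponse captured from a test login into `check_assertion` is a quicker first triage step than re-reading the Entra claim configuration screen.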
# Validation

## Successful Federated AWS Login

![Successful AWS Federation Login](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/1b71a5aa3c155632.png)

## Microsoft Entra Role Assignments

![Entra Role Assignments](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/a9f1f3ab57155637.png)

## SAML Claims Configuration Screenshot

![SAML Claims Configuration](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/8b12e688c7155643.png)

Validated:

- SAML authentication
- AWS role assumption
- RBAC separation
- Console access
- Federated identity flow

# Security Concepts Demonstrated

- Federated Identity Management
- SAML 2.0 Authentication
- Least Privilege Access
- RBAC
- Temporary Credentials
- Identity Federation
- Cloud Access Governance

# Skills Demonstrated

- AWS IAM
- Microsoft Entra ID (Azure AD)
- SAML 2.0 Federation
- Identity and Access Management (IAM)
- Role-Based Access Control (RBAC)
- Federated Authentication
- AWS Identity Providers
- Cloud Security Architecture
- Enterprise Single Sign-On (SSO)
- Troubleshooting SAML Authentication
- Security Documentation
- Least Privilege Design

# Future Enhancements

Planned enhancements include:

- AWS CloudTrail integration
- CloudWatch logging
- GuardDuty
- AWS Config
- MFA Conditional Access Policies
- Multi-account federation
- Infrastructure as Code (Terraform)

# Lessons Learned

- Proper SAML claim formatting is critical
- Role ARN formatting must match exactly
- Enterprise applications require both:
  - App role definitions
  - User/group assignments
- Federation troubleshooting requires validating both IdP and SP configurations

# Author

Sharod Allen

GitHub: https://github.com/sja32