rahatislamanik-spec/EntraID-AWS-SAML-SSO-Integration
# Microsoft Entra ID → AWS SAML 2.0 SSO Integration
## The Scenario
A growing fintech company runs its internal tools and user identities on **Microsoft 365 and Entra ID**, but its engineering and DevOps teams also need access to **Amazon Web Services** for cloud infrastructure work.
The problem: managing separate AWS usernames and passwords for every engineer is a security risk. When someone leaves the company, IT has to remember to remove them from AWS separately. If they forget, that is an open door.
The solution: **federate AWS access through Entra ID using SAML 2.0 SSO**. Engineers log in once with their Microsoft credentials. AWS trusts Entra ID to vouch for them. No separate AWS passwords. No orphaned accounts. Full audit trail in one place.
This is **Zero Trust** in practice — *identity is the perimeter*.
## What Was Built
### Microsoft Entra ID Side (Identity Provider)
- Added **AWS Single-Account Access** as an Enterprise Application
- Configured SAML 2.0 settings:
  - **Entity ID:** `urn:amazon:webservices`
  - **Reply URL (ACS):** `https://signin.aws.amazon.com/saml`
- Mapped user attributes sent in the SAML assertion:
  - UPN as unique user identifier
  - Given name, surname, email as user profile
  - **Role ARN** mapping directly to the AWS IAM role the user assumes
  - Session duration set to 900 seconds (15-minute security control)
- Managed **Token Signing Certificate** lifecycle (RS256, expires 2029)
- Assigned users to the application for access control
- Exported **Federation Metadata XML** for AWS trust configuration
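The attribute claims above are what AWS reads when the assertion arrives at the ACS URL. As an added example (not code from this repository), the block below parses a constructed AttributeStatement carrying the AWS `Role`, `RoleSessionName` and `SessionDuration` claims and flags the mistakes a reviewer would check for before go-live; the account number, provider name and UPN are sample values.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"
MAX_SESSION = 900  # the 15-minute control from the write-up; AWS itself accepts 900..43200

# Constructed AttributeStatement mirroring the claims listed above (sample account and UPN).
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML2}">
  <saml:Attribute Name="{AWS_ATTR}Role">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/EntraID-ReadOnly,arn:aws:iam::123456789012:saml-provider/EntraID</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{AWS_ATTR}RoleSessionName">
    <saml:AttributeValue>engineer@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{AWS_ATTR}SessionDuration">
    <saml:AttributeValue>900</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def aws_attributes(xml_text: str) -> dict:
    """Return {short name: [values]} for every AWS-namespaced attribute in the statement."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR):
            out[name[len(AWS_ATTR):]] = [v.text or "" for v in attr.iter(f"{{{SAML2}}}AttributeValue")]
    return out

def check_claims(attrs: dict) -> list:
    """Problems a reviewer would flag before go-live; an empty list means the claims are sound."""
    problems = []
    roles = attrs.get("Role", [])
    if not roles:
        problems.append("Role attribute missing: AWS cannot select an IAM role")
    for pair in roles:
        parts = pair.split(",")  # one value carries "role ARN,provider ARN"
        if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
            problems.append(f"Role value malformed: {pair}")
            continue
        if len({p.split(":")[4] for p in parts}) != 1:
            problems.append(f"role and provider ARNs are in different accounts: {pair}")
        if not (any(":role/" in p for p in parts) and any(":saml-provider/" in p for p in parts)):
            problems.append(f"Role value must pair a role ARN with a saml-provider ARN: {pair}")
    if not attrs.get("RoleSessionName"):
        problems.append("RoleSessionName missing: CloudTrail cannot attribute the session to a user")
    for dur in attrs.get("SessionDuration", []):
        if not dur.isdigit() or not 900 <= int(dur) <= MAX_SESSION:
            problems.append(f"SessionDuration {dur} is outside 900..{MAX_SESSION} seconds")
    return problems
```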
### Amazon Web Services Side (Service Provider)
- Registered **EntraID** as a trusted **SAML 2.0 Identity Provider** in AWS IAM
- Uploaded Federation Metadata XML to establish cryptographic trust
- Created **EntraID-ReadOnly** IAM Role with SAML 2.0 federation trust policy
- Mapped the full Role ARN back into Entra ID attribute claims
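The trust policy on the EntraID-ReadOnly role is what binds the AWS side to the provider registered above. As an added example (not the repository's own policy), the block below shows that policy in the shape the IAM console generates, a weaker variant with the audience condition dropped, and a check that tells the two apart; the account number is a constructed sample value.

```python
import copy

ACS_URL = "https://signin.aws.amazon.com/saml"  # the Reply URL configured in Entra ID
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/EntraID"  # constructed sample account

# Trust policy in the shape the IAM console generates for a SAML 2.0 federation role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": ACS_URL}},
    }],
}

# Weaker variant: same principal and action, but the audience condition was dropped, so the
# role no longer checks the Recipient endpoint the assertion was addressed to (AWS fills
# SAML:aud from that field).
WEAK_TRUST_POLICY = copy.deepcopy(TRUST_POLICY)
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]

def trust_policy_findings(policy: dict, provider_arn: str = PROVIDER_ARN) -> list:
    """Findings for every Allow statement that grants sts:AssumeRoleWithSAML."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRoleWithSAML", "sts:*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("Federated") != provider_arn:
            findings.append(f"federated principal {principal!r} is not the EntraID provider")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != ACS_URL:
            findings.append(f"SAML:aud not pinned to {ACS_URL} (found {aud!r})")
    return findings
```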
## How the SSO Flow Works
```text
User opens AWS in their browser
        |
        v
Redirected to Microsoft Entra ID login
        |
        v
User authenticates (password + MFA if required)
        |
        v
Entra ID generates a signed SAML assertion
(contains user identity + assigned AWS role ARN)
        |
        v
Assertion posted to AWS ACS URL
        |
        v
AWS validates signature against EntraID metadata
        |
        v
User assumes EntraID-ReadOnly IAM Role
        |
        v
AWS Console opens -- no separate AWS credentials used
```
## The Result
- User authenticated through Entra ID and landed directly in the AWS Console
- Role confirmed in AWS: `EntraID-ReadOnly/rahat.it.lab@...`
- Zero separate AWS credentials used
- Full sign-in audit trail maintained in Entra ID logs
## Tech Stack
| Component | Technology |
|-----------|-----------|
| Identity Provider (IdP) | Microsoft Entra ID (Azure AD) |
| Service Provider (SP) | Amazon Web Services IAM |
| Federation Protocol | SAML 2.0 |
| Role Mapping | IAM Role ARN via SAML attribute claim |
| Certificate | RS256 Token Signing Certificate |
| Access Policy | AWS ReadOnlyAccess (managed) |
## Key Concepts Demonstrated
- **SAML 2.0 Federation** - industry standard for enterprise SSO between cloud platforms
- **Zero Trust Identity** - no implicit trust, every access request verified through the central identity provider
- **Least Privilege Access** - ReadOnlyAccess policy grants minimum required permissions
- **Certificate Lifecycle Management** - token signing certificate tracked with expiry monitoring
- **Attribute-Based Access Control** - AWS role assignment driven by Entra ID attribute claims
- **Audit Trail** - all authentication events logged in Entra ID sign-in logs
## Screenshots - Full Build Walkthrough
### Entra ID Configuration
**Step 2 - SAML Setup Initiated**

**Step 3 - Basic SAML Configuration**

**Step 4 - Entity ID and Reply URL Configured**

**Step 5 - Attribute Claims Mapping**

**Step 6 - Token Signing Certificate**

**Step 7 - SAML Configuration Overview**

**Step 8 - Users and Groups Section**

**Step 9 - User Assigned to Application**

**Step 10 - Assignment Confirmed**

**Step 11 - Final SAML Configuration**

### AWS IAM Configuration
**Step 12 - AWS IAM Dashboard**

**Step 13 - EntraID Identity Provider Created in AWS**

**Step 14 - Create Role with SAML Federation**

**Step 15 - ReadOnlyAccess Policy Selected**

**Step 16 - Role Name and Review**

**Step 17 - EntraID-ReadOnly Role Created**

### Final Configuration and Proof
**Step 18 - Role ARN Mapped Back in Entra ID**

**Step 19 - SSO Success - AWS Console via Entra ID Login**

**Step 20 - Entra ID SSO Test Panel**

## Security Note
The Federation Metadata XML used in this integration is not included in this repository. It contains tenant-specific configuration data including identity provider URLs, certificate information, and directory identifiers that are not suitable for public repositories. Federation Metadata XML is available on request.
## What is Next
- Add Conditional Access policy to enforce MFA for AWS access
- Expand to multiple AWS roles based on Entra ID group membership
- Automate user assignment via PowerShell and Microsoft Graph API
- Add AWS CloudTrail evidence of federated sign-in events
## Author
**Md Rahat Islam Anik**
Cloud Computing & Network Administration - George Brown College - May 2026
[linkedin.com/in/rahatislamanik](https://linkedin.com/in/rahatislamanik) - [github.com/rahatislamanik-spec](https://github.com/rahatislamanik-spec)