AWS Federated Authentication with Active Directory Federation Services (AD FS) with ABAC

vijay reddy
7 min read · Mar 17, 2021

Warm up before the race: let's quickly go through the useful terms before the starting gun.

Key Terms:
1. Active Directory — (Users, Groups, Attributes)
2. ADFS (Active Directory Federation Service) — (Relying Party Trust, Claims, assuming an IAM role through a SAML assertion)
3. AWS Account — (Roles, Policies, Resource Tags)

Identity Federation:

  • Means: authenticating against an existing identity source (here Active Directory, exposed through AD FS) in order to grant access to another system.
  • A common directory service authenticates the user and the target service authorizes them, so one authorization source serves many solutions. An organization keeps administering its accounts in its own Identity Provider (IdP) and uses that single federated source to control access to its AWS infrastructure as an extension of it.

Single Sign On (SSO):

  • Means: user management and user authentication happen in a single identity store.
  • Identity federation is what enables SSO.
  • In AWS the directory behind it can be your own AD (as in this post), AWS Managed Microsoft AD or Simple AD from AWS Directory Service, or another LDAP directory.

SAML 2.0(Security Assertion Markup Language):

  • An open standard data format for exchanging authentication and authorization data between services (here between AD FS as identity provider and AWS as service provider).
  • In practice it is the layer that extends an on-premises Active Directory to web applications: only the federation service (AD FS) faces the Internet, the AD server itself never does.

LDAP(Lightweight Directory Access Protocol):

  • An open, cross-platform protocol used for directory service authentication and lookups.
  • LDAP is the language applications (and AD FS, for its attribute queries) use to talk to a directory server.
  • Joining two directories directly needs a trust between them to enable authentication in one or both directions; federation via SAML avoids that.

ADFS(Active Directory Federation Service):

  • AD FS is a federation service that provides single sign-on to multiple web applications, AWS among them, by issuing SAML assertions based on AD identities.

Now, On your Mark..

AWS identity federation connects external users to AWS through an IAM role that is configured to permit access. Once in that role, the user can do whatever the role's policies allow and nothing else.

The external identity provider authenticates the user; AWS only checks that the SAML assertion is valid and comes from the registered provider, and the IAM role then authorizes the operations against the account's resources and services.

AWS Federated Authentication with Active Directory Federation Services (ADFS)
  1. The corporate user opens the AD FS sign-in page and enters their Active Directory credentials.
  2. AD FS authenticates the user against Active Directory.
  3. Active Directory returns the user's information, including group membership.
  4. AD FS builds the role ARNs from the user's AD group memberships (and, in this post, a session tag from the user's Department attribute), signs the SAML assertion, and returns it to the browser with a redirect that POSTs it to the AWS SAML endpoint (https://signin.aws.amazon.com/saml).
  5. AWS validates the assertion against the registered SAML provider and calls STS AssumeRoleWithSAML to obtain temporary credentials for the selected role.
  6. The user is signed in to the AWS Management Console with those credentials; if the assertion lists several roles, the console first asks which one to assume.

Steps to Finish:

  1. Create a self-signed certificate (from IIS, optional) for use during the AD FS configuration.
  2. Install and configure AD; add users, groups and the AD FS service account, and set values on the AD user attributes that will drive ABAC.
  3. Install and configure AD FS.
  4. Download the federation metadata XML file from AD FS.
  5. Configure AWS as a relying party trust in AD FS.
    * federation metadata URL:
    https://signin.aws.amazon.com/static/saml-metadata.xml
  6. Configure claim rules for the AWS relying party:
    * NameID
    * RoleSessionName
    * Role attribute (built from AD group membership, as "provider ARN,role ARN" pairs)
    ref: https://www.youtube.com/watch?v=fyF0cPP0xfo
  7. On the AWS side, create a SAML identity provider in IAM and import the FederationMetadata.xml file.
    * Result to capture: ARN of the SAML provider.
  8. Create IAM roles in the AWS console with "SAML 2.0 federation" as the trusted entity and attach policies.
    * Note: name each role after its AD group minus the prefix, because the claim rule turns the group name into the role ARN.
    ex: ADFS-S3Admins (role name), AD-S3Admins (group name)
    * Result to capture: ARN of the role to assume.
  9. Tag AWS resources with the same key/value the user's AD attribute will carry, so that session tags can control access.

For the POC, AD is installed and configured on an AWS EC2 instance.

Installation & Configuration of AD:

  1. Launch an EC2 instance with a Windows platform (default settings).
  2. Log in to the Windows machine using the .rdp file from the Connect section of the instance and the password shown there.
  3. Open "Server Manager" and install Active Directory
    Steps:
    1. Click "Add Roles and Features"
    2. Installation type: Role-based or feature-based installation
    3. Destination server: default
    4. Select role: check "Active Directory Domain Services" and continue with the default settings until the installation completes (a restart may be required).

AD Configuration: after installation, click the notification flag at the top right of the Server Manager console and open the post-deployment configuration for AD DS.

  1. Deployment configuration: choose "Add a new forest" and give the root domain name as "xyz.com"; set the DSRM password in the next step.
  2. Proceed with the default settings in the next steps and complete the installation.
  3. A restart is needed once the installation is completed.

Add users and the service account to AD:

  1. Open "Active Directory Users and Computers" from Windows search.
  2. Create the users, the AD FS service account (with "Password never expires") and the groups.
  3. Add the users and the service account to the Administrators group (select, right-click, Add to a group, Administrators). This is a shortcut for the PoC only: the AD FS service account does not need administrative rights to run the service, and federated users need no special rights in AD at all, so in a real deployment leave them as ordinary accounts (or use a group managed service account for AD FS).
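The same directory setup done from PowerShell, as an added example that is not part of the original post. It assumes the forest xyz.com from the AD configuration step and the service account edsf_adfs from the AD FS step; the OU named AWS, the groups AWS-Admin and AWS-Technical (the AWS- prefix is the convention the claim rule later strips to get the IAM role name) and the test user jdoe with Department = Admin are assumptions. Unlike the click-through steps above it does not put the service account in Administrators, because AD FS does not need that.

```powershell
# Added example, not from the original post. Run elevated on the EC2 instance.
# Assumed names: forest xyz.com, OU "AWS", groups AWS-Admin / AWS-Technical,
# service account edsf_adfs, test user jdoe (Department = Admin).

# 1. Install AD DS and promote this instance to the first DC of a new forest.
#    Install-ADDSForest reboots the server; run step 2 after the reboot.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'xyz.com' -DomainNetbiosName 'XYZ' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# 2. After the reboot: OU, groups, AD FS service account and a test user that
#    carries the attribute the ABAC session tag will be built from.
Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name 'AWS' -Path 'DC=xyz,DC=com'
$ou = 'OU=AWS,DC=xyz,DC=com'

# Group name minus the "AWS-" prefix will become the IAM role name (ADFS-Admin, ADFS-Technical).
foreach ($g in 'AWS-Admin', 'AWS-Technical') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
}

# Plain service account for AD FS: no group memberships, password never expires.
$svcPwd = Read-Host -AsSecureString 'Password for edsf_adfs'
New-ADUser -Name 'edsf_adfs' -SamAccountName 'edsf_adfs' -Path $ou `
    -AccountPassword $svcPwd -Enabled $true -PasswordNeverExpires $true

# Test user: mail feeds RoleSessionName, department feeds PrincipalTag:Department.
$userPwd = Read-Host -AsSecureString 'Password for jdoe'
New-ADUser -Name 'jdoe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@xyz.com' `
    -EmailAddress 'jdoe@xyz.com' -Department 'Admin' -Path $ou `
    -AccountPassword $userPwd -Enabled $true
Add-ADGroupMember -Identity 'AWS-Admin' -Members 'jdoe'

# 3. Check what AD FS will read for this user before touching the claim rules.
Get-ADUser jdoe -Properties MemberOf, EmailAddress, Department |
    Select-Object SamAccountName, EmailAddress, Department, MemberOf
```

If the last command shows an empty Department or no AWS- group, the later AssumeRoleWithSAML call will fail: the trust policy in the ABAC section requires the tag, and the Role claim is only issued for groups with the prefix.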

Installation & Configuration of ADFS:

  1. AD FS installation: same procedure as the AD installation above (Add Roles and Features), selecting "Active Directory Federation Services" with the default settings.
  2. Web Server (IIS) installation (only needed to create the self-signed certificate used by AD FS): same procedure, select "Web Server (IIS)" and complete the installation.
  3. Open "Internet Information Services (IIS) Manager" from Windows search, select the server node, open "Server Certificates" and create the self-signed certificate.
    * choose "Web Hosting" as the certificate store after naming the certificate
    * export the certificate to a file (right-click)
  4. AD FS configuration: now complete the AD FS configuration that was left pending after installation.
    1. Proceed with the default settings, importing the self-signed certificate created above. The federation service name must match the certificate's subject name.
    2. Select the service account created earlier and enter its password.
    3. After the configuration completes, register the SPN below from PowerShell (edsf_adfs is the author's service account name; use yours). This is a commonly used workaround when the AD FS service will not start because AD FS is installed on the domain controller itself.
    setspn -a host/localhost edsf_adfs
  5. Download the federationmetadata.xml file from the link below (the host is the author's federation service name; replace it with yours):
    https://sts.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml
    * if IE security blocks the download:
    Check Internet Options — Security — Local intranet — Sites — Add *.<your-domain>
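The AD FS installation done from PowerShell, as an added example that is not part of the original post. It replaces the IIS detour with New-SelfSignedCertificate and assumes the federation service name sts.xyz.com, the service account xyz\edsf_adfs from the step above, and that it runs elevated on the domain controller built earlier (so the DnsServer module is present); the IP address is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the domain controller.
# Assumptions: federation service name sts.xyz.com, service account xyz\edsf_adfs,
# server private IP 10.0.0.10 (placeholder).
$fsName = 'sts.xyz.com'
$ip     = '10.0.0.10'

Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Self-signed certificate whose subject matches the federation service name.
# Enough for a PoC; use a CA-issued certificate for anything users will trust.
$cert = New-SelfSignedCertificate -DnsName $fsName -CertStoreLocation 'Cert:\LocalMachine\My'

# Trust our own certificate locally so the metadata download below does not fail
# TLS validation (this is what the IE "Local intranet" tweak in the text works around).
$cerPath = Join-Path $env:TEMP 'adfs.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# The service name needs to resolve; on the DC that also runs DNS, add an A record.
Add-DnsServerResourceRecordA -ZoneName 'xyz.com' -Name 'sts' -IPv4Address $ip

# First federation server of the farm, Windows Internal Database, ordinary service account.
$svc = Get-Credential -UserName 'xyz\edsf_adfs' -Message 'AD FS service account password'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'XYZ AD FS (PoC)' `
                 -ServiceAccountCredential $svc

# Workaround from the text for AD FS hosted on the DC itself: HOST/localhost SPN on the service account.
setspn -a host/localhost edsf_adfs

# Fetch the metadata that will be imported into IAM as the SAML provider.
$metaOut = Join-Path $env:USERPROFILE 'Desktop\FederationMetadata.xml'
Invoke-WebRequest -UseBasicParsing -OutFile $metaOut `
    -Uri "https://$fsName/federationmetadata/2007-06/federationmetadata.xml"

# Sanity check: host name and identifier (the entityID AWS will see as the issuer).
Get-AdfsProperties | Select-Object HostName, Identifier
```

The Identifier printed at the end (http://sts.xyz.com/adfs/services/trust with these assumptions) is the issuer that must appear in the metadata you import into IAM; if you later rename the federation service, re-export the metadata and update the provider in IAM.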

Video walkthrough of generating a self-signed certificate in IIS, installing AD FS and setting up a federated user:

https://www.youtube.com/watch?v=fyF0cPP0xfo&t=201s

SAML Identity Provider in AWS

  1. Create a SAML identity provider in AWS IAM by importing the federationmetadata.xml file downloaded from AD FS.
  2. Create one IAM role per AD group (trusted entity: SAML 2.0 federation, pointing at that provider) and attach the required permissions to each role.

Relying Party Trust in ADFS

  1. In AD FS Management, add a relying party trust for AWS using the relying party federation metadata URL:
    https://signin.aws.amazon.com/static/saml-metadata.xml
  2. Click through the remaining pages with the defaults and finish.

Add the claim rules (NameID, RoleSessionName, the AD group lookup, and the Role rule that turns group names into "provider ARN,role ARN" pairs) as described in the AWS blog post:

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

Sign in through the browser with the AD user's credentials at the link below; a successful sign-in ends at the AWS console. On AD FS 2016 and later the IdP-initiated sign-on page is disabled by default and must be enabled first (the EnableIdpInitiatedSignonPage property of Set-AdfsProperties).

https://<Domain Name>/adfs/ls/idpinitiatedsignon.aspx

ABAC (Attribute-Based Access Control):

Along with user credentials, your Corporate directory also stores user attributes such as cost center, department, and email address. Now you can configure your IdP to pass in user attributes as tags in federated AWS sessions. These are called session tags. You can then control access to AWS resources based on these session tags.

For example,
developers can federate into AWS using an IAM role, but can only access resources specific to their project. This is because you define permissions that require the project attribute from their IdP to match the project tag on AWS resources.

Session tags are attributes passed in the AWS session. You can use session tags for access control in IAM policies and for monitoring. These tags are not stored in AWS and are valid only for the duration of the session. You define session tags just like tags in AWS — consisting of a customer-defined key and an optional value.

Action — sts:TagSession (add this to the role's trust policy alongside sts:AssumeRoleWithSAML)

Use case — required whenever attributes are passed as session tags with the AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity or GetFederationToken API.

Steps For implementing ABAC:

  1. Choose or create an AD attribute whose value will travel in the SAML assertion, e.g. Department.
  2. Add the user to the matching AD group (e.g. AWS-Admin) so that the Role claim lets them assume the IAM role (e.g. ADFS-Admin).
  3. Add one more claim rule on the AWS relying party, leaving the existing rules in place: template "Send LDAP Attributes as Claims", LDAP attribute "Department", outgoing claim type https://aws.amazon.com/SAML/Attributes/PrincipalTag:Department (spell the key exactly as the policies below do, which use "Department").
  4. With that rule the SAML assertion carries the attribute, and AWS applies it as a session tag during the AssumeRoleWithSAML call.
  5. Create the IAM role with the trust relationship below (trusted entity type: SAML 2.0 federation). With this condition, a user whose AD Department attribute is empty or not in the allowed list cannot assume the role at all.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::721541826922:saml-provider/idp1"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        },
        "ForAnyValue:StringEquals": {
          "aws:RequestTag/Department": [
            "Admin",
            "Technical"
          ]
        }
      }
    }
  ]
}

6. Tag the resources the user should be able to act on with the same key/value as the user's AD attribute (e.g. Department=Admin).
7. Attach an IAM policy like the one below to the role. The condition compares the resource tag with the principal's session tag, so each user can only act on resources whose Department matches their own.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
      }
    }
  ]
}
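The AWS side (provider, role, trust policy, permission policy and resource tag) done with the AWS Tools for PowerShell, as an added example that is not part of the original post. It assumes credentials for account 721541826922 are already configured (Set-AWSCredential or an instance profile), the FederationMetadata.xml from the AD FS step is on the desktop, the role ADFS-Admin pairs with the AD group AWS-Admin, and the instance ID is a placeholder.

```powershell
# Added example, not from the original post. Needs the AWS.Tools modules
# (Install-Module AWS.Tools.IdentityManagement, AWS.Tools.EC2) and configured credentials.
# Assumptions: account 721541826922, provider idp1, role ADFS-Admin, placeholder instance ID.
Import-Module AWS.Tools.IdentityManagement, AWS.Tools.EC2

$metadata = Get-Content (Join-Path $env:USERPROFILE 'Desktop\FederationMetadata.xml') -Raw

# The SAML provider is the AD FS signing certificate + issuer from the metadata.
# The cmdlet returns the provider ARN, which the trust policy needs.
$providerArn = New-IAMSAMLProvider -Name 'idp1' -SAMLMetadataDocument $metadata

# Trust policy: assertions from idp1 only, for the AWS sign-in audience only, and only
# when the assertion carries a Department tag with an allowed value. sts:TagSession is
# required because the assertion sets a session tag.
$trust = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "$providerArn" },
    "Action": [ "sts:AssumeRoleWithSAML", "sts:TagSession" ],
    "Condition": {
      "StringEquals": {
        "SAML:aud": "https://signin.aws.amazon.com/saml",
        "aws:RequestTag/Department": [ "Admin", "Technical" ]
      }
    }
  }]
}
"@
New-IAMRole -RoleName 'ADFS-Admin' -AssumeRolePolicyDocument $trust | Out-Null

# Permission policy: describe anything, but start/stop only instances whose Department
# tag equals the Department session tag carried by the principal. Single-quoted
# here-string so PowerShell leaves ${aws:PrincipalTag/Department} alone.
$perm = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": [ "ec2:StartInstances", "ec2:StopInstances" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Department": "${aws:PrincipalTag/Department}" }
      }
    }
  ]
}
'@
Write-IAMRolePolicy -RoleName 'ADFS-Admin' -PolicyName 'ec2-abac-by-department' -PolicyDocument $perm

# Tag the resource with the same key/value the user's AD attribute will supply.
New-EC2Tag -Resource 'i-0123456789abcdef0' -Tag @{ Key = 'Department'; Value = 'Admin' }

# What the AD FS Role claim must produce for this account: "<provider ARN>,<role ARN>".
$roleArn = (Get-IAMRole -RoleName 'ADFS-Admin').Arn
"$providerArn,$roleArn"
```

The trust policy uses a plain StringEquals with a list of values instead of the ForAnyValue form shown earlier: aws:RequestTag/Department is single-valued, and the set operators are meant for multivalued keys. Either way, a user whose assertion carries no Department tag, or one outside the list, is refused at AssumeRoleWithSAML, and the tag key must be spelled identically in the claim rule, the trust policy, the permission policy and the resource tags. The last line prints exactly the comma-separated pair the Roles claim rule in AD FS has to emit; if the two do not match character for character, sign-in fails with an invalid role error.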
