AWS Single Sign-On: A Step-by-Step Guide to Integration with Azure Active Directory

1. Introduction
Single Sign-On (SSO) is an authentication and authorization method that allows users to log in to multiple applications with a single set of credentials (username and password).
SSO saves time and effort for end users: it eliminates the need to sign in to and log out of multiple applications, both on-premises and in the cloud. It simplifies password management in a company and improves both productivity and security by reducing the number of passwords that can be lost, weakened, or forgotten.
2. How does it work?
SSO works by establishing trust between an identity provider (IdP) and a service provider (SP). This trust relationship is established by exchanging metadata, including the IdP’s signing certificate, with the service provider. The service provider uses this certificate to verify that the identity information it receives was genuinely issued by the identity provider and has not been tampered with. The identity information is carried in tokens (in SAML, signed assertions) that identify the user by attributes such as an email ID or username.
Organizations prefer to have one identity across all their applications and cloud platforms. Azure Active Directory (Azure AD), which backs Office 365 and is widely used in businesses, is a popular choice for this. It is often already connected to other services, so it can serve as the authentication hub.
This blog integrates AWS SSO with Azure Active Directory to authenticate users. This integration allows administrators to manage users and groups from one central source.
3. Step-by-Step Guide to Integration of AWS SSO and Azure AD
Let’s put the following architecture to work:

1. Enable AWS SSO
Log in to the AWS Console using your AWS master account. Next, navigate to the AWS Single Sign-On console.
Verify that you are in the correct region by checking the upper right corner of the AWS Management Console.
If you are accessing Single Sign-On in this region for the first time, the welcome screen shown below will appear. Select “Enable AWS SSO”.

Once SSO has been enabled, navigate to Identity source, open the Actions menu, and select “Change identity source.”

AWS SSO defaults to its built-in identity store as the identity source. To integrate with Azure AD, change it to “External identity provider”. Now download the AWS SSO SAML metadata file offered in step 2 of that page; Azure AD will need it.
2. Configuring Azure AD as IdP
Log in to Azure and navigate to Azure Active Directory. Select “Enterprise Applications”, then create a new application. Type “AWS SSO” in the gallery search bar and select AWS SSO as shown below.

After choosing AWS SSO, click Create. Navigate to the application you just created and click on “Set up single sign-on” as shown below.

Select SAML on the next page, and upload the metadata file that you downloaded from AWS SSO.

Once the upload is complete, click “Save” to close the Basic SAML Configuration pane. A prompt will appear asking you to test single sign-on with AWS Single Sign-On; you can choose “No, I’ll test later.” Then download the Azure Federation Metadata XML.

After downloading the metadata file, go back to the AWS console and upload it as shown below. Click Next.

Next, acknowledge the change and confirm the new identity source as shown.

This completes the basic configuration. Let’s now implement the SCIM protocol to automatically provision users and groups from Azure AD. Automatic provisioning takes the users and groups assigned to the enterprise application in Azure AD and creates them in AWS SSO.
3. Automatic provisioning for Users and Groups
Select “Settings” in the left panel of AWS SSO. Navigate to