Amazon Web Services Feed
Field Notes: Integrating a Multi-Forest Source Environment with AWS SSO
During re:Invent 2019, AWS announced a new way to integrate external identity sources such as Azure Active Directory with automatic provisioning of identities and groups in AWS Single Sign-On (AWS SSO). In March 2020, AWS SSO gave customers the ability to connect their Okta Identity Cloud to AWS Single Sign-On (SSO) in order to manage access to AWS centrally in AWS SSO.
The AWS Single Sign-On service helps centralize management of access to multiple AWS accounts and, in some cases, ties that access back to corporate identities. This provides ready access to business applications and services. With this feature, companies can use AWS Single Sign-On to allow federated access to multiple AWS accounts and cloud applications.
In this blog post, I discuss the challenges faced by customers running multi-forest environments or multiple Azure tenant subscriptions with this feature. I also provide a different approach to solving this challenge with a brief overview of each solution presented.
Large enterprise companies often require their security team to build centralized identity solutions that work across different Active Directory forest environments, commonly as the result of a merger, acquisition or partnership. Challenges include complex networking with different IP routes, DNS forwarding configurations, and firewall rules needed to enable trust relationships between the forests, all in support of a single identity that manages the account lifecycle and password policies. This becomes even more challenging when your organization works across multiple cloud platforms from a centralized identity solution over hybrid network connectivity.
Customer Example
To illustrate my point, I use the following example of a real life customer scenario, under the fictitious name of ‘Acme Corporation’.
Acme Corporation is a capital wealth management company operating in three countries: USA, Canada, and Brazil. Business is growing and they are exploring cloud services.
Their corporate headquarters is located in NY, USA, and they have established offices (branches) in Canada and Brazil. The organization operates in a decentralized model, with different governance over the identity structure in each location. An Active Directory forest is established per region, with cross-forest trust relationships between them. The company is looking to adopt cloud technologies and needs a common identity solution across on-premises and cloud services with Azure Active Directory and AWS.
We’ve outlined the solution in the following diagram:
Options to source identities into AWS Single Sign-On
AWS Single Sign-On offers the following three options for an identity source:
- AWS SSO
- Active Directory
- External Identity Provider
The first option, “AWS SSO”, is the default native identity store. You can create and delete users and groups directly in it.
The second option, “Active Directory”, allows administrators to source users and groups from Active Directory, whether it runs on premises, in EC2 (using AD Connector as the directory gateway), or as an AWS Managed Microsoft AD directory hosted in the AWS Cloud.
The third option, “External Identity Provider”, enables administrators to provision users and groups from external identity providers (IdPs) through the Security Assertion Markup Language (SAML) 2.0 standard.
Note: AWS Single Sign-On allows only one identity source at any given time. In this post, we focus on two options that help integrate a multi-forest environment with AWS Single Sign-On and Azure Active Directory.
Solution
Option 1. Federating with Active Directory
In the hub-and-spoke model, the AWS Managed Microsoft Active Directory is the hub and the Active Directory forests are the spokes.
- Provision an AWS Managed Microsoft Active Directory.
- If you already have an AWS Managed Microsoft Active Directory to use as the hub, continue to the next step.
- Set up hybrid network connectivity and firewall rules that allow the trust traffic.
- Configure DNS conditional forwarding so that the trusting forests can be resolved. You need an outbound endpoint with forwarding rules to the different forests, so that the VPC resolves their names, and an inbound endpoint, so that the forests can resolve the AWS Managed Microsoft AD names.
- Check that name resolution is working across the hybrid environment.
- Establish a forest trust relationship and validate the trust.
The following screenshot shows how your trust relationship will be displayed on the console.
Note 1: You cannot use the transitive trust relationship of a child domain in a forest or cross-forest relationship. In that case, you have to create an explicit trust or a domain trust from that domain to the AWS Managed Microsoft AD domain used by AWS Single Sign-On. This enables you to see the users and groups required to provision the permission sets and accounts.
Note 2: The AWS Managed Microsoft Active Directory in this example does not require you to host any users or groups, as this domain is only used for the domain trust relationships. In short, it can be an empty forest.
Configure AWS Single Sign-On to use your AWS Managed Microsoft Active Directory as the Active Directory identity source option.
The following screenshot shows how to assign a group to an account in preparation for AWS Single Sign-On enablement.
The following screenshot shows how to assign a group to an account in preparation for AWS Single Sign-On enablement, selecting a group.
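The Option 1 steps above (DNS forwarding in both directions, one explicit trust per forest, and an explicit trust for any child domain whose users must be sourced, per Note 1) are easy to get partly wrong when several forests are involved. The following Python helper is an added example, not code from the original post or from AWS: it models one AWS Managed Microsoft AD hub plus several spoke forests, validates the plan against the constraints the post describes, and emits the equivalent AWS CLI commands (`aws route53resolver create-resolver-rule` and `aws ds create-trust`) as strings for review. It executes nothing and needs no credentials; the directory ID, Resolver endpoint ID, domain names and IP addresses are constructed placeholders, and the trust password is read from an assumed `TRUST_PASSWORD` environment variable at the time the commands are run.

```python
"""Plan-and-validate helper for the Option 1 hub-and-spoke trust setup.

Added example for this post (not AWS code). All IDs, domains and IPs are
constructed placeholders. The output is a list of CLI commands for review;
nothing here talks to AWS.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Forest:
    fqdn: str                       # forest root DNS name, e.g. "us.acme.example"
    dns_ips: List[str]              # spoke DNS servers reachable from the VPC
    child_domains: List[str] = field(default_factory=list)  # children needing users sourced


@dataclass
class HubPlan:
    directory_id: str               # AWS Managed Microsoft AD id (placeholder)
    hub_fqdn: str                   # hub domain, can be an empty forest (Note 2)
    outbound_endpoint_id: str       # Route 53 Resolver outbound endpoint (placeholder)
    inbound_endpoint_ips: List[str]  # inbound endpoint IPs the spokes forward hub queries to
    forests: List[Forest]


def validate_plan(plan: HubPlan) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    if not plan.inbound_endpoint_ips:
        findings.append("no inbound endpoint: spoke forests cannot resolve the hub domain")
    if not plan.outbound_endpoint_id:
        findings.append("no outbound endpoint: the VPC cannot forward queries to spoke forests")
    seen = set()
    for f in plan.forests:
        if "." not in f.fqdn:
            findings.append(f"{f.fqdn}: trust requires a fully qualified DNS name")
        if f.fqdn in seen:
            findings.append(f"{f.fqdn}: duplicate forest entry")
        seen.add(f.fqdn)
        if not f.dns_ips:
            findings.append(f"{f.fqdn}: no conditional forwarder IPs, hub cannot resolve this forest")
        for child in f.child_domains:
            if not child.endswith("." + f.fqdn):
                findings.append(f"{child}: listed as a child of {f.fqdn} but not under it")
    return findings


def resolver_rule_command(plan: HubPlan, forest: Forest) -> str:
    """Forwarding rule so the VPC resolves the spoke forest via the outbound endpoint.
    (The created rule still has to be associated with the VPC afterwards.)"""
    targets = " ".join(f"Ip={ip},Port=53" for ip in forest.dns_ips)
    return (f"aws route53resolver create-resolver-rule "
            f"--creator-request-id fwd-{forest.fqdn} --name fwd-{forest.fqdn} "
            f"--rule-type FORWARD --domain-name {forest.fqdn} "
            f"--target-ips {targets} --resolver-endpoint-id {plan.outbound_endpoint_id}")


def trust_commands(plan: HubPlan, forest: Forest) -> List[str]:
    """One forest trust per spoke, plus an explicit external (domain) trust for each
    child domain, because AWS SSO cannot rely on the transitive child trust (Note 1).
    The same password must be used on the on-premises side of each trust."""
    base = (f"aws ds create-trust --directory-id {plan.directory_id} "
            f"--trust-direction Two-Way --trust-password \"$TRUST_PASSWORD\" "
            f"--conditional-forwarder-ip-addrs {' '.join(forest.dns_ips)} ")
    cmds = [base + f"--remote-domain-name {forest.fqdn} --trust-type Forest"]
    for child in forest.child_domains:
        # Assumption: the child domain is resolvable through the forest DNS servers.
        cmds.append(base + f"--remote-domain-name {child} --trust-type External")
    return cmds


def plan_commands(plan: HubPlan) -> List[str]:
    """DNS first, then trusts: a trust cannot be validated until names resolve."""
    cmds = [resolver_rule_command(plan, f) for f in plan.forests]
    for f in plan.forests:
        cmds.extend(trust_commands(plan, f))
    return cmds


# Constructed sample modelled on the Acme scenario: one hub, three regional forests,
# one of which has a child domain whose users must be visible to AWS SSO.
ACME_PLAN = HubPlan(
    directory_id="d-EXAMPLE12345",
    hub_fqdn="hub.acme.example",
    outbound_endpoint_id="rslvr-out-EXAMPLE",
    inbound_endpoint_ips=["10.0.1.10", "10.0.2.10"],
    forests=[
        Forest("us.acme.example", ["10.1.0.10", "10.1.0.11"]),
        Forest("ca.acme.example", ["10.2.0.10"], child_domains=["ops.ca.acme.example"]),
        Forest("br.acme.example", ["10.3.0.10"]),
    ],
)

if __name__ == "__main__":
    for finding in validate_plan(ACME_PLAN):
        print("FINDING:", finding)
    for cmd in plan_commands(ACME_PLAN):
        print(cmd)
```

Running the script prints any findings followed by the seven commands for the sample (three forwarding rules, three forest trusts and one external trust for the child domain). Dropping the inbound endpoint IPs from the plan produces a finding, which is the failure mode most often hit in practice: the hub resolves the spokes, but the spokes cannot resolve the hub and the trust never validates.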
Option 2a. Federating with Azure Active Directory Single Tenant
If you have multiple forests and would like to use a single tenant, here are the steps:
- Set up a single Azure AD Connect in any forest to consolidate users from the different forests into a single Azure AD tenant.
- Review the requirements under the section “Multiple Forests, Single Azure Active Directory Tenant”.
- Configure AWS Single Sign-On to use your single Azure Active Directory tenant as the External Identity Provider option.
The following is a conceptual diagram of Acme corporation, after successful integration.
Option 2b. Federating with Azure Active Directory Multiple Tenants
If option 2a is not feasible and you are using multiple Azure AD Connect sync servers and multiple Azure Active Directory tenants (as in the following diagram), then you can nominate one of the Azure Active Directory tenants to connect with AWS SSO. Through B2B invitation, selectively invite users from the other tenants into the nominated tenant.
Note: This is not a scalable solution, as it requires administrative overhead. It is best suited to a small set of users requiring access to the AWS API or console for administrative work.
- Follow the Microsoft B2B model.
- Tutorial: Bulk invite Azure Active Directory B2B collaboration users
The following is a conceptual diagram of Acme corporation, after successful integration.
Conclusion
In this post, we discussed the options for connecting AWS SSO to your preferred identity provider when you run a multi-forest infrastructure. Customers running multi-forest environments or multiple Azure tenant subscriptions now have a guide for offering their users a continued way of centralizing management and enforcing least-privilege access on cloud resources. To learn more, review our AWS Single Sign-On service content.
Additional Content:
- AWS re:Invent 2019: Managing user permissions at scale with AWS SSO (SEC308)
- AWS Single Sign-On FAQs
- AWS re:Invent 2019: Deep dive on DNS in the hybrid cloud (NET410)