In this lab we will configure the AWS SSO Service to use Active Directory to authenticate users. This scenario simulates a large multinational corporation with an on-prem AD that wants to federate user access into their AWS Control Tower environments.
For this lab, we have created a replica AD environment in a separate account and used Transit Gateway and Resource Access Manager to share the directory resource with your lab account. The network architecture is below:
Download following CloudFormation template. Pick the group based of AD Group listed on your Workshop Credentials printout.
Deploy the CloudFormation template in the Management account of your control tower environmemt in the us-west-2 (Oregon) region.
Name the stack
ADConnector and Accept all default parameters.Specify the location of the file that you downloaded in Step 1. On sucessful launch of the template, following resources are created:
Once the CloudFormation stack has been created, you can create the AD Connector directory. To do this go to the Directory Service console and choose Set up Directory
Select AD Connector as the directory type:
Choose Small for the Directory size and name the directory “octank.local”:
Choose the ADConnector VPC and VPC subnets that were created by the CloudFormation stack:
Fill out the Active Directory information exactly as show below. The password for the adconnector user is
Review the information shown on the next screen and then click on Create Directory.
The status will be Creating for 5-10 minutes. When completed the status will show Active. Wait for the directory creation to complete before proceeding.
The Directory has now been created and the next step is to configure SSO to use the AD Directory as the identity source.
Go to the AWS Single Sign-On console and click on Settings:
Next to Identity Source click on the blue Change link
Change the Identity Source from AWS SSO to Active Directory and select the
octank.local directory that was created in the previous step:
CONFIRM on the confirmation page and click on Change identity source
After a few seconds SSO for your Control Tower environment should be changed over to using Active Directory as the identity source:
You should now be able to assign users and groups from Active Directory to AWS accounts via SSO.
In AWS SSO select the AWS Accounts tab and select all of the acounts in the organization and click on the Assign Users button.
Click on Users type in
john.doe and click on Search Connected Direcotory. Select the john.doe user and Click on Permission sets.
Select the AWSAdministratorAccess and click on Finish
You should then be able to login via your SSO portal address with the username
john.doe and password
Before exiting the lab, please change the Identity Source back to AWS SSO and reset the permission for the default AWS Control Tower account with Administrator permissions using steps 5-10 above.