AD - SSO Integration


In this lab we will configure the AWS SSO Service to use Active Directory to authenticate users. This scenario simulates a large multinational corporation with an on-prem AD that wants to federate user access into their AWS Control Tower environments.

For this lab, we have created a replica AD environment in a separate account and used Transit Gateway and Resource Access Manager to share the directory resource with your lab account. The network architecture is shown below.

Step 1: Create the AD Connector

  1. Download the following CloudFormation template. Pick the group based on the AD Group listed on your Workshop Credentials printout.

  2. Deploy the CloudFormation template in the master account of your Control Tower environment in the us-west-2 (Oregon) region.

  3. Name the stack ADConnector and accept all default parameters. Specify the location of the file that you downloaded in Step 1. On successful launch of the template, the following resources are created:

    • A VPC with two private subnets
    • An attachment to the shared transit gateway that establishes connectivity to the shared Active Directory VPC
  4. Once the CloudFormation stack has been created, you can create the AD Connector directory. To do this, go to the Directory Service console and choose Set up Directory.

  5. Select AD Connector as the directory type.

  6. Choose Small for the Directory size and name the directory “octank.local”.

  7. Choose the ADConnector VPC and the VPC subnets that were created by the CloudFormation stack.

  8. Fill out the Active Directory information exactly as shown below. The password for the adconnector user is just4aws!.

  9. Review the information shown on the next screen and then click on Create Directory.

  10. The status will be Creating for 5-10 minutes. When completed the status will show Active. Wait for the directory creation to complete before proceeding.
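The same AD Connector creation done with the AWS CLI instead of the console, as an added example that is not part of the original lab: it submits the connect-directory request (steps 5-9) and polls the directory stage until it is Active (step 10). The VPC ID, subnet IDs, on-prem DNS IP and the short name OCTANK are placeholders and assumptions; take the real values from your ADConnector CloudFormation stack and Workshop Credentials printout.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): create the octank.local AD Connector via
# the AWS CLI and wait for it to become Active before switching SSO over to it.
# vpc-/subnet- IDs, the DNS IP and the short name are placeholder assumptions.
set -euo pipefail

REGION=us-west-2

# Classify a describe-directories Stage value:
#   ready  -> Active, safe to change the SSO identity source
#   wait   -> still provisioning, keep polling
#   failed -> any other stage (Failed, Inoperable, Deleted, ...), stop
stage_state() {
  case "$1" in
    Active)                     echo ready ;;
    Requested|Creating|Created) echo wait ;;
    *)                          echo failed ;;
  esac
}

# Console steps 5-9. The adconnector password is read from an environment
# variable and passed as JSON on stdin so it never appears in argv.
create_ad_connector() {
  : "${ADCONNECTOR_PASSWORD:?set to the adconnector user password}"
  aws ds connect-directory --region "$REGION" --query DirectoryId --output text \
    --cli-input-json file:///dev/stdin <<EOF
{ "Name": "octank.local", "ShortName": "OCTANK", "Size": "Small",
  "Password": "$ADCONNECTOR_PASSWORD",
  "ConnectSettings": { "VpcId": "vpc-PLACEHOLDER",
    "SubnetIds": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
    "CustomerDnsIps": ["10.0.0.10"], "CustomerUserName": "adconnector" } }
EOF
}

# Console step 10: poll until Active; fail fast on a terminal stage.
wait_for_active() {
  local dir_id="$1" stage
  while :; do
    stage=$(aws ds describe-directories --region "$REGION" --directory-ids "$dir_id" \
      --query 'DirectoryDescriptions[0].Stage' --output text)
    case "$(stage_state "$stage")" in
      ready)  echo "$dir_id is Active"; return 0 ;;
      wait)   echo "stage=$stage, waiting..."; sleep 30 ;;
      failed) echo "directory $dir_id entered stage $stage" >&2; return 1 ;;
    esac
  done
}

if [ "${1:-}" = run ]; then
  wait_for_active "$(create_ad_connector)"
fi
```

Run it as `ADCONNECTOR_PASSWORD=... ./adconnector.sh run` with credentials for the Control Tower master account.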

The Directory has now been created and the next step is to configure SSO to use the AD Directory as the identity source.

Step 2: Change the Identity Source for SSO

  1. Go to the AWS Single Sign-On console and click on Settings.

  2. Next to Identity Source, click on the blue Change link.

  3. Change the Identity Source from AWS SSO to Active Directory and select the octank.local directory that was created in the previous step.

  4. Type CONFIRM on the confirmation page and click on Change identity source.

  5. After a few seconds, SSO for your Control Tower environment should be changed over to using Active Directory as the identity source.

  6. You should now be able to assign users and groups from Active Directory to AWS accounts via SSO.

  7. In AWS SSO, select the AWS Accounts tab, select all of the accounts in the organization and click on the Assign Users button.

  8. Click on Users, type in john.doe and click on Search Connected Directory. Select the john.doe user and click on Permission sets.

  9. Select the AWSAdministratorAccess permission set and click on Finish.

    You should then be able to log in via your SSO portal address with the username john.doe and password just4aws!.

  10. Before exiting the lab, please change the Identity Source back to AWS SSO and reset the permissions for the default AWS Control Tower account with Administrator permissions using steps 5-10 above.