We can also use SAML identity provider configurations in AWS IAM to establish trust between AWS and SAML-compatible identity providers, such as Shibboleth or Microsoft Active Directory Federation Services (ADFS). The steps to set up federated sign-in with ADFS in IAM can be summarized as follows:

1. Download the FederationMetadata.xml file from our ADFS server.
2. Go to the IAM dashboard.
3. Create an identity provider as follows:
   1. Click on Identity providers in the left sidebar.
   2. Click on Create Provider.
   3. For Provider Type, select SAML.
   4. For Provider Name, give a meaningful name.
   5. For Metadata Document, click Choose File and upload the FederationMetadata.xml file we downloaded in step 1.
   6. Click Next Step.
   7. Review and click Create to complete creation of the identity provider.
4. Create a role in IAM that federated users can assume via SAML 2.0 as follows:
   1. Click on Roles in the left sidebar of the IAM dashboard.
   2. Click on Create role.
   3. For Select type of trusted entity, select SAML 2.0 federation.
   4. For SAML provider, select the identity provider we created in step 3.
   5. Select Allow programmatic and AWS Management Console access. The Attribute and Value fields are populated automatically. Click Next: Permissions.
   6. Choose one or more permission policies for our new role. Click Next: Review.
   7. For Role name and Role description, provide a meaningful name and description for our role.
   8. Create further roles as per steps 1 to 8, as required.

Users (as defined in the identity provider) assume an AWS role during the sign-in process. Follow the documentation for Active Directory (AD) and ADFS to complete the AD-side and ADFS-side configuration that the preceding steps depend on.
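The console wizard above writes a role trust policy behind the scenes; the following added example (not from the original text or from AWS) builds that policy in Python and audits an existing one for the two properties that matter, namely that the federated principal is a SAML provider in our own account and that the SAML:aud condition the wizard fills in is present. The account ID 123456789012 and the provider name ADFS are constructed placeholders, and no API calls are made, so it runs offline.

```python
import json
from typing import List

# The Value the console populates for the Attribute "SAML:aud" when we choose
# "Allow programmatic and AWS Management Console access".
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    """ARN of the SAML identity provider created in the IAM console (step 3)."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy equivalent to the 'SAML 2.0 federation' role type (step 4):
    only assertions issued by our provider for the AWS sign-in audience may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def audit_saml_trust_policy(policy: dict, account_id: str) -> List[str]:
    """Return findings for a role trust policy; an empty list means every SAML
    statement trusts only a provider in our account and pins the audience."""
    findings: List[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue  # not a SAML federation statement
        fed = st.get("Principal", {}).get("Federated", "")
        fed = [fed] if isinstance(fed, str) else fed
        for p in fed:
            if not p.startswith(f"arn:aws:iam::{account_id}:saml-provider/"):
                findings.append(f"statement {i}: federated principal {p!r} is not a SAML provider in account {account_id}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: missing StringEquals SAML:aud == {AWS_SAML_AUDIENCE}")
    return findings


if __name__ == "__main__":
    policy = saml_trust_policy("123456789012", "ADFS")  # constructed placeholders
    print(json.dumps(policy, indent=2))
    print("findings:", audit_saml_trust_policy(policy, "123456789012"))
```

The generated JSON can be passed unchanged as the assume-role policy document when the role is created outside the console, and the audit function is useful for reviewing roles that were edited by hand afterwards.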