Use these templates for AWS Control Tower customers leveraging the Customizations for AWS Control Tower solution to enable SAML 2.0 federation from Azure AD to AWS. The solution uses automation to accelerate the onboarding of new member accounts by allowing AD admins to securely configure user provisioning directly.
A diagram of the workflow is included below.
- AWS Control Tower
- Customizations for AWS Control Tower
Deploy the following templates using the Customizations for AWS Control Tower. See the sample manifest.yaml file for deployment snippets.
- `azuread-fed-management-account.yaml` - Must be deployed to the management account
- `azuread-fed-member-account.yaml` - Must be deployed to all member accounts requiring Azure AD federation
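The following manifest.yaml fragment is an added example of how the two templates above can be wired into the Customizations for AWS Control Tower (CfCT) manifest; it is not the repository's own sample manifest. The `templates/` paths, the region and the organizational unit name are assumptions, and `<MANAGEMENT_ACCOUNT_ID>` is a placeholder for your own account id.

```yaml
# Added example CfCT manifest (not the repository's own sample manifest).
# Paths under templates/ and the OU name "Workloads" are assumptions.
region: us-east-1
version: 2021-03-15

resources:
  # Deployed exactly once, to the management account only.
  - name: azuread-fed-management-account
    resource_file: templates/azuread-fed-management-account.yaml
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - "<MANAGEMENT_ACCOUNT_ID>"

  # Deployed to every member account that needs Azure AD federation.
  # Targeting an OU rather than listing accounts means each newly enrolled
  # account in that OU receives the stack automatically, which is what keeps
  # member-account onboarding hands-off.
  - name: azuread-fed-member-account
    resource_file: templates/azuread-fed-member-account.yaml
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads
```

Keeping the management-account template scoped to a single account, and never to an OU, limits the blast radius of the privileged resources it creates; the member template is the one that should follow the organization's OU structure.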
- Log in to the management account and navigate to the AWS Secrets Manager Console.
- Navigate to the `AzureADFederation/CFNUserSecretAccessKey` secret and retrieve the stored secrets.
- In the Azure AD EA for the management account:
  - Enable user provisioning using the secret values AccessKey and SecretKey.
  - Map the synced `AzureAdFederationAdminRole` to the appropriate group in AD.
- Federate into the management account using the `AzureAdFederationAdminRole`.
- For each member account, follow these steps:
  - Switch role to the member account using the account Id and the `AzureAdFederationAssumeRole`.
  - Access the AWS Secrets Manager console.
  - Choose the `AzureADFederation/CFNUserSecretAccessKey` secret and retrieve the stored secrets.
  - In the Azure AD EA for the management account, enable user provisioning using the secret values AccessKey and SecretKey.
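The per-account steps above are console steps. The script below is an added example, not part of the repository, that performs the same role switch and secret retrieval with the AWS CLI so the loop over member accounts can be scripted. It assumes AWS CLI v2 and `jq` are installed, that the caller is already federated into the management account via `AzureAdFederationAdminRole`, and that the secret's value is a JSON object with `AccessKey` and `SecretKey` fields (the field names come from the steps above; the JSON layout is an assumption).

```shell
#!/usr/bin/env bash
# Added example (not the repository's own code): switch into a member account
# and read the Azure AD provisioning secret with the AWS CLI.
# Assumes: AWS CLI v2, jq, and an existing management-account session.
set -eu

SECRET_ID="AzureADFederation/CFNUserSecretAccessKey"
ASSUME_ROLE="AzureAdFederationAssumeRole"

# Build the IAM role ARN for a member account. The account id is validated as
# exactly 12 digits so a typo fails loudly instead of targeting another account.
build_role_arn() {
  account_id="$1"
  role_name="$2"
  case "$account_id" in
    ""|*[!0-9]*) echo "invalid account id: '$account_id'" >&2; return 1 ;;
  esac
  [ "${#account_id}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
  printf 'arn:aws:iam::%s:role/%s\n' "$account_id" "$role_name"
}

# Assume the member-account role and export short-lived credentials into the
# current shell. The credentials live only in environment variables, never on
# disk, and expire after 15 minutes.
switch_to_member_account() {
  role_arn="$(build_role_arn "$1" "$ASSUME_ROLE")"
  creds="$(aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "azuread-fed-setup" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)"
  # Output is tab-separated; word-split it into the three positional params.
  set -- $creds
  AWS_ACCESS_KEY_ID="$1"
  AWS_SECRET_ACCESS_KEY="$2"
  AWS_SESSION_TOKEN="$3"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Read AccessKey and SecretKey from the secret for pasting into the Azure AD
# provisioning configuration. The SecretKey is masked unless SHOW_SECRET=1 so
# it does not land in terminal scrollback by default.
show_provisioning_secret() {
  secret_json="$(aws secretsmanager get-secret-value \
    --secret-id "$SECRET_ID" --query SecretString --output text)"
  printf 'AccessKey: %s\n' "$(printf '%s' "$secret_json" | jq -r '.AccessKey')"
  if [ "${SHOW_SECRET:-0}" = "1" ]; then
    printf 'SecretKey: %s\n' "$(printf '%s' "$secret_json" | jq -r '.SecretKey')"
  else
    printf 'SecretKey: <hidden; rerun with SHOW_SECRET=1 to display>\n'
  fi
}

# Usage: source this file from a management-account session, then for each
# member account run:
#   switch_to_member_account 123456789012 && show_provisioning_secret
```

Because `switch_to_member_account` overwrites the session credentials in the current shell, run it in a subshell or re-federate into the management account before moving on to the next member account.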
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.