Implementing Active Directory Federation Services in the AWS Cloud

Version 1.0, October 2014


Table of Contents

Abstract
Before You Get Started
About Nested Stacks
Automated Deployment
Template Customization
Testing Your Deployment
    Federated Single Sign-On
Post-Configuration Tasks
Further Reading
Appendix A: Amazon EC2 Security Group Configuration
    Subsystem Port Mappings
Appendix B: Residual Resources


Abstract

This guide extends Scenario #1 described in the Implementing Active Directory Domain Services in the AWS Cloud white paper by adding Windows Active Directory Federation Services (ADFS) and automating the configuration of SAML 2.0 federation for web single sign-on (Web SSO) access to the Amazon Web Services Management Console. We'll provide links to automated AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account.

Amazon Web Services (AWS) provides a comprehensive set of services and tools for deploying Microsoft Windows Server 2008 R2 and above workloads on its reliable and secure cloud infrastructure. Active Directory Domain Services (AD DS), Domain Name System (DNS), and Active Directory Federation Services (ADFS) are core Windows services that provide the foundation for many enterprise-class Microsoft-based solutions, including Microsoft SharePoint, Microsoft Exchange, and .NET applications.

This guide is aimed at organizations running workloads in the AWS cloud that wish to access AWS with their Active Directory credentials to:

• Provide Single Sign-On (SSO) to the AWS Management Console
• Centralize user account management
• Use a single set of credentials across multiple AWS accounts
• Leverage existing investments in identity management integrations such as multifactor authentication, key cards, event logging, password policies, self-service, etc.

Before You Get Started

Implementing ADFS in the AWS cloud is an advanced topic. If you are new to AWS, see the Getting Started section of the AWS documentation. In addition, familiarity with the following technologies is recommended:

• Amazon Elastic Compute Cloud (“Amazon EC2”)
• Amazon Virtual Private Cloud (“Amazon VPC”)
• Elastic Load Balancing
• Windows Server 2012 R2, 2012 or 2008 R2
• Windows Server Active Directory and DNS
• Windows Active Directory Federation Services

This guide focuses on infrastructure configuration topics that require careful consideration when you are planning and deploying AD DS, Domain Controller instances, ADFS, and DNS services in the AWS cloud. We don’t cover general Windows Server installation and software configuration tasks. For more resources about deploying, scaling, and managing Microsoft products on AWS, see http://aws.amazon.com/microsoft.

We provide links to AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account. For more information about using AWS CloudFormation templates, see the AWS CloudFormation User Guide.

This guide details one example of how to deploy identity federation with AWS Identity and Access Management (“IAM”). You may also use SAML federation for access to AWS APIs. Further, you have many choices when designing your identity management implementation:

• SAML federation can be used simultaneously with "normal" IAM User credentials to access the AWS Management Console.
• Multiple identity providers may be configured for a single AWS account.
• API access may also be federated.
• A variety of SAML Solution Providers can be used for federation with AWS.


About Nested Stacks

AWS CloudFormation allows nesting a stack as a resource inside a template. This allows you to split up a large infrastructure into smaller modular components that can be managed discretely, which eases long-term administration. Additionally, nesting allows you to overcome some AWS CloudFormation limits, which is useful in situations such as when you need to deploy over 200 resources.

Nested stack updates can be triggered by running the UpdateStack command on a top-level stack, or by selecting the top-level stack and clicking "Update Stack" in the CloudFormation Management Console.

To deploy a nested stack, you need only deploy the top-level template. The master stack will then download and deploy any subsequent, or "nested", stacks. To simplify deployment, we have chosen to define all of the parameters at the master template level, from where they are passed on to the nested templates. This means you only need to define your parameter values once for the top-level template, and these values will be automatically copied to the nested stacks as needed.

For this architecture, we provide these templates:

• Part0_AD-ADFS_Stack.template, the top-level stack
• Part1_VPC.template, the underlying network infrastructure
• Part2_AD_2012R2.template, the nested stack for AD DS
• Part3_ADFS_2012R2.template, the nested stack for ADFS
• Part4_RDGW_2012R2.template, the nested stack for RDGW

The hierarchy of these stacks is represented below. The stacks shown in green are in scope of this document, whereas the stacks shown in grey are originally from Implementing Active Directory Domain Services in the AWS Cloud.

Figure 1: Nested CloudFormation Template Hierarchy (top-level stack Part0_AD-ADFS_Stack; nested stacks Part1_VPC, Part2_AD_2012R2, Part3_ADFS_2012R2, Part4_RDGW_2012R2)

Once deployed, the templates will have constructed an environment resembling the diagram below.

Figure 2: Reference Architecture for Highly Available AD/ADFS in the AWS Cloud
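As an added example (not one of the guide's templates), the following Python script shows the parameter pass-through that the About Nested Stacks section describes: the master template declares each parameter once and forwards it to an AWS::CloudFormation::Stack resource with Ref, and a check reports any child parameter without a Default that the master fails to forward, which is what breaks a nested deploy after a hand edit. The nested template dictionary is a constructed, hypothetical subset of the Part3_ADFS_2012R2 parameters, and the TemplateURL is a placeholder.

```python
"""Added example: declare parameters once on the master stack and forward
them to nested AWS::CloudFormation::Stack resources with Ref."""
import json

# Constructed, hypothetical subset of a nested template's parameters
# (stands in for Part3_ADFS_2012R2.template; not the guide's actual file).
ADFS_NESTED_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "KeyPairName": {"Type": "AWS::EC2::KeyPair::KeyName"},
        "ADFSInstanceType": {"Type": "String", "Default": "m3.xlarge"},
        "DomainDNSName": {"Type": "String", "Default": "example.com"},
        "ADFSPassword": {"Type": "String", "NoEcho": "true"},
    },
    "Resources": {},
}


def build_master_template(nested_templates):
    """nested_templates maps a logical ID to (TemplateURL, template dict).

    Every parameter a child declares is declared once on the master (keeping
    NoEcho so passwords are not echoed in the console) and forwarded to the
    child with {"Ref": name}, so values are entered on the top-level stack only.
    """
    master = {"AWSTemplateFormatVersion": "2010-09-09",
              "Parameters": {}, "Resources": {}}
    for logical_id, (url, child) in nested_templates.items():
        child_params = child.get("Parameters", {})
        for name, spec in child_params.items():
            # First declaration wins; children sharing a name get the same value.
            master["Parameters"].setdefault(name, dict(spec))
        master["Resources"][logical_id] = {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {
                "TemplateURL": url,
                "Parameters": {name: {"Ref": name} for name in child_params},
            },
        }
    return master


def missing_parameters(master, logical_id, child):
    """Child parameters with no Default that the master does not forward.

    CloudFormation fails creation of the nested stack for each of these, so
    this is the check to run after hand-editing the master template.
    """
    forwarded = master["Resources"][logical_id]["Properties"].get("Parameters", {})
    return sorted(name for name, spec in child.get("Parameters", {}).items()
                  if "Default" not in spec and name not in forwarded)


if __name__ == "__main__":
    # Placeholder URL; a real master points at the template's S3 location.
    master = build_master_template(
        {"ADFSStack": ("https://example.invalid/Part3_ADFS_2012R2.template",
                       ADFS_NESTED_TEMPLATE)})
    print(json.dumps(master, indent=2))
    print("missing:", missing_parameters(master, "ADFSStack", ADFS_NESTED_TEMPLATE))
```

Parameters with a Default are not reported as missing because the child falls back to its own default; that fallback is exactly how a value silently diverges from what the operator typed at the top level, so after editing a nested template it is worth reviewing that list as well.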


Automated Deployment

We've created a nested stack of AWS CloudFormation templates that deploy ADFS. These templates perform the following tasks:

• Create an AWS IAM Role for EC2 Instances, which is used during deployment and configuration.
• Use the Windows Server 2012 R2 Amazon Machine Image (AMI) to launch ADFS instances and join them to the existing Microsoft Active Directory.
• Create self-signed SSL certificates for ADFS and Remote Desktop Gateway (RDGW) instances.
• Launch and configure internal Elastic Load Balancing (ELB) and register the ADFS instances with ELB.
• Configure VPC Security Groups and rules for traffic for Elastic Load Balancing and Amazon EC2 instances.
• Configure SAML-based identity federation for single sign-on to the AWS Management Console.
• Create two sample Active Directory Groups and corresponding AWS IAM Roles for Development and Production access to the AWS Management Console, as demonstrated here.
• Configure a DNS CNAME for the SSO portal within your DNS domain.

To launch the AWS CloudFormation stack into the US West (Oregon) Region, click the Launch Stack button below.


Once you authenticate to your AWS account, the link above will automatically prepare your AWS CloudFormation console with the template needed to launch the stack, as shown below. Click "Next".

Figure 3: Deploying the AD-ADFS Stack

The following page will present you with many parameters that are required to launch the stack. Most parameters have default values which have been automatically filled in. However, you must specify values for the EC2 Key Pair and the RDPSourceCIDR* parameters. Finally, you must acknowledge that this stack creates IAM resources, as shown below.


Figure 4: Acknowledging the creation of IAM resources

* NOTE: It is important that RDP never be opened up to the entire Internet—not even for testing purposes or temporarily. For more information, see the related Amazon Security Bulletin. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application. For a further discussion about securing Remote Desktop Gateway, see the Securing the Microsoft Platform on Amazon Web Services whitepaper.
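A pre-launch check for the RDPSourceCIDR parameter, added here as an example and not part of the guide or its templates: it rejects 0.0.0.0/0 outright and any range broader than a policy limit, so the RDGW security group rule for TCP 3389 is never opened to the Internet by a typo or a "temporary" value. The /24 limit and the parameter-mapping shape are assumptions; set the limit to your own policy.

```python
"""Added example: validate the RDPSourceCIDR parameter before launching."""
import ipaddress


def validate_rdp_source_cidr(cidr, min_prefix_len=24):
    """Return (ok, reason) for a candidate RDPSourceCIDR value.

    Rejects anything that would expose TCP 3389 on the RDGW security group
    to the whole Internet, plus ranges broader than the assumed policy
    limit (a prefix shorter than /min_prefix_len).
    """
    try:
        # strict=True rejects values with host bits set, e.g. 203.0.113.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid CIDR block: {exc}"
    if net.version != 4:
        return False, "RDPSourceCIDR expects an IPv4 range"
    if net.prefixlen == 0:
        return False, "0.0.0.0/0 would open RDP to the entire Internet"
    if net.prefixlen < min_prefix_len:
        return False, f"/{net.prefixlen} is broader than the /{min_prefix_len} policy limit"
    return True, f"{net} accepted"


def check_parameters(params):
    """Run the check over a launch parameter mapping (assumed shape:
    {"RDPSourceCIDR": "..."}); returns the list of rejection reasons,
    empty when the parameters may be submitted."""
    problems = []
    ok, reason = validate_rdp_source_cidr(params.get("RDPSourceCIDR", ""))
    if not ok:
        problems.append(f"RDPSourceCIDR: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample parameter sets; 203.0.113.0/24 is documentation space.
    for sample in ({"RDPSourceCIDR": "0.0.0.0/0"},
                   {"RDPSourceCIDR": "203.0.113.0/24"}):
        print(sample, "->", check_parameters(sample) or "ok")
```

A missing parameter is reported as a problem rather than defaulted, because the guide deliberately gives RDPSourceCIDR no default: the only safe value is one an operator chose.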


Figure 5: Partial List of Template Parameters

Template Customization

The templates allow for rich customization of 33 defined parameters at template launch. You can modify those parameters passed to the master template, change the default values, or, if you choose to edit the code of the template itself, create an entirely new set of parameters based on your specific deployment scenario.

The template parameters include the following default values:

Parameter               Default           Description
KeyPairName             <User Provided>   Public/private key pairs allow you to connect securely to your instance after it launches.
RDPSourceCIDR           <User Provided>   Source CIDR Block to allow incoming RDP connections to the RDGW servers.
ADFSInstanceType        m3.xlarge         Amazon EC2 instance type for the Active Directory Federation Services instances.
ADFSServerNetBIOSName1  ADFS1             NetBIOS name of the first Active Directory Federation Services server (up to 15 characters).
ADFSServerNetBIOSName2  ADFS2             NetBIOS name of the second Active Directory Federation Services server (up to 15 characters).
SAMLUser                samltest          Test user for SAML federation for the AWS Management Console.
SAMLUserPassword        Password123       Password for the SAML test user account. Must be at least 8 characters containing letters and numbers.
SSLPassword             Password123       Password for the self-signed SSL certificate. Must be at least 8 characters containing letters and numbers.
ADFSPassword            Password123       Password for the ADFSSVC service account. Must be at least 8 characters containing letters and numbers.
AD1InstanceType         m3.xlarge         Amazon EC2 instance type for the first Active Directory instance.
AD2InstanceType         m3.xlarge         Amazon EC2 instance type for the second Active Directory instance.
ADServer1NetBIOSName    DC1               NetBIOS name of the first Active Directory server (up to 15 characters).
ADServer2NetBIOSName    DC2               NetBIOS name of the second Active Directory server (up to 15 characters).
ADServer1PrivateIp      10.0.2.10         Fixed private IP for the first Active Directory server located in AZ1.
ADServer2PrivateIp      10.0.3.10         Fixed private IP for the second Active Directory server located in AZ2.
NATInstanceType         m1.small          Amazon EC2 instance type for the NAT instances.
RDGWInstanceType        m3.xlarge         Amazon EC2 instance type for the Remote Desktop Gateway instances.
DomainDNSName           example.com       Fully qualified domain name (FQDN) of the forest root domain; e.g., example.com.
DomainNetBIOSName       example           NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows; e.g., EXAMPLE.
RestoreModePassword     Password123       Password for a separate administrator account when the domain controller is in restore mode. Must be at least 8 characters containing letters, numbers, and symbols.
DomainAdminUser         StackAdmin        User name for the account that is added as domain administrator. This is separate from the default "administrator" account.
DomainAdminPassword     Password123       Password for the domain admin user. Must be at least 8 characters containing letters and numbers.
DMZ1CIDR                10.0.0.0/24       CIDR block for the Public Subnet located in AZ1.
DMZ2CIDR                10.0.1.0/24       CIDR block for the Public Subnet located in AZ2.
PrivSub1CIDR            10.0.2.0/24       CIDR block for the Private Subnet 1 located in AZ1.
PrivSub2CIDR            10.0.3.0/24       CIDR block for the Private Subnet 2 located in AZ1.
PrivSub3CIDR            10.0.4.0/24       CIDR block for the Private Subnet 3 located in AZ1.
PrivSub4CIDR            10.0.5.0/24       CIDR block for the Private Subnet 4 located in AZ1.
PrivSub5CIDR            10.0.6.0/24       CIDR block for the Private Subnet 5 located in AZ1.
PrivSub6CIDR            10.0.7.0/24       CIDR block for the Private Subnet 6 located in AZ1.
PrivSub7CIDR            10.0.8.0/24       CIDR block for the Private Subnet 7 located in AZ1.
PrivSub8CIDR            10.0.9.0/24       CIDR block for the Private Subnet 8 located in AZ1.
VPCCIDR                 10.0.0.0/16       CIDR block for the VPC.
UserCount               25                Total number of test user accounts to create in Active Directory.


Testing Your Deployment

The SAMLUser user has been added to the "Domain Admins" group to permit login privileges to the Remote Desktop Gateway servers deployed by the AD template. Additionally, some modifications to the RDGW servers have been automated via AWS CloudFormation in order to provide a true single sign-on experience:

• Internet Explorer Enhanced Security Configuration (IE ESC) has been disabled
• The SSO portal address (default = "https://sso.example.com") has been added to the Local intranet zone in Internet Explorer to allow single sign-on, and has been configured as the home page
• IE Protected Mode has been disabled for the Local intranet zone to allow single sign-on, and the associated warning banner has been disabled
• The self-signed certificate for the ADFS servers has been trusted
• Internet Explorer has been configured to start upon login for all users

Federated Single Sign-On

Determine the Elastic IP address of the RDGW instances by looking at the AWS CloudFormation template output in the AWS Management Console as shown below.


Figure 6: Examining CloudFormation Outputs

Using a Remote Desktop client, log in to either of the RDGW instances using the SAML test user credentials (defaults: example\samltest, Password123). The screenshot below shows an example configuration for the Microsoft Remote Desktop app for Mac.

Figure 7: Connecting to RDGW Server


Some clients may present you with a warning about the self-signed certificate used by the RDGW servers. This is one reason you need to replace these certificates with permanent certificates issued by an authorized certificate authority.

Figure 8: SSL Certificate Warning

A few moments after you log in, IE will be launched automatically for you. If you are logging in for the first time with this user, you'll be presented with a warning page similar to the one shown below. Click the Home button on the browser to see the SSO login portal page.

Figure 9: First-Launch IE Browser Warning

After clicking the home button you will see the ADFS login portal. Choose to sign in to Amazon Web Services.


Figure 10: SSO Portal for ADFS

The SAML test user has been added to two AD Groups / IAM Roles for purposes of demonstration. The ADFS-Production Role has read-only privileges to Amazon EC2, and the ADFS-Dev Role has full access to Amazon EC2. These example permissions were derived from the policy templates provided in the IAM console. Select the ADFS-Dev role. Note that this selection only appears if a user is assigned to more than one AD Group/IAM Role.
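The role selection behaviour described above follows from the SAML attribute ADFS sends. The added Python example below (not the guide's code) builds the AWS Role attribute values from a user's AD group membership using the group and role names from Appendix B, wraps them in a constructed, unsigned assertion fragment, and parses that fragment the way the AWS sign-in endpoint reads it, to decide whether more than one role is offered. The account ID is a placeholder; the group-to-role mapping and the IdP name "ADFS" follow the guide's defaults, but the exact ADFS claim rules are an assumption.

```python
"""Added example: the AWS SAML Role attribute that drives role selection."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

ACCOUNT_ID = "123456789012"   # placeholder, not a real account
IDP_NAME = "ADFS"             # the guide's default IdP resource name
# Assumed claim mapping from the AD groups to the IAM roles listed in Appendix B.
GROUP_TO_ROLE = {"AWS-Dev": "ADFS-Dev", "AWS-Production": "ADFS-Production"}


def role_attribute_values(groups, account_id=ACCOUNT_ID, idp_name=IDP_NAME,
                          mapping=GROUP_TO_ROLE):
    """One 'role ARN,provider ARN' value per mapped group; unmapped groups
    (for example Domain Admins) contribute nothing to the assertion."""
    return [
        f"arn:aws:iam::{account_id}:role/{mapping[g]},"
        f"arn:aws:iam::{account_id}:saml-provider/{idp_name}"
        for g in groups if g in mapping
    ]


def build_assertion(username, groups):
    """Constructed, unsigned AttributeStatement for demonstration only; a real
    ADFS assertion also carries Subject, Conditions and an XML signature that
    AWS verifies against the IdP metadata before trusting any attribute."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>"
                     for v in role_attribute_values(groups))
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{AWS_SESSION_NAME_ATTR}">'
        f"<saml:AttributeValue>{username}</saml:AttributeValue></saml:Attribute>"
        f'<saml:Attribute Name="{AWS_ROLE_ATTR}">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def parse_roles(assertion_xml):
    """Return [(role_arn, provider_arn), ...] from the Role attribute."""
    root = ET.fromstring(assertion_xml)
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            parts = (value.text or "").split(",", 1)
            if len(parts) != 2:
                continue  # malformed value: AWS rejects it, we skip it
            roles.append((parts[0].strip(), parts[1].strip()))
    return roles


def needs_role_selection(roles):
    """The sign-in page asks the user to pick a role only when more than one is offered."""
    return len(roles) > 1


if __name__ == "__main__":
    # Constructed membership for the guide's default test user.
    assertion = build_assertion("samltest@example.com",
                                ["Domain Admins", "AWS-Dev", "AWS-Production"])
    roles = parse_roles(assertion)
    print(roles, "selection needed:", needs_role_selection(roles))
```

Because only groups present in the mapping produce a Role value, removing the test user from AWS-Production makes the selection screen disappear, and removing it from both groups yields an assertion with no roles at all, which AWS refuses; that is the behaviour to expect after the post-configuration step of replacing the sample groups and roles.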


Figure 11: Selecting an IAM Role

You are then redirected to the AWS Management Console. Note that your federated credential information is displayed in the top right corner.


Figure 12: Federated AWS Management Console

Post-Configuration Tasks

After the nested stacks have been created successfully, you'll need to perform the following tasks manually:

1. Create a certificate request and replace the temporary self-signed certificates with a certificate signed by a valid certificate authority.
2. Change passwords for the Administrator account, ADFSSVC user and the DomainAdminUser.
3. Update the password for the ADFS service.
4. After confirming successful SAML federation with AWS, disable or delete the SAML test user account.
5. Perform and configure system and application hardening and patching consistent with your organization's procedures.
6. Replace the sample AD Groups, IAM Roles and access policies for SAML-based identity federation with policies designed to meet your organization's access requirements for the AWS Management Console. If you are new to IAM policies, see Managing IAM Policies. You can build and test your permissions using the AWS Policy Generator and the IAM Policy Simulator.

Further Reading

• Microsoft on AWS:
  o http://aws.amazon.com/microsoft/
• Amazon EC2 Windows Guide:
  o http://docs.amazonwebservices.com/AWSEC2/latest/WindowsGuide/Welcome.html?r=7870
• Secure Microsoft Applications on AWS:
  o http://media.amazonwebservices.com/AWS_Microsoft_Platform_Security.pdf
• Creating a Role for SAML-Based Federation (AWS Management Console):
  o http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html
• Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0:
  o http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0


Appendix A: Amazon EC2 Security Group Configuration

AWS provides a set of building blocks, including Amazon EC2 and Amazon VPC, that you can use to provision infrastructure for your applications. In this model, some security capabilities such as physical security are the responsibility of AWS and are highlighted in the AWS security whitepaper. Other capabilities, such as controlling access to applications, are the responsibility of the application developer and the tools provided in the Microsoft platform.

If you have followed the automated deployment options in this guide, the necessary security groups are configured for you by the provided AWS CloudFormation Templates. For port mappings associated with the VPC, AD, and RDGW templates, refer to the Implementing Active Directory Domain Services in the AWS Cloud white paper. The port mappings for the ADFS template are listed here for your reference:

Subsystem Port Mappings

Subsystem          Associated With   Inbound Interface   Port(s)
ADFSServerSG       ADFS1, ADFS2      ELBSecurityGroup    TCP443
ADFSServerSG       ADFS1, ADFS2      ADFS1, ADFS2        TCP80
ELBSecurityGroup   InternalELB       0.0.0.0/0           TCP443
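An added example, not from the guide: a Python audit that extracts every ingress rule from a CloudFormation template's AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress resources and diffs it against the Appendix A port mapping, reporting rules that are missing and rules the table does not authorize. The template below is constructed; it models the "ADFS1, ADFS2" inbound interface of the TCP80 row as the ADFS servers' own security group (a self-referencing rule, which CloudFormation requires to be a standalone SecurityGroupIngress resource), and that reading of the real template is an assumption.

```python
"""Added example: diff a template's security group ingress rules against
the Appendix A port mapping for the ADFS stack."""
import copy

# Appendix A rows as (group, protocol, from_port, to_port, source).
# Assumption: the "ADFS1, ADFS2" inbound interface on the TCP80 row is the
# ADFS servers' own security group, i.e. a self-referencing rule.
EXPECTED_ADFS_RULES = {
    ("ADFSServerSG", "tcp", 443, 443, "ELBSecurityGroup"),
    ("ADFSServerSG", "tcp", 80, 80, "ADFSServerSG"),
    ("ELBSecurityGroup", "tcp", 443, 443, "0.0.0.0/0"),
}

# Constructed template fragment (not the guide's Part3 template).
ADFS_TEMPLATE = {
    "Resources": {
        "ELBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Internal ELB in front of ADFS",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443",
                     "CidrIp": "0.0.0.0/0"}]}},
        "ADFSServerSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "ADFS servers",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443",
                     "SourceSecurityGroupId": {"Ref": "ELBSecurityGroup"}}]}},
        # A group cannot reference itself inline, so the ADFS-to-ADFS HTTP rule
        # is a standalone ingress resource.
        "ADFSServerSGSelfHTTP": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "ADFSServerSG"},
                "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
                "SourceSecurityGroupId": {"Ref": "ADFSServerSG"}}},
    }
}


def _name(value):
    """Resolve {"Ref": "X"} to "X"; pass literals through."""
    return value["Ref"] if isinstance(value, dict) else value


def _source(rule):
    if "CidrIp" in rule:
        return rule["CidrIp"]
    return _name(rule.get("SourceSecurityGroupId") or rule.get("SourceSecurityGroupName"))


def ingress_rules(template):
    """Set of (group, protocol, from, to, source) for every ingress rule,
    whether inline in a SecurityGroup or a standalone SecurityGroupIngress."""
    rules = set()
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for r in props.get("SecurityGroupIngress", []):
                rules.add((logical_id, r["IpProtocol"], int(r["FromPort"]),
                           int(r["ToPort"]), _source(r)))
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules.add((_name(props["GroupId"]), props["IpProtocol"],
                       int(props["FromPort"]), int(props["ToPort"]), _source(props)))
    return rules


def audit_security_groups(template, expected=EXPECTED_ADFS_RULES):
    """Return (missing, unexpected): expected rules absent from the template,
    and template rules the Appendix A mapping does not authorize."""
    actual = ingress_rules(template)
    return sorted(expected - actual), sorted(actual - expected)


def with_extra_rule(template, group, protocol, port, cidr):
    """Copy of the template with one more inline CIDR rule, for drift tests."""
    drifted = copy.deepcopy(template)
    drifted["Resources"][group]["Properties"].setdefault("SecurityGroupIngress", []).append(
        {"IpProtocol": protocol, "FromPort": str(port), "ToPort": str(port), "CidrIp": cidr})
    return drifted


if __name__ == "__main__":
    print(audit_security_groups(ADFS_TEMPLATE))
    print(audit_security_groups(
        with_extra_rule(ADFS_TEMPLATE, "ADFSServerSG", "tcp", 3389, "0.0.0.0/0")))
```

Running the audit as part of template review, before every UpdateStack on the master, keeps the ADFS groups aligned with the table above; the 0.0.0.0/0 source on ELBSecurityGroup is acceptable only because the ELB is internal, so the same audit should be rerun if the load balancer is ever changed to an Internet-facing one.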


Appendix B: Residual Resources

Should you wish to delete the ADFS CloudFormation stack, the following items will require manual removal:

Item                          Location           Notes
Self-signed SSL Certificate   S3 bucket          S3 buckets created by a CloudFormation stack must be emptied before the stack can be successfully deleted.
ADFS Identity Provider        AWS IAM            "ADFS" is the name of this IdP resource.
ADFS-Dev Role                 AWS IAM            Provided for demonstration purposes only.
ADFS-Production Role          AWS IAM            Provided for demonstration purposes only.
ADFSSVC User                  Active Directory   System account required for ADFS to function.
SAMLUser                      Active Directory   "samltest" is the default value for the name of this test account.
AWS-Dev Group                 Active Directory   Provided for demonstration purposes only.
AWS-Production Group          Active Directory   Provided for demonstration purposes only.
ADFS1 Machine Account         Active Directory   "ADFS1" is the default value for this instance's NetBIOS name.
ADFS2 Machine Account         Active Directory   "ADFS2" is the default value for this instance's NetBIOS name.
ELB DNS CNAME Record          AD DNS             "sso.example.com" is the default value for this record, which may be customized for your domain.
ADFS1 DNS A Record            AD DNS             "ADFS1" is the default value for this instance's NetBIOS name.
ADFS2 DNS A Record            AD DNS             "ADFS2" is the default value for this instance's NetBIOS name.

©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.