🔐 How to Access AWS Console Using Azure AD SSO (SAML Federation)

Solai Rajan

Tags: AWS, Azure, SSO, IAM, Federated Access, DevOps, Security

📖 Introduction

In many enterprise environments, organizations manage user identities centrally in Azure AD (now Microsoft Entra ID), while their infrastructure runs on AWS. The best practice is to federate identity rather than create IAM users with long-lived access keys: Azure AD authenticates the user, and an IAM role with a SAML trust policy decides what that user may do in AWS.

In this tutorial, we’ll walk through setting up Single Sign-On (SSO) from Azure AD to AWS Console using SAML-based federated login.

🧱 High-Level Architecture

  1. Azure AD handles authentication.
  2. AWS IAM Role with SAML trust handles authorization.
  3. User signs in via https://myapps.microsoft.com and is redirected to AWS Console.

⚙️ Step-by-Step Guide

Step 1: Create IAM SAML Identity Provider in AWS

  1. Go to IAM → Identity Providers in AWS Console.
  2. Click “Add Provider”
  3. Select SAML as Provider Type.
  4. Name it AzureAD.
  5. Upload the Federation Metadata XML from Azure (you download it in Step 3, so you may need to create the Azure app first and come back here).

Step 2: Register AWS as an Enterprise App in Azure

  1. Go to Azure Portal → Enterprise Applications.
  2. Click + New Application
  3. Search for and select AWS Single-Account Access (the gallery app for IAM SAML federation, which is the flow described here; the AWS IAM Identity Center app, formerly AWS Single Sign-On, uses a different flow and does not use the Role claim configured in Step 5).

Step 3: Configure Azure SSO for the App

  1. Go to the AWS app > Single Sign-On
  2. Choose SAML
  3. Leave the pre-filled Identifier and Reply URL (https://signin.aws.amazon.com/saml) as they are; the trust policy in Step 4 checks the assertion audience against this value.
  4. Download the Federation Metadata XML → Use this in Step 1 (AWS IAM).

Step 4: Create IAM Role for Azure in AWS

  1. Go to IAM → Roles → Create Role
  2. Choose SAML 2.0 Federation
  3. Select the SAML provider you created (AzureAD)
  4. Choose Allow programmatic and AWS Management Console access
  5. Inside Sign-in endpoints Choose Non-Regional endpoint and Without unique identifiers
  6. Attach permissions to this role (e.g. AdministratorAccess for a first test; scope it down to least privilege before real users get the tile, since every assigned Azure user inherits exactly these permissions)
  7. Name it: AzureSAMLRole

or you can create the role with the following trust policy (Trust relationships tab → Edit trust policy):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::<account-id>:saml-provider/AzureAD"
          },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": {
            "StringEquals": {
              "SAML:aud": "https://signin.aws.amazon.com/saml"
            }
          }
        }
      ]
    }

Step 5: Configure Azure Claims

  1. Go to: Enterprise Applications > AWS App > Single Sign-On > Attributes & Claims
  2. Edit the https://aws.amazon.com/SAML/Attributes/Role claim and set its value to the role ARN followed by the provider ARN, comma-separated with no spaces, in that order:
     arn:aws:iam::<account-id>:role/AzureSAMLRole,arn:aws:iam::<account-id>:saml-provider/AzureAD
  3. Make sure the https://aws.amazon.com/SAML/Attributes/RoleSessionName claim is also present (the gallery app maps it to user.userprincipalname by default). AWS rejects assertions without it, and its value becomes the session name you see in CloudTrail.

Step 6: Assign Users or Groups

  1. In Azure, go to AWS App → Users and Groups
  2. Click Add user/group
  3. Select your Azure AD users or groups.

Step 7: Test the SSO Login

  1. Go to: https://myapps.microsoft.com
  2. Login with your Azure user.
  3. Click on the AWS SSO tile.

🎉 You’ll be redirected into the AWS Console with the permissions defined in your IAM role!

🔍 What’s Happening Behind the Scenes?

Authentication: Azure AD verifies the user's identity and issues a signed SAML assertion.
Authorization: the AWS IAM role's trust policy decides whether that assertion may assume the role, and the role's permission policies define what the session can do.
🛡️ SAML assertion: posted from Azure to https://signin.aws.amazon.com/saml; AWS validates the signature against the metadata from Step 1, checks the audience against the trust policy's SAML:aud condition, and reads the Role and RoleSessionName claims to pick the role and name the session.
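To see how the trust policy from Step 4 and the claims from Step 5 fit together, here is an added example (not code from the original post) that applies the same logical checks STS performs on an incoming assertion: the audience must satisfy the role's SAML:aud condition, the provider named in the Role claim must be the role's Federated principal, and RoleSessionName must be present. The account ID 123456789012, the TENANT-ID placeholder, the user name and the assertion XML are all constructed for the example. It deliberately skips XML signature verification, which STS performs against the metadata uploaded in Step 1 and which any real verifier must do first.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed placeholders for this added example (not values from the post).
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/AzureAD"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AzureSAMLRole"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=.@/-]+")
PROVIDER_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:saml-provider/[\w._-]+")


def trust_policy(provider_arn=PROVIDER_ARN, audience=AWS_SAML_AUDIENCE):
    """The role trust policy from Step 4 as a dict (json.dumps it for IAM)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": audience}},
        }],
    }


def parse_role_claim(value):
    """Split one Role claim value into (role_arn, provider_arn); AWS expects
    exactly 'role_arn,provider_arn' in that order, so anything else fails."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"Role claim must be 'role_arn,provider_arn': {value!r}")
    role_arn, provider_arn = (p.strip() for p in parts)
    if not ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError(f"bad role ARN: {role_arn!r}")
    if not PROVIDER_ARN_RE.fullmatch(provider_arn):
        raise ValueError(f"bad provider ARN: {provider_arn!r}")
    return role_arn, provider_arn


def check_assertion(xml_text, role_policies):
    """Apply the trust checks STS performs on an (already signature-verified)
    assertion. role_policies maps role ARN -> trust policy dict.
    Returns {'ok': True, 'roles': [...], 'session_name': ...} or
    {'ok': False, 'reason': ...}. Signature verification is NOT done here."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(
        "./saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    attrs = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]

    session_name = (attrs.get(SESSION_ATTR) or [""])[0].strip()
    if not session_name:
        return {"ok": False, "reason": "RoleSessionName attribute missing"}
    if not attrs.get(ROLE_ATTR):
        return {"ok": False, "reason": "Role attribute missing"}

    roles = []
    for value in attrs[ROLE_ATTR]:
        try:
            role_arn, provider_arn = parse_role_claim(value)
        except ValueError as exc:
            return {"ok": False, "reason": str(exc)}
        policy = role_policies.get(role_arn)
        if policy is None:
            return {"ok": False, "reason": f"no such role: {role_arn}"}
        stmt = policy["Statement"][0]
        # The provider in the claim must be the role's Federated principal ...
        if stmt["Principal"]["Federated"] != provider_arn:
            return {"ok": False, "reason": f"{role_arn} does not trust {provider_arn}"}
        # ... and the assertion audience must satisfy the SAML:aud condition.
        if stmt["Condition"]["StringEquals"]["SAML:aud"] not in audiences:
            return {"ok": False, "reason": f"audience {audiences} fails SAML:aud"}
        roles.append(role_arn)
    return {"ok": True, "roles": roles, "session_name": session_name}


def assertion(role_claim, session_name="user@example.com", audience=AWS_SAML_AUDIENCE):
    """Constructed, unsigned Azure-AD-style assertion for testing the checks."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID/</saml:Issuer>
  <saml:Subject><saml:NameID>{session_name}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>{role_claim}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}"><saml:AttributeValue>{session_name}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    policies = {ROLE_ARN: trust_policy()}
    print(json.dumps(trust_policy(), indent=2))
    print(check_assertion(assertion(f"{ROLE_ARN},{PROVIDER_ARN}"), policies))
    rogue = "arn:aws:iam::999999999999:saml-provider/AzureAD"
    print(check_assertion(assertion(f"{ROLE_ARN},{rogue}"), policies))
```

The rogue case is the one that matters in practice: an assertion naming a provider from another account is rejected because the Federated principal in the trust policy pins the role to your AzureAD provider, so copying your role ARN into someone else's tenant gains nothing. The reversed-order, wrong-audience and empty-session-name cases are the misconfigurations you will most often see when the tile in Step 7 fails.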

✍️ Final Thoughts

This setup is highly recommended for enterprises using Azure AD for identity management. It improves security, simplifies administration, and enables real SSO into AWS.

If you found this helpful, don’t forget to share, clap, and follow! 🙌
You can also reach me at solairajan.online🌐
