Implementing Active Directory Federation Services in the AWS Cloud, Version 1.0 Page 1 of 24
Implementing Active Directory Federation Services in the AWS Cloud
October 2014
Table of Contents
Abstract
Before You Get Started
About Nested Stacks
Automated Deployment
Template Customization
Testing Your Deployment
    Federated Single Sign-On
Post-Configuration Tasks
Further Reading
Appendix A: Amazon EC2 Security Group Configuration
    Subsystem Port Mappings
Appendix B: Residual Resources
Abstract
This guide extends Scenario #1 described in the Implementing Active Directory Domain
Services in the AWS Cloud white paper by adding Windows Active Directory Federation
Services (ADFS), and automating the configuration of SAML 2.0 federation for web single
sign-on (Web SSO) access to the Amazon Web Services Management Console.
We'll provide links to automated AWS CloudFormation templates that you can leverage for
your implementation or launch directly into your AWS account.
Amazon Web Services (AWS) provides a comprehensive set of services and tools for
deploying Microsoft Windows Server 2008 R2 and above workloads on its reliable and
secure cloud infrastructure. Active Directory Domain Services (AD DS), Domain Name
System (DNS), and Active Directory Federation Services (ADFS) are core Windows services
that provide the foundation for many enterprise-class Microsoft-based solutions, including
Microsoft SharePoint, Microsoft Exchange, and .NET applications.
This guide is aimed at organizations running workloads in the AWS cloud that wish to
access AWS with their Active Directory credentials to:
- Provide Single Sign-On (SSO) to the AWS Management Console
- Centralize user account management
- Use a single set of credentials across multiple AWS accounts
- Leverage existing investments in identity management integrations such as
  multifactor authentication, key cards, event logging, password policies, self-service,
  etc.
Before You Get Started
Implementing ADFS in the AWS cloud is an advanced topic. If you are new to AWS, see the
Getting Started section of the AWS documentation. In addition, familiarity with the
following technologies is recommended:
- Amazon Elastic Compute Cloud (“Amazon EC2”)
- Amazon Virtual Private Cloud (“Amazon VPC”)
- Elastic Load Balancing
- Windows Server 2012 R2, 2012 or 2008 R2
- Windows Server Active Directory and DNS
- Windows Active Directory Federation Services
This guide focuses on infrastructure configuration topics that require careful consideration
when you are planning and deploying AD DS, Domain Controller instances, ADFS, and DNS
services in the AWS cloud. We don’t cover general Windows Server installation and
software configuration tasks. For more resources about deploying, scaling, and managing
Microsoft products on AWS, see http://aws.amazon.com/microsoft.
We provide links to AWS CloudFormation templates that you can leverage for your
implementation or launch directly into your AWS account. For more information about
using AWS CloudFormation templates, see the AWS CloudFormation User Guide.
This guide details one example of how to deploy identity federation with AWS Identity and
Access Management (“IAM”). You may also use SAML federation for access to AWS APIs.
Further, you have many choices when designing your identity management
implementation:
- SAML federation can be used simultaneously with "normal" IAM User credentials to
  access the AWS Management Console.
- Multiple identity providers may be configured for a single AWS account.
- API access may also be federated.
- A variety of SAML Solution Providers can be used for federation with AWS.
About Nested Stacks
AWS CloudFormation allows nesting a stack as a resource inside a template. This allows
you to split up a large infrastructure into smaller modular components that can be
managed discretely, which eases long-term administration. Additionally, nesting allows you
to work around some AWS CloudFormation limits, which is useful, for example, when you
need to deploy more than 200 resources.
Nested stack updates can be triggered by running the UpdateStack command on a top-
level stack, or by selecting the top-level stack and clicking "Update Stack" in the
CloudFormation Management Console.
To deploy a nested stack, you need only to deploy the top-level template. The master
stack will then download and deploy any subsequent, or "nested" stacks. To simplify
deployment, we have chosen to define all of the parameters at the master template level,
which will be passed on to the nested templates. This means you only need to define your
parameter values once for the top-level template, and these values will be automatically
copied to the nested stacks as needed.
For this architecture, we provide these templates:
- Part0_AD-ADFS_Stack.template, the top-level stack
- Part1_VPC.template, the underlying network infrastructure
- Part2_AD_2012R2.template, the nested stack for AD DS
- Part3_ADFS_2012R2.template, the nested stack for ADFS
- Part4_RDGW_2012R2.template, the nested stack for Remote Desktop Gateway (RDGW)
The hierarchy of these stacks is represented below. The stacks shown in green are in scope
of this document, whereas the stacks shown in grey are originally from Implementing
Active Directory Domain Services in the AWS Cloud.
Figure 1: Nested CloudFormation Template Hierarchy
Once deployed, the templates will have constructed an environment resembling the
diagram below.
Figure 2: Reference Architecture for Highly Available AD/ADFS in the AWS Cloud
Automated Deployment
We've created a nested stack of AWS CloudFormation templates that deploy ADFS. These
templates perform the following tasks:
- Create an AWS IAM Role for EC2 Instances, which is used during deployment and
  configuration.
- Use the Windows Server 2012 R2 Amazon Machine Image (AMI) to launch ADFS
  instances and join them to the existing Microsoft Active Directory.
- Create self-signed SSL certificates for ADFS and Remote Desktop Gateway (RDGW)
  instances.
- Launch and configure internal Elastic Load Balancing (ELB) and register the ADFS
  instances with ELB.
- Configure VPC Security Groups and rules for traffic for Elastic Load Balancing and
  Amazon EC2 instances.
- Configure SAML-based identity federation for single sign-on to the AWS
  Management Console.
- Create two sample Active Directory Groups and corresponding AWS IAM Roles for
  Development and Production access to the AWS Management Console, as
  demonstrated here.
- Configure a DNS CNAME for the SSO portal within your DNS domain.
To launch the AWS CloudFormation stack into the US West (Oregon) Region, use the
Launch Stack link below.
Once you authenticate to your AWS account, the link above will automatically prepare your
AWS CloudFormation console with the template needed to launch the stack, as shown
below. Click "Next".
Figure 3: Deploying the AD-ADFS Stack
The following page will present you with many parameters that are required to launch the
stack. Most parameters have default values which have been automatically filled in.
However, you must specify values for the EC2 Key Pair and the RDPSourceCIDR*
parameters. Finally, you must acknowledge that this stack creates IAM resources, as shown
below.
Figure 4: Acknowledging the creation of IAM resources
* NOTE: It is important that RDP never be opened up to the entire Internet—not even
for testing purposes or temporarily. For more information, see the related Amazon Security
Bulletin. Always restrict ports and source traffic to the minimum necessary to support the
functionality of the application. For a further discussion about securing Remote Desktop
Gateway, see the Securing the Microsoft Platform on Amazon Web Services whitepaper.
Figure 5: Partial List of Template Parameters
Template Customization
The templates allow for rich customization of 33 defined parameters at template launch.
You can modify those parameters passed to the master template, change the default
values, or, if you choose to edit the code of the template itself, create an entirely new set
of parameters based on your specific deployment scenario.
The template parameters include the following default values:
Parameter | Default | Description
KeyPairName | <User Provided> | Public/private key pairs allow you to connect securely to your instance after it launches.
RDPSourceCIDR | <User Provided> | Source CIDR block to allow incoming RDP connections to the RDGW servers.
ADFSInstanceType | m3.xlarge | Amazon EC2 instance type for the Active Directory Federation Services instances.
ADFSServerNetBIOSName1 | ADFS1 | NetBIOS name of the first Active Directory Federation Services server (up to 15 characters).
ADFSServerNetBIOSName2 | ADFS2 | NetBIOS name of the second Active Directory Federation Services server (up to 15 characters).
SAMLUser | samltest | Test user for SAML federation for the AWS Management Console.
SAMLUserPassword | Password123 | Password for the SAML test user account. Must be at least 8 characters containing letters and numbers.
SSLPassword | Password123 | Password for the self-signed SSL certificate. Must be at least 8 characters containing letters and numbers.
ADFSPassword | Password123 | Password for the ADFSSVC service account. Must be at least 8 characters containing letters and numbers.
AD1InstanceType | m3.xlarge | Amazon EC2 instance type for the first Active Directory instance.
AD2InstanceType | m3.xlarge | Amazon EC2 instance type for the second Active Directory instance.
ADServer1NetBIOSName | DC1 | NetBIOS name of the first Active Directory server (up to 15 characters).
ADServer2NetBIOSName | DC2 | NetBIOS name of the second Active Directory server (up to 15 characters).
ADServer1PrivateIp | 10.0.2.10 | Fixed private IP for the first Active Directory server located in AZ1.
ADServer2PrivateIp | 10.0.3.10 | Fixed private IP for the second Active Directory server located in AZ2.
NATInstanceType | m1.small | Amazon EC2 instance type for the NAT instances.
RDGWInstanceType | m3.xlarge | Amazon EC2 instance type for the Remote Desktop Gateway instances.
DomainDNSName | example.com | Fully qualified domain name (FQDN) of the forest root domain; e.g., example.com.
DomainNetBIOSName | example | NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows; e.g., EXAMPLE.
RestoreModePassword | Password123 | Password for a separate administrator account when the domain controller is in restore mode. Must be at least 8 characters containing letters, numbers, and symbols.
DomainAdminUser | StackAdmin | User name for the account that is added as domain administrator. This is separate from the default "administrator" account.
DomainAdminPassword | Password123 | Password for the domain admin user. Must be at least 8 characters containing letters and numbers.
DMZ1CIDR | 10.0.0.0/24 | CIDR block for the Public Subnet located in AZ1.
DMZ2CIDR | 10.0.1.0/24 | CIDR block for the Public Subnet located in AZ2.
PrivSub1CIDR | 10.0.2.0/24 | CIDR block for Private Subnet 1 located in AZ1.
PrivSub2CIDR | 10.0.3.0/24 | CIDR block for Private Subnet 2 located in AZ2.
PrivSub3CIDR | 10.0.4.0/24 | CIDR block for Private Subnet 3 located in AZ1.
PrivSub4CIDR | 10.0.5.0/24 | CIDR block for Private Subnet 4 located in AZ2.
PrivSub5CIDR | 10.0.6.0/24 | CIDR block for Private Subnet 5 located in AZ1.
PrivSub6CIDR | 10.0.7.0/24 | CIDR block for Private Subnet 6 located in AZ2.
PrivSub7CIDR | 10.0.8.0/24 | CIDR block for Private Subnet 7 located in AZ1.
PrivSub8CIDR | 10.0.9.0/24 | CIDR block for Private Subnet 8 located in AZ2.
VPCCIDR | 10.0.0.0/16 | CIDR block for the VPC.
UserCount | 25 | Total number of test user accounts to create in Active Directory.
Note that every password parameter ships with the same placeholder default. Supply your
own values at launch, or change them immediately afterwards as described under
Post-Configuration Tasks, and never leave RDPSourceCIDR open to 0.0.0.0/0.
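As an added example (not part of the whitepaper or of the AWS templates), the following Python script checks a parameter map against the rules in the table above and the RDP warning in the previous section before you launch the stack: it rejects an RDPSourceCIDR of 0.0.0.0/0, any password still set to the Password123 default or failing the stated complexity rule, NetBIOS names longer than 15 characters, subnets outside VPCCIDR or overlapping each other, and domain controller addresses outside their subnets. The key pair name, the /16 width limit on the RDP source, and the sample parameter values are assumptions made for the example.

```python
"""Pre-launch check of the parameter values for the AD/ADFS stack.

Added example; this is not code from the whitepaper or from the AWS
templates. Given the parameter map you are about to give
Part0_AD-ADFS_Stack.template, it reports the mistakes the guide warns
about before anything is created.
"""
import ipaddress
import re

PLACEHOLDER = "Password123"  # the documented default for every password parameter
PASSWORD_PARAMS = ("SAMLUserPassword", "SSLPassword", "ADFSPassword",
                   "RestoreModePassword", "DomainAdminPassword")
NETBIOS_PARAMS = ("ADFSServerNetBIOSName1", "ADFSServerNetBIOSName2",
                  "ADServer1NetBIOSName", "ADServer2NetBIOSName", "DomainNetBIOSName")
SUBNET_PARAMS = ("DMZ1CIDR", "DMZ2CIDR") + tuple(f"PrivSub{i}CIDR" for i in range(1, 9))
# Fixed DC address -> the subnet parameter it must fall in (per the parameter table).
DC_IP_PARAMS = (("ADServer1PrivateIp", "PrivSub1CIDR"), ("ADServer2PrivateIp", "PrivSub2CIDR"))
# Widest RDP source this check tolerates; the /16 cut-off is this example's own choice.
RDP_MIN_PREFIX = 16


def password_ok(value, need_symbol=False):
    """At least 8 characters with letters and digits; optionally a symbol as well."""
    if len(value) < 8 or not re.search(r"[A-Za-z]", value) or not re.search(r"\d", value):
        return False
    return not need_symbol or re.search(r"[^A-Za-z0-9]", value) is not None


def validate_parameters(params):
    """Return a list of findings; an empty list means the values pass every check."""
    findings = []
    if not params.get("KeyPairName"):
        findings.append("KeyPairName: must name an existing EC2 key pair")

    # RDP must never be open to the whole Internet, not even temporarily.
    rdp = params.get("RDPSourceCIDR", "")
    try:
        rdp_net = ipaddress.ip_network(rdp, strict=True)
        if rdp_net.prefixlen == 0:
            findings.append("RDPSourceCIDR: 0.0.0.0/0 exposes RDP to the Internet")
        elif rdp_net.prefixlen < RDP_MIN_PREFIX:
            findings.append(f"RDPSourceCIDR: {rdp} is wider than /{RDP_MIN_PREFIX}; narrow it to your admin range")
    except ValueError:
        findings.append(f"RDPSourceCIDR: {rdp!r} is not a valid CIDR block")

    # Passwords: reject the shipped placeholder, then apply the table's complexity rule.
    for name in PASSWORD_PARAMS:
        value = params.get(name, "")
        if value == PLACEHOLDER:
            findings.append(f"{name}: still set to the documented default")
        elif not password_ok(value, need_symbol=(name == "RestoreModePassword")):
            findings.append(f"{name}: does not meet the complexity rule")

    for name in NETBIOS_PARAMS:
        if len(params.get(name, "")) > 15:
            findings.append(f"{name}: NetBIOS names are limited to 15 characters")

    # Every subnet must sit inside the VPC CIDR and must not overlap another subnet.
    try:
        vpc = ipaddress.ip_network(params.get("VPCCIDR", ""), strict=True)
    except ValueError:
        findings.append("VPCCIDR: not a valid CIDR block")
        return findings
    subnets = []
    for name in SUBNET_PARAMS:
        try:
            net = ipaddress.ip_network(params.get(name, ""), strict=True)
        except ValueError:
            findings.append(f"{name}: not a valid CIDR block")
            continue
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPCCIDR {vpc}")
        for other_name, other in subnets:
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} {other}")
        subnets.append((name, net))

    # The fixed domain controller addresses must fall inside their own subnets.
    subnet_map = dict(subnets)
    for ip_name, subnet_name in DC_IP_PARAMS:
        try:
            addr = ipaddress.ip_address(params.get(ip_name, ""))
        except ValueError:
            findings.append(f"{ip_name}: not a valid IP address")
            continue
        if subnet_name in subnet_map and addr not in subnet_map[subnet_name]:
            findings.append(f"{ip_name}: {addr} is not inside {subnet_name}")
    return findings


# Constructed input: the table's defaults plus a key pair name and a wide-open RDP source.
SAMPLE_DEFAULTS = {
    "KeyPairName": "adfs-lab", "RDPSourceCIDR": "0.0.0.0/0",
    **{name: PLACEHOLDER for name in PASSWORD_PARAMS},
    "ADFSServerNetBIOSName1": "ADFS1", "ADFSServerNetBIOSName2": "ADFS2",
    "ADServer1NetBIOSName": "DC1", "ADServer2NetBIOSName": "DC2", "DomainNetBIOSName": "example",
    "ADServer1PrivateIp": "10.0.2.10", "ADServer2PrivateIp": "10.0.3.10",
    "VPCCIDR": "10.0.0.0/16", "DMZ1CIDR": "10.0.0.0/24", "DMZ2CIDR": "10.0.1.0/24",
    **{f"PrivSub{i}CIDR": f"10.0.{i + 1}.0/24" for i in range(1, 9)},
}

if __name__ == "__main__":
    for finding in validate_parameters(SAMPLE_DEFAULTS):
        print("FAIL:", finding)
```

Run against the defaults, the script reports the open RDP source and all five placeholder passwords; with a narrowed RDPSourceCIDR and real passwords it reports nothing, which is the state the stack should be launched in.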
Testing Your Deployment
The SAMLUser user has been added to the "Domain Admins" group to permit login to the
Remote Desktop Gateway servers deployed by the AD template. This is a convenience for
the test walk-through only; once you have confirmed federation, disable or delete the
account as described under Post-Configuration Tasks.
Additionally, some modifications to the RDGW servers have been automated via AWS
CloudFormation in order to provide a true single sign-on experience:
- Internet Explorer Enhanced Security Configuration (IE ESC) has been disabled
- The SSO portal address (default = "https://sso.example.com") has been added to the
  Local intranet zone in Internet Explorer to allow single sign-on, and has been
  configured as the home page
- IE Protected Mode has been disabled for the Local intranet zone to allow single
  sign-on, and the associated warning banner has been disabled
- The self-signed certificate for the ADFS servers has been trusted
- Internet Explorer has been configured to start upon login for all users
Federated Single Sign-On
Determine the Elastic IP address of the RDGW instances by looking at the AWS
CloudFormation template output in the AWS Management Console as shown below.
Figure 6: Examining CloudFormation Outputs
Using a Remote Desktop client, log in to either of the RDGW instances using the SAML
test user credentials (defaults: example\samltest, Password123). The screenshot below
shows an example configuration for the Microsoft Remote Desktop app for Mac.
Figure 7: Connecting to RDGW Server
Some clients will warn you about the self-signed certificate used by the RDGW servers.
This is one reason to replace these certificates with certificates issued by a certificate
authority your clients trust (see Post-Configuration Tasks).
Figure 8: SSL Certificate Warning
A few moments after you log in, IE will be launched automatically for you. If you are
logging in for the first time with this user, you'll be presented with a warning page similar
to the one shown below. Click the Home button on the browser to see the SSO login
portal page.
Figure 9: First-Launch IE Browser Warning
After clicking the home button you will see the ADFS login portal. Choose to sign in to
Amazon Web Services.
Figure 10: SSO Portal for ADFS
The SAML test user has been added to two AD Groups / IAM Roles for purposes of
demonstration. The ADFS-Production Role has read-only privileges to Amazon EC2, and
the ADFS-Dev Role has full access to Amazon EC2. These example permissions were
derived from the policy templates provided in the IAM console. Select the ADFS-Dev role.
Note that this selection only appears if a user is assigned to more than one AD Group/IAM
Role.
Figure 11: Selecting an IAM Role
You are then redirected to the AWS Management Console. Note that your federated
credential information is displayed in the top right corner.
Figure 12: Federated AWS Management Console
Post-Configuration Tasks
After the nested stacks have been created successfully, you'll need to perform the
following tasks manually:
1. Create a certificate request and replace the temporary self-signed certificates with a
certificate signed by a valid certificate authority.
2. Change passwords for the Administrator account, the ADFSSVC service account and the
DomainAdminUser.
3. Update the credentials configured for the ADFS service so they match the new
ADFSSVC password.
4. After confirming successful SAML federation with AWS, disable or delete the SAML
test user account.
5. Perform and configure system and application hardening and patching consistent
with your organization's procedures.
6. Replace the sample AD Groups, IAM Roles and access policies for SAML-based
identity federation with policies designed to meet your organization's access
requirements for the AWS Management Console. If you are new to IAM policies, see
Managing IAM Policies. You can build and test your permissions using the AWS
Policy Generator and the IAM Policy Simulator.
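The following Python, added here as an example rather than taken from the whitepaper or the templates, builds the trust policy a replacement role needs and checks an existing trust policy for anything that would let more than the "ADFS" identity provider assume it through the console sign-in audience. It assumes the provider is named ADFS as listed in Appendix B, uses the placeholder account ID 123456789012, and includes an EC2 read-only permission policy in the spirit of the sample ADFS-Production role; the role names and permission contents are yours to define.

```python
"""Build and check the IAM trust policy a SAML-federated role needs.

Added example, not code from the whitepaper or the templates. A role that
Active Directory users reach through ADFS must trust only the account's
SAML provider, only for sts:AssumeRoleWithSAML, and only for the console
audience. The account ID used below is a placeholder.
"""
import json

SIGNIN_AUDIENCE = "https://signin.aws.amazon.com/saml"  # AWS console SAML audience


def saml_provider_arn(account_id, provider_name="ADFS"):
    """ARN of the IAM identity provider the stack created (named "ADFS" by default)."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_trust_policy(account_id, provider_name="ADFS"):
    """Trust policy that lets only the named SAML provider assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SIGNIN_AUDIENCE}},
        }],
    }


def ec2_read_only_policy():
    """Permission policy in the spirit of the sample ADFS-Production role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
    }


def check_trust_policy(policy, expected_provider_arn):
    """Return findings for anything that widens who may assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithSAML" not in actions and not any(a in ("sts:*", "*") for a in actions):
            continue  # statement does not grant SAML role assumption
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("statement allows any principal to assume the role")
            continue
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        fed_list = [federated] if isinstance(federated, str) else (federated or [])
        if fed_list != [expected_provider_arn]:
            findings.append(f"Federated principal is {fed_list}, expected [{expected_provider_arn!r}]")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SIGNIN_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition; role could be assumed from another audience")
    return findings


if __name__ == "__main__":
    arn = saml_provider_arn("123456789012")
    policy = build_trust_policy("123456789012")
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, arn))
```

Run the checker over every role you intend to expose through ADFS, not only the two the stack created; a role whose trust policy names a second provider or lacks the audience condition is reachable from more places than the SSO portal.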
Further Reading
Microsoft on AWS:
o http://aws.amazon.com/microsoft/
Amazon EC2 Windows Guide:
o http://docs.amazonwebservices.com/AWSEC2/latest/WindowsGuide/Welcome.html?r=7870
Secure Microsoft Applications on AWS:
o http://media.amazonwebservices.com/AWS_Microsoft_Platform_Security.pdf
Creating a Role for SAML-Based Federation (AWS Management Console):
o http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html
Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0:
o http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
Appendix A: Amazon EC2 Security Group Configuration
AWS provides a set of building blocks, including Amazon EC2 and Amazon VPC that you
can use to provision infrastructure for your applications. In this model, some security
capabilities such as physical security are the responsibility of AWS and are highlighted in
the AWS security whitepaper. Other capabilities, such as controlling access to applications,
are the responsibility of the application developer and the tools provided in the Microsoft
platform.
If you have followed the automated deployment option in this guide, the necessary security
groups are configured for you by the provided AWS CloudFormation templates. For port
mappings associated with the VPC, AD, and RDGW templates, refer to the Implementing
Active Directory Domain Services in the AWS Cloud white paper. The port mappings for
the ADFS template are listed here for your reference:
Subsystem Port Mappings
Subsystem | Associated With | Inbound Interface | Port(s)
ADFSServerSG | ADFS1, ADFS2 | ELBSecurityGroup | TCP 443
ADFSServerSG | ADFS1, ADFS2 | ADFS1, ADFS2 | TCP 80
ELBSecurityGroup | InternalELB | 0.0.0.0/0 | TCP 443
Because the load balancer is internal, the 0.0.0.0/0 source on ELBSecurityGroup is only
reachable from inside the VPC and from networks connected to it. Restricting that rule to
the VPC CIDR, or to the subnets that host your RDGW and application instances, follows the
guide's advice to allow only the minimum necessary source traffic.
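The Python below is an added example, not code from the whitepaper or from the AWS templates. It reads the security group resources of a CloudFormation template and compares each inbound rule with the port-mapping table above, treating any rule the table does not list, any rule from an unexpected security group, and any CIDR wider than the VPC as a finding. The template fragment is constructed for the example and only mirrors the three rows of the table; the expectation for ELBSecurityGroup is deliberately the tighter one (TCP 443 from the VPC CIDR), so the 0.0.0.0/0 rule the stack ships with is reported.

```python
"""Audit the ADFS security-group ingress rules in a CloudFormation template.

Added example; not code from the whitepaper or from the AWS templates. It
walks AWS::EC2::SecurityGroup and AWS::EC2::SecurityGroupIngress resources
and compares every inbound rule with the Subsystem Port Mappings table.
"""
import ipaddress

# Allowed inbound rules per security group: (protocol, port) -> allowed sources, where a
# source is another group's logical name or the literal "VPCCIDR" (any CIDR inside the VPC).
EXPECTED = {
    "ADFSServerSG": {("tcp", 443): {"ELBSecurityGroup"}, ("tcp", 80): {"ADFSServerSG"}},
    "ELBSecurityGroup": {("tcp", 443): {"VPCCIDR"}},  # tighter than the table's 0.0.0.0/0
}


def resolve(value, params):
    """Turn a literal or {"Ref": name} into a parameter value or a resource's logical name."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], value["Ref"])
    return value


def ingress_rules(template):
    """Yield (group logical name, rule properties) for inline and standalone ingress rules."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield resolve(props.get("GroupId"), {}), props


def audit(template, expected, vpc_cidr):
    """Return one finding per ingress rule that is wider than the expected mapping."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    params = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
    params["VPCCIDR"] = vpc_cidr  # the value the stack was launched with
    for group, rule in ingress_rules(template):
        proto = str(rule.get("IpProtocol", "-1"))
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        src = resolve(rule.get("SourceSecurityGroupId", rule.get("CidrIp")), params)
        label = f"{group}: {proto}/{lo}-{hi} from {src}"
        if proto == "-1" or lo < 0:
            findings.append(label + " allows all traffic")
            continue
        if lo != hi:
            findings.append(label + " is a port range; the table lists single ports")
            continue
        sources = expected.get(group, {}).get((proto, lo))
        if sources is None:
            findings.append(label + " is not in the port-mapping table")
            continue
        if src in sources:  # an allowed security-group reference
            continue
        try:
            net = ipaddress.ip_network(src)
        except (ValueError, TypeError):
            findings.append(label + " comes from an unexpected security group")
            continue
        if "VPCCIDR" in sources and net.subnet_of(vpc):
            continue  # a CIDR no wider than the VPC, where VPC-internal sources are allowed
        findings.append(label + f" is wider than expected ({', '.join(sorted(sources))})")
    return findings


# Constructed template fragment mirroring the three rows of the port-mapping table.
SAMPLE_TEMPLATE = {
    "Parameters": {"VPCCIDR": {"Type": "String", "Default": "10.0.0.0/16"}},
    "Resources": {
        "ELBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "ADFSServerSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "SourceSecurityGroupId": {"Ref": "ELBSecurityGroup"}}]}},
        # A group that references itself must do so in a standalone ingress resource.
        "ADFSServerSGIngress80": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "ADFSServerSG"}, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "SourceSecurityGroupId": {"Ref": "ADFSServerSG"}}},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE, EXPECTED, "10.0.0.0/16"):
        print("FAIL:", finding)
```

Changing the ELB rule's CidrIp to {"Ref": "VPCCIDR"} clears the finding; running the same audit over the VPC, AD and RDGW templates with their own expected tables (from the AD DS white paper) catches an accidental TCP 3389 rule from 0.0.0.0/0 the same way.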
Appendix B: Residual Resources
Should you wish to delete the ADFS CloudFormation stack, the following items will require
manual removal:
Item | Location | Notes
Self-signed SSL Certificate | S3 bucket | S3 buckets created by a CloudFormation stack must be emptied before the stack can be successfully deleted.
ADFS Identity Provider | AWS IAM | "ADFS" is the name of this IdP resource.
ADFS-Dev Role | AWS IAM | Provided for demonstration purposes only.
ADFS-Production Role | AWS IAM | Provided for demonstration purposes only.
ADFSSVC User | Active Directory | System account required for ADFS to function.
SAMLUser | Active Directory | "samltest" is the default value for the name of this test account.
AWS-Dev Group | Active Directory | Provided for demonstration purposes only.
AWS-Production Group | Active Directory | Provided for demonstration purposes only.
ADFS1 Machine Account | Active Directory | "ADFS1" is the default value for this instance's NetBIOS name.
ADFS2 Machine Account | Active Directory | "ADFS2" is the default value for this instance's NetBIOS name.
ELB DNS CNAME Record | AD DNS | "sso.example.com" is the default value for this record, which may be customized for your domain.
ADFS1 DNS A Record | AD DNS | "ADFS1" is the default value for this instance's NetBIOS name.
ADFS2 DNS A Record | AD DNS | "ADFS2" is the default value for this instance's NetBIOS name.
©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.