Document 360764

 Implementing Active Directory Federation Services in the AWS Cloud October 2014
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 1 of 19
Table of Contents Abstract ....................................................................................................................................... 3 Before You Get Started ............................................................................................................... 3 About Nested Stacks .................................................................................................................. 4 Automated Deployment .............................................................................................................. 7 Template Customization ............................................................................................................. 9 Testing Your Deployment.......................................................................................................... 12 Federated Single Sign-On ..................................................................................................... 12 Post-Configuration Tasks ......................................................................................................... 16 Further Reading ........................................................................................................................ 17 Appendix A: Amazon EC2 Security Group Configuration ......................................................... 18 Subsystem Port Mappings .................................................................................................... 18 Appendix B: Residual Resources.............................................................................................. 19 Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 2 of 19
Abstract
This guide extends Scenario #1 described in the Implementing Active Directory Domain Services in
the AWS Cloud white paper by adding Windows Active Directory Federation Services (ADFS), and
automating the configuration of SAML 2.0 federation for web single sign-on (Web SSO) access to
the Amazon Web Services Management Console.
We'll provide links to automated AWS CloudFormation templates that you can leverage for your
implementation or launch directly into your AWS account.
Amazon Web Services (AWS) provides a comprehensive set of services and tools for deploying
Microsoft Windows Server 2008 R2 and above workloads on its reliable and secure cloud
infrastructure. Active Directory Domain Services (AD DS), Domain Name Server (DNS), and Active
Directory Federation Services (ADFS) are core Windows services that provide the foundation for
many enterprise class Microsoft-based solutions; including Microsoft SharePoint, Microsoft
Exchange, and .NET applications.
This guide is aimed at organizations running workloads in the AWS cloud that wish to access AWS
with their Active Directory credentials to:
•
Provide Single Sign-On (SSO) to the AWS Management Console
•
Centralize user account management
•
Use a single set of credentials across multiple AWS accounts
•
Leverage existing investments in identity management integrations such as multifactor
authentication, key cards, event logging, password policies, self-service, etc.
Before You Get Started
Implementing ADFS in the AWS cloud is an advanced topic. If you are new to AWS, see the Getting
Started section of the AWS documentation. In addition, familiarity with the following technologies is
recommended:
•
Amazon Elastic Compute Cloud (“Amazon EC2”)
•
Amazon Virtual Private Cloud (“Amazon VPC”)
•
Elastic Load Balancing
•
Windows Server 2012 R2, 2012 or 2008 R2
•
Windows Server Active Directory and DNS
•
Windows Active Directory Federation Services
This guide focuses on infrastructure configuration topics that require careful consideration when you
are planning and deploying AD DS, Domain Controller instances, ADFS, and DNS services in the
AWS cloud. We don’t cover general Windows Server installation and software configuration tasks.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 3 of 19
For more resources about deploying, scaling, and managing Microsoft products on AWS, see
http://aws.amazon.com/microsoft.
We provide links to AWS CloudFormation templates that you can leverage for your implementation
or launch directly into your AWS account. For more information about using AWS CloudFormation
templates, see the AWS CloudFormation User Guide.
This guide details one example of how to deploy identity federation with AWS Identity and Access
Management (“IAM”). You may also use SAML federation for access to AWS APIs. Further, you
have many choices when designing your identity management implementation:
•
SAML federation can be used simultaneously with "normal" IAM User credentials to access
the AWS Management Console.
•
Multiple identity providers may be configured for a single AWS account.
•
API access may also be federated.
•
A variety of SAML Solution Providers can be used for federation with AWS.
About Nested Stacks
AWS CloudFormation allows nesting a stack as a resource inside a template. This allows you to
split up a large infrastructure into smaller modular components that can be managed discretely,
which eases long-term administration. Additionally, nesting allows you to overcome some AWS
CloudFormation limits set, which is useful in situations such as when you need to deploy over 200
resources.
Nested stack updates can be triggered by running the UpdateStack command on a top-level stack,
or by selecting the top-level stack and clicking "Update Stack" in the CloudFormation Management
Console.
To deploy a nested stack, you need only to deploy the top-level template. The master stack will
then download and deploy any subsequent, or "nested" stacks. To simplify deployment, we have
chosen to define all of the parameters at the master template level, which will be passed on to the
nested templates. This means you only need to define your parameter values once for the top-level
template, and these values will be automatically copied to the nested stacks as needed.
For this architecture, we provide these templates:
•
Part0_AD-ADFS_Stack.template, the top-level stack
•
Part1_VPC.template, the underlying network infrastructure
•
Part2_AD_2012R2.template, the nested stack for AD DS
•
Part3_ADFS_2012R2.template, the nested stack for ADFS
•
Part4_RDGW_2012R2.template, the nested stack for RDGW
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 4 of 19
The hierarchy of these stacks is represented below. The stacks shown in green are in scope of this
document, whereas the stacks shown in grey are originally from Implementing Active Directory
Domain Services in the AWS Cloud.
Part3_ADFS_2012R2
Part2_AD_2012R2
Part0_AD-ADFS_Stack
Part1_VPC
Part4_RDGW_2012R2
Figure 1: Nested CloudFormation Template Hierarchy
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 5 of 19
Once deployed, the templates will have constructed an environment resembling the diagram below.
Figure 2: Reference Architecture for Highly Available AD/ADFS in the AWS Cloud
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 6 of 19
Automated Deployment
We've created a nested stack of AWS CloudFormation templates that deploy ADFS. These
templates perform the following tasks:
•
Create an AWS IAM Role for EC2 Instances, which is used during deployment and
configuration.
•
Use the Windows Server 2012 R2 Amazon Machine Image (AMI) to launch ADFS instances
and join them to the existing Microsoft Active Directory.
•
Create self-signed SSL certificates for ADFS and Remote Desktop Gateway (RDGW)
instances.
•
Launch and configure internal Elastic Load Balancing (ELB) and register the ADFS instances
with ELB.
•
Configure VPC Security Groups and rules for traffic for Elastic Load Balancing and Amazon
EC2 instances.
•
Configure SAML-based identity federation for single sign-on to the AWS Management
Console.
•
Create two sample Active Directory Groups and corresponding AWS IAM Roles for
Development and Production access to the AWS Management Console, as demonstrated
here.
•
Configure a DNS CNAME for the SSO portal within your DNS domain.
To launch the AWS CloudFormation into the US West (Oregon) Region, click the Launch Stack
button below.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 7 of 19
Once you authenticate to your AWS account, the link above will automatically prepare your AWS
CloudFormation console with the template needed to launch the stack, as shown below. Click
"Next".
Figure 3: Deploying the AD-ADFS Stack
The following page will present you with many parameters that are required to launch the stack.
Most parameters have default values which have been automatically filled in. However, you must
specify values for the EC2 Key Pair and the RDPSourceCIDR* parameters.
* NOTE: It is important that RDP never be opened up to the entire Internet—not even for testing
purposes or temporarily. For more information, see the related Amazon Security Bulletin. Always
restrict ports and source traffic to the minimum necessary to support the functionality of the
application. For a further discussion about securing Remote Desktop Gateway, see the Securing the
Microsoft Platform on Amazon Web Services whitepaper.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 8 of 19
Figure 4: Partial List of Template Parameters
Template Customization
The templates allow for rich customization of 33 defined parameters at template launch. You can
modify those parameters passed to the master template, change the default values, or, if you
choose to edit the code of the template itself, create an entirely new set of parameters based on
your specific deployment scenario.
The template parameters include the following default values:
Parameter
Default
Description
KeyPairName
<User
Provided>
Public/private key pairs allow you to
connect securely to your instance after it
launches.
RDPSourceCIDR
<User
Provided>
Source CIDR Block to allow incoming
RDP connections to the RDGW servers.
ADFSInstanceType
m3.xlarge
Amazon EC2 instance type for the Active
Directory Federation Services instances.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 9 of 19
ADFSServerNetBIOSName1
ADFS1
NetBIOS name of the first Active
Directory Federation Services server (up
to 15 characters).
ADFSServerNetBIOSName2
ADFS2
NetBIOS name of the second Active
Directory Federation Services server (up
to 15 characters).
SAMLUser
samltest
Test user for SAML federation for the
AWS Management Console.
SAMLUserPassword
Password123
Password for the SAML test user
account. Must be at least 8 characters
containing letters and numbers.
SSLPassword
Password123
Password for the self-signed SSL
certificate. Must be at least 8 characters
containing letters and numbers.
ADFSPassword
Password123
Password for the ADFSSVC service
account. Must be at least 8 characters
containing letters and numbers.
AD1InstanceType
m3.xlarge
Amazon EC2 instance type for the first
Active Directory instance.
AD2InstanceType
m3.xlarge
Amazon EC2 instance type for the
second Active Directory instance.
ADServer1NetBIOSName
DC1
NetBIOS name of the first Active
Directory server (up to 15 characters).
ADServer2NetBIOSName
DC2
NetBIOS name of the second Active
Directory server (up to 15 characters).
ADServer1PrivateIp
10.0.2.10
Fixed private IP for the first Active
Directory server located in AZ1.
ADServer2PrivateIp
10.0.3.10
Fixed private IP for the second Active
Directory server located in AZ2.
NATInstanceType
m1.small
Amazon EC2 instance type for the NAT
instances.
RDGWInstanceType
m3.xlarge
Amazon EC2 instance type for the
Remote Desktop Gateway instances.
DomainDNSName
example.com
Fully qualified domain name (FQDN) of
the forest root domain; e.g.,
example.com.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 10 of 19
DomainNetBIOSName
example
NetBIOS name of the domain (up to 15
characters) for users of earlier versions of
Windows; e.g., EXAMPLE.
RestoreModePassword
Password123
Password for a separate administrator
account when the domain controller is in
restore mode. Must be at least 8
characters containing letters, numbers,
and symbols.
DomainAdminUser
StackAdmin
User name for the account that is added
as domain administrator. This is separate
from the default "administrator" account.
DomainAdminPassword
Password123
Password for the domain admin user.
Must be at least 8 characters containing
letters and numbers.
DMZ1CIDR
10.0.0.0/24
CIDR block for the Public Subnet located
in AZ1.
DMZ2CIDR
10.0.1.0/24
CIDR block for the Public Subnet located
in AZ2.
PrivSub1CIDR
10.0.2.0/24
CIDR block for the Private Subnet 1
located in AZ1.
PrivSub2CIDR
10.0.3.0/24
CIDR block for the Private Subnet 2
located in AZ1.
PrivSub3CIDR
10.0.4.0/24
CIDR block for the Private Subnet 3
located in AZ1.
PrivSub4CIDR
10.0.5.0/24
CIDR block for the Private Subnet 4
located in AZ1.
PrivSub5CIDR
10.0.6.0/24
CIDR block for the Private Subnet 5
located in AZ1.
PrivSub6CIDR
10.0.7.0/24
CIDR block for the Private Subnet 6
located in AZ1.
PrivSub7CIDR
10.0.8.0/24
CIDR block for the Private Subnet 7
located in AZ1.
PrivSub8CIDR
10.0.9.0/24
CIDR block for the Private Subnet 8
located in AZ1.
VPCCIDR
10.0.0.0/16
CIDR block for the VPC.
UserCount
25
Total number of test user accounts to
create in Active Directory.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 11 of 19
Testing Your Deployment
The SAMLUser user has been added to the "Domain Admins" group to permit login privileges to the
Remote Desktop Gateway servers deployed by the AD template. Additionally, some modifications
to the RDGW servers have been automated via AWS CloudFormation in order to provide a true
single sign-on experience:
•
•
•
•
•
Internet Explorer Enhanced Security Configuration (IE ESC) has been disabled
The SSO portal address (default = "https://sso.example.com") has been added to the Local
intranet zone in Internet Explorer to allow single sign-on, and has been configured as the
home page
IE Protected Mode has been disabled for the Local intranet zone to allow single sign-on, and
the associated warning banner has been disabled
The self-signed certificate for the ADFS servers has been trusted
Internet Explorer has been configured to start upon login for all users
Federated Single Sign-On
Determine the Elastic IP address of the RDGW instances by looking at the AWS CloudFormation
template output in the AWS Management Console as shown below.
Figure 5: Examining CloudFormation Outputs
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 12 of 19
Using a Remote Desktop client, log in to either of the RDGW instances using the SAML test user
credentials (defaults: example\samltest, Password123). The screenshot below shows an example
configuration for the Microsoft Remote Desktop app for Mac.
Figure 6: Connecting to RDGW Server
Some clients may present you with a warning about the self-signed certificate used by the RDGW
servers. This is one reason you need to replace these certificates with permanent certificates issued
by an authorized certificate authority.
Figure 7: SSL Certificate Warning
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 13 of 19
A few moments after you log in, IE will be launched automatically for you. If you are logging in for the
first time with this user, you'll be presented with a warning page similar to the one shown below.
Click the Home button on the browser to see the SSO login portal page.
Figure 8: First-Launch IE Browser Warning
After clicking the home button you will see the ADFS login portal. Choose to sign in to Amazon Web
Services.
Figure 9: SSO Portal for ADFS
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 14 of 19
The SAML test user has been added to two AD Groups / IAM Roles for purposes of demonstration.
The ADFS-Production Role has read-only privileges to Amazon EC2, and the ADFS-Dev Role has full
access to Amazon EC2. These example permissions were derived from the policy templates
provided in the IAM console. Select the ADFS-Dev role. Note that this selection only appears if a
user is assigned to more than one AD Group/IAM Role.
Figure 10: Selecting an IAM Role
You are then redirected to the AWS Management Console. Note that your federated credential
information is displayed in the top right corner.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 15 of 19
Figure 11: Federated AWS Management Console
Post-Configuration Tasks
After the nested stacks have been created successfully, you'll need to perform the following tasks
manually:
1. Create a certificate request and replace the temporary self-signed certificates with a
certificate signed by a valid certificate authority.
2. Change passwords for the Administrator account, ADFSSVC user and the DomainAdminUser.
3. Update password for the ADFS service.
4. After confirming successful SAML federation with AWS, disable or delete the SAML test user
account.
5. Perform and configure system and application hardening and patching consistent with your
organization's procedures.
Replace the sample AD Groups, IAM Roles and access policies for SAML-based identify
federation with policies designed to meet your organization's access requirements for the
AWS Management Console. If you are new to IAM policies, see Managing IAM Policies. You
can build and test your permissions using the AWS Policy Generator and the IAM Policy
Simulator.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 16 of 19
Further Reading
•
Microsoft on AWS:
o http://aws.amazon.com/microsoft/
•
Amazon EC2 Windows Guide:
o http://docs.amazonwebservices.com/AWSEC2/latest/WindowsGuide/Welcome.html?r
=7870
•
Secure Microsoft Applications on AWS:
o http://media.amazonwebservices.com/AWS_Microsoft_Platform_Security.pdf
•
Creating a Role for SAML-Based Federation (AWS Management Console):
o http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html
•
Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0
o http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-toAWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 17 of 19
Appendix A: Amazon EC2 Security Group Configuration
AWS provides a set of building blocks, including Amazon EC2 and Amazon VPC that you can use to
provision infrastructure for your applications. In this model, some security capabilities such as
physical security are the responsibility of AWS and are highlighted in the AWS security whitepaper.
Other capabilities, such as controlling access to applications, are the responsibility of the application
developer and the tools provided in the Microsoft platform.
If you have followed the automate deployment options in this guide, the necessary security groups
are configured for you by the provided AWS CloudFormation Templates. For port mappings
associated with the VPC, AD, and RDGW templates, refer to the Implementing Active Directory
Domain Services in the AWS Cloud white paper. The port mappings for the ADFS template and are
listed here for your reference:
Subsystem Port Mappings
Subsystem
Associated With
Inbound
Interface
ASFSServerSG
ADFS1, ADFS2
ELBSecurityGroup TCP443
ADFSServerSG
ADFS1, ADFS2
ADFS1, ADFS2
TCP80
0.0.0.0/0
TCP443
ELBSecurityGroup InternalELB
Port(s)
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 18 of 19
Appendix B: Residual Resources
Should you wish to delete the ADFS CloudFormation stack, the following items will require manual
removal:
Item
Location
Notes
Self-signed SSL
Certificate
S3 bucket
S3 buckets created by a
CloudFormation stack must be
emptied before the stack can be
successfully deleted.
ADFS Identity Provider
AWS IAM
"ADFS" is the name of this IdP
resource.
ADFS-Dev Role
AWS IAM
Provided for demonstration
purposes only.
ADFS-Production Role
AWS IAM
Provided for demonstration
purposes only.
ADFSSVC User
Active Directory
System account required for ADFS
to function.
SAMLUser
Active Directory
"samltest" is the default value for
the name of this test account.
AWS-Dev Group
Active Directory
Provided for demonstration
purposes only.
AWS-Production Group
Active Directory
Provided for demonstration
purposes only.
ADFS1 Machine Account
Active Directory
"ADFS1" is the default value for
this instance's NetBIOS name.
ADFS2 Machine Account
Active Directory
"ADFS2" is the default value for
this instance's NetBIOS name.
ELB DNS CNAME Record
AD DNS
"sso.example.com" is the default
value for this record, which may be
customized for your domain.
ADFS1 DNS A Record
AD DNS
"ADFS1" is the default value for
this instance's NetBIOS name.
ADFS2 DNS A Record
AD DNS
"ADFS2" is the default value for
this instance's NetBIOS name.
©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4
Page 19 of 19