Implementing Active Directory Federation Services in the AWS Cloud October 2014 Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 1 of 19 Table of Contents Abstract ....................................................................................................................................... 3 Before You Get Started ............................................................................................................... 3 About Nested Stacks .................................................................................................................. 4 Automated Deployment .............................................................................................................. 7 Template Customization ............................................................................................................. 9 Testing Your Deployment.......................................................................................................... 12 Federated Single Sign-On ..................................................................................................... 12 Post-Configuration Tasks ......................................................................................................... 16 Further Reading ........................................................................................................................ 17 Appendix A: Amazon EC2 Security Group Configuration ......................................................... 18 Subsystem Port Mappings .................................................................................................... 18 Appendix B: Residual Resources.............................................................................................. 19 Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 2 of 19 Abstract This guide extends Scenario #1 described in the Implementing Active Directory Domain Services in the AWS Cloud white paper by adding Windows Active Directory Federation Services (ADFS), and automating the configuration of SAML 2.0 federation for web single sign-on (Web SSO) access to the Amazon Web Services Management Console. We'll provide links to automated AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account. Amazon Web Services (AWS) provides a comprehensive set of services and tools for deploying Microsoft Windows Server 2008 R2 and above workloads on its reliable and secure cloud infrastructure. Active Directory Domain Services (AD DS), Domain Name Server (DNS), and Active Directory Federation Services (ADFS) are core Windows services that provide the foundation for many enterprise class Microsoft-based solutions; including Microsoft SharePoint, Microsoft Exchange, and .NET applications. This guide is aimed at organizations running workloads in the AWS cloud that wish to access AWS with their Active Directory credentials to: • Provide Single Sign-On (SSO) to the AWS Management Console • Centralize user account management • Use a single set of credentials across multiple AWS accounts • Leverage existing investments in identity management integrations such as multifactor authentication, key cards, event logging, password policies, self-service, etc. Before You Get Started Implementing ADFS in the AWS cloud is an advanced topic. If you are new to AWS, see the Getting Started section of the AWS documentation. In addition, familiarity with the following technologies is recommended: • Amazon Elastic Compute Cloud (“Amazon EC2”) • Amazon Virtual Private Cloud (“Amazon VPC”) • Elastic Load Balancing • Windows Server 2012 R2, 2012 or 2008 R2 • Windows Server Active Directory and DNS • Windows Active Directory Federation Services This guide focuses on infrastructure configuration topics that require careful consideration when you are planning and deploying AD DS, Domain Controller instances, ADFS, and DNS services in the AWS cloud. We don’t cover general Windows Server installation and software configuration tasks. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 3 of 19 For more resources about deploying, scaling, and managing Microsoft products on AWS, see http://aws.amazon.com/microsoft. We provide links to AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account. For more information about using AWS CloudFormation templates, see the AWS CloudFormation User Guide. This guide details one example of how to deploy identity federation with AWS Identity and Access Management (“IAM”). You may also use SAML federation for access to AWS APIs. Further, you have many choices when designing your identity management implementation: • SAML federation can be used simultaneously with "normal" IAM User credentials to access the AWS Management Console. • Multiple identity providers may be configured for a single AWS account. • API access may also be federated. • A variety of SAML Solution Providers can be used for federation with AWS. About Nested Stacks AWS CloudFormation allows nesting a stack as a resource inside a template. This allows you to split up a large infrastructure into smaller modular components that can be managed discretely, which eases long-term administration. Additionally, nesting allows you to overcome some AWS CloudFormation limits set, which is useful in situations such as when you need to deploy over 200 resources. Nested stack updates can be triggered by running the UpdateStack command on a top-level stack, or by selecting the top-level stack and clicking "Update Stack" in the CloudFormation Management Console. To deploy a nested stack, you need only to deploy the top-level template. The master stack will then download and deploy any subsequent, or "nested" stacks. To simplify deployment, we have chosen to define all of the parameters at the master template level, which will be passed on to the nested templates. This means you only need to define your parameter values once for the top-level template, and these values will be automatically copied to the nested stacks as needed. For this architecture, we provide these templates: • Part0_AD-ADFS_Stack.template, the top-level stack • Part1_VPC.template, the underlying network infrastructure • Part2_AD_2012R2.template, the nested stack for AD DS • Part3_ADFS_2012R2.template, the nested stack for ADFS • Part4_RDGW_2012R2.template, the nested stack for RDGW Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 4 of 19 The hierarchy of these stacks is represented below. The stacks shown in green are in scope of this document, whereas the stacks shown in grey are originally from Implementing Active Directory Domain Services in the AWS Cloud. Part3_ADFS_2012R2 Part2_AD_2012R2 Part0_AD-ADFS_Stack Part1_VPC Part4_RDGW_2012R2 Figure 1: Nested CloudFormation Template Hierarchy Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 5 of 19 Once deployed, the templates will have constructed an environment resembling the diagram below. Figure 2: Reference Architecture for Highly Available AD/ADFS in the AWS Cloud Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 6 of 19 Automated Deployment We've created a nested stack of AWS CloudFormation templates that deploy ADFS. These templates perform the following tasks: • Create an AWS IAM Role for EC2 Instances, which is used during deployment and configuration. • Use the Windows Server 2012 R2 Amazon Machine Image (AMI) to launch ADFS instances and join them to the existing Microsoft Active Directory. • Create self-signed SSL certificates for ADFS and Remote Desktop Gateway (RDGW) instances. • Launch and configure internal Elastic Load Balancing (ELB) and register the ADFS instances with ELB. • Configure VPC Security Groups and rules for traffic for Elastic Load Balancing and Amazon EC2 instances. • Configure SAML-based identity federation for single sign-on to the AWS Management Console. • Create two sample Active Directory Groups and corresponding AWS IAM Roles for Development and Production access to the AWS Management Console, as demonstrated here. • Configure a DNS CNAME for the SSO portal within your DNS domain. To launch the AWS CloudFormation into the US West (Oregon) Region, click the Launch Stack button below. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 7 of 19 Once you authenticate to your AWS account, the link above will automatically prepare your AWS CloudFormation console with the template needed to launch the stack, as shown below. Click "Next". Figure 3: Deploying the AD-ADFS Stack The following page will present you with many parameters that are required to launch the stack. Most parameters have default values which have been automatically filled in. However, you must specify values for the EC2 Key Pair and the RDPSourceCIDR* parameters. * NOTE: It is important that RDP never be opened up to the entire Internet—not even for testing purposes or temporarily. For more information, see the related Amazon Security Bulletin. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application. For a further discussion about securing Remote Desktop Gateway, see the Securing the Microsoft Platform on Amazon Web Services whitepaper. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 8 of 19 Figure 4: Partial List of Template Parameters Template Customization The templates allow for rich customization of 33 defined parameters at template launch. You can modify those parameters passed to the master template, change the default values, or, if you choose to edit the code of the template itself, create an entirely new set of parameters based on your specific deployment scenario. The template parameters include the following default values: Parameter Default Description KeyPairName <User Provided> Public/private key pairs allow you to connect securely to your instance after it launches. RDPSourceCIDR <User Provided> Source CIDR Block to allow incoming RDP connections to the RDGW servers. ADFSInstanceType m3.xlarge Amazon EC2 instance type for the Active Directory Federation Services instances. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 9 of 19 ADFSServerNetBIOSName1 ADFS1 NetBIOS name of the first Active Directory Federation Services server (up to 15 characters). ADFSServerNetBIOSName2 ADFS2 NetBIOS name of the second Active Directory Federation Services server (up to 15 characters). SAMLUser samltest Test user for SAML federation for the AWS Management Console. SAMLUserPassword Password123 Password for the SAML test user account. Must be at least 8 characters containing letters and numbers. SSLPassword Password123 Password for the self-signed SSL certificate. Must be at least 8 characters containing letters and numbers. ADFSPassword Password123 Password for the ADFSSVC service account. Must be at least 8 characters containing letters and numbers. AD1InstanceType m3.xlarge Amazon EC2 instance type for the first Active Directory instance. AD2InstanceType m3.xlarge Amazon EC2 instance type for the second Active Directory instance. ADServer1NetBIOSName DC1 NetBIOS name of the first Active Directory server (up to 15 characters). ADServer2NetBIOSName DC2 NetBIOS name of the second Active Directory server (up to 15 characters). ADServer1PrivateIp 10.0.2.10 Fixed private IP for the first Active Directory server located in AZ1. ADServer2PrivateIp 10.0.3.10 Fixed private IP for the second Active Directory server located in AZ2. NATInstanceType m1.small Amazon EC2 instance type for the NAT instances. RDGWInstanceType m3.xlarge Amazon EC2 instance type for the Remote Desktop Gateway instances. DomainDNSName example.com Fully qualified domain name (FQDN) of the forest root domain; e.g., example.com. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 10 of 19 DomainNetBIOSName example NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows; e.g., EXAMPLE. RestoreModePassword Password123 Password for a separate administrator account when the domain controller is in restore mode. Must be at least 8 characters containing letters, numbers, and symbols. DomainAdminUser StackAdmin User name for the account that is added as domain administrator. This is separate from the default "administrator" account. DomainAdminPassword Password123 Password for the domain admin user. Must be at least 8 characters containing letters and numbers. DMZ1CIDR 10.0.0.0/24 CIDR block for the Public Subnet located in AZ1. DMZ2CIDR 10.0.1.0/24 CIDR block for the Public Subnet located in AZ2. PrivSub1CIDR 10.0.2.0/24 CIDR block for the Private Subnet 1 located in AZ1. PrivSub2CIDR 10.0.3.0/24 CIDR block for the Private Subnet 2 located in AZ1. PrivSub3CIDR 10.0.4.0/24 CIDR block for the Private Subnet 3 located in AZ1. PrivSub4CIDR 10.0.5.0/24 CIDR block for the Private Subnet 4 located in AZ1. PrivSub5CIDR 10.0.6.0/24 CIDR block for the Private Subnet 5 located in AZ1. PrivSub6CIDR 10.0.7.0/24 CIDR block for the Private Subnet 6 located in AZ1. PrivSub7CIDR 10.0.8.0/24 CIDR block for the Private Subnet 7 located in AZ1. PrivSub8CIDR 10.0.9.0/24 CIDR block for the Private Subnet 8 located in AZ1. VPCCIDR 10.0.0.0/16 CIDR block for the VPC. UserCount 25 Total number of test user accounts to create in Active Directory. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 11 of 19 Testing Your Deployment The SAMLUser user has been added to the "Domain Admins" group to permit login privileges to the Remote Desktop Gateway servers deployed by the AD template. Additionally, some modifications to the RDGW servers have been automated via AWS CloudFormation in order to provide a true single sign-on experience: • • • • • Internet Explorer Enhanced Security Configuration (IE ESC) has been disabled The SSO portal address (default = "https://sso.example.com") has been added to the Local intranet zone in Internet Explorer to allow single sign-on, and has been configured as the home page IE Protected Mode has been disabled for the Local intranet zone to allow single sign-on, and the associated warning banner has been disabled The self-signed certificate for the ADFS servers has been trusted Internet Explorer has been configured to start upon login for all users Federated Single Sign-On Determine the Elastic IP address of the RDGW instances by looking at the AWS CloudFormation template output in the AWS Management Console as shown below. Figure 5: Examining CloudFormation Outputs Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 12 of 19 Using a Remote Desktop client, log in to either of the RDGW instances using the SAML test user credentials (defaults: example\samltest, Password123). The screenshot below shows an example configuration for the Microsoft Remote Desktop app for Mac. Figure 6: Connecting to RDGW Server Some clients may present you with a warning about the self-signed certificate used by the RDGW servers. This is one reason you need to replace these certificates with permanent certificates issued by an authorized certificate authority. Figure 7: SSL Certificate Warning Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 13 of 19 A few moments after you log in, IE will be launched automatically for you. If you are logging in for the first time with this user, you'll be presented with a warning page similar to the one shown below. Click the Home button on the browser to see the SSO login portal page. Figure 8: First-Launch IE Browser Warning After clicking the home button you will see the ADFS login portal. Choose to sign in to Amazon Web Services. Figure 9: SSO Portal for ADFS Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 14 of 19 The SAML test user has been added to two AD Groups / IAM Roles for purposes of demonstration. The ADFS-Production Role has read-only privileges to Amazon EC2, and the ADFS-Dev Role has full access to Amazon EC2. These example permissions were derived from the policy templates provided in the IAM console. Select the ADFS-Dev role. Note that this selection only appears if a user is assigned to more than one AD Group/IAM Role. Figure 10: Selecting an IAM Role You are then redirected to the AWS Management Console. Note that your federated credential information is displayed in the top right corner. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 15 of 19 Figure 11: Federated AWS Management Console Post-Configuration Tasks After the nested stacks have been created successfully, you'll need to perform the following tasks manually: 1. Create a certificate request and replace the temporary self-signed certificates with a certificate signed by a valid certificate authority. 2. Change passwords for the Administrator account, ADFSSVC user and the DomainAdminUser. 3. Update password for the ADFS service. 4. After confirming successful SAML federation with AWS, disable or delete the SAML test user account. 5. Perform and configure system and application hardening and patching consistent with your organization's procedures. Replace the sample AD Groups, IAM Roles and access policies for SAML-based identify federation with policies designed to meet your organization's access requirements for the AWS Management Console. If you are new to IAM policies, see Managing IAM Policies. You can build and test your permissions using the AWS Policy Generator and the IAM Policy Simulator. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 16 of 19 Further Reading • Microsoft on AWS: o http://aws.amazon.com/microsoft/ • Amazon EC2 Windows Guide: o http://docs.amazonwebservices.com/AWSEC2/latest/WindowsGuide/Welcome.html?r =7870 • Secure Microsoft Applications on AWS: o http://media.amazonwebservices.com/AWS_Microsoft_Platform_Security.pdf • Creating a Role for SAML-Based Federation (AWS Management Console): o http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html • Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0 o http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-toAWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0 ©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 17 of 19 Appendix A: Amazon EC2 Security Group Configuration AWS provides a set of building blocks, including Amazon EC2 and Amazon VPC that you can use to provision infrastructure for your applications. In this model, some security capabilities such as physical security are the responsibility of AWS and are highlighted in the AWS security whitepaper. Other capabilities, such as controlling access to applications, are the responsibility of the application developer and the tools provided in the Microsoft platform. If you have followed the automate deployment options in this guide, the necessary security groups are configured for you by the provided AWS CloudFormation Templates. For port mappings associated with the VPC, AD, and RDGW templates, refer to the Implementing Active Directory Domain Services in the AWS Cloud white paper. The port mappings for the ADFS template and are listed here for your reference: Subsystem Port Mappings Subsystem Associated With Inbound Interface ASFSServerSG ADFS1, ADFS2 ELBSecurityGroup TCP443 ADFSServerSG ADFS1, ADFS2 ADFS1, ADFS2 TCP80 0.0.0.0/0 TCP443 ELBSecurityGroup InternalELB Port(s) Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 18 of 19 Appendix B: Residual Resources Should you wish to delete the ADFS CloudFormation stack, the following items will require manual removal: Item Location Notes Self-signed SSL Certificate S3 bucket S3 buckets created by a CloudFormation stack must be emptied before the stack can be successfully deleted. ADFS Identity Provider AWS IAM "ADFS" is the name of this IdP resource. ADFS-Dev Role AWS IAM Provided for demonstration purposes only. ADFS-Production Role AWS IAM Provided for demonstration purposes only. ADFSSVC User Active Directory System account required for ADFS to function. SAMLUser Active Directory "samltest" is the default value for the name of this test account. AWS-Dev Group Active Directory Provided for demonstration purposes only. AWS-Production Group Active Directory Provided for demonstration purposes only. ADFS1 Machine Account Active Directory "ADFS1" is the default value for this instance's NetBIOS name. ADFS2 Machine Account Active Directory "ADFS2" is the default value for this instance's NetBIOS name. ELB DNS CNAME Record AD DNS "sso.example.com" is the default value for this record, which may be customized for your domain. ADFS1 DNS A Record AD DNS "ADFS1" is the default value for this instance's NetBIOS name. ADFS2 DNS A Record AD DNS "ADFS2" is the default value for this instance's NetBIOS name. ©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved. Implementing Active Directory Federation Services in the AWS Cloud, Version 0.4 Page 19 of 19
© Copyright 2024