
Implementing Active Directory Federation Services in the AWS Cloud
October 2014
Implementing Active Directory Federation Services in the AWS Cloud, Version 1.0, Page 1 of 24

Table of Contents

Abstract ... 3
Before You Get Started ... 3
About Nested Stacks ... 5
Automated Deployment ... 8
Template Customization ... 11
Testing Your Deployment ... 15
Federated Single Sign-On ... 15
Post-Configuration Tasks ... 20
Further Reading ... 21
Appendix A: Amazon EC2 Security Group Configuration ... 22
Subsystem Port Mappings ... 22
Appendix B: Residual Resources ... 23

Abstract

This guide extends Scenario #1 described in the Implementing Active Directory Domain Services in the AWS Cloud white paper by adding Windows Active Directory Federation Services (ADFS), and automating the configuration of SAML 2.0 federation for web single sign-on (Web SSO) access to the Amazon Web Services Management Console. We'll provide links to automated AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account.

Amazon Web Services (AWS) provides a comprehensive set of services and tools for deploying Microsoft Windows Server 2008 R2 and above workloads on its reliable and secure cloud infrastructure. Active Directory Domain Services (AD DS), Domain Name Server (DNS), and Active Directory Federation Services (ADFS) are core Windows services that provide the foundation for many enterprise class Microsoft-based solutions, including Microsoft SharePoint, Microsoft Exchange, and .NET applications.

This guide is aimed at organizations running workloads in the AWS cloud that wish to access AWS with their Active Directory credentials to:

- Provide Single Sign-On (SSO) to the AWS Management Console
- Centralize user account management
- Use a single set of credentials across multiple AWS accounts
- Leverage existing investments in identity management integrations such as multifactor authentication, key cards, event logging, password policies, self-service, etc.

Before You Get Started

Implementing ADFS in the AWS cloud is an advanced topic. If you are new to AWS, see the Getting Started section of the AWS documentation. In addition, familiarity with the following technologies is recommended:

- Amazon Elastic Compute Cloud ("Amazon EC2")
- Amazon Virtual Private Cloud ("Amazon VPC")
- Elastic Load Balancing
- Windows Server 2012 R2, 2012 or 2008 R2
- Windows Server Active Directory and DNS
- Windows Active Directory Federation Services

This guide focuses on infrastructure configuration topics that require careful consideration when you are planning and deploying AD DS, Domain Controller instances, ADFS, and DNS services in the AWS cloud. We don't cover general Windows Server installation and software configuration tasks. For more resources about deploying, scaling, and managing Microsoft products on AWS, see http://aws.amazon.com/microsoft.

We provide links to AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account. For more information about using AWS CloudFormation templates, see the AWS CloudFormation User Guide.

This guide details one example of how to deploy identity federation with AWS Identity and Access Management ("IAM"). You may also use SAML federation for access to AWS APIs. Further, you have many choices when designing your identity management implementation:

- SAML federation can be used simultaneously with "normal" IAM User credentials to access the AWS Management Console.
- Multiple identity providers may be configured for a single AWS account.
- API access may also be federated.
- A variety of SAML Solution Providers can be used for federation with AWS.

About Nested Stacks

AWS CloudFormation allows nesting a stack as a resource inside a template. This allows you to split up a large infrastructure into smaller modular components that can be managed discretely, which eases long-term administration. Additionally, nesting allows you to overcome some AWS CloudFormation limits, which is useful in situations such as when you need to deploy over 200 resources.

Nested stack updates can be triggered by running the UpdateStack command on a top-level stack, or by selecting the top-level stack and clicking "Update Stack" in the CloudFormation Management Console.

To deploy a nested stack, you need only to deploy the top-level template. The master stack will then download and deploy any subsequent, or "nested", stacks. To simplify deployment, we have chosen to define all of the parameters at the master template level, which will be passed on to the nested templates. This means you only need to define your parameter values once for the top-level template, and these values will be automatically copied to the nested stacks as needed.

For this architecture, we provide these templates:

- Part0 AD-ADFS Stack.template, the top-level stack
- Part1 VPC.template, the underlying network infrastructure
- Part2 AD 2012R2.template, the nested stack for AD DS
- Part3 ADFS 2012R2.template, the nested stack for ADFS
- Part4 RDGW 2012R2.template, the nested stack for RDGW

The hierarchy of these stacks is represented below. The stacks shown in green are in scope of this document, whereas the stacks shown in grey are originally from Implementing Active Directory Domain Services in the AWS Cloud.

Figure 1: Nested CloudFormation Template Hierarchy (Part0 AD-ADFS Stack, Part1 VPC, Part2 AD 2012R2, Part3 ADFS 2012R2, Part4 RDGW 2012R2)

Once deployed, the templates will have constructed an environment resembling the diagram below.

Figure 2: Reference Architecture for Highly Available AD/ADFS in the AWS Cloud
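The parameter pass-through described under About Nested Stacks can be checked mechanically before a launch. The PowerShell below is an added example and not one of the guide's Part0 to Part4 templates: it embeds a hypothetical master template that nests a single ADFS stack (the S3 URL, the resource name ADFSStack and the reduced parameter set are constructed for illustration) and walks every AWS::CloudFormation::Stack resource to confirm that each nested-stack parameter is wired to a master parameter through a Ref, and that password parameters carry NoEcho so their values do not show up in the console or in DescribeStacks output.

```powershell
# Added example (not from the whitepaper): verify that a master template passes
# its parameters through to nested stacks. Template URL, resource name and the
# reduced parameter set are constructed for illustration.

$masterTemplate = @'
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Hypothetical master stack nesting one ADFS stack",
  "Parameters": {
    "KeyPairName":      { "Type": "String" },
    "ADFSInstanceType": { "Type": "String", "Default": "m3.xlarge" },
    "DomainDNSName":    { "Type": "String", "Default": "example.com" },
    "ADFSPassword":     { "Type": "String", "NoEcho": "true", "MinLength": "8" },
    "SAMLUserPassword": { "Type": "String", "MinLength": "8" }
  },
  "Resources": {
    "ADFSStack": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3.amazonaws.com/EXAMPLE-BUCKET/Part3-ADFS.template",
        "Parameters": {
          "KeyPairName":      { "Ref": "KeyPairName" },
          "ADFSInstanceType": { "Ref": "ADFSInstanceType" },
          "DomainDNSName":    { "Ref": "DomainDNSName" },
          "ADFSPassword":     { "Ref": "ADFSPassword" },
          "SAMLUserPassword": { "Ref": "SAMLUserPassword" },
          "VPCID":            { "Ref": "VPC" }
        }
      }
    }
  }
}
'@

function Test-NestedParameterWiring {
    param([Parameter(Mandatory = $true)][string]$TemplateJson)

    $tpl             = $TemplateJson | ConvertFrom-Json
    $masterParams    = @($tpl.Parameters.PSObject.Properties.Name)
    $masterResources = @($tpl.Resources.PSObject.Properties.Name)
    $problems        = @()

    foreach ($res in $tpl.Resources.PSObject.Properties) {
        if ($res.Value.Type -ne 'AWS::CloudFormation::Stack') { continue }
        $nested = $res.Value.Properties.Parameters
        if ($null -eq $nested) { continue }

        foreach ($p in $nested.PSObject.Properties) {
            $where = "$($res.Name).$($p.Name)"

            # A bare string is a value hard-coded in the master template rather
            # than one the operator supplies at launch.
            if ($p.Value -is [string]) {
                $problems += "${where}: hard-coded literal '$($p.Value)'"
                continue
            }
            # Other intrinsics (Fn::GetAtt, Fn::Join, ...) are wiring too; only Ref is checked here.
            $ref = $p.Value.Ref
            if ($null -eq $ref) { continue }

            if (($masterParams -notcontains $ref) -and ($masterResources -notcontains $ref)) {
                $problems += "${where}: Ref '$ref' is neither a master parameter nor a master resource"
            }
            # Secrets passed through must be NoEcho at the master level as well,
            # otherwise they are readable in the console and in DescribeStacks.
            if (($masterParams -contains $ref) -and ($ref -match 'Password')) {
                $masterParam = $tpl.Parameters.PSObject.Properties[$ref].Value
                if ("$($masterParam.NoEcho)" -ne 'true') {
                    $problems += "${where}: password parameter '$ref' lacks NoEcho"
                }
            }
        }
    }
    return ,$problems
}

$issues = Test-NestedParameterWiring -TemplateJson $masterTemplate
if ($issues.Count -eq 0) { 'All nested-stack parameters are wired to master parameters.' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run as written, the sample template reports two problems: VPCID refers to a resource named VPC that the master template never defines, and SAMLUserPassword is passed through without NoEcho. Both are the kind of wiring mistake that only surfaces at launch time when the check is not done up front.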

Automated Deployment

We've created a nested stack of AWS CloudFormation templates that deploy ADFS. These templates perform the following tasks:

- Create an AWS IAM Role for EC2 Instances, which is used during deployment and configuration.
- Use the Windows Server 2012 R2 Amazon Machine Image (AMI) to launch ADFS instances and join them to the existing Microsoft Active Directory.
- Create self-signed SSL certificates for ADFS and Remote Desktop Gateway (RDGW) instances.
- Launch and configure internal Elastic Load Balancing (ELB) and register the ADFS instances with ELB.
- Configure VPC Security Groups and rules for traffic for Elastic Load Balancing and Amazon EC2 instances.
- Configure SAML-based identity federation for single sign-on to the AWS Management Console.
- Create two sample Active Directory Groups and corresponding AWS IAM Roles for Development and Production access to the AWS Management Console, as demonstrated here.
- Configure a DNS CNAME for the SSO portal within your DNS domain.

To launch the AWS CloudFormation stack into the US West (Oregon) Region, click the Launch Stack link below.

Once you authenticate to your AWS account, the link above will automatically prepare your AWS CloudFormation console with the template needed to launch the stack, as shown below. Click "Next".

Figure 3: Deploying the AD-ADFS Stack

The following page will present you with many parameters that are required to launch the stack. Most parameters have default values which have been automatically filled in. However, you must specify values for the EC2 Key Pair and the RDPSourceCIDR* parameters. Finally, you must acknowledge that this stack creates IAM resources, as shown below.

Figure 4: Acknowledging the creation of IAM resources

* NOTE: It is important that RDP never be opened up to the entire Internet—not even for testing purposes or temporarily. For more information, see the related Amazon Security Bulletin. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application. For a further discussion about securing Remote Desktop Gateway, see the Securing the Microsoft Platform on Amazon Web Services whitepaper.

Figure 5: Partial List of Template Parameters

Template Customization

The templates allow for rich customization of 33 defined parameters at template launch. You can modify those parameters passed to the master template, change the default values, or, if you choose to edit the code of the template itself, create an entirely new set of parameters based on your specific deployment scenario.

The template parameters include the following default values (parameter, default, description):

KeyPairName (default: User Provided): Public/private key pairs allow you to connect securely to your instance after it launches.

RDPSourceCIDR (default: User Provided): Source CIDR Block to allow incoming RDP connections to the RDGW servers.
ADFSInstanceType (default: m3.xlarge): Amazon EC2 instance type for the Active Directory Federation Services servers.
(parameter name and default not legible) NetBIOS name of the first Active Directory Federation Services server (up to 15 characters).
ADFSServerNetBIOSName2 (default: ADFS2): NetBIOS name of the second Active Directory Federation Services server (up to 15 characters).
SAMLUser (default: samltest): Test user for SAML federation for the AWS Management Console.
SAMLUserPassword (default: Password123): Password for the SAML test user account. Must be at least 8 characters containing letters and numbers.
SSLPassword (default: Password123): Password for the self-signed SSL certificate. Must be at least 8 characters containing letters and numbers.
ADFSPassword (default: Password123): Password for the ADFSSVC service account. Must be at least 8 characters containing letters and numbers.
AD1InstanceType (default: m3.xlarge): Amazon EC2 instance type for the first Active Directory instance.
AD2InstanceType (default: m3.xlarge): Amazon EC2 instance type for the second Active Directory instance.

ADServer1NetBIOSName (default: DC1): NetBIOS name of the first Active Directory server (up to 15 characters).
ADServer2NetBIOSName (default: DC2): NetBIOS name of the second Active Directory server (up to 15 characters).
ADServer1PrivateIp (default: 10.0.2.10): Fixed private IP for the first Active Directory server located in AZ1.
ADServer2PrivateIp (default: 10.0.3.10): Fixed private IP for the second Active Directory server located in AZ2.
NATInstanceType (default: m1.small): Amazon EC2 instance type for the NAT instances.
RDGWInstanceType (default: m3.xlarge): Amazon EC2 instance type for the Remote Desktop Gateway instances.
DomainDNSName (default: example.com): Fully qualified domain name (FQDN) of the forest root domain; e.g., example.com.
DomainNetBIOSName (default: example): NetBIOS name of the domain (up to 15 characters) for users of earlier versions of Windows; e.g., EXAMPLE.
RestoreModePassword (default: Password123): Password for a separate administrator account when the domain controller is in restore mode. Must be at least 8 characters containing letters, numbers, and symbols.
DomainAdminUser (default: StackAdmin): User name for the account that is added as domain administrator. This is separate from the default "administrator" account.

DomainAdminPassword (default: Password123): Password for the domain admin user. Must be at least 8 characters containing letters and numbers.
DMZ1CIDR (default: 10.0.0.0/24): CIDR block for the Public Subnet located in AZ1.
DMZ2CIDR (default: 10.0.1.0/24): CIDR block for the Public Subnet located in AZ2.
PrivSub1CIDR (default: 10.0.2.0/24): CIDR block for the Private Subnet 1 located in AZ1.
PrivSub2CIDR (default: 10.0.3.0/24): CIDR block for the Private Subnet 2 located in AZ1.
PrivSub3CIDR (default: 10.0.4.0/24): CIDR block for the Private Subnet 3 located in AZ1.
PrivSub4CIDR (default: 10.0.5.0/24): CIDR block for the Private Subnet 4 located in AZ1.
PrivSub5CIDR (default: 10.0.6.0/24): CIDR block for the Private Subnet 5 located in AZ1.
PrivSub6CIDR (default: 10.0.7.0/24): CIDR block for the Private Subnet 6 located in AZ1.
PrivSub7CIDR (default: 10.0.8.0/24): CIDR block for the Private Subnet 7 located in AZ1.
PrivSub8CIDR (default: 10.0.9.0/24): CIDR block for the Private Subnet 8 located in AZ1.
VPCCIDR (default: 10.0.0.0/16): CIDR block for the VPC.
UserCount (default: 25): Total number of test user accounts to create in Active Directory.

Testing Your Deployment

The SAMLUser user has been added to the "Domain Admins" group to permit login privileges to the Remote Desktop Gateway servers deployed by the AD template. Additionally, some modifications to the RDGW servers have been automated via AWS CloudFormation in order to provide a true single sign-on experience:

- Internet Explorer Enhanced Security Configuration (IE ESC) has been disabled
- The SSO portal address (default "https://sso.example.com") has been added to the Local intranet zone in Internet Explorer to allow single sign-on, and has been configured as the home page
- IE Protected Mode has been disabled for the Local intranet zone to allow single sign-on, and the associated warning banner has been disabled
- The self-signed certificate for the ADFS servers has been trusted
- Internet Explorer has been configured to start upon login for all users

Federated Single Sign-On

Determine the Elastic IP address of the RDGW instances by looking at the AWS CloudFormation template output in the AWS Management Console as shown below.

Figure 6: Examining CloudFormation Outputs

Using a Remote Desktop client, log in to either of the RDGW instances using the SAML test user credentials (defaults: example\samltest, Password123). The screenshot below shows an example configuration for the Microsoft Remote Desktop app for Mac.

Figure 7: Connecting to RDGW Server

Some clients may present you with a warning about the self-signed certificate used by the RDGW servers. This is one reason you need to replace these certificates with permanent certificates issued by an authorized certificate authority.

Figure 8: SSL Certificate Warning

A few moments after you log in, IE will be launched automatically for you. If you are logging in for the first time with this user, you'll be presented with a warning page similar to the one shown below. Click the Home button on the browser to see the SSO login portal page.

Figure 9: First-Launch IE Browser Warning

After clicking the home button you will see the ADFS login portal. Choose to sign in to Amazon Web Services.

Figure 10: SSO Portal for ADFS

The SAML test user has been added to two AD Groups / IAM Roles for purposes of demonstration. The ADFS-Production Role has read-only privileges to Amazon EC2, and the ADFS-Dev Role has full access to Amazon EC2. These example permissions were derived from the policy templates provided in the IAM console. Select the ADFS-Dev role. Note that this selection only appears if a user is assigned to more than one AD Group/IAM Role.

Figure 11: Selecting an IAM Role

You are then redirected to the AWS Management Console. Note that your federated credential information is displayed in the top right corner.

Figure 12: Federated AWS Management Console

Post-Configuration Tasks

After the nested stacks have been created successfully, you'll need to perform the following tasks manually:

1. Create a certificate request and replace the temporary self-signed certificates with a certificate signed by a valid certificate authority.
2. Change passwords for the Administrator account, ADFSSVC user and the DomainAdminUser.
3. Update the password for the ADFS service.
4. After confirming successful SAML federation with AWS, disable or delete the SAML test user account.
5. Perform and configure system and application hardening and patching consistent with your organization's procedures.

6. Replace the sample AD Groups, IAM Roles and access policies for SAML-based identity federation with policies designed to meet your organization's access requirements for the AWS Management Console. If you are new to IAM policies, see Managing IAM Policies. You can build and test your permissions using the AWS Policy Generator and the IAM Policy Simulator.

2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Further Reading

- Microsoft on AWS: http://aws.amazon.com/microsoft/
- Amazon EC2 Windows Guide: ndowsGuide/Welcome.html?r 7870
- Secure Microsoft Applications on AWS: http://media.amazonwebservices.com/AWS Microsoft Platform Security.pdf
- Creating a Role for SAML-Based Federation (AWS Management Console): eate-role-saml.html
- Enabling Federation to AWS using Windows Active Directory, ADFS, and SAML 2.0: ive-Directory-ADFS-and-SAML-2-0
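Tasks 1 to 4 of the Post-Configuration Tasks list above can be carried out from an elevated PowerShell session on one of the ADFS servers. The script below is an added example and is not part of the whitepaper's CloudFormation automation: account names follow the guide's defaults (ADFSSVC, StackAdmin, samltest and the example domain), the certificate thumbprint is a placeholder, and the Administrator account rotated here is the domain account. Because the template placed the SAML test user in Domain Admins for RDGW login, that membership is removed before the account is disabled.

```powershell
# Added example (not part of the whitepaper's automation): the manual clean-up
# steps from Post-Configuration Tasks, run on an ADFS server as a domain admin.
# Account names follow the guide's defaults (ADFSSVC, StackAdmin, samltest,
# domain "example"); the certificate thumbprint is a placeholder.
Import-Module ActiveDirectory
Import-Module ADFS

# --- Tasks 2 and 3: rotate the ADFS service account and update the service logon ---
$newPwd = Read-Host -Prompt 'New password for example\ADFSSVC' -AsSecureString
Set-ADAccountPassword -Identity 'ADFSSVC' -Reset -NewPassword $newPwd

# The Windows service keeps its own copy of the credential; it must be updated
# to match or adfssrv fails to start after the next restart.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPwd)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$svc    = Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, 'example\ADFSSVC', $plain)
$plain  = $null
if ($result.ReturnValue -ne 0) { throw "Updating the adfssrv logon failed with code $($result.ReturnValue)" }

# Rotate the other accounts the template created with a default password.
foreach ($acct in 'Administrator', 'StackAdmin') {
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword (Read-Host -Prompt "New password for $acct" -AsSecureString)
}

# --- Task 1: replace the self-signed SSL certificate with one issued by your CA ---
# Import the issued PFX into LocalMachine\My first (Import-PfxCertificate), then:
$thumb = 'REPLACE-WITH-ISSUED-CERT-THUMBPRINT'   # placeholder
Set-AdfsSslCertificate -Thumbprint $thumb
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
Restart-Service adfssrv

# --- Task 4: retire the SAML test user once federation is confirmed ---
# The template put samltest in Domain Admins for RDGW login; remove that first.
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'samltest' -Confirm:$false
Disable-ADAccount -Identity 'samltest'

# --- Verify: service logon, presented certificate, and the test user's state ---
Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName, State
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
Get-ADUser -Identity 'samltest' -Properties MemberOf | Select-Object Enabled, MemberOf
```

Set-AdfsSslCertificate changes only the certificate presented on the HTTPS endpoint; the token-signing certificate is separate, and if you regenerate that one as well you must re-upload the ADFS metadata to the IAM SAML provider, otherwise AWS rejects the signed assertions. Repeat the certificate steps on the second ADFS server, and if the load balancer in front of the ADFS instances terminates TLS, its listener certificate needs the same replacement.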

Appendix A: Amazon EC2 Security Group Configuration

AWS provides a set of building blocks, including Amazon EC2 and Amazon VPC, that you can use to provision infrastructure for your applications. In this model, some security capabilities such as physical security are the responsibility of AWS and are highlighted in the AWS security whitepaper. Other capabilities, such as controlling access to applications, are the responsibility of the application developer and the tools provided in the Microsoft platform.

If you have followed the automated deployment options in this guide, the necessary security groups are configured for you by the provided AWS CloudFormation Templates. For port mappings associated with the VP
