github.com/versent/saml2aws@v2.17.0+incompatible/doc/provider/aad/README.md

# saml2aws Documentation for Azure Active Directory

Instructions for setting up single sign on (SSO) with Amazon AWS using
[Azure AD][1] and [saml2aws][2].

---

[](TOC)

- [Azure AD Single Sign-On (SSO) with Amazon AWS](#azure-ad-single-sign-on-sso-with-amazon-aws)
    - [Configure](#configure)
- [Further Information](#further-information)

[](TOC)

---

## Azure AD Single Sign-On (SSO) with Amazon AWS

When configuring saml2aws to work with Azure AD, you must first acquire the Azure AD Enterprise App Id.

This can be easily achieved by browsing MyApps at [https://myapps.microsoft.com/](https://myapps.microsoft.com/)
and logging in. Click your AWS app, and immediately copy the URL that it loads, before the redirect. It will look
something like this:

`https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=SignIn&applicationId=2784b9b1-53ed-4883-95a8-56bf94ad4f5f&ApplicationConstName=aws&SingleSignOnType=Federated&ApplicationDisplayName=Amazon%20Web%20Services%20%28AWS%29&tenantId=8273303e-1e63-49f2-9812-43c86b5b11ec`

From within this URL, grab the `applicationId` querystring parameter. In the above, it is:

`2784b9b1-53ed-4883-95a8-56bf94ad4f5f`

This will be your app ID when prompted by saml2aws.

### Configure

Configure your application(s) with `saml2aws`. For example:

```bash
saml2aws configure \
  --idp-provider='AzureAD' \
  --mfa='Auto' \
  --profile='saml' \
  --url='https://account.activedirectory.windowsazure.com' \
  --username='road.runner@the-acme-corporation.com' \
  --app-id='2784b9b1-53ed-4883-95a8-56bf94ad4f5f' \
  --skip-prompt
```

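The two steps above (pulling `applicationId` out of the copied MyApps URL, then passing it to `saml2aws configure`) are easy to get wrong by hand, for example by copying the `tenantId` instead. The script below is an added example and is not part of saml2aws or its documentation: it parses the query string with plain POSIX shell tools, checks that the value has the 8-4-4-4-12 GUID shape before using it, and only then builds the `configure` command from the README's flags. The sample URL is the one shown above; the function names (`extract_app_id`, `is_guid`, `build_configure_cmd`) are this example's own.

```bash
#!/bin/sh
# Added example, not saml2aws code: derive --app-id from the MyApps URL.

# Sample input, copied from the README's example URL (constructed test data).
SAMPLE_URL='https://account.activedirectory.windowsazure.com/applications/redirecttofederatedapplication.aspx?Operation=SignIn&applicationId=2784b9b1-53ed-4883-95a8-56bf94ad4f5f&ApplicationConstName=aws&SingleSignOnType=Federated&ApplicationDisplayName=Amazon%20Web%20Services%20%28AWS%29&tenantId=8273303e-1e63-49f2-9812-43c86b5b11ec'

# extract_app_id URL -> prints the applicationId value, or nothing if absent.
extract_app_id() {
  # Strip everything through the first '?', split pairs on '&',
  # keep only the applicationId pair and print its value.
  printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n 's/^applicationId=//p' | head -n 1
}

# is_guid VALUE -> succeeds only if VALUE is 8-4-4-4-12 hex digits.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# build_configure_cmd APP_ID USERNAME -> prints the saml2aws configure
# invocation from the README with the given app id and username filled in.
build_configure_cmd() {
  printf "saml2aws configure --idp-provider='AzureAD' --mfa='Auto' --profile='saml' --url='https://account.activedirectory.windowsazure.com' --username='%s' --app-id='%s' --skip-prompt\n" "$2" "$1"
}

# Usage: refuse to build the command unless a well-formed app id was found.
app_id=$(extract_app_id "$SAMPLE_URL")
if is_guid "$app_id"; then
  build_configure_cmd "$app_id" 'road.runner@the-acme-corporation.com'
else
  echo "no valid applicationId found in URL" >&2
fi
```

Replace `SAMPLE_URL` with the URL you copied from MyApps; if the script reports no valid `applicationId`, you most likely copied the post-redirect URL rather than the first one loaded.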
This creates (or modifies) `${HOME}/.saml2aws`. You can open that file and make
any additional changes as needed.

From here, execution and authentication occur as per the standard documentation.

## Further Information

Currently this provider supports the following MFA scenarios:

* PhoneAppOTP
* PhoneAppNotification
* OneWaySMS

[1]: https://azure.microsoft.com/en-au/services/active-directory/
[2]: https://github.com/Versent/saml2aws