Sunday, October 12, 2025

Integrating AWS IAM Identity Center (IC) with Microsoft Active Directory (AD) | Deep Dive.


twtech overview of how to integrate AWS IAM Identity Center (successor to AWS SSO) with Microsoft Active Directory (AD).

Scope:

  •        Overview
  •        Architecture Components
  •        Step-by-Step Setup
  •        Security Considerations
  •        Hybrid Example: On-Prem AD + AWS Managed AD + IAM Identity Center
  •        Best Practices

Overview

AWS IAM Identity Center (IC) integrates with Microsoft Active Directory (AD) to allow users to sign in using their AD credentials, then gain access to AWS accounts and applications via Single Sign-On (SSO).

There are two main integration models:

| Model | Description | Use Case |
|---|---|---|
| AWS Managed Microsoft AD (Direct Integration) | IAM Identity Center connects directly to a managed AD instance in AWS Directory Service. | For enterprises that host or extend AD to AWS. |
| AD Connector (Proxy Integration) | IAM Identity Center connects to on-premises AD through an AD Connector (acts as a proxy, no replication). | For organizations that want to use on-prem AD credentials without storing them in AWS. |

Architecture Components

1.     IAM Identity Center (SSO Service)

o   Central identity service for AWS accounts and apps.

o   Manages permission sets, assignments, and federation.

2.     AWS Directory Service

o   Provides AD integration options:

§  AWS Managed Microsoft AD – fully managed AD.

§  AD Connector – proxy to on-prem AD.

§  Simple AD – lightweight directory (less common now).

3.     Microsoft Active Directory

o   User accounts, groups, and OU structure.

o   On-prem or hosted in AWS.

o   Handles Kerberos / LDAP authentication.

4.     AWS IAM / STS

o   IAM Identity Center maps permission sets → IAM roles in accounts.

o   STS issues temporary credentials after SSO login.

5.     Optional Integrations

o   Azure AD, Okta, or others as external IdPs (federated with AD).

o   AWS IAM Identity Center applications for SaaS and custom apps.


Step-by-Step Setup

Scenario 1: Using AWS Managed Microsoft AD

Step 1: Deploy AWS Managed Microsoft AD

1.     Go to AWS Directory Service → Set up directory.

2.     Choose AWS Managed Microsoft AD.

3.     Select:

o   Directory size (Standard/Enterprise)

o   VPC + Subnets (2 AZs minimum)

4.     AWS provisions domain controllers.

Example domain: twtechapp.com

Step 2: Configure Trusts (if hybrid with on-prem AD)

If using on-prem AD:

  •         Establish a two-way forest trust between on-prem AD and AWS Managed AD.
  •         Configure DNS forwarding so both forests resolve each other’s domains.

Step 3: Enable IAM Identity Center

1.     Go to IAM Identity Center → Settings → Identity Source.

2.     Choose Active Directory.

3.     Select your AWS Managed Microsoft AD directory.

IAM Identity Center automatically detects and connects to the directory.

Step 4: Assign Users and Groups

1.     Go to IAM Identity Center → Users and Groups.

2.     Choose Groups from AD (e.g., AWS-Admins, Developers).

3.     Assign Permission Sets to groups for each AWS account.

NB: Behind the scenes, each permission set maps to an IAM role in the target account via AWS CloudFormation StackSets.
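The console steps above can also be scripted. The following is an added example (not from the original post and not AWS code) that resolves an AD group name such as AWS-Admins in the Identity Store and creates a GROUP assignment for one account with boto3. It assumes the sso-admin and identitystore API calls shown, takes the clients as parameters so the logic can be exercised without an AWS account, and uses placeholder account ID and permission set ARNs that you must replace.

```python
from typing import Dict, Optional


def find_group_id(identitystore, identity_store_id: str, display_name: str) -> Optional[str]:
    """Resolve an AD group name (e.g. AWS-Admins) to its Identity Store GroupId.

    Returns None unless exactly one group matches: granting access to a guessed
    group is worse than skipping the assignment and reporting it.
    """
    resp = identitystore.list_groups(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "DisplayName", "AttributeValue": display_name}],
    )
    groups = resp.get("Groups", [])
    if len(groups) != 1:
        return None
    return groups[0]["GroupId"]


def assign_group(sso_admin, instance_arn: str, account_id: str,
                 permission_set_arn: str, group_id: str) -> str:
    """Create one GROUP -> account assignment; returns the creation status string."""
    resp = sso_admin.create_account_assignment(
        InstanceArn=instance_arn,
        TargetId=account_id,
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn,
        PrincipalType="GROUP",       # groups only, never individual users
        PrincipalId=group_id,
    )
    return resp["AccountAssignmentCreationStatus"]["Status"]


def assign_ad_groups(sso_admin, identitystore, instance_arn: str,
                     identity_store_id: str, account_id: str,
                     plan: Dict[str, str]) -> Dict[str, str]:
    """Apply a {AD group name: permission set ARN} plan to one account.

    Returns {group name: status}; unresolved groups are reported as skipped
    rather than silently dropped.
    """
    outcome: Dict[str, str] = {}
    for group_name, ps_arn in plan.items():
        group_id = find_group_id(identitystore, identity_store_id, group_name)
        if group_id is None:
            outcome[group_name] = "SKIPPED: group not found or not unique in Identity Store"
            continue
        outcome[group_name] = assign_group(sso_admin, instance_arn, account_id, ps_arn, group_id)
    return outcome


if __name__ == "__main__":
    import boto3  # only needed for a real run, not for the functions above

    sso_admin = boto3.client("sso-admin")
    identitystore = boto3.client("identitystore")
    instance = sso_admin.list_instances()["Instances"][0]
    # Placeholder account ID and permission set ARNs (hypothetical): substitute your own.
    plan = {
        "AWS-Admins": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-ADMIN-PLACEHOLDER",
        "Developers": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-DEV-PLACEHOLDER",
    }
    for group, status in assign_ad_groups(
        sso_admin, identitystore, instance["InstanceArn"],
        instance["IdentityStoreId"], "111122223333", plan,
    ).items():
        print(f"{group}: {status}")
```

The create call is asynchronous, so the returned status is normally IN_PROGRESS; a production script would poll describe_account_assignment_creation_status before reporting success.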

Step 5: Test Login

1.     Go to the AWS access portal URL provided by IAM Identity Center.

2.     Log in using your AD credentials (Kerberos / LDAP).

3.     Choose an AWS account → temporary credentials are issued via STS.

Scenario 2: Using On-Prem AD with AD Connector

Step 1: Deploy AD Connector

1.     Go to AWS Directory Service → Set up directory → AD Connector.

2.     Enter:

o   On-prem AD DNS names

o   Service account credentials (with read permissions)

o   VPC/Subnet info (must have network path to on-prem AD)

NB: AD Connector doesn’t replicate data — it acts as a proxy for authentication.

Step 2: Verify Network Connectivity

Ensure:

  •         VPC can reach on-prem AD via VPN or Direct Connect.
  •         Required ports are open:

o   TCP/UDP 389 (LDAP)

o   TCP/UDP 88 (Kerberos)

o   TCP 445 (SMB)

o   TCP 3268-3269 (Global Catalog)
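A quick way to confirm the port list above before creating the AD Connector is to probe each domain controller from an instance in the chosen subnets. The script below is an added example, not part of the original post; the DC hostnames are hypothetical and must be replaced with the on-prem AD DNS names you will enter in the wizard. It checks TCP only, because a closed UDP port usually gives no answer to probe.

```python
import socket
from typing import Dict, List, Tuple

# TCP ports from the AD Connector prerequisites above. Kerberos and LDAP also use
# UDP, but a closed UDP port rarely answers, so only TCP reachability is probed.
REQUIRED_TCP_PORTS: List[Tuple[int, str]] = [
    (88, "Kerberos"),
    (389, "LDAP"),
    (445, "SMB"),
    (3268, "Global Catalog"),
    (3269, "Global Catalog (TLS)"),
]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    A name that does not resolve counts as unreachable too: AD Connector needs
    the VPC's DNS to resolve the on-prem DC names, so that is a real failure.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or DNS resolution failed
        return False


def check_domain_controllers(
    hosts: List[str],
    ports: List[Tuple[int, str]] = REQUIRED_TCP_PORTS,
    timeout: float = 3.0,
) -> Dict[str, Dict[int, bool]]:
    """Probe every host/port pair; returns {host: {port: reachable}}."""
    return {h: {p: tcp_open(h, p, timeout) for p, _ in ports} for h in hosts}


def missing_ports(
    results: Dict[str, Dict[int, bool]],
    ports: List[Tuple[int, str]] = REQUIRED_TCP_PORTS,
) -> List[Tuple[str, int, str]]:
    """Flatten failures into (host, port, service) triples for a report."""
    names = dict(ports)
    return [
        (host, port, names.get(port, "unknown"))
        for host, by_port in results.items()
        for port, ok in by_port.items()
        if not ok
    ]


if __name__ == "__main__":
    # Hypothetical DC names: replace with the on-prem AD DNS names you will enter
    # in the AD Connector wizard, and run this from an instance in the chosen subnets.
    dcs = ["dc1.corp.example.com", "dc2.corp.example.com"]
    failures = missing_ports(check_domain_controllers(dcs))
    if failures:
        for host, port, svc in failures:
            print(f"BLOCKED  {host}:{port}  ({svc})")
    else:
        print("All required TCP ports reachable on every DC")
```

Run it from an EC2 instance in the AD Connector subnets; a blocked port here will show up later as a failed directory creation or as login failures that are much harder to trace back to the network.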

Step 3: Configure IAM Identity Center to Use AD Connector

Same steps as before:

  •         In IAM Identity Center → Identity Source → Select AD.
  •         Choose your AD Connector directory.

IAM Identity Center will read users/groups via the connector.

Step 4: Assign Access

  •         Assign AD groups or users to AWS accounts and apps using permission sets.

Step 5: User Login / Authentication Flow (AD Connector)

[Figure: User-Login-Flow.jpg]

Security Considerations:

| Layer | Mechanism | Notes |
|---|---|---|
| Authentication | Kerberos / LDAP | Managed by AD or AD Connector |
| Authorization | Permission Sets → IAM Roles | Managed by IAM Identity Center |
| Federation | SAML 2.0 internally | Between Identity Center & AWS Accounts |
| Credentials | Temporary via STS | Short-lived, least privilege |
| Encryption | TLS for network, KMS for secrets | Default for all AWS Directory comms |

Hybrid Example: On-Prem AD + AWS Managed AD + IAM Identity Center

1.     On-prem AD (users, groups)

2.     AWS Managed AD (trusted domain)

3.     IAM Identity Center connected to AWS Managed AD

4.     Trust allows users from on-prem to SSO into AWS

Flow:

User (On-Prem) → Kerberos → On-Prem DC → Trust → AWS Managed AD
   ↓
IAM Identity Center (Federation)
   ↓
STS → Temporary IAM Role → AWS Account Access

Best Practices

  •         Use two-way forest trusts rather than one-way trusts if hybrid AD is used.
  •         Keep AD DNS and time sync healthy (Kerberos depends on it).
  •         Use AD groups for AWS permission assignments — not individuals.
  •         Enforce MFA via Conditional Access or AD policies.
  •         Monitor via AWS CloudTrail and Directory Service logs.
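The "groups, not individuals" rule is easy to state and easy to drift from, so it is worth auditing. The following is an added example (not from the original post and not AWS code) that walks every permission set provisioned to an account and reports assignments whose principal is a USER rather than a GROUP. It assumes the sso-admin list calls shown, handles NextToken pagination, takes the client as a parameter so it can be checked without an AWS account, and uses a placeholder account ID.

```python
from typing import Any, Callable, Dict, List


def _paginate(method: Callable[..., Dict[str, Any]], key: str, **kwargs) -> List[Any]:
    """Collect every page of an sso-admin list_* call that uses NextToken."""
    items: List[Any] = []
    token = None
    while True:
        page = method(**kwargs, **({"NextToken": token} if token else {}))
        items.extend(page.get(key, []))
        token = page.get("NextToken")
        if not token:
            return items


def direct_user_assignments(sso_admin, instance_arn: str, account_id: str) -> List[Dict[str, str]]:
    """Return every assignment in `account_id` whose principal is a USER, not a GROUP."""
    findings: List[Dict[str, str]] = []
    permission_sets = _paginate(
        sso_admin.list_permission_sets_provisioned_to_account,
        "PermissionSets", InstanceArn=instance_arn, AccountId=account_id,
    )
    for ps_arn in permission_sets:
        assignments = _paginate(
            sso_admin.list_account_assignments, "AccountAssignments",
            InstanceArn=instance_arn, AccountId=account_id, PermissionSetArn=ps_arn,
        )
        for a in assignments:
            if a.get("PrincipalType") == "USER":
                findings.append({
                    "account": account_id,
                    "permission_set": ps_arn,
                    "user_id": a["PrincipalId"],
                })
    return findings


if __name__ == "__main__":
    import boto3  # only needed for a real run, not for the functions above

    sso_admin = boto3.client("sso-admin")
    instance_arn = sso_admin.list_instances()["Instances"][0]["InstanceArn"]
    for account in ["111122223333"]:  # placeholder account IDs: substitute your own
        for f in direct_user_assignments(sso_admin, instance_arn, account):
            print(f"DIRECT USER ASSIGNMENT account={f['account']} "
                  f"permission_set={f['permission_set']} user={f['user_id']}")
```

Each finding is a principal whose access will not be revoked by removing them from an AD group; fold the list into a scheduled job alongside the CloudTrail and Directory Service log monitoring above so that such exceptions are noticed rather than accumulated.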
