AWS SSO from an On-Premises Active Directory

Users on your on-premises Active Directory need  SSO access to

a) AWS accounts and

b) cloud applications in the AWS SSO user portal

AWS Directory Service has the following two options available:

• Create a two-way trust relationship – Two-way trust relationships created between AWS Managed Microsoft AD and an on-premises Active Directory enable on-premises users to sign in with their corporate credentials to various AWS services and business applications. One-way trusts will not work with AWS SSO. For more information about setting up a two-way trust, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.
• Create an AD Connector – AD Connector is a directory gateway that can redirect directory requests to your on-premises Active Directory without caching any information in the cloud. For more information, see Connect to a Directory in the AWS Directory Service Administration Guide.Note

AD Connector

Use Case 1 – To enable federated console access to the AWS Console

Use Case 2 – To assign users to AWS roles

Use Case 3 – To seamlessly join an EC2 instance to an Active Directory domain.

No Complicated SAML-based federation or directory synchronization

AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS. When AD Connector is configured, the trust allows you to:

• Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
• Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
• Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.

AD Connector cannot be used with your custom applications, as it is only used for secure AWS integration for the three use-cases mentioned above. Custom applications relying on your on-premises Active Directory should communicate with your domain controllers directly.

With AD Connector, you can streamline identity management by sourcing and managing all your user identities from Active Directory. It also enables you to reuse your existing Active Directory security policies such as password expiration, password history, and account lockout policies. Also, your users will no longer need to remember yet another user name and password combination.

And because AD Connector doesn’t rely on complex directory synchronization technologies or Active Directory Federation Services (AD FS), you can forego the added cost and complexity of hosting a SAML-based federation infrastructure. In sum, AD Connector helps to foster a hybrid environment by allowing you to leverage your existing on-premises investments to control different facets of AWS.