My company has an Active Directory on premise and we want to federate employees into the AWS console/CLI by authenticating against it. There are multiple ways of doing this over VPN or Direct Connect, and I have come across two of them: 1) using ADFS and 2) using AWS AD Connector. Which one should be used for which use case, and when? Pros and cons of each?
1 Answer
This is a complex subject and my answer just touches upon highlights of integrating Active Directory into your Amazon Cloud environment. The best answer depends on your particular networking needs.
For simple Active Directory integration, AD Connector is a good fit. For complex needs which include SAML or custom applications, ADFS is required.
AD Connector is used to extend Active Directory from your data center into your Amazon Cloud so that Amazon services can use Active Directory. AD Connector supports sign-in to Amazon applications such as WorkSpaces, WorkDocs and WorkMail. AD Connector allows your Amazon EC2 Windows instances to join your Active Directory domain. Joining Linux instances to Active Directory is also supported (Amazon Linux, Red Hat Enterprise, Ubuntu Server, CentOS). AD Connector can also provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.
ADFS is a Microsoft service added to Active Directory to provide SAML-based federation. With SAML you can use single sign-on (SSO) to sign in to all of your SAML-enabled applications by using a single set of credentials.
If you want your Active Directory users to be able to get temporary credentials (Cognito), then you need ADFS. AD Connector does not support this.
AD Connector cannot be used with custom applications and can only be used for secure AWS integration for 1) sign-in to AWS applications; 2) joining Windows (and Linux) instances to Active Directory; 3) providing federated sign-in to the AWS Management Console.
ADFS is far more complicated to set up but offers more features for identity management and federation with both Amazon services and custom applications. Once set up correctly, your Active Directory domain and the Amazon Console are tightly integrated.
I recommend watching one of the Amazon Deep Dive videos on Integrating Active Directory.
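The ADFS path described in the answer above ends with the CLI exchanging a SAML assertion for temporary credentials through STS `AssumeRoleWithSAML`. The block below is an added example, not code from the question, the answer or AWS; it parses the `https://aws.amazon.com/SAML/Attributes/Role` claim that ADFS must emit (each value is a comma-separated role ARN / SAML-provider ARN pair, in either order), reads the optional `SessionDuration` claim, and shows the STS call. The SAML response is a constructed sample with a made-up account ID, role names and provider name; the `boto3` call is only reached when `assume_role_with_saml` is invoked against a real account.

```python
"""Select an IAM role from an ADFS SAML assertion and exchange it at STS.

Added example for the ADFS -> AWS CLI flow; the SAML response below is
constructed sample data (fictitious account 123456789012, roles and
provider), not output from a real ADFS server.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
MIN_DURATION, MAX_DURATION = 900, 43200  # STS limits for AssumeRoleWithSAML

_SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# AssumeRoleWithSAML expects the base64-encoded SAML Response, as the browser
# would POST it to https://signin.aws.amazon.com/saml
SAMPLE_ASSERTION_B64 = base64.b64encode(_SAMPLE_RESPONSE.encode()).decode()


def _attribute_values(root, name):
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                yield (val.text or "").strip()


def parse_roles(assertion_b64):
    """Return [(role_arn, provider_arn), ...] from the Role claim.

    The client does not verify the assertion signature; STS does that when
    the assertion is presented. Parsing here only drives role selection.
    """
    root = ET.fromstring(base64.b64decode(assertion_b64))
    roles = []
    for value in _attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError("Role claim must be 'role ARN,provider ARN': %r" % value)
        # ADFS claim rules may emit the pair in either order; the provider
        # ARN is the one containing ':saml-provider/'.
        if ":saml-provider/" in parts[0]:
            provider_arn, role_arn = parts
        else:
            role_arn, provider_arn = parts
        if not role_arn.startswith("arn:aws:iam::") or ":role/" not in role_arn:
            raise ValueError("Not an IAM role ARN: %r" % role_arn)
        if not provider_arn.startswith("arn:aws:iam::") or ":saml-provider/" not in provider_arn:
            raise ValueError("Not a SAML provider ARN: %r" % provider_arn)
        roles.append((role_arn, provider_arn))
    if not roles:
        raise ValueError("Assertion carries no Role claim; check the ADFS claim rules")
    return roles


def session_duration(assertion_b64, default=3600):
    """Seconds requested by the SessionDuration claim, clamped to STS limits."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    values = list(_attribute_values(root, DURATION_ATTR))
    seconds = int(values[0]) if values else default
    return max(MIN_DURATION, min(MAX_DURATION, seconds))


def choose_role(roles, role_name):
    """Pick the (role_arn, provider_arn) pair whose role name matches."""
    for role_arn, provider_arn in roles:
        if role_arn.rsplit("/", 1)[-1] == role_name:
            return role_arn, provider_arn
    raise LookupError("role %r not offered by the assertion" % role_name)


def assume_role_with_saml(assertion_b64, role_arn, provider_arn, duration, region="us-east-1"):
    """Exchange the assertion for temporary credentials (needs network + boto3)."""
    import boto3  # imported lazily so the parsing above runs without the SDK
    sts = boto3.client("sts", region_name=region)  # no AWS credentials required
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=provider_arn,
        SAMLAssertion=assertion_b64,
        DurationSeconds=duration,
    )
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration
```

Run against the sample, `parse_roles` offers two roles and `choose_role` selects one by name; in a real deployment the `assertion_b64` comes from the ADFS form POST after the user authenticates, and the returned credentials are written to `~/.aws/credentials` or exported as `AWS_*` variables for the CLI. Note that the provider ARN must match the SAML provider registered in IAM and the role's trust policy must allow `sts:AssumeRoleWithSAML` from it; otherwise STS rejects the call regardless of what the assertion says.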