Sunday, March 28, 2021

AWS Single Sign-on and Azure AD Application Certificate rotation

In this quick post I will discuss the process and steps involved in rotating an expiring Azure AD application certificate that is configured for AWS SSO login.

This applies where your AWS account SSO is configured with Azure Active Directory and the associated application certificate is about to expire or has already expired.

Before you start, make sure you have the appropriate AWS IAM and Azure AD permissions, or involve the teams that have the access required to create an application certificate (in Azure) and to rotate the same in AWS.

Now, log in to AWS and take a backup of the currently used metadata.

  1. Log in to AWS => Go to IAM => Click on Dashboard, or from the IAM menu click on Identity Providers
  2. Click on the Azure AD identity provider => From the Metadata Document section, download the current metadata file for backup purposes

Now log in to Azure:

  1. Go to Azure Active Directory => Select Enterprise applications from the left menu
  2. From the Enterprise applications section, select the AWS application used for SSO
  3. Now on the AWS application screen, go to the Single sign-on option => SAML Signing Certificate and click Edit
  4. On the SAML Signing Certificate page, create a new certificate, save it and mark it as Active, then close the window
  5. Still on the SAML Signing Certificate page, verify the certificate expiry date and download the Federation Metadata XML
  6. Go to the AWS account's IAM Identity Providers section (steps mentioned above)
  7. Within the Metadata Document section, this time click on Replace Metadata; in the pop-up window type "replace" and click the Replace button. If you didn't download the current metadata file earlier, do it now so that you can revert in case of any issue
  8. Now browse to and select the Federation Metadata XML file downloaded after the Azure AD application certificate rotation and click Open
  9. It takes a few seconds and you are done.
  10. Test your AWS Single Sign-on URL; you can also perform the test from within the Azure application's SAML-based Single sign-on page.

Note: If you are using an AD (SSO-federated) account to replace the AWS identity provider metadata, make sure you are logged in before marking the newly created Azure application certificate active. Also, don't refresh the AWS login page until you have replaced the metadata, because the old metadata in AWS no longer matches the active signing certificate in Azure.
To avoid this, simply use your AWS root account ;)
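Before clicking Replace in step 7, it is worth checking the file you are about to upload: that it is IdP metadata for the same tenant/application as the current provider, that its signing certificate actually differs from the one AWS already holds (i.e. the new certificate was marked Active before the download), and that the certificate is not itself close to expiry. The following is an added example, not code from the original post and not an Azure or AWS tool: it parses SAML federation metadata with the Python standard library only and reads the certificate's notAfter date with a minimal DER walker, so it runs offline. The tenant ID, dates and the stub certificate it builds are constructed sample values; in real use you would feed it the backup from step 2 and the Federation Metadata XML from step 5.

```python
"""Pre-flight checks for swapping the SAML metadata of an AWS IAM identity provider.

Added example, not from the original post. Standard library only; the tenant ID,
dates and the stub certificate are constructed and are not real Azure AD output.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    _, _, pos = _tlv(der, pos)             # notBefore (skipped)
    tag, start, end = _tlv(der, pos)       # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                        # UTCTime has a two-digit year
        yy = int(text[:2])
        text = f"{yy + (2000 if yy < 50 else 1900)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_metadata(xml_text):
    """Return entityID, SSO URLs and (sha256, notAfter) for each signing certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):   # an absent 'use' means signing and encryption
            continue
        for x509 in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(x509.text.split()))
            certs.append((hashlib.sha256(der).hexdigest(), cert_not_after(der)))
    sso = [s.get("Location") for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}


def preflight(current_xml, new_xml, now, min_days=30):
    """Problems that should block replacing the provider's metadata document."""
    cur, new = inspect_metadata(current_xml), inspect_metadata(new_xml)
    problems = []
    if new["entity_id"] != cur["entity_id"]:
        problems.append(f"entityID changed {cur['entity_id']} -> {new['entity_id']}: wrong application or tenant?")
    if not new["certs"]:
        problems.append("no signing certificate in new metadata")
    if {c[0] for c in new["certs"]} == {c[0] for c in cur["certs"]}:
        problems.append("signing certificate unchanged: was the new certificate marked Active before download?")
    for fp, not_after in new["certs"]:
        days = (not_after - now).days
        if days < min_days:
            problems.append(f"certificate {fp[:16]} expires in {days} days ({not_after:%Y-%m-%d})")
    return problems


# --- constructed sample input below: a stub certificate and Azure-shaped metadata ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def stub_cert(not_after):
    """Stand-in with the X.509 field order but empty names, no key and no signature
    (enough for cert_not_after; not a valid certificate). Uses UTCTime, so < 2050."""
    validity = _der(0x30, _der(0x17, b"210101000000Z")
                    + _der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def build_metadata(tenant_id, cert_der):
    b64 = base64.b64encode(cert_der).decode()
    return f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/{tenant_id}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{tenant_id}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


TENANT = "00000000-0000-0000-0000-000000000000"          # placeholder tenant ID
NOW = datetime(2021, 3, 28, tzinfo=timezone.utc)
CURRENT_METADATA = build_metadata(TENANT, stub_cert(datetime(2021, 4, 10, tzinfo=timezone.utc)))
NEW_METADATA = build_metadata(TENANT, stub_cert(datetime(2024, 3, 28, tzinfo=timezone.utc)))
OTHER_APP_METADATA = build_metadata("11111111-1111-1111-1111-111111111111",
                                    stub_cert(datetime(2024, 3, 28, tzinfo=timezone.utc)))

if __name__ == "__main__":
    for name, xml in (("current", CURRENT_METADATA), ("new", NEW_METADATA)):
        info = inspect_metadata(xml)
        for fp, exp in info["certs"]:
            print(f"{name}: {info['entity_id']} cert {fp[:16]} notAfter {exp:%Y-%m-%d}")
    print("new file:", preflight(CURRENT_METADATA, NEW_METADATA, NOW) or "no problems")
    print("re-uploading current:", preflight(CURRENT_METADATA, CURRENT_METADATA, NOW))
    print("other application:", preflight(CURRENT_METADATA, OTHER_APP_METADATA, NOW))
```

The same checks fit a CLI-driven rotation: `aws iam get-saml-provider --saml-provider-arn <arn>` returns the current document in its `SAMLMetadataDocument` field (save it as the backup), and once `preflight` reports nothing, `aws iam update-saml-provider --saml-provider-arn <arn> --saml-metadata-document file://FederationMetadata.xml` performs the replacement from steps 7 and 8.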

That's it, thanks :)