Automate SAML 2.0 Federation for AWS Organizations Using Azure Active Directory

Discover how large companies automate their cloud resource ordering processes, including cloud accounts, Kubernetes clusters, and virtual machines. Explore a use case of creating an automated ordering process using AWS Control Tower Account Factory and integrating it with Azure Active Directory.

What is this Expert View about?

As the demand for cloud resources continues to surge, large companies are increasingly adopting automated processes for ordering and managing these resources. Cloud accounts, Kubernetes clusters, virtual machines, and other resources are bundled together, each offering various configurations such as node size, virtual machine type, and account policies. Typically, resource ordering is initiated through an ordering and billing platform like ServiceNow or a custom web application. Each order is treated as a transaction, linked to a specific cost center, owners, and operators.

In this article, we delve into a practical use case that demonstrates the creation of an automated ordering process using AWS Control Tower Account Factory, which we fondly refer to as an "account vending machine." By leveraging an API endpoint and providing a payload with relevant account information, end users gain the ability to create one or more accounts seamlessly. The resources are provisioned using Terraform, along with the assistance of an open-source tool called AWS Control Tower Account Factory for Terraform (AFT), graciously provided by AWS.

Beyond the creation of new accounts, the pipeline triggers a series of processes and functions through AWS State Machine. These processes focus on the integration of the account with Azure Active Directory, a crucial aspect that we will explore in-depth in this whitepaper. By seamlessly integrating AWS Control Tower with Azure AD, organizations can establish a unified identity management solution that enhances security and simplifies user access across the cloud environment.

Case Study

In this post, we also summarize our learnings from a migration for a German client who was looking for a unified identity provider solution for its multi-cloud strategy.

The customer's main IdP is Azure Active Directory, and the requirement was to keep the management of users for AWS accounts in Azure AD.

We examined two different solutions, both based on the SAML 2.0 protocol. Although the two solutions are similar in most respects, a slight difference in user management makes a big difference in terms of security, maintenance, and usability for large enterprises.

We also explain how enterprises benefit from separating the single sign-on integration at the account level, and how Devoteam automated this process for its customer in the context of AWS Control Tower.

Contact us

At Devoteam A Cloud, we specialize in cloud consulting services and possess extensive expertise as an AWS Premier Tier Services Partner. With our deep understanding of AWS technologies, including AWS Control Tower and Azure AD integration, we are well-equipped to guide enterprises in streamlining their cloud resource ordering processes, optimizing efficiency, and maximizing the benefits of their cloud investments.

Contact us today to learn more about our cloud consulting services and how we can help your organization leverage AWS Control Tower and Azure AD integration to unlock the full potential of cloud automation and identity management.

You can also learn more about Devoteam A Cloud in AWS Marketplace.