
Windows Server 2016 ADFS - Integration with AWS Directory Service

We would like to use WebSSO (single sign-on with a single set of credentials) for a number of small in-house web applications using Windows Server 2016 ADFS (Active Directory Federation Services) and AWS Directory Service. We had created a domain using Directory Service in our AWS account. I tried installing and configuring ADFS using the Server Manager tool on a Windows Server 2016 EC2 instance after performing a successful domain join to the AWS Directory Service. One of the screens in the ADFS Configuration Wizard asks for a Domain Administrator password. The admin user created by AWS Directory Service does not appear to be a domain administrator, so I could not configure ADFS on the Windows EC2 instance.

https://www.virtuallyboring.com/how-to-setup-microsoft-active-directory-federation-services-adfs/

I was wondering if it is possible at all to create a Domain Administrator in AWS Directory Service and, secondly, whether it is possible to implement ADFS with AWS Directory Service using SAML.

From the below AWS link, I think the default "admin" user is not the same as a domain administrator.

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html

Any inputs on ADFS integration with AWS Directory Service for web applications will be gratefully received.

Note: I found links on the net to install/configure Windows ADFS with Windows Active Directory but not with AWS Directory Service. I found the below link for integrating ADFS with Active Directory for IAM users, but it did not help us much.

https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

We are interested in integrating our web applications with ADFS/AWS Directory Service for WebSSO.

Vishwa Kumba asked Mar 05 '23 14:03


1 Answer

I obtained the answer. AWS Directory Service does not provide a domain administrator account for security reasons. Windows Server 2016 ADFS can be configured against AWS Directory Service. We should use the PowerShell commands instead of the Wizard to configure the ADFS server, as the Wizard asks for a domain administrator account.

These are the steps:

  • The GUID and certificate thumbprint ID parameters are to be replaced with your values in the enclosed code
  • The default AWS managed Microsoft AD administrator account "NetBIOSname\Admin" is recommended for running all the PowerShell commands below
  • You can create a domain user as the ADFS service account and use it for the $svcCred credential variable
  • You can use the AWS managed Microsoft AD Admin user for the $localAdminCred credential variable

The code below is to be run in a PowerShell window (Run as administrator):

# Assuming that the Active Directory domain = corp.example.com and that AWS
# delegated the OU "OU=corp,DC=corp,DC=example,DC=com" to the Admin account.

# Generate a GUID to name the DKM (Distributed Key Manager) container.
$guid = (New-Guid).Guid

# Create the ADFS container and the GUID sub-container inside the delegated OU;
# the Admin account has no rights to create objects elsewhere in the domain.
New-ADObject -Name "ADFS" -Type Container -Path "OU=corp,DC=corp,DC=example,DC=com"
New-ADObject -Name $guid -Type Container -Path "CN=ADFS,OU=corp,DC=corp,DC=example,DC=com"

# Point the farm installer at that container instead of the default location
# under CN=Program Data,CN=Microsoft, which only a domain admin could create.
$adminConfig = @{ "DKMContainerDn" = "CN=$guid,CN=ADFS,OU=corp,DC=corp,DC=example,DC=com" }

# Credentials: first the ADFS service account, then the "NetBIOSname\Admin" account.
$svcCred = Get-Credential -Message "ADFS service account"
$localAdminCred = Get-Credential -Message "AWS managed Microsoft AD Admin account"

Install-WindowsFeature ADFS-Federation

# Replace <Thumbprint ID> with the thumbprint(s) of your certificate(s).
Install-AdfsFarm -CertificateThumbprint "<Thumbprint ID>" `
    -FederationServiceName "YourFederationServiceName" `
    -ServiceAccountCredential $svcCred `
    -Credential $localAdminCred `
    -OverwriteConfiguration `
    -AdminConfiguration $adminConfig `
    -SigningCertificateThumbprint "<Thumbprint ID>" `
    -DecryptionCertificateThumbprint "<Thumbprint ID>"

# Optional: enable the IdP-initiated sign-on page (/adfs/ls/idpinitiatedsignon).
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

The following URL is also useful for setting up a Windows ADFS server with AWS Directory Service:

https://aws.amazon.com/blogs/security/how-to-enable-your-users-to-access-office-365-with-aws-microsoft-active-directory-credentials/

Vishwa Kumba answered May 02 '23 14:05
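A preflight check to run before the Install-AdfsFarm command in the answer above, added here as an example and not part of the original answer. It assumes the same domain (corp.example.com), the delegated OU OU=corp,DC=corp,DC=example,DC=com, a hypothetical service account named svc-adfs, the RSAT ActiveDirectory module installed, and a certificate thumbprint placeholder; it verifies the domain join, that the DKM container sits inside the OU the Admin account can write to, that the service account is not a privileged one, and that the certificate is usable, without changing anything.

```powershell
# Preflight checks for an ADFS farm install against AWS Managed Microsoft AD.
# Assumed values (placeholders, replace with your own):
$domainFqdn  = "corp.example.com"
$delegatedOu = "OU=corp,DC=corp,DC=example,DC=com"    # the OU AWS delegates to the Admin account
$dkmDn       = "CN=<your GUID>,CN=ADFS,$delegatedOu"   # must equal DKMContainerDn used in Install-AdfsFarm
$svcAccount  = "svc-adfs"                              # hypothetical ADFS service account
$thumbprint  = "<Thumbprint ID>"                       # SSL / signing / decryption certificate

Import-Module ActiveDirectory   # assumes RSAT-AD-PowerShell is installed
$failures = @()

# 1. The EC2 instance must be joined to the AWS-managed domain with a healthy secure channel.
if ((Get-ADDomain).DNSRoot -ne $domainFqdn -or -not (Test-ComputerSecureChannel)) {
    $failures += "Not joined to $domainFqdn or the secure channel is broken"
}

# 2. The Admin account only has rights inside its delegated OU, so the DKM container
#    (which holds the ADFS token-signing key material) must live under that OU and exist.
if ($dkmDn -notlike "*,$delegatedOu") { $failures += "DKM container DN is outside the delegated OU" }
$dkm = Get-ADObject -Identity $dkmDn -ErrorAction SilentlyContinue
if (-not $dkm) { $failures += "DKM container $dkmDn does not exist yet (create it with New-ADObject)" }

# 3. The service account must exist and should not be a privileged account.
$svc = Get-ADUser -Identity $svcAccount -Properties MemberOf -ErrorAction SilentlyContinue
if (-not $svc) { $failures += "Service account $svcAccount not found" }
elseif (@($svc.MemberOf) -match 'CN=(Domain|Enterprise) Admins,') {
    $failures += "$svcAccount is a Domain/Enterprise Admin; use a low-privilege account"
}

# 4. The certificate must be in the machine store with its private key available and not about to expire.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { $failures += "Certificate $thumbprint not found in Cert:\LocalMachine\My" }
elseif (-not $cert.HasPrivateKey) { $failures += "Certificate $thumbprint has no private key" }
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $failures += "Certificate $thumbprint expires within 30 days" }

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    Write-Host "Fix the issues above before running Install-AdfsFarm."
} else {
    Write-Host "Preflight passed; proceed with Install-AdfsFarm."
}
```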