
Lab 3 SAML Federating an ASP.NET Web App to AWS SSO

Duration: 90 minutes

Overview

This walkthrough configures an ASP.NET web app hosted on AWS to federate (SAML) to AWS SSO.

Topics covered

In this walk-through, you'll build the following:

  • Deploy AWS Managed Active Directory (Managed AD)
  • Deploy AWS SSO and connect AWS SSO to Managed AD
  • Configure and deploy an ASP.NET Core Web App that will federate to AWS SSO via SAML

Lab Pre-requisites

To successfully complete this lab you will need Visual Studio and an AWS account.


Note: if you do not have Visual Studio installed on your laptop please see the Need Visual Studio? section for instructions on how to install Visual Studio.


Task 1. Deploy AWS Managed Active Directory

In this task, you will deploy AWS Managed AD using the AWS Quick Start for Active Directory.


Step 1. Open the AWS Management Console and select N. Virginia for the region, then open a new browser tab/window, browse to the Quick Start's "Step 2. Launch the Quick Start" page and from that page click on Launch Quick Start for scenario 3

Note: we will be launching scenario #3 to deploy Managed AD; for more information on this scenario go to AWS Quick Start for AD Scenario 3: Deploy AD DS with AWS Directory Service on the AWS Cloud


Step 2. Once the CloudFormation console opens you may need to change the region back to N. Virginia; then click Next


Step 3. I will be creating a new VPC when deploying the Quick Start; make sure the VPC IPv4 CIDR blocks listed below work for your account, and if not, adjust the values

Enter the following parameters and click through the CloudFormation UI and then click Create:


Stack name: ManagedAD-AWSSSO-Demo

AvailabilityZones: us-east-1a, us-east-1b
VPC CIDR: 172.16.0.0/16
Private Subnet 1 CIDR: 172.16.128.0/18
Private Subnet 2 CIDR: 172.16.192.0/18
Public Subnet 1 CIDR: 172.16.0.0/18
Public Subnet 2 CIDR: 172.16.64.0/18
RDGW CIDR: 0.0.0.0/0

Key Pair Name: ---------
RDGW Instance Type: t2.large

Domain DNS Name: corp.testsaml.com
Domain NetBIOS Name: corp
Domain Admin Password: ---------

Number Of RDGW Hosts: 2

QS S3 Bucket Name: aws-quickstart
QS S3 KeyPrefix: quickstart-microsoft-activedirectory


Task 2. Set Up the Sample ASP.NET Core Web App

While we wait for Managed AD to deploy let's go ahead and download and configure our sample ASP.NET Core web app.


Step 4. Grab the source code from S3, browse to https://s3.amazonaws.com/exampleserviceproviderapp/ExampleServiceProvider.zip and extract the zip file contents to your laptop


Step 5. Open Visual Studio, select "Open Project / Solution", browse to the location where you extracted the zip file and open the ExampleServiceProvider.sln solution file; then from the Build menu select Rebuild Solution


Step 6. To run/debug the project locally click on the IIS Express green button in the ribbon

Note: the project is configured for SSL, so you will receive a warning about trusting the localhost certificate; you can either trust the certificate (what I do) or decline to trust it (in which case you will have to click past the warnings in the browser to get to the site)

Note: we are using a free trial of the ComponentSpace SAML service provider for ASP.NET in our app; ComponentSpace's provider makes it very easy to add SAML Service Provider/SSO functionality to your ASP.NET web application with just a few lines of code


Step 7. Stop the debugger by clicking on the red square in Visual Studio


Task 3. Set Up AWS SSO

In this task we will set up AWS SSO


Step 8. Open the AWS console and navigate to AWS Single Sign-On (SSO); if you have not deployed SSO before, we first need to create an AWS Organization with All features enabled

Note: AWS SSO has a few prerequisites that you will want to pay close attention to before executing the next few steps; read the AWS SSO Prerequisites if you have any questions


A short version of the prerequisites is:

- You must be using the master account from AWS Organizations (to deploy Managed AD, etc.)
- You must be logged into the console with the AWS Organizations master account credentials
- You must deploy Managed AD to the master account from AWS Organizations


Step 9. Navigate to the AWS Organizations console by clicking on your AWS account in the top navbar and selecting My organization. Once in the AWS Organizations console you can create/enable an Organization; after you enable Organizations, click on the Settings link and make sure that all features are enabled

Step 10. Hopefully our Managed AD Quick Start has finished; navigate to the CloudFormation console and check. If the stack is not finished, please go grab a cup of coffee or tea or whatever for ten more minutes ;-)


Step 11. Now that Managed AD has been deployed to our VPC, let's create a Windows server, join it to the domain, install the Active Directory Users and Computers (ADUC) tool and create a test user

Navigate to the EC2 console and from the left navbar select Security Groups. The Managed AD Quick Start created a number of security groups, one of which is for the RDP servers located in the public subnet; find that security group and, for testing purposes, create an inbound rule to allow all RDP (3389) traffic from the Internet (0.0.0.0/0)


Step 12. Now let's launch a Windows Server 2016 instance in the same public subnet, attached to the security group modified in the previous step; once the instance is available, grab the public IP and the Windows admin password and RDP into the server

Note: the Managed AD Quick Start should have created a DHCP Options Set and associated it with the VPC for Managed AD; this allows servers provisioned in that VPC to be assigned DNS IP addresses that point to the Managed AD domain controllers. If you experience issues domain-joining the server in the next few steps, verify that the DHCP Options Set was created (VPC console) and/or that the server has the correct DNS IP addresses


Step 13. Once you have an RDP session with the server open the Windows menu and click Server Manager


Step 14. From the Server Manager UI select Local Server from the left navbar and then click Workgroup


Step 15. On the System Properties dialog box click Change


Step 16. On the Computer Name/Domain Changes dialog box select Domain and then enter the domain name you created in step 3


Step 17. Enter the admin username and password and then click OK; once the server is successfully joined to the domain you will need to restart the server


Step 18. Now let's RDP back into the server, this time using the domain admin credentials; once you are back in the server, click the Windows menu and then Server Manager (see step 13), and in the top right corner click on the Manage menu and then Add Roles and Features


Step 19. Once the Add Roles and Features Wizard opens, click Next through the screens until you reach the "Features" screen, then expand "Remote Server Administration Tools" -> "Role Administration Tools" and select "AD DS and AD LDS Tools"; click Next through the remainder of the wizard screens and then Install.


Step 20. Once the feature has finished installing, open the Windows menu, expand the Windows Administrative Tools folder and then click on the Active Directory Users and Computers item


Step 21. Once the Active Directory Users and Computers tool opens, expand the "corp.testsaml.com" directory, then expand the "corp" folder and select "Users"; from the top ribbon bar click on the icon for creating a new user, fill in values for first name, last name (full name will auto-generate) and user logon name and then click Next


Step 22. Now enter a password, clear the "User must change password at next logon" checkbox, select the "Password never expires" checkbox, click Next and then Finish; you can now log out of the server


Step 23. Now that Managed AD has been deployed to our VPC and an AWS Organization is created, let's enable AWS SSO: navigate back to the AWS SSO console and click Enable AWS SSO

Note: if you do not see the Enable AWS SSO button go back through the steps above and read the AWS SSO and Organizations documentation to make sure you have configured everything correctly and please don't hesitate to ask anyone in the room for help.


Step 24. With AWS SSO now enabled let's click on Connect your directory


Step 25. Select the Managed AD directory that we created earlier, enter a User portal URL and click Connect directory


Step 26. From the left navbar select Applications and then click Add a new application


Step 27. Select Custom SAML 2.0 application and then click Add


Step 28. Let's complete the Configure Custom SAML 2.0 application page

Note: later in the walkthrough we will deploy the test ASP.NET Core web app to AWS with Elastic Beanstalk; let's go ahead and assume that in us-east-1 the Elastic Beanstalk URL generated from Visual Studio will be unique and available if I prefix my name at the beginning of the URL:

Our site is configured to run on port 44361 so enter the following URL:

https://localhost:44361/


  1. Details:
    Enter a Display name:

    Display name: ASP.NET Core SAML App
    
  2. AWS SSO metadata:
    Copy the SSO URLs for use later in the walkthrough and download the following two AWS SSO files:

    AWS SSO SAML metadata file
    AWS SSO certificate
    
  3. Application metadata:
    Upload the ExampleServiceProvider-Metadata.xml file located in the source code directory and enter the Application start URL:

    Application start URL: https://localhost:44361/
    


Step 29. After the new SSO app is created verify the Application metadata URLs are correct and then click on the Attribute mappings tab

Note: You can ignore the Application SAML audience URL value


Step 30. Let's add some attributes that will become part of the SAML assertion sent to our application; by default the Subject attribute is already added. Complete the following entries and then click Save changes

User attribute in the application    Maps to this value in AWS SSO    Format
Subject                              ${user:email}                    unspecified
UserId                               ${user:email}                    basic
Givenname                            ${user:givenName}                basic
Surname                              ${user:familyName}               basic

Your attribute mappings should look like:

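To see what the mappings above produce on the wire, here is an added check (not part of the lab or the ComponentSpace sample) that inspects a SAML assertion for the Subject NameID and the UserId, Givenname and Surname attributes and reports anything missing or sent with a NameFormat other than basic. The assertion is a constructed sample with made-up values; signature, Conditions and AuthnStatement validation is left to the SP library, as in the lab.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
# The Step 30 mappings the app relies on (attribute name -> expected NameFormat).
REQUIRED = {"UserId": BASIC, "Givenname": BASIC, "Surname": BASIC}

# Constructed sample assertion (made-up issuer, user and values; unsigned).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2019-12-01T00:00:00Z">
  <saml:Issuer>https://portal.sso.example.invalid/saml/assertion/PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser@corp.testsaml.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>testuser@corp.testsaml.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (name_id, name_id_format, {attr_name: (name_format, [values])})."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = (attr.get("NameFormat"), values)
    fmt = name_id.get("Format") if name_id is not None else None
    return (name_id.text if name_id is not None else None), fmt, attrs

def check_mappings(xml_text):
    """List each Step 30 mapping that is missing or carries the wrong NameFormat."""
    name_id, _fmt, attrs = parse_assertion(xml_text)
    problems = []
    if not name_id:
        problems.append("Subject NameID missing or empty")
    for name, expected in REQUIRED.items():
        if name not in attrs:
            problems.append(f"missing attribute {name}")
        elif attrs[name][0] != expected:
            problems.append(f"{name} has NameFormat {attrs[name][0]}, expected {expected}")
    return problems
```

An empty list from check_mappings means the assertion carries exactly what the sample app's attribute mappings expect.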

Step 31. Now click on the Assigned users tab and then the Assign users button; in the dialog box select the Users tab, enter test in the search textbox and click the Search connected directory button, then select the test user that we created earlier and click Assign users



Task 4. Finish Configuring and Deploy the Sample ASP.NET Core Web App

In this task, you will finish configuring the sample ASP.NET Core web app and deploy the app to AWS with Elastic Beanstalk


Step 32. Let's add our AWS SSO certificate file (from step 28) to the project in Visual Studio: right-click the Certificates folder, select Add -> Existing Item, browse to where you downloaded the AWS_SSO_for_Custom SAML 2.0 application_certificate.pem file and click Add


Step 33. Let's open the Startup.cs file and replace the following values with the URLs you copied in step 28


In the new PartnerIdentityProviderConfiguration() section starting on line 110:

Name = AWS SSO sign-in URL
SingleSignOnServiceUrl = AWS SSO sign-in URL
SingleLogoutServiceUrl = AWS SSO sign-out URL 

Your Startup.cs file should look like:


Step 34. Now let's open the appsettings.json file and replace the following values with the URLs you copied in step 28


In the new PartnerIdentityProviderConfiguration() section starting on line 28:

Name = AWS SSO sign-in URL
SingleSignOnServiceUrl = AWS SSO sign-in URL
SingleLogoutServiceUrl = AWS SSO sign-out URL 

And at the very end of the file update:

PartnerName = AWS SSO sign-in URL

Your appsettings.json file should look like:

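The values pasted into Startup.cs and appsettings.json in steps 33 and 34 all come from the AWS SSO SAML metadata file downloaded in step 28, and the .pem added in step 32 must be the signing certificate that metadata advertises, or the SP will reject every signed response. As an added helper (not part of the lab or the ComponentSpace sample), this script pulls those values out of an IdP metadata file and confirms the .pem matches; the metadata and certificate below are constructed placeholders, not real AWS SSO values.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the two files downloaded in Step 28. The URLs are
# placeholders and the "certificate" is not a real X.509 blob.
FAKE_CERT_B64 = base64.b64encode(b"not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.sso.example.invalid/saml/assertion/PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://portal.sso.example.invalid/saml/logout/PLACEHOLDER"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://portal.sso.example.invalid/saml/assertion/PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + FAKE_CERT_B64 + "\n-----END CERTIFICATE-----\n"

def idp_settings(metadata_xml):
    """Pull the values that Steps 33 and 34 ask for out of the IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    def location(tag):  # first endpoint that uses the HTTP-Redirect binding
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
    certs = [re.sub(r"\s+", "", c.text) for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    # entityID is the issuer the SP matches on (PartnerName); in this sample, as in
    # the lab's Steps 33/34, it is the same value as the sign-in URL.
    return {"Name": root.get("entityID"),
            "SingleSignOnServiceUrl": location("SingleSignOnService"),
            "SingleLogoutServiceUrl": location("SingleLogoutService"),
            "SigningCertificates": certs}

def pem_matches_metadata(pem_text, metadata_xml):
    """True if the .pem added in Step 32 is a signing cert listed in the metadata."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", pem_text)
    return body in idp_settings(metadata_xml)["SigningCertificates"]
```

Run idp_settings on the real metadata file to get the three URLs for Startup.cs and appsettings.json, and pem_matches_metadata on the real .pem to catch a stale or mismatched certificate before testing the login.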

Step 37. Now let's run the project locally; once the site is up, click the AWS SSO button


Step 38. You should have been redirected to the AWS SSO login screen; enter the test user from step 21 and click Sign In


Step 39. And finally you should have been redirected back to the sample app


Step 40. Congratulations, you have configured a sample ASP.NET web app for SAML federation to AWS SSO!


If you found the walkthrough interesting and would like to help our team improve and build new .NET identity walkthroughs, please let us know. Thanks for coming to the workshop today and have a great re:Invent.
