Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
How do I pass Authentication Method Reference from Azure/Entra ID to AWS Identity Center
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 4%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVC%3C/text%3E%3C/svg%3E)
V C
0
Reputation points
I am using Azure/Entra ID as the IDP for my AWS account and federating via AWS Identity Center. I would like to pass the ‘Authentication Method Reference’ from Azure to Identity Center as a Session tag to be able to use MFA status to protect resources in AWS.
Azure allows passing Claim tokens in the SAML token but I don’t see these in the session. Also, there doesn’t seem to be any mechanism for passing the authnmethodsreferences attribute as a session tag / claim in the SAML token.
Any suggestions ?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator2023-11-21T22:51:03.85+00:00 Hell @V C , what session do you mean? Also, the amr claim is included in Entra ID SAML response claims:
<AuthnContextClassRef>http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password</AuthnContextClassRef> -
V C 0 Reputation points
2023-11-27T20:54:07.8966667+00:00 I can see the claim in the SAML token. I don't see it getting mapped anywhere on the AWS side. I am trying to figure out how that mapping should work.
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"> <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue> <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue> </Attribute> -
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator
2023-11-28T02:14:07.8766667+00:00 Hello @V C I've set up a lab for this. Can you provide instructions or documentation on how validate AWS mappings?
-
V C 0 Reputation points
2023-11-28T14:20:13.2233333+00:00 AWS Identity Center does not by default place the multi-valued authnmethodsreference claim into any Session/Context Key for any 3rd party IdPs.
The alternative is to pass an attribute / SAML claim from EntraID indicating whether the session was authenticated using MFA.
An example of how to do this with Okta is here : https://www.okta.com/blog/2022/11/using-okta-for-conditional-access-to-aws-assets/
In EntraID - I believe it's in the 'Add a Claim' section in the SAML setup in EntraID. I'm not familiar enough with this. I only see Directory attributes that can be passed. I don't see how any authn context values can be passed. I tried passing some directory attributes by adding the Claims but I don't see anything coming through in the SAML auth token (recovered from the browser POST request)
Receiving this in AWS IdC is a setup item. Details here :
https://docs.aws.amazon.com/singlesignon/latest/userguide/abac.html
Essentially the goal is to pass 'mfa' status from EntraID to AWS Identity Center so it can be used for Attribute based access control.
P.S. I am an AWS employee and testing this with a free Azure account that limits some of the features in EntraID. I can upgrade to a paid account if that is needed for access to any features required for this solution.
Thanks
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator
2023-12-04T23:48:53.3433333+00:00 Thanks @V C , I will come back soon with my findings.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 27%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMN%3C/text%3E%3C/svg%3E)
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 51%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Mandeep Singh Seehra 0 Reputation points2025-02-04T10:03:14.0566667+00:00 Hi, were we able to find any answer to this? I am trying to setup the same but between Okta and EntraID with EntraID as IDP. I see Entra generates authenticationmethodsreferences in SAML assertion but /claims/multipleauthn is not a standard AMR value which Okta accepts. It doesnt matter if I use Microsoft Authenticator or FIDO2, I only get /claims/multipleauthn
Sign in to comment
Sign in to answer