Multiple Azure AD SAML providers with one AWS account
Hi, I've successfully set up SAML authentication to AWS using the various guides online without issue. As part of those guides, the roles are created in IAM with a trust assignment to the SAML provider as well as a condition. However, whilst I've seen multiple tutorials on how to map an Azure AD account to multiple AWS accounts, I would like to do the opposite:
Due to geo-location requirements, we have multiple Azure AD tenancies, each of which needs to be granted access to AWS. I can easily create the providers for each tenancy, etc., and I was hoping to add all the providers to the trusted principals array in the IAM policy. Unfortunately, doing this shows the role in the user management list, but it is disabled and I cannot select it.
Further testing shows that Azure shows the roles as enabled only if they have a single federated principal, regardless of what it is; however, I would only be able to switch to that role from the matching Azure tenancy. Therefore I have to create roles for each tenancy, which seems excessive and also shows multiple redundant options in the user management list. Is there any other option?
Thanks
John
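The two trust-policy shapes the post describes, side by side, as an added example that is not part of John's post or of any AWS or Azure documentation: one role trusting a single SAML provider, and one listing two providers in the `Principal.Federated` array. The small audit function walks a role's trust policy and reports, per `sts:AssumeRoleWithSAML` statement, which SAML providers it trusts, whether the `SAML:aud` condition is present, and whether more than one provider is listed (the shape the post reports Azure AD rendering as disabled). The account ID, provider names and the `audit_trust_policy`/`flag_roles` function names are assumptions for the example; the policies are constructed inline rather than fetched from IAM.

```python
import json

# Constructed sample trust policies (not from the original post).
# Account ID and provider names are placeholders.
SINGLE_PROVIDER_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD-EU"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }
    ],
})

# Same role, but with every tenancy's provider in the trusted-principal array.
MULTI_PROVIDER_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "arn:aws:iam::123456789012:saml-provider/AzureAD-EU",
                    "arn:aws:iam::123456789012:saml-provider/AzureAD-US",
                ]
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(trust_policy_json):
    """Summarise each Allow statement for sts:AssumeRoleWithSAML in a role trust policy.

    Returns one dict per matching statement with the trusted SAML provider ARNs,
    whether a SAML:aud condition is present, and whether more than one provider
    is listed (the shape the post reports Azure AD showing as a disabled role).
    """
    policy = json.loads(trust_policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        providers = [arn for arn in federated if ":saml-provider/" in arn]
        # Condition keys are matched case-insensitively by IAM, so compare lower-cased.
        conditions = stmt.get("Condition", {})
        has_aud = any(
            key.lower() == "saml:aud"
            for values in conditions.values() if isinstance(values, dict)
            for key in values
        )
        findings.append({
            "providers": providers,
            "has_aud_condition": has_aud,
            "multi_provider": len(providers) > 1,
        })
    return findings


def flag_roles(trust_policies_by_role):
    """Return the names of roles whose trust policy lists several SAML providers
    in one statement or lacks the SAML:aud condition, sorted for stable output."""
    flagged = []
    for role_name, policy_json in trust_policies_by_role.items():
        for finding in audit_trust_policy(policy_json):
            if finding["multi_provider"] or not finding["has_aud_condition"]:
                flagged.append(role_name)
                break
    return sorted(flagged)


if __name__ == "__main__":
    roles = {"AzureAdmin-EU": SINGLE_PROVIDER_TRUST, "AzureAdmin-AllTenants": MULTI_PROVIDER_TRUST}
    for name, policy in roles.items():
        print(name, json.dumps(audit_trust_policy(policy), indent=2))
    print("Roles to review:", flag_roles(roles))
```

The same audit can be pointed at live roles by feeding it the `AssumeRolePolicyDocument` that `iam:GetRole` returns for each role; the parsing above only depends on the standard policy-document layout.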