Tuesday, April 14, 2020

Configure AWS Login With Azure AD Enterprise App

The idea is to enable users to sign in to AWS using their Azure AD credentials. This can be achieved by configuring single sign-on (SSO) between Azure AD and AWS. The process involves creating an enterprise application in Azure AD and configuring the AWS application to use Azure AD as the identity provider. Once this is set up, users can log in to AWS using their Azure AD credentials and access the AWS resources that they have been authorized to use. The tutorial provided by Microsoft explains the steps involved in setting up this SSO configuration between Azure AD and AWS.



  1. Azure >> Enterprise App >> Configure Azure AD SSO
    1. Deploy Amazon Web Services Developer App
    2. Single Sign On >> SAML
      1. Popup to save
        1. Identifier: https://signin.aws.amazon.com/saml
        2. Reply URL: https://signin.aws.amazon.com/saml
      2. Save
    3. SAML Signing Certificate
      1. Download "Federation Metadata XML"
    4. Add the AD users to the application's Users and Groups
  2. AWS >> IAM >> Identity provider
    1. Create
      1. SAML
      2. AZADAWS
      3. Upload the Metadata XML
    2. Verify Create
  3. AWS >> IAM >> Role (this role will appear in the Azure application)
    1. SAML 2.0 Federation
      1. Choose: the identity provider created earlier
      2. Allow programmatic and AWS Management Console access
      3. Choose required permissions
      4. Create the role with an appropriate name
  4. AWS >> IAM >> Policies (this policy allows fetching the roles from AWS accounts)
    1. Choose JSON
      1. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": "*" } ] }
    2. Name: AzureAD_SSOUserRole_Policy
    3. Create the Policy
  5. AWS >> IAM >> User
    1. Name: AzureADRoleManager
    2. Choose Programmatic access
    3. Permission: Attach existing policies
      1. Choose: AzureAD_SSOUserRole_Policy
    4. Create User
    5. Copy the access key and secret key
  6. Azure Enterprise App >> Choose the Amazon Web Services app that was deployed
    1. Provisioning
      1. Set it to Automatic
      2. Enter the AWS access key and secret key
      3. Test and Save
      4. Set the "Provisioning Status" to ON
      5. Wait for a sync to complete
      6. Once the sync has completed, go to Users and Groups
        1. Choose the user and click Edit
        2. Choose the AWS Role
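
A check for the IAM documents created in steps 3 to 5, added here as an example and not part of the original post. It assumes the role's trust policy should admit only the AZADAWS provider with SAML:aud pinned to the sign-in URL from step 1; the account ID 111122223333 and the function names are constructed.

```python
# Added example: offline audit of the IAM documents from steps 3 to 5.
# Account ID 111122223333 and all function names are constructed for illustration.
SAML_AUD = "https://signin.aws.amazon.com/saml"  # Identifier / Reply URL from step 1
PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/AZADAWS"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_saml_trust(trust_policy, provider_arn=PROVIDER_ARN):
    """Findings for a role trust policy that should admit only the SAML provider."""
    findings = []
    for i, st in enumerate(_as_list(trust_policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") != {"Federated": provider_arn}:
            findings.append(f"statement {i}: principal is not solely {provider_arn}")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if actions != ["sts:assumerolewithsaml"]:
            findings.append(f"statement {i}: action is not solely sts:AssumeRoleWithSAML")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if _as_list(aud) != [SAML_AUD]:
            findings.append(f"statement {i}: SAML:aud is not pinned to {SAML_AUD}")
    return findings

def audit_provisioning_policy(policy, allowed=("iam:listroles",)):
    """Findings for the policy attached to AzureADRoleManager: it should only list roles."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            findings.append(f"statement {i}: NotAction grants everything not listed")
        for action in _as_list(st.get("Action", [])):
            if action.lower() not in allowed:
                findings.append(f"statement {i}: unexpected action {action}")
    return findings

# Constructed trust policy in the shape this check expects for the step 3 role.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}}}]}
# The policy JSON from step 4 of the page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_saml_trust(GOOD_TRUST))
    print(audit_provisioning_policy(PAGE_POLICY))
```

The access key copied in step 5 is long-lived, so the second check matters: it confirms the AzureADRoleManager user can do nothing beyond listing roles.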






Saturday, February 8, 2020

Issue with Mission Control in Mac 10.15.13

If you are experiencing issues with Mission Control on Mac version 10.15.13 after an update, there is a fix that involves using the Terminal app. Simply type or copy the following command: "defaults write com.apple.dock mcx-expose-disabled -bool FALSE", then type "killall Dock" to stop the Dock, which will automatically restart. After this, the Exposé activation should take effect.
Fix
  • Go to the Terminal app
  • Type or copy: defaults write com.apple.dock mcx-expose-disabled -bool FALSE
  • Then type: killall Dock to stop the Dock, which will then be restarted automatically. Only then will the Exposé activation take effect.


Wednesday, January 29, 2020

Azure AD integration to GCP Cloud for SSO

The idea is to enable SSO to GCP using Azure AD.

Make sure Cloud Identity is subscribed in the GCP account and that there is a super admin user in that account.
Also make sure the same domain is verified in both Azure and GCP.
Note: If the same domain is already verified in another G Suite or GCP account, that account should be used.

Base Document Followed



Process
In GCP: Create one super admin in the Google environment (super admin is only available in admin.google.com, which is available only if G Suite or Cloud Identity is registered).
In Azure: Create one application for user provisioning.
Make sure the user has been created in the GCP user portal, admin.google.com.

In Azure: Create a second app.
After configuring as per the GCP document, login fails with the errors listed below. To resolve them, add the Identifier and Reply URL.




Errors faced

Error1:
AADSTS650056: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 01303a13-8322-4e06-bee5-80d612907131.
Solution: In SAML Config, add Identifier (Entity ID): google.com/a/<Domain Name>

Error2:
AADSTS900561: The endpoint only accepts POST requests. Received a GET request.
Solution: In SAML Config, add Reply URL: https://google.com/a/*