<sub>(2025/12/10)</sub>
#AWS #EntraID
## Introduction
I had a simple task the other day: integrate a new AWS environment with Entra ID. Following the Microsoft and Amazon documentation, however, I got stuck at a critical step of the setup, because the "Download metadata file" option shown in the docs was not available in my console:
- https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-single-sign-on-tutorial
- https://docs.aws.amazon.com/singlesignon/latest/userguide/idp-microsoft-entra.html
For example, compare the screenshots in the documentation:
![[AWS - SSO 01.webp]]
![[AWS - SSO 02.webp]]
with my own console, which is missing the "Download metadata file" option:
![[AWS - SSO 03.png]]
This is a problem: to configure SAML SSO for the `AWS IAM Identity Center` enterprise application in Entra ID, you need the missing AWS metadata file to fill in the `Basic SAML Configuration` section, while AWS in turn wants the Entra ID metadata before it will offer its own. Each side requires a metadata file from the other, a chicken-and-egg loop:
![[AWS - SSO 04.png]]
## Solution
To break this loop, where each side wants the other's metadata first, we will:
1. Manually determine the `Identifier (Entity ID)` and `Reply URL (Assertion Consumer Service URL)` values for our Entra ID application, since they follow a predictable pattern
2. Download the Entra ID `Federation Metadata XML` and upload it into AWS
3. Download the `IAM Identity Center` metadata file that AWS then offers and upload it into our Entra ID application, so that both sides hold matching values
### Finding the Values
This step is straightforward and uses the AWS CLI:
1. Either launch CloudShell from the AWS console or connect from your workstation with the AWS CLI:
- On a Mac, install the AWS CLI via Homebrew -> `brew install awscli`
- Then authenticate with the `aws login` command and select the region in which your IAM Identity Center instance is located
2. Next, run -> `aws sso-admin list-instances --region ca-west-1`, again replacing `ca-west-1` with your region
The output should look similar to this:
```
{
    "Instances": [
        {
            "InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLEID",
            "IdentityStoreId": "XXXX",
            "OwnerAccountId": "XXXX",
            "CreatedDate": "2025-12-09T11:33:46.874000-07:00",
            "Status": "ACTIVE"
        }
    ]
}
```
The value we need is `"InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLEID"`, or more precisely its last path segment, `ssoins-EXAMPLEID`, which is the instance ID used in the URLs below.
The SAML endpoints the Entra ID application needs follow a predictable pattern built from the region and the instance ID, so fill in the templates below, replacing `<region>` with your region and `<instance-id>` with the `ssoins-...` value from the previous command:
- **Issuer URL (Identifier/Entity ID)**: `https://<region>.signin.aws.amazon.com/platform/saml/<instance-id>`
- **ACS URL (Reply URL)**: `https://<region>.signin.aws.amazon.com/platform/saml/acs/<instance-id>`
So in this case my Issuer URL (Identifier/Entity ID) would be:
- https://ca-west-1.signin.aws.amazon.com/platform/saml/ssoins-EXAMPLEID
And my ACS URL (Reply URL) would be:
- https://ca-west-1.signin.aws.amazon.com/platform/saml/acs/ssoins-EXAMPLEID
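The derivation above can be scripted so the values are never retyped by hand. The following Python is an added example (not part of the original post and not an AWS tool): it reads the JSON from `aws sso-admin list-instances` on stdin, insists on exactly one `ACTIVE` instance, pulls the `ssoins-...` ID out of the ARN and prints the two URLs. The embedded sample output is constructed from the example shown above (the `XXXX` placeholders are kept as-is), and the script name `derive_sp_urls.py` is assumed.

```python
"""Derive the IAM Identity Center SAML service-provider values from the JSON
printed by `aws sso-admin list-instances`.

Usage (live):  aws sso-admin list-instances --region ca-west-1 --output json \
                   | python3 derive_sp_urls.py ca-west-1
Without piped stdin the constructed sample below is used instead."""
import json
import re
import sys

# Instance ARNs have empty region/account fields: arn:aws:sso:::instance/ssoins-<id>.
INSTANCE_ARN_RE = re.compile(r"^arn:aws:sso:::instance/(ssoins-[A-Za-z0-9]+)$")
# Commercial-partition region names such as ca-west-1 or eu-central-2. GovCloud
# uses a different sign-in domain and is deliberately not handled here.
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")


def instance_id_from_arn(arn: str) -> str:
    """Return the ssoins-... identifier, refusing anything that is not an
    IAM Identity Center instance ARN (e.g. a role ARN pasted by mistake)."""
    m = INSTANCE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM Identity Center instance ARN: {arn!r}")
    return m.group(1)


def sp_urls(region: str, instance_id: str) -> dict:
    """Build the two values Entra ID asks for under Basic SAML Configuration."""
    if not REGION_RE.match(region):
        raise ValueError(f"unexpected region name: {region!r}")
    base = f"https://{region}.signin.aws.amazon.com/platform/saml"
    return {
        "entity_id": f"{base}/{instance_id}",    # Identifier (Entity ID) / Issuer URL
        "acs_url": f"{base}/acs/{instance_id}",  # Reply URL (Assertion Consumer Service URL)
    }


def sp_urls_from_cli_output(region: str, cli_json: str) -> dict:
    """Parse `aws sso-admin list-instances` output and derive the SP URLs.

    Fails loudly rather than guessing: values for the wrong or an inactive
    instance would produce a federation that silently never works."""
    instances = json.loads(cli_json).get("Instances", [])
    if len(instances) != 1:
        raise ValueError(f"expected exactly one instance, found {len(instances)}")
    inst = instances[0]
    if inst.get("Status") != "ACTIVE":
        raise ValueError(f"instance status is {inst.get('Status')!r}, not ACTIVE")
    return sp_urls(region, instance_id_from_arn(inst["InstanceArn"]))


# Constructed sample shaped like the CLI output shown earlier on this page.
SAMPLE_CLI_OUTPUT = """
{
    "Instances": [
        {
            "InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLEID",
            "IdentityStoreId": "XXXX",
            "OwnerAccountId": "XXXX",
            "CreatedDate": "2025-12-09T11:33:46.874000-07:00",
            "Status": "ACTIVE"
        }
    ]
}
"""

if __name__ == "__main__":
    region_arg = sys.argv[1] if len(sys.argv) > 1 else "ca-west-1"
    data = SAMPLE_CLI_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for name, url in sp_urls_from_cli_output(region_arg, data).items():
        print(f"{name}: {url}")
```

The region is passed explicitly rather than read from the ARN because the instance ARN carries no region field; it has to be the region in which IAM Identity Center is enabled, the same one used with `--region` above.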
### Export the Entra ID `Federation Metadata XML` into AWS
Now, within our Entra ID application, open the `Basic SAML Configuration` section, enter the two values from the previous step, and save:
![[AWS - SSO 05.png]]
Afterwards, download the `Federation Metadata XML` under SAML certificates:
![[AWS - SSO 06.png]]
Now go back to the `Configure external identity provider` page in AWS and upload the `Federation Metadata XML` file downloaded from your Entra ID application using the `IdP SAML metadata` option:
![[AWS - SSO 07.png]]
### Exporting the `IAM Identity Center` metadata file from AWS
Once the `Federation Metadata XML` file from your Entra ID application has been uploaded into AWS, you are taken to a page that lets you download the AWS metadata file. Upload that file into your Entra ID application with the `Upload metadata file` option and save the changes; the `Identifier` and `Reply URL` it populates should match the values entered by hand earlier:
![[AWS - SSO 08.png]]
![[AWS - SSO 09.png]]
After the above step, Entra ID is configured to federate with AWS. One thing to keep in mind: the Entra ID SAML signing certificate that was shipped to AWS inside the metadata file has a limited validity (three years by default), so it will have to be rotated on both sides before it expires.
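Because both sides were configured partly by hand, it is worth confirming offline that the two downloaded metadata files agree with what was typed in. The Python below is an added example, not code from the original post, Microsoft or Amazon. It summarises either file (which side it describes, its `entityID`, the HTTP-POST endpoint the other side will use and, for the Entra ID file, the SHA-1 thumbprint of each signing certificate, which should equal the thumbprint shown in the Entra `SAML Certificates` blade) and compares the AWS metadata against the Entity ID and ACS URL entered in Entra. The two embedded XML documents are constructed samples shaped like the real files; the all-zero tenant GUID and the certificate bytes are placeholders, and the file name `inspect_saml_metadata.py` is assumed.

```python
"""Offline sanity checks on the SAML metadata exchanged between Entra ID and
IAM Identity Center. Usage: python3 inspect_saml_metadata.py <metadata.xml>
(without an argument the constructed Entra ID sample below is inspected)."""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, in the upper-case hex form
    that the Entra ID 'SAML Certificates' blade displays."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def _post_location(parent, tag):
    """Location of the HTTP-POST binding of the named endpoint element, if any."""
    for e in parent.findall(f"md:{tag}", NS):
        if e.get("Binding") == HTTP_POST:
            return e.get("Location")
    return None


def inspect_metadata(xml_text: str) -> dict:
    """Summarise an EntityDescriptor: which side it describes, its entityID, the
    HTTP-POST endpoint the other side will use, and any signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "signing_thumbprints": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        # Identity-provider side (Entra ID): the URL AWS sends the browser to,
        # and the certificate(s) AWS will trust to verify signed assertions.
        info["role"] = "idp"
        info["endpoint"] = _post_location(idp, "SingleSignOnService")
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
                for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                    info["signing_thumbprints"].append(thumbprint(c.text))
        if not info["signing_thumbprints"]:
            raise ValueError("IdP metadata carries no signing certificate")
    elif sp is not None:
        # Service-provider side (IAM Identity Center): where Entra ID posts the assertion.
        info["role"] = "sp"
        info["endpoint"] = _post_location(sp, "AssertionConsumerService")
    else:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    return info


def sp_mismatches(sp_xml: str, expected_entity_id: str, expected_acs_url: str) -> list:
    """Compare the AWS metadata file against the Entity ID and Reply URL typed into
    Entra's Basic SAML Configuration. An empty list means the two sides agree."""
    info = inspect_metadata(sp_xml)
    problems = []
    if info["role"] != "sp":
        problems.append(f"expected SP metadata, got {info['role']} metadata")
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID {info['entity_id']!r} != {expected_entity_id!r}")
    if info["endpoint"] != expected_acs_url:
        problems.append(f"ACS URL {info['endpoint']!r} != {expected_acs_url!r}")
    return problems


# Constructed samples shaped like the real files, unsigned and minimal. The
# all-zero tenant GUID and the certificate bytes are placeholders, not real values.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not an X.509 certificate").decode()
TENANT = "00000000-0000-0000-0000-000000000000"
ENTRA_IDP_XML = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
AWS_SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ca-west-1.signin.aws.amazon.com/platform/saml/ssoins-EXAMPLEID">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ca-west-1.signin.aws.amazon.com/platform/saml/acs/ssoins-EXAMPLEID"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else ENTRA_IDP_XML
    for key, value in inspect_metadata(text).items():
        print(f"{key}: {value}")
```

Run it once against the downloaded Entra `Federation Metadata XML` to confirm the thumbprint matches the portal before that file goes to AWS, and once against the AWS metadata file (via `sp_mismatches` with the two URLs you entered) before saving it in Entra; a mismatch at this point costs seconds, while a mismatch discovered at first login costs a debugging session.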
## Conclusion
Hopefully this article helped you configure AWS to work with your Entra ID by filling in the pieces the documentation leaves out. Once everything is configured, test with a user by assigning them to your Entra ID application; that user must also exist in IAM Identity Center with a username matching the identifier Entra ID sends in the assertion (the user principal name by default). If you need to bring your users from Entra ID into AWS, [follow Amazon's guide for configuring SCIM synchronization (which should take about 5 minutes)](https://docs.aws.amazon.com/singlesignon/latest/userguide/idp-microsoft-entra.html#step4-entra-scim). Then all that remains is to assign some AWS permissions to your newly federated account.
![[AWS - SSO 10.png]]