
How do I set up AD FS on an EC2 Windows instance to work with federation for a Cognito user pool?


I want to use Active Directory Federation Services (AD FS) as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool. I want to set up AD FS on an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance.

Resolution

Use Server Manager to set up an AD FS server and domain controller on a single EC2 Windows instance. This single-instance topology, in which the federation server is also the domain controller and is reachable from the internet, is suitable for a test environment. For production, run AD FS on its own servers, publish it through a Web Application Proxy, and keep the domain controllers off the internet. To complete the setup, you must have a Cognito user pool with an app client and a domain name that you own. If you don't own a domain, then you can register a new domain with Amazon Route 53 or another DNS provider.

For more information, see How do I set up AD FS as a SAML identity provider with an Amazon Cognito user pool?

Configure and launch a Windows instance

Complete the following steps:

  1. Open the EC2 console.
  2. Choose Launch Instance.
  3. On the Choose an Amazon Machine Image (AMI) page, choose an AMI for Windows Server, such as the Microsoft Windows Server 2025 Base AMI.
  4. Select your instance type.
  5. For Key pair (login), select an existing key pair from the dropdown list, or create a new key pair.
    Important: Save the key pair's private key .pem file. You need it to retrieve the initial Administrator password for the Windows instance.
  6. Under Network settings, choose Create security group, and then select Allow RDP traffic from.
    Note: Set the source for RDP to My IP or Custom rather than Anywhere. This instance becomes a domain controller, so Remote Desktop Protocol (RDP) access must be limited to the addresses that you administer from. Users' browsers and Amazon Cognito must reach the AD FS endpoints over HTTPS, so the security group also needs an inbound rule for TCP port 443 (add it now, or after you install the certificate). Leave every other port closed.
  7. Choose Launch.
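The same security group, built with AWS Tools for PowerShell instead of the launch wizard, as an added example that is not part of the original article. It assumes the AWS.Tools.EC2 module and credentials are configured on the workstation; the VPC ID and administrator address are placeholders.

```powershell
# Added example (not from the original article): security group for the AD FS instance.
# Assumptions: AWS.Tools.EC2 is installed and credentials are configured; the VPC ID and
# the administrator's address below are placeholders.
Import-Module AWS.Tools.EC2

$vpcId   = 'vpc-0123456789abcdef0'   # assumption: your VPC
$adminIp = '203.0.113.10/32'         # assumption: the address you administer from

$sg = New-EC2SecurityGroup -GroupName 'adfs-lab' -Description 'AD FS on EC2 Windows' -VpcId $vpcId

# RDP only from the administrator's address, never 0.0.0.0/0: this host is also a domain controller.
$rdp = @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = @($adminIp) }

# HTTPS from anywhere: browsers post SAML requests to AD FS, and Amazon Cognito retrieves
# /FederationMetadata/2007-06/FederationMetadata.xml from the same endpoint.
$https = @{ IpProtocol = 'tcp'; FromPort = 443; ToPort = 443; IpRanges = @('0.0.0.0/0') }

Grant-EC2SecurityGroupIngress -GroupId $sg -IpPermission @($rdp, $https)

# Audit: fail if any rule other than TCP 443 is open to the world.
$open = (Get-EC2SecurityGroup -GroupId $sg).IpPermissions |
    Where-Object { $_.Ipv4Ranges.CidrIp -contains '0.0.0.0/0' -and $_.FromPort -ne 443 }
if ($open) { throw "Unexpected world-open rule(s) on port(s): $($open.FromPort -join ', ')" }
"Security group $sg ready"
```

Attach the group when you launch the instance, or afterwards with Edit-EC2InstanceAttribute. The audit at the end is the check to repeat after any later change: for a domain controller, only 443 should ever face the internet.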

Associate an Elastic IP address with your Windows instance

Allocate an Elastic IP address to your AWS account. Then, associate your Elastic IP address with your Windows instance.

Use your Elastic IP address to create a record for your domain

The federation service name that you give AD FS (this article uses the AD DS domain name, example.com, for both) must resolve on the public internet to the Windows instance. In your DNS hosted zone, create an A (IPv4 address) record for that name with the Elastic IP address that's associated with the instance as the value. Users' browsers and Amazon Cognito both resolve this name to reach the AD FS sign-in and metadata endpoints.

Install AD DS, IIS, and AD FS on your Windows instance

Use your RDP client to connect to your Windows instance.

Open Server Manager in Windows, and then use the Add Roles and Features Wizard to install the following roles:

  • Active Directory Domain Services
  • Active Directory Federation Services
  • Internet Information Services (IIS)

For more information, see Install or uninstall roles, role services, or features on the Microsoft website.

Configure AD DS on your Windows instance

To configure AD DS, use the Active Directory Domain Services Configuration Wizard in Server Manager. On the Deployment Configuration page, choose Add a new forest and enter your domain, for example, example.com. The wizard also asks for a Directory Services Restore Mode (DSRM) password; store it securely. When the configuration completes, Windows warns that you're about to be signed out, and the server restarts. After the restart, use your RDP client to connect to your Windows instance again.

For more information, see Install Active Directory Domain Services on the Microsoft website.

Configure HTTP site binding in IIS

In Server Manager, use IIS to edit the HTTP site binding for your website. For more information, see How to add binding information to a site on the Microsoft website.

Important: When you edit the HTTP binding in IIS, enter your domain name for host name, for example, example.com. Don't change the IP address (All Unassigned) or Port (80).

Configure your Windows instance to allow file downloads

See How do I configure an EC2 Windows instance to allow file downloads through Internet Explorer?

Request a digital certificate for your domain

AD FS requires an SSL/TLS server certificate for its service communications, and IIS requires it for the HTTPS binding. Request the certificate from a publicly trusted certificate authority (CA): it must include the federation service name (example.com) as a subject alternative name and chain to a root that users' browsers and Amazon Cognito trust. A self-signed certificate fails both checks, so Cognito can't retrieve the metadata URL and users see browser warnings. Use a trusted certificate tool (an ACME client, for example) to request the certificate and install it, with its private key, in the computer's personal certificate store.

For more information, see Choosing a certificate on the Microsoft website.

(Optional) Configure HTTPS site binding in IIS

If the certificate tool that you use doesn't automatically add an HTTPS site binding in IIS, then manually add the site binding and select the certificate that you requested.

For more information, see Create an SSL binding on the Microsoft website.

Configure AD FS on your Windows instance

To configure the Windows instance as a federation server, use the AD FS Federation Server Configuration Wizard in Server Manager.

For more information, see Prepare and deploy Active Directory Federation Services - on-premises certificate trust on the Microsoft website.

On the Specify Service Account page, the simplest choice for a test environment is the user that's named Administrator with the password that you used for RDP. That account is a domain administrator, so the federation service then runs with far more privilege than it needs, and changing the administrator password breaks the service. Where possible, choose Create a Group Managed Service Account instead: AD FS then runs under a dedicated account whose password Active Directory rotates automatically. A gMSA requires a KDS root key in the forest, so run Add-KdsRootKey before you start the wizard.
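The role installation, forest promotion, and federation service configuration from the preceding sections, as an added PowerShell example that is not part of the original article. It runs in two phases in an elevated session on the instance (the promotion restarts the server, so phase 2 runs after you reconnect), assumes the domain, NetBIOS, and gMSA names shown, and assumes that the CA-issued certificate for the federation service name is already installed with its private key in the computer's personal store. It uses a gMSA rather than the built-in Administrator account.

```powershell
# Added example (not from the original article). Assumptions: the names below; the
# federation service certificate is already in Cert:\LocalMachine\My with its private key.
$domainName  = 'example.com'   # assumption: AD DS domain, also used as the federation service name
$netbiosName = 'EXAMPLE'       # assumption
$gmsaName    = 'svc-adfs'      # assumption: gMSA that runs the AD FS service

# ---- Phase 1: install roles and promote to the first domain controller of a new forest ----
Install-WindowsFeature AD-Domain-Services, ADFS-Federation, Web-Server -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName $domainName -DomainNetbiosName $netbiosName -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force        # restarts the server when done

# ---- Phase 2 (after the restart, signed in as a domain administrator) ----
# A gMSA needs a KDS root key. Backdating EffectiveTime skips the 10-hour replication wait;
# that is only acceptable in a single-DC lab forest like this one.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null }
$thisDc = Get-ADComputer -Identity $env:COMPUTERNAME
New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$domainName" `
    -PrincipalsAllowedToRetrieveManagedPassword $thisDc

# Service communications certificate: newest certificate in LocalMachine\My whose subject
# is the federation service name and that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$domainName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $domainName in LocalMachine\My" }

Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName $domainName `
    -FederationServiceDisplayName 'Example Corp Sign-In' `
    -GroupServiceAccountIdentifier "$netbiosName\$gmsaName`$"

# Check: the federation service runs under the gMSA, not under Administrator.
Get-Service adfssrv | Select-Object Name, Status
(Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName   # expected: EXAMPLE\svc-adfs$
```

Install-AdfsFarm registers the host/example.com service principal name on the gMSA and configures the HTTP.sys binding for port 443 itself; AD FS on Windows Server 2012 R2 and later doesn't run inside IIS, so the IIS bindings from the earlier steps don't affect the federation service.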

Create a user in Active Directory

To create a new user in Active Directory, use the Active Directory Users and Computers tool. A user needs only its default Domain Users membership to sign in through AD FS. Don't add the test user to the Administrators group: that membership isn't required for federation, and it gives a federated identity full control of the domain controller.

For more information, see Create a user and add to a group on the Microsoft website.

Add an email address for your Active Directory user

Complete the following steps:

  1. In the Active Directory Users and Computers tool, open (double-click) Users to view the list of users.
  2. In the list of users, find the user that you created. Open (right-click) the user to view the context menu, and then choose Properties.
  3. In the Properties window, on the General tab, in the E-mail field, enter a valid email address for the user. The value is stored in the user's mail attribute, which the claim rule reads and includes in the SAML assertion.

For more information, see General property page on the Microsoft website.
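The same user created with the Active Directory module, as an added example that is not part of the original article. It assumes the domain, account name, and address shown, leaves the user in Domain Users, and verifies the mail attribute that the claim rule in the next section queries.

```powershell
# Added example (not from the original article). The domain, account name and address are
# assumptions; the user gets no administrative group membership.
Import-Module ActiveDirectory

$domainName = 'example.com'                   # assumption
$sam        = 'cognito.test'                  # assumption
$email      = "cognito.test@$domainName"      # assumption: becomes the mail attribute

New-ADUser -Name 'Cognito Test' -SamAccountName $sam `
    -UserPrincipalName $email -EmailAddress $email `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -Enabled $true -ChangePasswordAtLogon $false

# Verify: 'mail' is the LDAP attribute the "Send LDAP Attributes as Claims" rule reads, and
# a federated test identity must not hold administrative rights on the domain controller.
$u = Get-ADUser -Identity $sam -Properties mail, memberOf
if ($u.mail -ne $email) { throw "mail attribute not set for $sam" }
if ($u.memberOf | Where-Object { $_ -like 'CN=Administrators,*' -or $_ -like 'CN=Domain Admins,*' }) {
    throw "$sam has administrative group membership; remove it"
}
"$sam ready: mail=$($u.mail)"
```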

Add a claims-aware relying party trust in AD FS

In Server Manager, choose Tools, and then choose AD FS Management. To add a claims-aware relying party trust, use the Add Relying Party Trust Wizard.

On the Configure URL page of the wizard, select Enable support for the SAML 2.0 WebSSO protocol. For Relying party SAML 2.0 SSO service URL, enter the user pool's assertion consumer service (ACS) endpoint, https://yourDomainPrefix.auth.region.amazoncognito.com/saml2/idpresponse. Replace yourDomainPrefix with your Cognito user pool's domain prefix, and replace region with the user pool's AWS Region. If the user pool uses a custom domain, enter https://yourCustomDomain/saml2/idpresponse instead. AD FS posts the signed SAML response to this URL, so it must match the user pool domain exactly.

On the Configure Identifiers page of the wizard, for Relying party trust identifier, enter the URN urn:amazon:cognito:sp:yourUserPoolID. Replace yourUserPoolID with your Cognito user pool's ID. AD FS places this value in the Audience element of the assertion, and Cognito rejects responses whose audience doesn't match the user pool.

For more information, see Using SAML identity providers with a user pool and To create a claims aware Relying Party Trust manually on the Microsoft website.

Edit your application's claims issuance policy in AD FS

In AD FS Management, select the relying party trust that you created, and then choose Edit Claim Issuance Policy. Choose Add Rule, and for Claim rule template, choose Send LDAP Attributes as Claims.

On the Configure Rule page, complete the following steps:

  1. For Claim rule name, enter Email.
  2. For Attribute store, choose Active Directory.
  3. For LDAP Attribute, choose E-Mail-Addresses.
  4. For Outgoing Claim Type, choose E-Mail Address.

For more information, see To create a rule to send LDAP attributes as claims for a Relying Party Trust in Windows Server 2016 on the Microsoft website.

Note: Cognito identifies the user by the SAML NameID, so add a second rule that maps the email address to it. Choose Add Rule again, choose the Transform an Incoming Claim template, and then set Incoming claim type to E-Mail Address, Outgoing claim type to Name ID, and Outgoing name ID format to Email. Keep this rule below the Email rule: rules run in order, and the transform consumes the E-Mail Address claim that the first rule issues. The SAML assertion then carries the user's email address both as the E-Mail Address claim and as the NameID.

For more information, see To create a rule to send LDAP attributes as claims for Windows Server 2012 R2 on the Microsoft website.
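The relying party trust and both claim rules from the two preceding sections, created with the ADFS PowerShell module instead of the wizards, as an added example that is not part of the original article. The rule text is the claim rule language that the two wizard templates generate; the user pool ID, domain prefix, and Region are placeholders.

```powershell
# Added example (not from the original article): Cognito relying party trust plus the
# "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" rules.
# Assumptions: the user pool ID, domain prefix and Region below.
Import-Module ADFS

$userPoolId   = 'us-east-1_EXAMPLE1'   # assumption: your user pool ID
$domainPrefix = 'yourdomainprefix'     # assumption: your user pool domain prefix
$region       = 'us-east-1'            # assumption: the user pool's Region

$identifier = "urn:amazon:cognito:sp:$userPoolId"                                        # audience
$acsUrl     = "https://$domainPrefix.auth.$region.amazoncognito.com/saml2/idpresponse"   # ACS

# Rule 1 reads the mail attribute of the authenticated account and issues the E-Mail Address
# claim. Rule 2 copies that claim into the NameID with the email format. Order matters:
# rule 2 reads what rule 1 issued, so it must come second.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name 'Amazon Cognito user pool' `
    -Identifier $identifier `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -AccessControlPolicyName 'Permit everyone'

# Verify: identifier equals the URN Cognito expects, the ACS points at the user pool domain,
# and both rules are present (expected count: 2).
$trust = Get-AdfsRelyingPartyTrust -Identifier $identifier
$trust | Select-Object Name, Identifier, @{ n = 'Acs'; e = { $_.SamlEndpoints.Location } }
($trust.IssuanceTransformRules -split '@RuleName').Count - 1
```

"Permit everyone" is the built-in access control policy that the wizard applies by default; restrict it to a group once the sign-in flow works, so that only intended accounts can obtain assertions for the user pool.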

Test the SAML IdP metadata URL for your server

In a web browser, open the federation metadata endpoint for your domain: https://example.com/federationmetadata/2007-06/federationmetadata.xml (replace example.com with your federation service name).

If the browser downloads or displays the federationmetadata.xml file without a certificate warning, then DNS, the security group, the certificate, and the federation service are all working. Note the URL, or save the .xml file; you use one of them to configure the SAML provider in the Cognito console. Prefer the URL: AD FS rolls over its token-signing certificate automatically (once a year by default), and Cognito can pick up the new certificate from the URL, whereas an uploaded file must be replaced by hand before the old certificate expires.

For more information, see Configuring your third-party SAML identity provider.
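The same check done from PowerShell, as an added example that is not part of the original article: it retrieves the metadata the way Amazon Cognito does (with certificate validation on) and prints the three values the trust depends on. It assumes the federation service name shown.

```powershell
# Added example (not from the original article). Assumption: the federation service name.
$fsName      = 'example.com'   # assumption: your federation service name
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"

# Invoke-WebRequest rejects an untrusted or mismatched certificate by default; keep it that
# way, because Cognito validates the certificate too. A TLS error here means the
# certificate step is incomplete, not that AD FS is down.
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$md  = $response.Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID is the Issuer of every assertion; Cognito records it as the provider identifier.
$entityId = $md.SelectSingleNode('/md:EntityDescriptor/@entityID', $ns).Value
"Entity ID: $entityId"

# The endpoints Cognito redirects or posts AuthnRequests to.
$md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { "SSO {0,-50} {1}" -f $_.Binding, $_.Location }

# Token-signing certificates: Cognito verifies assertion signatures against these. AD FS
# auto-rolls this certificate, so watch the expiry and refresh Cognito before it lapses.
$md.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($_.InnerText.Trim()))
        "Signing cert: {0}  expires {1:yyyy-MM-dd}  thumbprint {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint
    }
```

Run it from a machine outside the instance (for example, the workstation you administer from) so that it also exercises the public DNS record and the security group; from the instance itself, a success proves only that the service is up.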

Configure AD FS as a SAML IdP in Cognito

For instructions on how to configure AD FS as SAML IdP in Cognito, see Step 4: Complete the Amazon Cognito configuration in Simplify web app authentication: A guide to AD FS federation with Amazon Cognito user pools.

Related information

User pool sign-in with third party identity providers

Get started with Amazon EC2

Amazon EC2 key pairs and Amazon EC2 instances

Amazon EC2 security groups for your EC2 instances

Security group rules for different use cases

AWS OFFICIAL. Updated 6 months ago.