By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Steps and Requirements for AD connector between on-prem AD server and cognito without ADFS

0

Hi,

I would like to ask for references/guides on how to setup my AWS cognito to an existing on-prem AD server (Windows based) without ADFS

Topics
Security, Identity, & Compliance
Tags
AWS Directory ServiceAmazon Cognito
Language
English
asked 5 days ago20 views
1 Answer
0

To set up AWS Cognito with an existing on-premises Active Directory (AD) server without using ADFS, you can use AWS Directory Service's AD Connector. Here are the steps and requirements:

  1. Network Configuration:
  • Set up an Amazon Virtual Private Cloud (VPC) with at least two subnets in different Availability Zones.
  • Establish a connection between your VPC and on-premises network using either a hardware VPN or AWS Direct Connect.
  1. On-premises AD Requirements:
  • Ensure your existing AD domain has a functional level of Windows Server 2003 or higher.
  • Create a service account in your on-premises AD with necessary permissions (read users and groups, join computers to the domain, create computer objects).
  1. AD Connector Setup:
  • In the AWS Directory Service console, create an AD Connector.
  • Provide the following information:
  • Directory DNS name
  • NetBIOS name
  • DNS server IP addresses
  • Service account username and password
  • Choose the VPC and subnets for the AD Connector.
  1. Network and Security Configuration:
  • Configure security groups to allow traffic on required ports (typically LDAP on 389 and LDAPS on 636) between AD Connector and your on-premises AD.
  • Ensure proper routing is set up in your VPC to allow traffic between AD Connector and your on-premises network.
  1. Test the Connection:
  • Use the AWS-provided DirectoryServicePortTest tool to verify network connectivity.
  • Launch test EC2 instances in the VPC subnets to confirm DNS queries to on-premises domain controllers.
  1. Cognito Configuration:
  • In the Amazon Cognito console, create a new user pool.
  • Set up SAML identity provider integration, pointing to your AD Connector.
  • Configure attribute mapping between Cognito and your AD attributes.
  1. Application Integration:
  • Update your application to use Cognito for authentication.
  • Implement the necessary SDK or API calls to integrate Cognito with your application.

Remember to follow AWS best practices for security, including using least privilege principles for the service account and regularly rotating credentials. Also, ensure that your network configuration allows for secure communication between AWS and your on-premises environment.
Sources
AWS Directory Service – Other Directory Types – Amazon Web Services
AD Connector Private WebServer | AWS re:Post
Getting started with AD Connector - AWS Directory Service
Set up Active Directory to manage WorkSpaces | AWS re:Post

answered 5 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content