使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

AWS VPN Client - iOS authentication options

0

Hi all,

We are migrating from legacy remote access solution to AWS VPN Client solution, and we have come across some architectural challenges.

I was wondering if someone maybe came across challenges or knows what direction I should look.

At the moment we are using OpenVPN as our remote access solution to access resources in AWS accounts. We have an OpenVPN server hosted in private subnet that end users can access using OpenVPN clients on MacOS, Windows and iOS devices.

To improve our security, we made a decision to migrate our remote access solution to AWS VPN Client. This will allow us to use our existing Azure Active Directory as authentication and authorization backend by using AzureAD as SAML Identity Provider for AWS VPN Client.

Users will be able to install AWS VPN Client on their devices, login to AWS VPN Client endpoint and then login using Azure AD including MFA.

This has been working smoothly for both MacOS and Windows devices. However we also have several developers that work on creating mobile applications and they have a requirement to use iOS device to connect via VPN.

Unfortunately, AWS VPN Client is not available for iOS devices. It is possible to use OpenVPN Client on iOS to login to AWS VPN Client endpoint, however SAML Authentication is not supported for this scenario. We have already enquired about this issue with AWS Support and we had a confirmation that SAML federation is not supported when using iOS.

This means we can’t use SAML and we are left with two other options for authentication for this scenario :

Mutual authentication with certificates. This solution assumes distribution of certificates to the clients. While this may work, this is suboptimal for us as this assumes that joiners and leavers procedures will need to be duplicated as separate set of credentials would be used.

AWS Managed AD or AD Connector. If we can synchronize subset of AWS Managed AD from the our current Azure AD , that would suit us perfect as this would mean we still have one identity store.

The questions I have is related to the second solution, i.e using AWS Managed AD.

Is it possible to have identities sync between Azure AD Managed AD and Azure AD? I could not find any guides or examples for this scenarios. Most examples are describing on prem or EC2 based AD sync using AD Connect or Azure Passthrough authentication, none of these apply to our case.

If this is not possible, what are the possible ways to solve our problem to ensure we don’t have a separate identity store like I described for the case with mutual authentication?

主题
安全、身份和合规性网络和内容交付
标签
安全、身份和合规性AWS 身份和访问权限管理AWS 目录服务AWS Client VPN
语言
English
Sergei
已提问 1 年前822 查看次数
1 回答
0

Hello Team,

From your query I understand you wish to know if there's a way to use Azure AD users and groups with your AWS MAD under a single identity.

You can create a 'Trust' from your Azure AD with your AWS managed AD. You just need to ensure that connectivity in the backend is in place.

AWS Managed Microsoft AD supports all three trust relationship directions: Incoming, Outgoing and Two-way (Bi-directional). You can choose them as per your use case.

However the trust relationship between Azure AD and AWS managed AD needs to be checked after initiating a trust relationship from Azure AD side only as trust relationship always initiated from on-premise side and get completed on AWS side. I did not find any such use case in our repository and also I can't test this setup on my end due to limitation on setting up Azure AD environments like yours.

The following are the prerequisites to setup the domain trust between AWS Managed AD and Ms Azure :

  • Azure Active Directory Domain Services (Azure AD DS) , using self-managed AD DS domain which support AD domain / forest trusts [1]
  • VPN connectivity between AWS VPC and Azure [2]
  • Inbound and outbound rules in security groups allowing traffic between the two networks

I would also like to clarify that Azure AD lies out of scope of AWS Support and I'm providing these details on best effort basis only. For the links which are not provided from AWS are considered third party information only. Hope you understand. We highly value your cooperation and support with us.

Thanks again for reaching out to us! Looking forward to hearing from you.

Have an AWSome day ahead!

References :

[1] https://docs.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions
[2] https://blogs.technet.microsoft.com/canitpro/2016/01/11/step-by-step-connect-your-aws-and-azure-environments-with-a-vpn-tunnel/
[3] Creating a trust relationship : https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html
[4] Tutorial: Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain : https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html
{+} https://aws.amazon.com/blogs/database/integrate-amazon-rds-for-sql-server-db-instances-with-an-existing-active-directory-domain/
{+} Video Tutorial : https://www.youtube.com/watch?v=SIBCi76wspQ&ab_channel=AmazonWebServices

rePost-User-4749360
已回答 1 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容