Amazon’s Single Sign-On (SSO) service allows you to connect your directory / user store to several applications and AWS accounts. The benefits are pretty obvious as you start to pile on lots of accounts and apps, but the AWS documentation on configuration is a little vague, so I thought I’d throw this out there for whoever it might help.
My MFA solution is Duo. I often use Google Authenticator, but one of the requirements for MFA in my situation is to run a RADIUS server. AWS SSO can be configured in many ways, but for the purposes of this article, I’m using an AWS AD Connector to connect to AWS Managed Microsoft AD. I’ll assume that:
- You know your AD.
- You are mildly familiar with Duo.
- You have established network connectivity from your AWS SSO account to your AD user store (whether through VPC peering or Direct Connect, etc.).
- You have created a secret key to be used between RADIUS and SSO.
Let’s get right to it!
View the AD Connector that is associated with your SSO service. Take note of the AD Connector IP addresses. You need to make sure that these IP addresses can reach your RADIUS / Duo server.
Find or create the Security Group that allows UDP 1812 access to your RADIUS / Duo server. Add an Inbound Rule that allows UDP 1812 from your AD Connector. Create another rule for the second AD Connector. Make sure this Security Group is applied to the EC2 instance running your RADIUS / Duo server. Take note of the private IP address of that server because you’ll need it soon.
Now that your AD Connectors are allowed to speak to the RADIUS / Duo server, let’s take a look at the Duo config.
Because AWS SSO is only looking for “it worked” or “it didn’t work” response from RADIUS, we don’t have to worry about Duo carrying any of the authentication payload that a Duo authentication proxy might normally carry. This mode is called “Duo only” or it should be. Further information can be found on Duo’s site and they do a fantastic job with their documentation. Our authproxy.cfg will look something like this:
[radius_server_duo_only] ikey=WhateverYourIntegrationKeyIs skey=WhateverYourSecretKeyIs api_host=api-yourcodehere.duosecurity.com radius_ip_1=AD Connector #1 IP address radius_ip_2=AD Connector #2 IP address radius_secret_1=YourSecretKey radius_secret_2=YourSecretKey port=1812 client=duo_only_client
BACK TO AWS CONFIG
Now, we’re ready to enable MFA. Find the Multi-factor authentication section of your directory and enable it. The settings you’ll need to provide are:
- IP address of the RADIUS / Duo server
- Port 1812
- The secret key you have created for your connection
- Select the PAP protocol
Save your changes when you’re ready and you should be able to view the registration activity in the authproxy.log file on your RADIUS / Duo server.