Connect AWS SSO to Duo MFA

Amazon’s Single Sign-On (SSO) service allows you to connect your directory or user store to several applications and AWS accounts. The benefits are pretty obvious as you start to pile on lots of accounts and apps, but the AWS documentation on configuration is a little vague, so I thought I’d throw this out there for whoever it might help.

My MFA solution is Duo. I often use Google Authenticator, but one of the requirements for MFA in my situation is to run a RADIUS server. AWS SSO can be configured in many ways, but for the purposes of this article, I’m using an AWS AD Connector to connect to AWS Managed Microsoft AD. I’ll assume that:

  1. You know your AD.
  2. You are mildly familiar with Duo.
  3. You have established network connectivity from your AWS SSO account to your AD user store (via VPC peering, Direct Connect, etc.).
  4. You have created a shared secret to be used between the RADIUS server and SSO.

