Scenario 12 | Tags: SAML 2.0, Entra ID, AWS IAM, Zero Trust

Entra ID + AWS SAML Federation

AWS console access via long-lived IAM user keys violated the Zero Trust mandate and triggered a SOC 2 finding. Federated all console access through Entra ID via SAML 2.0 — zero static credentials, zero IAM users. Three break/fix scenarios diagnosed with SAML Tracer and documented into a reusable SSO troubleshooting runbook.

Tags: SAML 2.0, Entra ID, AWS IAM, SAML Tracer, STS AssumeRoleWithSAML, SOC 2 CC6.1/CC6.3

Business Problem

IDSentinel Solutions engineers required access to the AWS Management Console to perform read-only infrastructure audits as part of the organization's cloud expansion. Access was being granted via individual IAM user accounts with long-lived access keys — a direct violation of the Zero Trust initiative and a finding flagged on the most recent SOC 2 audit.

The Security team mandated that all AWS console access be federated through Entra ID. No IAM users, no static credentials — role-based access issued as time-limited STS sessions driven by Entra identity and SAML assertion. The IAM team was additionally tasked with producing a reusable SSO troubleshooting runbook from three intentional break/fix scenarios.

Risk

  • Long-lived IAM access keys create permanent blast radius if compromised
  • No centralized identity control — AWS access exists outside the Entra ID lifecycle
  • Offboarded employees retain AWS access until keys are manually revoked
  • No audit trail linking AWS console sessions to Entra ID identities
  • Non-compliant with Zero Trust and least-privilege mandate
  • SOC 2 CC6.1 and CC6.3 exposure

Scope

Field                 | Detail
Affected identities   | Engineers requiring AWS Management Console access
IdP                   | Microsoft Entra ID (IDSentinelSolutions.com)
Service Provider      | AWS (SAML 2.0 federation via IAM Identity Provider)
Access model          | Federated role assumption — no IAM users, no static credentials
Controls implemented  | SAML trust policy with audience condition, least-privilege role, SAML Tracer assertion validation, break/fix lab with three documented failure modes

Solution Design — 2 Workstreams

WS 1

Entra ID + AWS SAML Federation

Entra ID configured as SAML 2.0 IdP. Enterprise app registered with SAML SSO, Role and RoleSessionName claim mapping, and federation metadata XML exported for AWS. IAM Identity Provider and federated role created in AWS with scoped trust policy. Federation validated end-to-end with SAML Tracer assertion capture.

WS 2

Break/Fix Lab + SSO Troubleshooting Runbook

Three real SAML failure modes intentionally reproduced — wrong ACS URL, missing Role attribute, stale IdP metadata. Each diagnosed with SAML Tracer, resolved, and documented with root cause, fix steps, and resolution time target. Compiled into a reusable production runbook.

// diagrams/saml-federation-architecture.png — Entra ID to AWS SAML federation flow

Implementation

Workstream 1 — Entra ID + AWS SAML Federation

  • 01

    Entra Enterprise App Registration

    AWS Single Account Access enterprise app created from the Entra gallery. SAML SSO configured — entity ID (urn:amazon:webservices) and ACS URL (https://signin.aws.amazon.com/saml) populated. Federation Metadata XML downloaded for upload to AWS IAM.

    // 01-entra-app-registration/entra-enterprise-app-created — AWS enterprise app created from Entra gallery
    // 01-entra-app-registration/saml-sso-method-selected — SAML selected as SSO method
    // 01-entra-app-registration/basic-saml-config — Basic SAML config: entity ID and ACS URL populated
    // 01-entra-app-registration/signing-certificate-downloaded — Federation Metadata XML downloaded
  • 02

    SAML Attribute Mapping

    Claim                                                  | Value                  | Purpose
    https://aws.amazon.com/SAML/Attributes/Role            | RoleARN,IdPARN         | Maps assertion to IAM role in AWS STS
    https://aws.amazon.com/SAML/Attributes/RoleSessionName | user.userprincipalname | Engineer's Entra UPN appears in CloudTrail session name

    // 02-saml-config/attribute-mapping-role — Role claim configured in RoleARN,IdPARN format
    // 02-saml-config/attribute-mapping-uid — RoleSessionName mapped to user.userprincipalname
    // 02-saml-config/saml-tracer-assertion-clean — SAML Tracer: clean assertion with NameID, Role, RoleSessionName confirmed
  • 03

    AWS IAM Identity Provider Setup

    IAM Identity Provider IDSentinel-EntraIdP registered in AWS using the Entra federation metadata XML. Provider ARN noted for use in the role trust policy and Entra attribute mapping.

    // 03-aws-idp-setup/aws-idp-created — AWS IAM Identity Provider IDSentinel-EntraIdP created
    // 03-aws-idp-setup/aws-idp-metadata-uploaded — Entra federation metadata XML uploaded to AWS
  • 04

    Federated IAM Role and Trust Policy

    Role IDSentinel-EntraFed-ReadOnly created with trust policy scoped to IDSentinel-EntraIdP and a SAML:aud condition enforcing the correct ACS endpoint. ReadOnlyAccess managed policy attached — no write permissions at any scope.

    // 04-aws-role-config/role-summary-page — IDSentinel-EntraFed-ReadOnly role summary
    // 04-aws-role-config/trust-policy-saml-condition — Trust policy with SAML:aud condition
    // 04-aws-role-config/permission-policy-attached — ReadOnlyAccess managed policy attached
  • 05

    Federation Validated — SAML Tracer Assertion Confirmed

    Test user assigned to the enterprise app. Login initiated via MyApps portal — AWS Management Console loaded via federated SAML session with no password prompt, no IAM user credentials. Assumed role confirmed. Write access denied.

    // 05-federation-test/myapps-tile-visible — AWS app tile visible in MyApps portal
    // 05-federation-test/aws-console-login-via-saml — AWS Console loaded via federated SAML, no IAM credentials
    // 05-federation-test/assumed-role-shown — Assumed role IDSentinel-EntraFed-ReadOnly confirmed in console
    // 05-federation-test/write-denied-confirmation — Write access confirmed denied, ReadOnly enforced
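The trust policy from step 04 and the Role claim format from step 02 are the two pieces STS checks together at AssumeRoleWithSAML time. The following added example (not code from the original project) builds that trust policy as JSON and evaluates, offline, whether a given Role attribute value and assertion audience would satisfy it. The account ID is a placeholder and the evaluation logic is a simplified model of the STS checks, not the AWS implementation.

```python
"""Added example: build the SAML trust policy and model the STS checks it drives."""
import json

ACCOUNT_ID = "123456789012"           # placeholder account ID (assumption)
IDP_NAME = "IDSentinel-EntraIdP"      # provider name from the page
ROLE_NAME = "IDSentinel-EntraFed-ReadOnly"
IDP_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{IDP_NAME}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
ACS_URL = "https://signin.aws.amazon.com/saml"   # audience AWS expects


def build_trust_policy(idp_arn=IDP_ARN, acs_url=ACS_URL):
    """Trust policy scoped to one IdP with a SAML:aud condition (step 04)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": idp_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": acs_url}},
        }],
    }


def trust_policy_json(**kwargs):
    """JSON text ready to paste into the role's trust relationship."""
    return json.dumps(build_trust_policy(**kwargs), indent=2)


def parse_role_attribute(value):
    """Split the 'RoleARN,IdPARN' Role claim value into (role_arn, idp_arn)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
        raise ValueError(f"malformed Role attribute: {value!r}")
    role_arn, idp_arn = parts
    # AWS accepts either order; normalise so the role ARN comes first.
    if ":saml-provider/" in role_arn and ":role/" in idp_arn:
        role_arn, idp_arn = idp_arn, role_arn
    return role_arn, idp_arn


def evaluate_assume_role(trust_policy, policy_role_arn, role_attr, audience):
    """Simplified model of the STS checks: returns (allowed, reason).

    policy_role_arn is the role the trust policy belongs to; role_attr is the
    assertion's Role attribute value; audience is the assertion's Audience.
    """
    try:
        role_arn, idp_arn = parse_role_attribute(role_attr)
    except ValueError as exc:
        return False, str(exc)
    if role_arn != policy_role_arn:
        return False, f"Role attribute names {role_arn}, not the role this policy belongs to"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithSAML":
            continue
        if stmt["Principal"].get("Federated") != idp_arn:
            return False, "provider ARN in Role attribute does not match trust policy Principal"
        expected_aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if expected_aud and expected_aud != audience:
            return False, f"SAML:aud condition failed: {audience!r} != {expected_aud!r}"
        return True, f"allowed: {role_arn} via {idp_arn}"
    return False, "no matching Allow statement for sts:AssumeRoleWithSAML"


if __name__ == "__main__":
    print(trust_policy_json())
    print(evaluate_assume_role(build_trust_policy(), ROLE_ARN, f"{ROLE_ARN},{IDP_ARN}", ACS_URL))
```

The SAML:aud condition is what stops an assertion minted for a different service provider from being replayed against this role; the Principal check is what ties the role to the one registered IdP rather than to any SAML provider in the account.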

Workstream 2 — Break/Fix Lab

  • 06

    Break 1 — Wrong ACS URL (Destination Mismatch)

    • Break: Reply URL changed to https://signin.aws.amazon.com/saml-broken
    • Symptom: Login fails at the Entra layer — assertion not reaching AWS
    • SAML Tracer: Destination field in assertion contains wrong URL
    • Fix: Reply URL restored to https://signin.aws.amazon.com/saml
    // 06-break-fix-lab/break1-wrong-acs-url-error — Break 1: login fails at Entra layer
    // 06-break-fix-lab/break1-saml-tracer-capture — Break 1: SAML Tracer confirms Destination mismatch
    // 06-break-fix-lab/break1-fix-applied — Break 1: Reply URL restored, login confirmed working
  • 07

    Break 2 — Missing Role Attribute (No Valid Role)

    • Break: Role claim deleted from Attributes & Claims
    • Symptom: Login fails at AWS after Entra auth succeeds — STS has no role to map session to
    • SAML Tracer: https://aws.amazon.com/SAML/Attributes/Role absent from decoded assertion
    • Fix: Role claim re-added with correct RoleARN,IdPARN format
    // 06-break-fix-lab/break2-attribute-error-aws — Break 2: AWS error, no valid role in assertion
    // 06-break-fix-lab/break2-saml-tracer-missing-attr — Break 2: SAML Tracer confirms Role attribute absent
    // 06-break-fix-lab/break2-fix-attribute-mapping — Break 2: Role claim re-added, login confirmed working
  • 08

    Break 3 — Stale IdP Metadata (Signature Validation Failure)

    • Break: Federation metadata XML uploaded to AWS modified to corrupt the X509Certificate — simulating a certificate rotation where SP metadata was not updated
    • Symptom: Entra auth succeeds but AWS rejects assertion — certificate used to sign no longer matches the AWS IdP registration
    • Fix: Original Entra federation metadata XML re-uploaded to IDSentinel-EntraIdP
    // 06-break-fix-lab/break3-cert-expired-error — Break 3: AWS rejects assertion due to certificate mismatch
    // 06-break-fix-lab/break3-aws-metadata-updated — Break 3: correct Entra metadata re-uploaded to AWS IdP
    // 06-break-fix-lab/break3-new-cert-generated — Break 3: signature validation passes, login confirmed working

Outcome

  • IAM user accounts for console access eliminated — zero static credentials in use
  • All AWS console access federated through Entra ID via SAML 2.0
  • Offboarding handled automatically — disabling Entra account removes AWS access, no manual key revocation
  • SAML assertion validated — NameID, Role attribute, RoleSessionName all confirmed via SAML Tracer
  • Three SAML failure modes reproduced, diagnosed with SAML Tracer, and resolved
  • SSO troubleshooting runbook produced — mean diagnosis time per break under 5 minutes with SAML Tracer

Implementation Results

Metric                            | Value
IAM users created                 | 0 — federated access only
Static credentials issued         | 0
IAM Identity Providers created    | 1 (IDSentinel-EntraIdP)
Federated IAM roles created       | 1 (IDSentinel-EntraFed-ReadOnly)
SAML attribute claims configured  | 2 (Role, RoleSessionName)
SAML breaks reproduced            | 3 of 3
Mean diagnosis time per break     | Under 5 minutes with SAML Tracer
SOC 2 evidence items produced     | 5

Files