Integration of EntraID Identity into AWS SSO #6227

Closed
5 tasks
julialawrence opened this issue Feb 15, 2024 · 9 comments
Assignees
Labels
enhancement New feature or request member request Feature requested by a member to enhance the platform experience proof of concept single sign on

Comments

@julialawrence
Contributor

User Story

As a modernisation platform customer, I would like to be able to use my justice identity to authenticate with AWS. This would allow users who aren't on GitHub to get access, as well as align us with the general movement towards a single unified identity across MOJ.

Value / Purpose

Each additional source of identity introduces both an operational and a security overhead. Additionally, having a single source of identity simplifies user onboarding and the JML process as a whole.

Useful Contacts

@julialawrence

Additional Information

This is likely to be a POC in advance of requesting additional AAD permissions from Tech Services to support full deployment.
Initially, an AzureAD app with delegated User.Read permissions will suffice, but a full solution will need more permissions.

Proposal / Unknowns

Hypothesis

If we... start by integrating AAD as an identity provider for Auth0
Then... when we switch over, we will be able to reuse these identities in AWS Identity Center

Proposal

The following POC:

  1. Create an enterprise AAD connector in the Auth0 tenant that is supporting AWS SSO using these instructions
  2. As additional AAD permissions will be required to sync users from AAD to Identity Center, manually create between 4 and 6 users and a group within Identity Center to correspond to the users who are able to auth
  3. Potentially, prefix the created group with aad_ to avoid name clashes (this will require modifying the MP SSO code, and structure of environment json files)
  4. Experiment with the authentication experience customisation options in Auth0 to minimise confusion
  5. Update one of AP environment files to assign a permission set to an AAD group
  6. Test authentication
  7. Stretch: Look at integrating one of our AP apps into SSO (not required, just nice to have)
  8. Capture findings
  9. Use findings to drive further identity conversations

Definition of Done

Example

  • Enterprise connection created
  • Users manually provisioned
  • AP environments file updated with new group
  • Authentication tested
  • Findings captured
@SimonPPledger
Contributor

Agreed to bring into this sprint after conversation with Julia

@markgov markgov self-assigned this Feb 27, 2024
@markgov
Contributor

markgov commented Feb 27, 2024

Contacted John Dryden and Matthew White to discuss the official way of getting an Azure app set up for SSO access to add to Auth0

@markgov
Contributor

markgov commented Feb 27, 2024

John Dryden
10:14
demand record which will then get passed to the EUCS IDAM team

@markgov
Contributor

markgov commented Feb 27, 2024

Spoken to Julia and she has already done the first part, which is getting an app in Azure set up

@markgov
Contributor

markgov commented Feb 29, 2024

PR created on sso repo for auth0
ministryofjustice/moj-terraform-aws-sso#51

@markgov markgov added enhancement New feature or request proof of concept single sign on member request Feature requested by a member to enhance the platform experience and removed needs refining labels Feb 29, 2024
@markgov
Contributor

markgov commented Feb 29, 2024

  1. Julia to write temp Lambda SCIM for a few users
  2. Test temp Lambda SCIM works
  3. Import / provision Auth0 connection via code
  4. Merge and deploy 2 and 3 and test
  5. Request new Azure app with machine to machine permissions
  6. When received rewrite Lambda and switch secrets to new app

@markgov
Contributor

markgov commented Mar 6, 2024

@markgov
Contributor

markgov commented Mar 6, 2024
