AWS Application Load Balancer with Azure AD OIDC authentication

Glen Tomkowiak
Published in Towards AWS
May 31, 2021

AWS Application Load Balancers can authenticate users with OIDC. This is useful if your organization uses both Azure AD and AWS.

This guide assumes you already have an ALB and an Azure AD tenant set up.

Step 1: Create an Azure AD app registration

Log in to the Azure Active Directory admin center and navigate to “App registrations”.

[Screenshot: New registration]

Name your new OAuth application, choose which users can log in, and enter the URL for the app.

[Screenshot: App registration]

Step 2: Get your app’s ID and tenant ID; you will need both later

[Screenshot: App and tenant IDs]

Step 3: Add the redirect URLs required for ALB OIDC authentication

You will need to enter the base URL and the base URL with /oauth2/idpresponse appended. Both are required for OIDC to work.

[Screenshot: Redirect URLs]

Step 4: Generate your client secret

Create a new secret and record its value. It is shown in plain text only for a limited time; you can always create a new one if required.

[Screenshot: Client secret]

Step 5: Get your tenant’s OpenID configuration

You can get all the required URLs by looking up your tenant’s OpenID configuration document. Replace XXXX-XXXX-XXXX with the Azure AD tenant ID from step 2.

Example: https://login.microsoftonline.com/XXXX-XXXX-XXXX/v2.0/.well-known/openid-configuration

You will need the following values from this document:

issuer

authorization_endpoint

token_endpoint

userinfo_endpoint

Step 6: Configure your ALB rule

Log in to the AWS web console.

Navigate to Load Balancers within the EC2 service.

Select the ALB you want to configure and choose View/edit rules on the Listeners tab. Insert a new rule using the values from the previous steps, as shown below.

[Screenshot: ALB OIDC rule]

Your ALB will now send users to Azure AD to authenticate before they can reach the target behind the rule. Be sure to read Microsoft’s and AWS’s documentation on how this works to ensure you meet your specific security requirements.
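As an added example (not code from the original post), the following Python takes the tenant's OpenID configuration document from step 5, checks that the issuer belongs to the expected tenant and that every endpoint is HTTPS, and assembles the authenticate-oidc and forward actions for the listener rule in the shape boto3's elbv2 create_rule accepts. The tenant ID, client ID, secret, target group ARN and the embedded discovery document are constructed placeholders; in practice fetch the real document for your tenant.

```python
import json

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample of the tenant's /v2.0/.well-known/openid-configuration
# document, trimmed to the fields the ALB needs; fetch the real one for your tenant.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
})

def redirect_uri(app_base_url: str) -> str:
    """The callback the ALB answers on; register exactly this URL in the app registration."""
    return app_base_url.rstrip("/") + "/oauth2/idpresponse"

def parse_discovery(doc: str, tenant_id: str) -> dict:
    """Pull the four endpoints, refusing a document that is not this tenant's or not HTTPS."""
    cfg = json.loads(doc)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    expected = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if cfg["issuer"] != expected:
        raise ValueError(f"issuer {cfg['issuer']} is not {expected}")
    for key in REQUIRED:
        if not cfg[key].startswith("https://"):
            raise ValueError(f"{key} must be an https URL: {cfg[key]}")
    return {k: cfg[k] for k in REQUIRED}

def build_actions(ep: dict, client_id: str, client_secret: str, target_group_arn: str) -> list:
    """Listener-rule actions as boto3 elbv2 create_rule takes them: authenticate, then forward."""
    oidc = {
        "Issuer": ep["issuer"],
        "AuthorizationEndpoint": ep["authorization_endpoint"],
        "TokenEndpoint": ep["token_endpoint"],
        "UserInfoEndpoint": ep["userinfo_endpoint"],
        "ClientId": client_id,
        "ClientSecret": client_secret,  # load from a secrets store, never commit it
        "Scope": "openid",
        "OnUnauthenticatedRequest": "authenticate",  # send anonymous users to Azure AD
        "SessionTimeout": 3600,
    }
    return [{"Type": "authenticate-oidc", "Order": 1, "AuthenticateOidcConfig": oidc},
            {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn}]
```

Pass the returned list as the Actions parameter of create_rule (together with a Conditions list and the listener ARN) to create the rule shown in step 6 without the console.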
