Single Sign on with AWS

Use Case: Centralizing AWS Identity and Access Management with Microsoft Entra ID (SSO)

January 24, 2025 · 4 min read

Introduction

Single Sign-On (SSO) is more than just a convenience feature—it’s a critical part of modern identity security. By centralizing authentication, SSO enforces strong identity practices, supports Zero Trust principles, and enhances visibility and control across cloud services. For IT and security professionals, implementing SSO with Microsoft tools is also one of the most practical and impactful ways to demonstrate real-world identity security skills.

Objective

Enable Single Sign-On (SSO) for third-party SaaS applications, allowing users to access all essential business apps using their existing Microsoft 365 (Entra ID) credentials. This reduces password sprawl, streamlines user experience, and strengthens access governance.

If you're new to SSO, I’ve written a LinkedIn article that covers the fundamentals of Single Sign-On (SSO)—why it matters, how it works, and where to start—you can check it out here. It’s a great primer before diving into this use case.

Skills Applied

  • Understanding SAML/OAuth/OpenID protocols

  • Configuring Enterprise Applications in Microsoft Entra

  • Managing user access and roles

  • Securing authentication with Conditional Access

Business Scenario

The security team wants to reduce the risks of managing local IAM users in AWS, eliminate long-lived access keys, and centralize identity and access management for cloud infrastructure. Their goal is to use Microsoft Entra ID (formerly Azure AD) as the Identity Provider (IdP) for AWS Single Sign-On (SSO), allowing users to log in with their corporate credentials and access AWS resources based on group membership.

Single Sign On for AWS

Company Overview: Oringo Ltd.

Oringo Ltd. is a rapidly expanding software firm offering SaaS-based solutions to enterprise clients. The company is transitioning to a cloud-first model using AWS and centralizing its identity management with Microsoft Entra ID (formerly Azure AD). As part of its security and compliance mandate, Oringo Ltd. is aligning its access management architecture with international standards such as DORA (Digital Operational Resilience Act), ISO 27001, and NIST SP 800-53. The organization seeks to adopt a Zero Trust framework, enhance access governance, and ensure strong compliance posture.

Project Brief

You have been appointed as an Identity and Access Management (IAM) consultant to implement a comprehensive SSO integration and Zero Trust model for Oringo Ltd. Your responsibilities include integrating AWS with Microsoft Entra ID using SAML authentication, configuring user provisioning, enforcing Zero Trust principles, and ensuring compliance with DORA, ISO 27001, and NIST frameworks.

Your Tasks

  1. Integrate AWS with Microsoft Entra ID using SAML-based Single Sign-On (SSO), with Entra ID as the Identity Provider (IdP) and AWS as the Service Provider (SP).

  2. Configure automatic user provisioning from Microsoft Entra ID to AWS based on departmental Entra groups.

  3. Implement Role-Based Access Control (RBAC) by defining roles such as AdminAccess, DevReadOnly, and FinanceViewer and mapping them to Entra groups.

  4. Enforce Zero Trust security controls including Multi-Factor Authentication (MFA) and Conditional Access (CA) policies such as device compliance, geographic restrictions, and risk-based sign-in controls.
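The four tasks above meet in the SAML assertion Entra ID sends to AWS: the audience and validity window that AWS checks, the Role attribute that carries the group-to-role mapping, and the session attributes that govern the federated session. The following is an added example (not code from the original post, AWS or Microsoft) that decodes such an assertion, as captured from the browser during the functional demonstration, and checks it against the RBAC design. It assumes a constructed account id 123456789012, a SAML provider named EntraID, Entra group names AWS-AdminAccess, AWS-DevReadOnly and AWS-FinanceViewer, and a one-hour session cap; the sample response is constructed and unsigned, and XML signature verification is left to AWS, which checks it against the IdP certificate registered on the SAML provider.

```python
from __future__ import annotations
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # fine for this trusted sample; use defusedxml on untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS consumes from a SAML assertion (IAM SAML federation).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"
AWS_AUDIENCE = "urn:amazon:webservices"

ACCOUNT = "123456789012"                                     # constructed account id
PROVIDER = f"arn:aws:iam::{ACCOUNT}:saml-provider/EntraID"   # hypothetical provider name
MAX_SESSION_SECONDS = 3600                                   # design decision: 1 h sessions
# IAM design table: Entra group -> the one AWS role it may assume.
# Role names are from the brief; group names and ARNs are constructed.
GROUP_TO_ROLE = {
    "AWS-AdminAccess": f"arn:aws:iam::{ACCOUNT}:role/AdminAccess",
    "AWS-DevReadOnly": f"arn:aws:iam::{ACCOUNT}:role/DevReadOnly",
    "AWS-FinanceViewer": f"arn:aws:iam::{ACCOUNT}:role/FinanceViewer",
}

# Constructed, unsigned SAML Response in the shape Entra ID sends to AWS (tenant id is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-24T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@oringo.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-01-24T09:55:00Z" NotOnOrAfter="2025-01-24T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"><saml:AttributeValue>arn:aws:iam::123456789012:role/DevReadOnly,arn:aws:iam::123456789012:saml-provider/EntraID</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"><saml:AttributeValue>alice@oringo.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration"><saml:AttributeValue>3600</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_POST = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # as the browser would POST it
NOW = datetime(2025, 1, 24, 10, 0, tzinfo=timezone.utc)              # constructed check times
LATER = datetime(2025, 1, 24, 12, 0, tzinfo=timezone.utc)


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC, e.g. 2025-01-24T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _attr_values(assertion: ET.Element, name: str) -> list[str]:
    """All AttributeValue texts for the attribute called `name`."""
    return [(v.text or "").strip()
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
            if attr.get("Name") == name
            for v in attr.findall("saml:AttributeValue", NS)]


def evaluate(response_xml: str, now: datetime, user_groups: set[str]) -> dict:
    """Check one SAML Response against the design; returns {"ok", "subject", "roles", "problems"}.
    XML signature verification is deliberately left to AWS (IdP certificate on the SAML provider)."""
    problems = []
    assertions = ET.fromstring(response_xml).findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return {"ok": False, "subject": "", "roles": [], "problems": ["expected exactly one Assertion"]}
    a = assertions[0]
    subject = (a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not subject:
        problems.append("missing NameID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        audiences = [(x.text or "").strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if AWS_AUDIENCE not in audiences:
            problems.append(f"audience {audiences} is not {AWS_AUDIENCE}")
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    # Every role in the assertion must be justified by one of the user's Entra groups.
    allowed = {GROUP_TO_ROLE[g] for g in user_groups if g in GROUP_TO_ROLE}
    roles = []
    for value in _attr_values(a, ROLE_ATTR):
        role_arn, _, provider_arn = value.partition(",")  # AWS format: role ARN,provider ARN
        if provider_arn != PROVIDER:
            problems.append(f"unexpected provider ARN {provider_arn!r}")
        if role_arn not in allowed:
            problems.append(f"role {role_arn} is not backed by any of the user's groups")
        roles.append(role_arn)
    if not roles:
        problems.append("no Role attribute: AWS would reject the login")
    if _attr_values(a, SESSION_NAME_ATTR) != [subject]:
        problems.append("RoleSessionName should equal NameID so CloudTrail shows the UPN")
    for d in _attr_values(a, DURATION_ATTR):
        if not d.isdigit() or int(d) > MAX_SESSION_SECONDS:
            problems.append(f"SessionDuration {d} exceeds the {MAX_SESSION_SECONDS}s design cap")
    return {"ok": not problems, "subject": subject, "roles": roles, "problems": problems}


def evaluate_post(saml_response_b64: str, now: datetime, user_groups: set[str]) -> dict:
    """Same check for the base64 SAMLResponse form field captured from the browser."""
    return evaluate(base64.b64decode(saml_response_b64).decode(), now, user_groups)
```

Calling evaluate(SAMPLE_RESPONSE, NOW, {"AWS-DevReadOnly"}) passes, while the same assertion checked for a user who is only in AWS-FinanceViewer reports the DevReadOnly role as unjustified; that second case is exactly the drift between the Entra group claim configuration and the IAM design document that the deliverables are meant to catch. Pointing evaluate_post at a SAMLResponse copied from a browser SAML tracer gives the same report for a real login during the functional demonstration.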

Deliverables

  1. Architecture Blueprint: A visual representation of the communication workflow between Microsoft Entra ID and AWS.

  2. Functional Demonstration: Video evidence of a working SSO login flow and automatic user provisioning.

  3. IAM Design Decision Document: Records the design decisions behind mapping Entra groups to AWS IAM roles and their permissions, the naming conventions used, and the Conditional Access policies applied.

  4. RunBook: The implementation procedure, including MFA and Conditional Access policy configuration, with screenshots and descriptions.

  5. Compliance Mapping Table: Show how your implementation aligns with DORA, ISO 27001, and NIST SP 800-53 using a compliance mapping table (omit any standard it does not align with).

  6. Final Project Presentation: A presentation to the key stakeholders' project committee, assessed on the following criteria.

1. Introduction & Scenario Understanding (10%)

  • Clear explanation of the business scenario (Oringo Ltd.)

  • Understanding of why SSO was implemented

Score focus: Clarity, context awareness, alignment with real-world needs

2. Architecture Design & Blueprint (20%)

  • Well-explained architecture diagram:

o   Entra ID as Identity Provider | AWS as Service Provider | Flow of SAML assertions

  • Zero Trust elements visualized (e.g., CA, MFA, IP filters)

Score focus: Accuracy, completeness, clarity of diagrams and flows

3. SSO Configuration & Role Mapping (25%)

  • Step-by-step explanation of SAML integration

  • Details on how Entra groups were mapped to AWS IAM roles

  • Explanation of IAM permissions

Score focus: Technical accuracy, logical role design, understanding of SAML config

4. Security Controls Implementation (15%)

Description and demonstration of:

  • MFA enforcement

  • Conditional Access policies (e.g., IP/location, device compliance)

Score focus: Security depth, Zero Trust application, practical use of Entra features

5. Auto-Provisioning Strategy (15%)

  • Explanation of how users are automatically provisioned (or simulated)

  • Attribute mapping and group-based access logic

Score focus: Clarity of provisioning logic, understanding of SCIM or equivalent

6. Compliance & Governance Mapping (5%)

  • Link project design to any of the below regulatory and compliance standards:

o   DORA – operational resilience

o   ISO 27001 – access controls, secure authentication

o   NIST SP 800-53 – role management, audit, identity policies

Score focus: Understanding, clarity of compliance alignment

7. Presentation Quality & Reflection (10%)

  • Slide quality, visual flow, and time management

  • Team/individual reflection on:

o   Involvement and Participation

o   Challenges faced & Lessons learned

o   Improvements for real-world implementation

Score focus: Engagement, professionalism, insight


Supporting Document

[https://docs.aws.amazon.com/singlesignon/latest/userguide/idp-microsoft-entra.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/idp-microsoft-entra.html)

[https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-single-sign-on-tutorial](https://learn.microsoft.com/en-us/entra/identity/saas-apps/aws-single-sign-on-tutorial)

[https://learn.microsoft.com/en-us/entra/identity/saas-apps/amazon-web-service-tutorial](https://learn.microsoft.com/en-us/entra/identity/saas-apps/amazon-web-service-tutorial)

[https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/aws/aws-azure-ad-security](https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/aws/aws-azure-ad-security)

Example of how to document your configuration for use on GitHub or any other portfolio platform.

[https://community.aws/content/2ncrDC7SdKd5qnGOb37yC4qoY0M/setting-up-microsoft-entra-id-saml-2-0-federation-with-amazon-workspaces-pools?lang=en](https://community.aws/content/2ncrDC7SdKd5qnGOb37yC4qoY0M/setting-up-microsoft-entra-id-saml-2-0-federation-with-amazon-workspaces-pools?lang=en)

Set Up a Free AWS Account

[https://k21academy.com/amazon-web-services/aws-solutions-architect/create-aws-free-tier-account/](https://k21academy.com/amazon-web-services/aws-solutions-architect/create-aws-free-tier-account/)

[https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc&awsf.Free%20Tier%20Types=*all&awsf.Free%20Tier%20Categories=*all](https://aws.amazon.com/free/?all-free-tier.sort-by=item.additionalFields.SortRank&all-free-tier.sort-order=asc&awsf.Free%20Tier%20Types=*all&awsf.Free%20Tier%20Categories=*all)
