Cloud Identity & Access Management

Azure AD → AWS SSO
Database Access Guide

End-to-end authentication walkthrough — from federated identity setup through token generation to secure database login.

Covers: Microsoft Entra ID · AWS IAM Identity Center · SAML 2.0 / OAuth · Token-based DB Auth · DBeaver / JDBC
Overview of the four parts
  1. Azure AD Setup: Entra ID → Enterprise App
  2. SSO Provisioning: OAuth tokens + user sync
  3. Token Generation: 15-min access token
  4. DB Login: DBeaver / JDBC connect
01 Azure AD → AWS SSO Integration
Connecting Microsoft Entra ID (Azure AD) to AWS IAM Identity Center via SAML federation
  • a. Navigate to Azure Portal — Enterprise Applications

    Sign in to the Azure Portal and open Azure Active Directory. From the left-hand navigation panel, select Enterprise Applications.

  • b. Create a Non-Gallery Application

    Click + New application, choose Non-gallery application, name it (e.g. "AWS SSO"), then click Add.

  • c. Configure SAML Single Sign-On

    Open the new application and select Single sign-on → SAML. Configure the Identifier (Entity ID) and Reply URL using the values provided by AWS IAM Identity Center.

  • d. Download & Upload Federation Metadata

    Download the Federation Metadata XML from the SAML Signing Certificate section in Azure. In the AWS IAM Identity Center console, navigate to Settings → Identity source → Change, select External IdP, and upload the XML metadata file.

  • e. Accept & Complete Identity Source Setup

    Review the configuration in AWS, type ACCEPT in the confirmation field, and click Change identity source to complete the AWS SSO side of the federation.

Key Outcome: Azure AD acts as the external SAML 2.0 Identity Provider (IdP) for AWS. Users authenticate against Azure AD, and the signed SAML assertion it issues is what grants them federated, temporary access to AWS resources — no separate AWS passwords needed.
02 Provisioning & OAuth Configuration
Automatic user/group sync from Azure AD to AWS SSO using SCIM and OAuth bearer tokens
OAuth Bearer Token: Retrieved from AWS IAM Identity Center Settings. Used by Azure AD to authenticate SCIM provisioning requests. Hidden by default — copy on first view.

Automatic Provisioning: Once configured, users and groups are automatically synced to AWS SSO. No manual account creation required — mappings are handled by attribute rules.

Attribute Mapping: The mailNickname attribute is mapped as the source identifier. Username and email attributes are aligned between Azure AD and AWS SSO schemas.

User Assignment: Assign users and/or groups to the AWS SSO Enterprise Application in Azure. Assigned users will see the AWS SSO app in their My Apps portal.
  • 1. Enable Provisioning in Azure AD

    In the Enterprise Application, go to Provisioning → Get started. Set Provisioning Mode to Automatic.

  • 2. Enter SCIM Credentials from AWS

    In AWS IAM Identity Center, go to Settings → Automatic provisioning → Enable. Copy the SCIM endpoint URL and Access token (OAuth bearer token). Paste both into the Azure AD Provisioning credentials fields.

  • 3. Configure Attribute Mapping

    Under Mappings, edit the mailNickname attribute. Set the source attribute to match your organization's username convention. Click Save.

  • 4. Turn Provisioning On

    Set Provisioning Status to On, then click Save. Azure AD will begin syncing assigned users and groups to AWS SSO on the next provisioning cycle.

Note: The SCIM OAuth token should be stored securely — treat it like a password. If it needs to be rotated, generate a new token in AWS IAM Identity Center and update the Azure AD provisioning settings accordingly.
03 Token Generation
Generating a short-lived database authentication token (aws rds generate-db-auth-token) with the AWS credentials obtained through your SSO login
Prerequisites: AWS SSO login profile (username) must already be configured. You'll need SSO organization/OU, your SSO username, and your AWS account ID.

Information Required to Generate a Token

  Item              Value                 Where to find it
  SSO Org / OU      Your SSO tenant       Which OU you belong to — check with Admin if unsure
  SSO Username      Your login identity   The account you used to sign in to AWS via SSO
  AWS Account       Account ID            Retrieve from the AWS Console after logging in via SSO link
  Permission Level  RW or RO              Read-Write (RW) or Read-Only (RO) — based on your role
Read-Write (RW)
  • Full SELECT, INSERT, UPDATE, DELETE
  • Schema modification privileges
  • For engineers with write access
  • Use only when writes are needed
Read-Only (RO)
  • SELECT queries only
  • No data modification
  • For analysts, on-call triage
  • Default / least-privilege mode
# Step 1 — Log in to AWS via SSO (browser-based)
aws sso login --profile <your-sso-profile>

# Step 2 — Generate a temporary DB authentication token
aws rds generate-db-auth-token \
  --hostname  <db-host> \
  --port      <port> \
  --region    <aws-region> \
  --username  <db-username-rw-or-ro> \
  --profile   <your-sso-profile>
Token Expiry (15 min): Generated tokens are valid for 15 minutes from the time of creation. If your DB connection attempt fails after this window, regenerate the token using the command above.
04 Database Login
Connecting to the database using your token, certificate, and credentials

Required Parameters

Gather all 4 values before opening your DB client.

  #  Parameter    Value                Notes
  ①  Host Name    DB endpoint URL      From RDS / Aurora console or provided by Admin
  ②  Username     RW or RO user        Must match the username used in token generation
  ③  Token        Generated in Step 3  Use as the password — valid for 15 min only
  ④  Certificate  AWS RDS CA cert      Downloaded from AWS RDS console — enables SSL/TLS
How to get the Certificate: In the AWS RDS console, navigate to Databases → <your DB> → Connectivity & security. Download the CA certificate bundle (rds-ca-bundle.pem) for your region.

Connecting via DBeaver

  • 1. Create New Connection

    Open DBeaver → Database → New Database Connection. Select your DB type (PostgreSQL, MySQL, etc.).

  • 2. Fill Host & Credentials

    Enter the Host and Port. Set Username to the RW or RO user. Paste the generated token as the Password.

  • 3. Configure SSL

    Go to the SSL tab in the connection settings. Enable SSL and set the CA Certificate to the rds-ca-bundle.pem file you downloaded.

  • 4. Test & Connect

    Click Test Connection. If successful, click Finish. Remember: tokens expire after 15 minutes — reconnect using a fresh token if needed.

Alternative Tools: Any JDBC-compatible client works — TablePlus, DataGrip, pgAdmin, or the direct mysql CLI with the --ssl-ca flag (psql takes the CA bundle via the sslrootcert connection parameter instead). The token is always used as the password field.
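The token produced in part 03 and pasted as the password in part 04 is not opaque: it is a SigV4 presigned request for host:port/?Action=connect&DBUser=..., and the 15-minute window is literally its X-Amz-Expires=900 parameter. The following is an added example, not code from this guide or from AWS: it rebuilds a token of that shape from constructed credentials (the hostname, access key, secret and session token are hypothetical), then shows two pre-flight checks a client could run before connecting (is the token still inside its window, and is it bound to the same DBUser the connection will use) and the libpq connection string equivalent of the DBeaver SSL settings with verify-full, so the downloaded CA bundle is actually enforced. The signing steps are my reading of the rds-db presign scheme the AWS CLI uses and are an assumption, not a byte-for-byte verified copy of the CLI's output.

```python
"""Added example (not from the guide): what an RDS IAM auth token is and how to sanity-check one."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

TOKEN_LIFETIME_SECONDS = 900            # the 15-minute validity window the guide describes
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"      # same format as the X-Amz-Date query parameter


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "rds-db")                # service name used for RDS IAM authentication
    return _hmac(k, "aws4_request")


def generate_db_auth_token(hostname, port, username, region, access_key, secret_key,
                           session_token=None, amz_date=None):
    """Build a token in the shape `aws rds generate-db-auth-token` prints: a SigV4
    query-string presign of GET host:port/?Action=connect&DBUser=...
    (Assumption: mirrors the rds-db presign the CLI performs.)"""
    amz_date = amz_date or dt.datetime.now(dt.timezone.utc).strftime(AMZ_DATE_FORMAT)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": username,                       # the RW or RO DB user the token is bound to
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(TOKEN_LIFETIME_SECONDS),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                             # SSO profiles yield temporary credentials, which carry one
        params["X-Amz-Security-Token"] = session_token
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items()))
    host_header = f"{hostname}:{port}"
    canonical_request = "\n".join(
        ["GET", "/", canonical_qs, f"host:{host_header}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host_header}/?{canonical_qs}&X-Amz-Signature={signature}"


def parse_token(token: str) -> dict:
    """Split the token into its query parameters (the part after 'host:port/?')."""
    _, _, query = token.partition("/?")
    return dict(urllib.parse.parse_qsl(query, keep_blank_values=True))


def token_seconds_remaining(token: str, now_amz_date=None) -> int:
    """Seconds of validity left; negative once the 15-minute window has passed."""
    p = parse_token(token)
    issued = dt.datetime.strptime(p["X-Amz-Date"], AMZ_DATE_FORMAT).replace(tzinfo=dt.timezone.utc)
    expiry = issued + dt.timedelta(seconds=int(p["X-Amz-Expires"]))
    now = (dt.datetime.strptime(now_amz_date, AMZ_DATE_FORMAT).replace(tzinfo=dt.timezone.utc)
           if now_amz_date else dt.datetime.now(dt.timezone.utc))
    return int((expiry - now).total_seconds())


def check_token(token: str, expected_username: str, now_amz_date=None) -> list:
    """Pre-flight checks before pasting the token into the Password field."""
    problems = []
    db_user = parse_token(token).get("DBUser")
    if db_user != expected_username:
        problems.append(f"token is bound to DBUser={db_user!r}, connection uses {expected_username!r}")
    if token_seconds_remaining(token, now_amz_date) <= 0:
        problems.append("token has expired; re-run aws rds generate-db-auth-token")
    return problems


def libpq_conninfo(hostname, port, username, token, ca_bundle_path) -> str:
    """libpq keyword/value equivalent of the DBeaver settings, with the CA bundle
    actually enforced (sslmode=verify-full) rather than merely 'SSL enabled'."""
    def q(v):   # single-quote a value, escaping backslash and quote per libpq rules
        return "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
    fields = {"host": hostname, "port": str(port), "user": username, "password": token,
              "sslmode": "verify-full", "sslrootcert": ca_bundle_path}
    return " ".join(f"{k}={q(v)}" for k, v in fields.items())


# Constructed sample values: hypothetical host and credentials, not real ones.
SAMPLE_TOKEN = generate_db_auth_token(
    "example-db.cluster-abc123.us-east-1.rds.amazonaws.com", 5432, "app_ro", "us-east-1",
    "AKIAEXAMPLEKEY", "examplesecretkey", session_token="exampleSessionToken",
    amz_date="20240101T000000Z")

if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print("seconds left at 00:10 UTC:", token_seconds_remaining(SAMPLE_TOKEN, "20240101T001000Z"))
    print("problems if used as app_rw at 00:16 UTC:", check_token(SAMPLE_TOKEN, "app_rw", "20240101T001600Z"))
```

Two things the checks make visible: the DBUser inside the token is fixed at generation time, which is why the guide insists the username in the client must match the one passed to --username; and expiry is computed from X-Amz-Date plus X-Amz-Expires, so a token generated well before the client is opened can already be dead by the time Test Connection is clicked. In the connection string, verify-full makes libpq reject an endpoint whose certificate does not chain to rds-ca-bundle.pem and match the hostname; with the weaker require or prefer modes the bundle is never consulted.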
Quick Reference Checklist
Everything you need before connecting to the database