One of the points of a customer’s migration to Amazon Web Services was turning on SSO (Single Sign-On), as it is quite convenient. A quick review of the available options showed that we could leverage ADFS. The customer already had ADFS deployed for other services, so there was no need to convince the Security Team that it should be used.

After a few days of struggling with the complexity of Ping Federate, we managed to turn on SSO and get a clean redirection loop through the ADFS mentioned above. The returned SAML assertion had everything we needed, and Windchill replied with ”Error 500”.

A more thorough study of the documentation revealed that SSO with ADFS is definitely supported by Windchill, but creating a new user based on the ADFS SAML response is not. Windchill needs a user base to compare against, and this can be provided by querying the domain controllers with LDAP, preferably over SSL (LDAPS).

We had the infrastructure deployed in AWS and the domain controllers in the customer’s server rooms. Exposing the controllers to the world would not get past the Security Team, but we had to query them somehow.

Let’s connect to the customer over VPN and query the controllers through the tunnel with secure LDAPS. But, not to make things too easy, several environments were already deployed in AWS, each in a different VPC, and each of them had to reach AD with its queries. Each VPC had a different subnet, overlapping with the customer’s on-prem networks.


What to do? How to manage?

There were a lot of options (the following are just a few of them):

  • Use Transit Gateway and make NAT on the customer’s side

Unfortunately, the already deployed VPCs had the same IP addresses as the customer had in their network. It’s not that it couldn’t be dealt with, but time was running out, and playing with routing in a global organization could take years.

  • Add a new VPC with an IP address range the customer does not use yet, do the routing and peering between the already deployed VPCs and the new one, add a VPN Gateway to this VPC, and voilà.

A short PowerPoint presentation, which shed some light on the problem in the customer’s eyes, resulted in a decision to create a new VPC, do the routing, peer the VPCs, connect the VPN and deploy AWS Directory Service in the Shared VPC.

The great mystery of querying one domain for objects from another one with an established Trust Relationship remains a mystery. A small failure. Not to mention the settings of the Trust Relationship between the domains.

In the meantime, not to block the development of some additional tools, we set up a standard Amazon Linux instance in the Shared VPC and, using simple SSH tunneling, worked around a few limitations related to the lack of a transit VPC in AWS.

Another try was setting up a read-only domain controller in AWS. This solution would provide access to the application even in case of problems with the VPN tunnels. Organizing the VPN went surprisingly well and it basically worked on the first attempt, so it was left that way.

We already had it: a read-only domain controller that could be queried with LDAP, and everything was fine, but not for the customer’s Security team, which had agreed to this scenario before. What to do? Security knows better, and they will not give us the public key of the internal CA, because it’s not a public key, just an internal one. Oh, the great PKI mystery.

Driven by some emotion, we decided that we’d had enough of this ‘dance’. A quick review of the situation:

  • VPC connected via VPN with the customer’s network – check
  • Credentials to log on to AD through LDAP – check


What’s missing?

Something like an LDAP proxy for Active Directory. We set something like that up in the Shared VPC, throw our LDAP queries at this proxy, it forwards them smoothly to the customer’s AD, and we’re done.

Another 5 hours of attempts and ta-dah! It’s working! OpenLDAP works. Verified in Windchill and the problem’s gone. EC2 with OpenLDAP works and… actually it’s boring.
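A minimal slapd.conf for such a proxy, as an added example and not the post’s own configuration: the back-ldap backend forwards every request under the AD suffix to the customer’s domain controllers over the VPN, and the client’s own simple bind is forwarded too, so AD, not the proxy, checks the Windchill credentials. Hostnames, the suffix, the listening certificate and the customer CA bundle path are placeholders; verifying the DC certificate (tls_reqcert=demand) only works if that CA bundle is actually available.

```conf
# slapd.conf for an OpenLDAP proxy in front of the customer's Active Directory.
# Added example with placeholder values; start slapd with: slapd -h "ldap:/// ldaps:///"
include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap
moduleload      back_ldap.la

# Server-side TLS: the certificate Windchill trusts when it connects with ldaps://
TLSCertificateFile      /etc/openldap/certs/proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key

# Let clients search after binding; anonymous connections may only authenticate.
access to *
        by users read
        by anonymous auth

# Proxy database: everything under the AD suffix is forwarded through the VPN.
database        ldap
suffix          "DC=corp,DC=example"
uri             "ldaps://dc1.corp.example:636 ldaps://dc2.corp.example:636"
protocol-version 3

# Verify the domain controller certificate against the customer's internal CA.
tls             ldaps tls_cacert=/etc/openldap/certs/customer-ca.pem tls_reqcert=demand

# Re-bind with the client's own credentials when a new backend connection is opened,
# so the service account Windchill uses is always validated by AD itself.
rebind-as-user  yes

# AD answers with referrals for other partitions (e.g. DomainDnsZones);
# chasing them from inside the proxy only adds failures and delay.
chase-referrals no

# Fail fast over the VPN and recycle idle backend connections.
network-timeout 5
idle-timeout    300
conn-ttl        3600
```

With this in place, Windchill points at ldaps://&lt;proxy-name&gt;:636 with the same bind DN and search base it would have used against the domain controllers directly.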

Hmm, maybe we should put it into a docker container?

Hmm, maybe we should run the container in ECS?

Hmm, generally we don’t need persistent storage, so maybe Fargate?

Building a container with the LDAP proxy on CentOS is basically just a few lines. Then a quick push to ECR, and a task definition and service can be created.
But how to direct the traffic to the service? The IP will be different every time the container restarts. Maybe through a load balancer? Nope.

When defining the Service, the „Service Discovery” option can be used, which creates a Hosted Zone in Route53 and keeps an A record pointing at the service up to date. Brilliant.

Now it’s enough to associate the VPCs with the Hosted Zone and send LDAPS queries to the name registered there.

Finally, so that we don’t have to pay special attention to it later on, it’s enough to define a simple health check, which will make ECS replace a broken container with a new one within a minute.
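An ECS task definition for the Fargate service described in the steps above, as an added example and not the post’s own definition; the account id, region, role and image name are placeholders. The sizing matches the 0.25 vCPU / 1 GB RAM mentioned below. The health check queries the proxy’s own rootDSE on the plain LDAP port inside the container, so it detects a dead slapd without depending on the VPN or on AD (ldapsearch must be present in the image); the Service Discovery registration is configured on the ECS service, not in the task definition.

```json
{
  "family": "ldap-proxy",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "256",
  "memory": "1024",
  "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "openldap-proxy",
      "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/ldap-proxy:latest",
      "essential": true,
      "portMappings": [
        { "containerPort": 636, "protocol": "tcp" }
      ],
      "healthCheck": {
        "command": [
          "CMD-SHELL",
          "ldapsearch -x -LLL -H ldap://127.0.0.1:389 -b '' -s base namingContexts >/dev/null || exit 1"
        ],
        "interval": 30,
        "timeout": 5,
        "retries": 3,
        "startPeriod": 15
      },
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/ldap-proxy",
          "awslogs-region": "eu-west-1",
          "awslogs-stream-prefix": "ecs"
        }
      }
    }
  ]
}
```

Three failed checks in a row mark the task unhealthy and the service replaces it; the security group on the task should only allow 636/tcp from the Windchill subnets, since the proxy holds a route into the customer’s AD.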

What about the cost (without VPN)?

  • First option, with AWS Directory Service: approximately $90/month
  • Second option, with an EC2 instance acting as a read-only domain controller: approximately $80/month
  • Third option, with a container in Fargate: approximately $10 (0.25 vCPU with 1 GB RAM)
