Outdoor work 15/06/2018

Using Microsoft Office 365 login service with AWS hosted applications

We’ve recently been working on a simple time management app that we host in AWS Elastic Beanstalk. We wanted to hand off responsibility for authenticating users to the Microsoft Office 365 single sign-on service (www.microsoftonline.com) hosted on Azure: the user base for the application all have Microsoft Work accounts already set up. We were looking at something like:

Office 365 Login to AWS hosted application - Logical Diagram


To get this logical flow implemented we had to work through a few details. It didn’t help that most of these types of setups employ direct EC2 instances rather than Elastic Beanstalk. But this is (currently) just a simple app so we wanted to maintain the ease of deployment and maintenance that Elastic Beanstalk affords us. We thought it was worth blogging some of the detail:

First things first. The single sign-on flow runs over HTTPS, so we had to implement end-to-end HTTPS encryption across the entire solution. AWS’s recommended solution for this is to place an HTTPS/SSL load balancer in front of the web app instance.

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html


Office 365 Login to AWS hosted application - Implementation Diagram

We updated the HTTPS configuration on the EC2 server that hosts the site in Elastic Beanstalk. We uploaded the certificate and private key to an S3 bucket and pointed the server at them.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSLNET.SingleInstance.html

We then modified the load balancer by setting up listeners on port 443 and enabling backend security so that the communication between the load balancer and the EC2 server is all over HTTPS:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html

Once we’d set this up, we encountered a problem where the load balancer would flag the EC2 instance as unhealthy and refuse to serve the page. The load balancer polls the app to see whether it gets a 200 (OK) HTTP status code back. This wasn’t happening because the authentication was answering every request with a 302 redirect to the Azure microsoftonline service. To overcome this, we wrote an HTTP module that runs inside the web application. This module checks the User-Agent header of each incoming request to see whether it comes from the load balancer and, if so, returns a healthy HTTP status code before the authentication redirect is issued.
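The module described above, as an added example (not the code from the original post) written as an ASP.NET IHttpModule. The class name HealthCheckModule and the /health path are assumptions; the ELB-HealthChecker user agent prefix is what the AWS load balancers send (ELB-HealthChecker/1.0 for Classic ELB, ELB-HealthChecker/2.0 for ALB). Because a User-Agent header is trivially set by any client, the 200 shortcut is limited to the dedicated health path, which serves nothing but "OK"; every other request still goes through the authentication redirect.

```csharp
using System;
using System.Web;

// Added example: answers the load balancer's health check with 200 before
// the authentication pipeline issues its 302 to microsoftonline.
public class HealthCheckModule : IHttpModule
{
    private const string HealthPath = "/health";                 // assumed path
    private const string HealthCheckerPrefix = "ELB-HealthChecker/"; // AWS UA prefix

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before forms/OWIN authentication runs.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // Pure decision function so the rule can be unit-tested without IIS.
    public static bool IsLoadBalancerHealthCheck(string path, string userAgent)
    {
        if (string.IsNullOrEmpty(path) || string.IsNullOrEmpty(userAgent))
            return false;
        // Require both: the user agent alone is not a trust signal, so the
        // bypass only applies to a path that exposes no application data.
        return string.Equals(path, HealthPath, StringComparison.OrdinalIgnoreCase)
            && userAgent.StartsWith(HealthCheckerPrefix, StringComparison.Ordinal);
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var ctx = app.Context;
        if (!IsLoadBalancerHealthCheck(ctx.Request.Path, ctx.Request.UserAgent))
            return; // ordinary request: let authentication run as normal

        ctx.Response.StatusCode = 200;
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        ctx.Response.Write("OK");
        // Stop the pipeline here so no later module can turn this into a 302.
        app.CompleteRequest();
    }
}
```

Register the module under system.webServer/modules in web.config and point the load balancer's health check at /health rather than the site root.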

Et voilà: we’ve got a healthy end-to-end solution for authenticating against Microsoft online with backend AWS hosted apps.