Active Directory Synchronization
Runtime Configuration
All the CFN parameters related to Active Directory (AD) are optional during installation.

After the initial installation, administrators can view or edit the AD configuration in the RES web portal on the Identity management page.
Administrators can filter the users or groups to sync via the new Users Filter and Groups Filter options. The filters must follow LDAP filter syntax, for example (sAMAccountName=<user>).
For any secret ARN provided at runtime (for example, ServiceAccountCredentialsSecretArn or DomainTLSCertificateSecretArn), make sure to add the following tags to the secret so that RES is granted permission to read the secret value:
- key: res:EnvironmentName, value: <your RES environment name>
- key: res:ModuleName, value: directoryservice
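As an added example (not part of the RES documentation or project code), the following POSIX shell snippet applies the two required tags to a secret with the AWS CLI and then verifies that both tags are present. It assumes AWS CLI v2 with credentials configured; the secret ARN and environment name used in the calls are placeholders. Setting AWS=echo prints the commands instead of executing them, which is useful for a dry run.

```shell
#!/bin/sh
# Added example (not RES project code): tag a Secrets Manager secret so the RES
# directoryservice module is allowed to read it, then verify the tags.
# Assumes AWS CLI v2 with credentials configured. Set AWS=echo for a dry run.
set -e
AWS=${AWS:-aws}

# Tag keys and values required by RES (from the documentation above).
TAG_ENV_KEY="res:EnvironmentName"
TAG_MODULE_KEY="res:ModuleName"
TAG_MODULE_VALUE="directoryservice"

# tag_secret_for_res <secret-arn> <res-environment-name>
# Adds (or overwrites) both tags on the secret in a single call.
tag_secret_for_res() {
    secret_arn=$1
    env_name=$2
    "$AWS" secretsmanager tag-resource \
        --secret-id "$secret_arn" \
        --tags "Key=${TAG_ENV_KEY},Value=${env_name}" \
               "Key=${TAG_MODULE_KEY},Value=${TAG_MODULE_VALUE}"
}

# secret_tags_ok <tags-text> <res-environment-name>
# <tags-text> is the secret's tag list as "Key<TAB>Value" lines, i.e. the
# output of `describe-secret --query 'Tags[].[Key,Value]' --output text`.
# Returns 0 only if both required tags are present with the expected values.
secret_tags_ok() {
    tags=$1
    env_name=$2
    printf '%s\n' "$tags" | grep -q "^${TAG_ENV_KEY}[[:space:]]${env_name}\$" || return 1
    printf '%s\n' "$tags" | grep -q "^${TAG_MODULE_KEY}[[:space:]]${TAG_MODULE_VALUE}\$" || return 1
    return 0
}

# check_secret_tags <secret-arn> <res-environment-name>
# Fetches the secret's tags from Secrets Manager and validates them.
check_secret_tags() {
    tags=$("$AWS" secretsmanager describe-secret --secret-id "$1" \
        --query 'Tags[].[Key,Value]' --output text)
    secret_tags_ok "$tags" "$2"
}

# Usage (placeholders, not real resources):
#   tag_secret_for_res arn:aws:secretsmanager:us-east-1:123456789012:secret:res-ad-svc demo-env
#   check_secret_tags  arn:aws:secretsmanager:us-east-1:123456789012:secret:res-ad-svc demo-env
```

Run check_secret_tags after tagging (and after any change to the environment name) because RES's access to the secret depends on both tag values matching exactly; a mismatched res:EnvironmentName is the usual cause of a sync that cannot read the service account credentials.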
Any AD configuration updates in the web portal will be picked up automatically during the next scheduled AD sync (hourly). Users may need to re-configure SSO after changing the AD configuration (for example, if they switch to a different AD).
How to manually run the sync (release 2024.12 and later)
The Active Directory synchronization process has been moved from the Cluster Manager infra host to a one-off Amazon Elastic Container Service (ECS) task that runs behind the scenes. The process is scheduled to run every hour; while a sync is in progress, you can find the running ECS task in the Amazon ECS console under the <res-environment-name>-ad-sync-cluster cluster.
To launch it manually:
- Navigate to the Lambda console and search for the Lambda function named <res-environment>-scheduled-ad-sync.
- Open the Lambda function and go to the Test tab.
- In the Event JSON, enter the following:
{ "detail-type": "Scheduled Event" }
- Choose Test.
- Observe the logs of the running AD Sync task under CloudWatch → Log Groups → <environment-name>/ad-sync. You'll see a log stream from each of the ECS tasks that have run. Select the most recent stream to view the logs.
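The same manual procedure driven from the command line, as an added example rather than RES's own tooling. It assumes AWS CLI v2 (needed for --cli-binary-format and `aws logs tail`) with credentials for the account that hosts RES, and it derives the resource names from the steps above: the Lambda <res-environment>-scheduled-ad-sync, the ECS cluster <res-environment-name>-ad-sync-cluster and the log group <environment-name>/ad-sync, taken as written on this page. Instead of picking the newest log stream in the console, it follows the whole log group. Setting AWS=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not RES project code): trigger the RES AD sync Lambda from the
# CLI, list the one-off ECS task while it runs, and follow its CloudWatch logs.
# Resource names follow the documentation above. Assumes AWS CLI v2.
# Set AWS=echo to print the commands instead of running them.
set -e
AWS=${AWS:-aws}

# Resource names derived from the RES environment name.
ad_sync_lambda()    { printf '%s-scheduled-ad-sync' "$1"; }
ad_sync_cluster()   { printf '%s-ad-sync-cluster' "$1"; }
ad_sync_log_group() { printf '%s/ad-sync' "$1"; }

# The event payload the hourly schedule delivers; the Lambda keys on detail-type.
AD_SYNC_EVENT='{"detail-type": "Scheduled Event"}'

# trigger_ad_sync <res-environment-name>
# Invokes the scheduler Lambda synchronously and writes its response to stdout.
trigger_ad_sync() {
    "$AWS" lambda invoke \
        --function-name "$(ad_sync_lambda "$1")" \
        --cli-binary-format raw-in-base64-out \
        --payload "$AD_SYNC_EVENT" \
        /dev/stdout
}

# running_ad_sync_tasks <res-environment-name>
# Prints the ARNs of sync tasks currently running in the ad-sync cluster
# (empty output means no sync is in progress).
running_ad_sync_tasks() {
    "$AWS" ecs list-tasks \
        --cluster "$(ad_sync_cluster "$1")" \
        --desired-status RUNNING \
        --query 'taskArns' --output text
}

# follow_ad_sync_logs <res-environment-name>
# Streams the last hour of the ad-sync log group and keeps following it, so
# the output covers the task just started by trigger_ad_sync.
follow_ad_sync_logs() {
    "$AWS" logs tail "$(ad_sync_log_group "$1")" --since 1h --follow
}

# Usage (environment name is a placeholder):
#   trigger_ad_sync demo-env
#   running_ad_sync_tasks demo-env
#   follow_ad_sync_logs demo-env
```

Because the sync is a one-off ECS task, running_ad_sync_tasks returns nothing once the task has finished; if you invoke it immediately after trigger_ad_sync and see no task, allow a few seconds for the Lambda to start the task before concluding that the invocation failed, and check the Lambda's own log group for errors.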
Note
- If you change the AD parameters or add AD filters, RES will add the new users given the newly specified parameters and remove users that were previously synced and are no longer included in the LDAP search space.
- RES cannot remove a user or group that is actively assigned to a project. You must remove users from projects in order for RES to remove them from the environment.
SSO configuration
After AD configuration is provided, users must set up Single Sign-On (SSO) to be able to login to the RES web portal as an AD user. SSO configuration has been moved from the General Settings page to the new Identity management page. For more information about setting up SSO, see Identity management.