Advanced Techniques for Federation of the AWS Management Console and Command Line Interface (CLI) - May 2017 AWS Online Tech Talks
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman – AWS Identity & Directory Services
May 25th, 2017
SAML Federation for AWS
Agenda
• Introduction
• Federation rationale & options
• Getting started with SAML federation for AWS
• Tackling more advanced SAML use-cases
• How to select an Identity Provider
• Pro tips from the field
• Demos!
• Q & A
Federation rationale & options
Federation rationale
               Before:              After:               Result:
Users          Unique credentials   Single sign-on (SSO)
Security       Long-lived keys      Short-term tokens
Compliance     One-off              Naturally aligned
Multiple AWS federation options
• Amazon Cognito: provide API access for end user web & mobile applications.
• AWS Directory Service: use Active Directory username and password to access the AWS Management Console.
• Security Assertion Markup Language (SAML): use enterprise credentials for authentication and authorization into the AWS Console, CLI & APIs.
• Custom federation brokers: build your own federation bridge to support specialized use cases.
Quick SAML primer
Identity provider ↔ Service provider:
• Metadata (exchanged in advance)
• Assertion (sent in the login flow)
Prior art
Generally “known science”:
• Basic federation with <insert your favorite identity provider here>.
• SSO experience for AWS Management Console users.
• Federated access for AWS CLI/API.
Remaining challenges
Option overload:
• Many accounts: direct federation or hub/spoke?
• Role mapping: groups, attributes, or a combination?
Solutions not yet widely published:
• Attribute-driven authorizations.
• Strong authentication techniques.
• Resource permissions for federated users.
Demo: Initial SAML setup for AWS
Initial SAML setup for AWS
Initial SAML setup for AWS - Recap
Prerequisite:
• Working SAML identity provider.
Checklist:
• AWS: IAM Identity Provider.
• AWS: IAM role for SAML (WebSSO).
• IdP: AWS Relying Party.
• IdP: AWS SAML assertion attributes.
• Directory: Groups per naming convention.
• Workstation: CLI/API helper.
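The last checklist item, the workstation-side CLI/API helper, is what turns a browser-only SSO setup into federated CLI and API access. The following is an added example (not code from the talk): it decodes the base64 SAMLResponse the IdP posts to https://signin.aws.amazon.com/saml, lists the role/provider pairs the assertion authorises, and exchanges the assertion for short-term credentials with sts:AssumeRoleWithSAML. The sample response, the account IDs, the role names and the provider name CorpIdP are constructed for the example; the assertion is shown without its signature, which STS, not this helper, validates.

```python
"""Workstation-side CLI/API helper for SAML federation to AWS (added example)."""
import base64
import configparser
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"


def saml_attributes(saml_response_b64):
    """Decode the SAMLResponse and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def role_choices(attrs):
    """Return [(role_arn, provider_arn)] from the Role attribute.

    AWS accepts both "role,provider" and "provider,role", so classify each ARN
    by type instead of trusting the order the IdP happened to use.
    """
    pairs = []
    for value in attrs.get(ROLE_ATTR, []):
        arns = [a.strip() for a in value.split(",")]
        role = [a for a in arns if ":role/" in a]
        provider = [a for a in arns if ":saml-provider/" in a]
        if len(arns) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        pairs.append((role[0], provider[0]))
    return pairs


def session_duration(attrs, default=3600):
    """Honour SessionDuration if the IdP sent one (STS still caps it at the role's maximum)."""
    values = attrs.get(DURATION_ATTR)
    return int(values[0]) if values else default


def assume_role(saml_response_b64, role_arn, provider_arn, region="us-east-1"):
    """Exchange the assertion for temporary credentials (network call via boto3).

    AssumeRoleWithSAML is an unsigned call: no existing AWS credentials are
    needed, the IdP-signed assertion is the proof of authentication.
    """
    import boto3  # only needed for the live exchange
    sts = boto3.client("sts", region_name=region)
    attrs = saml_attributes(saml_response_b64)
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=saml_response_b64, DurationSeconds=session_duration(attrs))
    return resp["Credentials"]


def write_profile(credentials, path, profile="saml"):
    """Store the short-term keys as a named profile for the AWS CLI/SDKs."""
    config = configparser.ConfigParser()
    config.read(path)  # missing file is fine, configparser ignores it
    config[profile] = {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }
    with open(path, "w") as fh:
        config.write(fh)
    return profile


# Constructed SAMLResponse (signature and conditions omitted) for offline use.
SAMPLE_RESPONSE = base64.b64encode(f"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/AWS-Admins,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::444455556666:saml-provider/CorpIdP,arn:aws:iam::444455556666:role/AWS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_NAME_ATTR}">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{DURATION_ATTR}">
        <saml:AttributeValue>14400</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".strip().encode()).decode()

if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_RESPONSE)
    for i, (role, provider) in enumerate(role_choices(attrs)):
        print(f"[{i}] {role}  (via {provider})")
```

In a real helper the SAMLResponse comes from the IdP's login form (the CLI solution linked on the last slide scrapes it from the HTTP response), the user picks one of the listed pairs, and `assume_role` followed by `write_profile` gives the CLI a profile that expires with the role session rather than a long-lived access key.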
Scaling: Multiple AWS accounts
Option 1: “Direct Federation” (everywhere)
Option 2: “Hub and Spoke”
Recommendation for multiple accounts
• Preferred approach: Direct Federation.
• Both solutions are technically valid and are in use.
• However, direct federation offers these advantages:
• The corporate directory is the sole source of truth for “who has access to what.”
• Users can have access to a subset of accounts and different roles per account.
• The user experience is better, particularly for new users.
• CLI and API automation don’t require the “extra hop.”
Demo: Multiple AWS Accounts
Multiple AWS Accounts
Multiple AWS Accounts - Recap
Prerequisite:
• IAM Roles for cross account trust.
Checklist:
• AWS: Automation to configure IAM Identity Provider.
• AWS: Automation to maintain IAM roles & policies.
• IdP: Nothing to do!
• Directory: Automation to create groups.
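With direct federation the IdP side stays untouched and all the work is on the AWS and directory side, which is why the recap calls for automation. The following is an added example (not code from the talk) of that fan-out: it plans one IAM SAML identity provider and one SAML-trusting role per entry in ROLES for every account, derives the directory group each role expects, and can apply the plan through a cross-account provisioning role. The group naming convention AWS-<account>-<role>, the account IDs, the provider name CorpIdP and the provisioning role name OrgProvisioning are assumptions; `role_attribute_values` shows what the IdP's claim rule has to do with those groups so that the assertion carries matching role ARNs.

```python
"""Direct-federation fan-out across many AWS accounts (added example)."""
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
# Assumed group convention: AWS-<12-digit account>-<role name>. Commas are excluded
# from the role part because "," separates role and provider in the SAML attribute.
GROUP_RE = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$")


def provider_arn(account_id, provider_name):
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def saml_trust_policy(account_id, provider_name):
    """Trust policy for a SAML (WebSSO) role: only assertions from this account's
    IdP entry, and only ones addressed to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def group_name(account_id, role_name):
    """Directory group that grants one role in one account (assumed convention)."""
    return f"AWS-{account_id}-{role_name}"


def plan(accounts, roles, provider_name):
    """Work list per account: the provider, each role with its trust policy and
    managed policy to attach, and the directory group that maps to it."""
    return [{
        "account": account_id,
        "provider": provider_name,
        "roles": [{
            "name": role_name,
            "trust_policy": saml_trust_policy(account_id, provider_name),
            "managed_policy": policy_arn,
            "group": group_name(account_id, role_name),
        } for role_name, policy_arn in roles.items()],
    } for account_id in accounts]


def role_attribute_values(groups, provider_name):
    """What the IdP's claim rule does with the user's groups: each group matching
    the convention becomes one 'role,provider' value of the Role attribute.
    Non-matching groups are ignored, so unrelated groups cannot grant AWS access."""
    values = []
    for group in groups:
        m = GROUP_RE.match(group)
        if m:
            role = f"arn:aws:iam::{m['account']}:role/{m['role']}"
            values.append(f"{role},{provider_arn(m['account'], provider_name)}")
    return values


def apply(work, metadata_xml, provisioning_role="OrgProvisioning"):
    """Execute the plan with boto3 (network). Relies on the recap's prerequisite:
    every account has a role the caller can assume cross-account."""
    import boto3
    sts = boto3.client("sts")
    for item in work:
        creds = sts.assume_role(
            RoleArn=f"arn:aws:iam::{item['account']}:role/{provisioning_role}",
            RoleSessionName="saml-fanout")["Credentials"]
        iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        try:
            iam.create_saml_provider(Name=item["provider"], SAMLMetadataDocument=metadata_xml)
        except iam.exceptions.EntityAlreadyExistsException:
            iam.update_saml_provider(SAMLProviderArn=provider_arn(item["account"], item["provider"]),
                                     SAMLMetadataDocument=metadata_xml)
        for role in item["roles"]:
            doc = json.dumps(role["trust_policy"])
            try:
                iam.create_role(RoleName=role["name"], AssumeRolePolicyDocument=doc)
            except iam.exceptions.EntityAlreadyExistsException:
                iam.update_assume_role_policy(RoleName=role["name"], PolicyDocument=doc)
            iam.attach_role_policy(RoleName=role["name"], PolicyArn=role["managed_policy"])


# Constructed inputs: two accounts, two roles backed by AWS managed policies.
ACCOUNTS = ["111122223333", "444455556666"]
ROLES = {
    "AWS-Admins": "arn:aws:iam::aws:policy/AdministratorAccess",
    "AWS-ReadOnly": "arn:aws:iam::aws:policy/ReadOnlyAccess",
}

if __name__ == "__main__":
    for item in plan(ACCOUNTS, ROLES, "CorpIdP"):
        for role in item["roles"]:
            print(f"{item['account']}: role {role['name']} <- group {role['group']}")
```

Because the role ARNs in the assertion are derived from group names, granting or revoking access is a group-membership change in the directory, and the same IdP claim rule serves every account that this plan has been applied to.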
How do I choose an IdP that’s right for me?
Choosing an IdP
• As long as the IdP can support the required SAML assertion attributes, it will work with AWS.
• Start with some self-directed questions:
• What are your needs for federation beyond AWS?
• What is your preferred model: SaaS or self-hosted/managed?
• Do you have existing relationships/infrastructure?
• Bias towards IdPs that can support dynamic attributes.
Demo: SAML attributes in role assumption conditions (a.k.a. MFA-for-SAML)
MFA-for-SAML
MFA-for-SAML - Recap
Prerequisite:
• MFA of your choice integrated with your IdP.
Checklist:
• IdP: Send authentication method as additional attribute in SAML assertion.
• AWS: Update role assumption trust policy.
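The two checklist items fit together like this: the IdP puts the authentication method into the assertion, and the role's trust policy adds a condition on it so that a password-only login cannot assume the role. AWS evaluates only the assertion attributes it exposes as saml:* condition keys, so the IdP has to emit the method under one of those names. The following is an added example (not code from the talk) that assumes the method is sent as eduPersonAssurance (condition key saml:edupersonassurance) and that an MFA login carries the ADFS-style value MFA_VALUE; both the carrier attribute and the value are assumptions to be replaced with whatever your IdP emits. The weak trust policy is shown beside the corrected one, and `would_allow` is a local approximation of IAM's StringEquals handling used only to show the effect of the condition; STS makes the real decision.

```python
"""MFA-for-SAML: gate role assumption on the IdP authentication method (added example)."""
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
AUTHN_KEY = "saml:edupersonassurance"                              # assumed carrier attribute
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"   # assumed MFA marker


def trust_policy(provider_arn, require_mfa):
    """Weak setting (require_mfa=False): any assertion from the IdP may assume the
    role. Corrected setting: the assertion must also carry the MFA marker."""
    conditions = {"SAML:aud": SAML_AUDIENCE}
    if require_mfa:
        conditions[AUTHN_KEY] = MFA_VALUE
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": conditions},
        }],
    }


def string_equals(assertion, key, allowed):
    """The StringEquals behaviour that matters here: condition keys are
    case-insensitive, a key absent from the assertion never matches, and a
    value may match any one of the listed values."""
    lookup = {k.lower(): v for k, v in assertion.items()}
    value = lookup.get(key.lower())
    if value is None:
        return False
    allowed = allowed if isinstance(allowed, list) else [allowed]
    return value in allowed


def would_allow(policy, provider_arn, assertion):
    """True if some Allow statement for sts:AssumeRoleWithSAML from this provider
    has every StringEquals condition satisfied by the assertion's attributes."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithSAML":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(string_equals(assertion, k, v) for k, v in conds.items()):
            return True
    return False


# Constructed assertion attribute sets, keyed by the condition key STS derives from them.
PROVIDER = "arn:aws:iam::111122223333:saml-provider/CorpIdP"
PASSWORD_ONLY = {"saml:aud": SAML_AUDIENCE, "saml:sub": "jdoe@example.com",
                 AUTHN_KEY: "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"}
WITH_MFA = {"saml:aud": SAML_AUDIENCE, "saml:sub": "jdoe@example.com",
            AUTHN_KEY: MFA_VALUE}
NO_METHOD = {"saml:aud": SAML_AUDIENCE, "saml:sub": "jdoe@example.com"}

if __name__ == "__main__":
    for name, policy in (("open", trust_policy(PROVIDER, False)),
                         ("mfa", trust_policy(PROVIDER, True))):
        for label, a in (("password", PASSWORD_ONLY), ("mfa", WITH_MFA), ("none", NO_METHOD)):
            verdict = "ALLOW" if would_allow(policy, PROVIDER, a) else "DENY"
            print(f"{name:5} policy, {label:8} login -> {verdict}")
```

The point of the `NO_METHOD` case is that an IdP which simply omits the attribute is denied too: a StringEquals condition on a missing key fails, so a misconfigured or downgraded IdP cannot silently bypass the requirement.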
Pro Tips: Lessons learned from working with many customers
Pro Tips
• AWS supports multiple federation setups in parallel – experiment!
• Make sure you understand who has access to modify AD group memberships.
• Consistency is the key to scale – modify group memberships, not policy definitions.
• Think through your tools & processes for assigning users to groups: will they scale?
• Choose a persistent & unique identifier (CloudTrail).
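The last tip matters because every API call a federated user makes is recorded by CloudTrail under the assumed-role ARN arn:aws:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>, and the RoleSessionName attribute from the assertion is the only part of that ARN that points back to a person. The following is an added example (not code from the talk) that attributes constructed CloudTrail records to users through that field and flags session names that cannot identify anyone; the account IDs, role names, user names and the "looks like a UPN" heuristic are assumptions.

```python
"""Attribute CloudTrail events to federated users via RoleSessionName (added example)."""
import json
from collections import Counter

ASSUMED_ROLE_MARK = ":assumed-role/"


def federated_actor(event):
    """Return (role_name, session_name) for an AssumedRole record, else None."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    arn = identity.get("arn", "")
    if ASSUMED_ROLE_MARK not in arn:
        return None
    role_name, _, session_name = arn.split(ASSUMED_ROLE_MARK, 1)[1].partition("/")
    return role_name, session_name


def actions_by_person(events):
    """Count eventName per session name. With a stable, unique RoleSessionName
    (a UPN, for instance) this is a per-user activity report."""
    report = {}
    for event in events:
        actor = federated_actor(event)
        if actor is None:
            continue
        report.setdefault(actor[1], Counter())[event["eventName"]] += 1
    return report


def unidentifiable_sessions(events):
    """Session names that do not identify a person (assumed heuristic: a UPN-style
    value contains '@'; anything else is treated as generic or shared)."""
    return {actor[1] for actor in map(federated_actor, events)
            if actor is not None and "@" not in actor[1]}


# Constructed CloudTrail records, trimmed to the fields this check reads.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID1:jdoe@example.com", "arn": "arn:aws:sts::111122223333:assumed-role/AWS-ReadOnly/jdoe@example.com", "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::111122223333:role/AWS-ReadOnly"}}}}
{"eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID2:jdoe@example.com", "arn": "arn:aws:sts::111122223333:assumed-role/AWS-Admins/jdoe@example.com", "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::111122223333:role/AWS-Admins"}}}}
{"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID2:saml", "arn": "arn:aws:sts::111122223333:assumed-role/AWS-Admins/saml", "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::111122223333:role/AWS-Admins"}}}}
{"eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44", "userIdentity": {"type": "IAMUser", "userName": "break-glass"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for person, counts in actions_by_person(SAMPLE_EVENTS).items():
        print(person, dict(counts))
    print("cannot attribute:", unidentifiable_sessions(SAMPLE_EVENTS))
```

The third record is the failure mode the tip warns about: an IdP that sets RoleSessionName to a constant such as "saml" produces a valid session, but the TerminateInstances-class actions taken under it can no longer be tied to an individual after the fact.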
Where to go from here
re:Invent workshop materials: http://bit.ly/2dBXMUq
AWS Docs: About SAML 2.0-based Federation
AWS Docs: Configuring SAML Assertions
AWS Docs: Integrating 3rd Party SAML Providers
AWS Security Blog: SAML API/CLI Solution
AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough
AWS Security Blog: ADFS How to
AWS Security Blog: ADFS Multi-account How to
AWS Security Blog: AWS CloudTrail for Federated Users
Q & A
Thank you!