• bi-directional on-premises gateway
• translates on-premises 1.0 identity protocols to cloud 2.0 protocols
• essential for most enterprises
IDaaS
• Identity Management as a Service
• externally-hosted, turnkey SaaS
• frequently used with an identity bridge
Diagram (SSO with SAML): federation IDP; SaaS application acting as federation SP; 2) SSO (SAML) Assertion.
Diagram (OpenID Connect and OAuth): OpenID Provider, ID Token; OAuth authorization server, refresh token, access token; relying party/client/app; resource server.
Diagram (second provider): OpenID Provider #2, ID Token #1, refresh token #2, access token #2, resource server #2; app, ID Token.
IAM user attributes and the API call that retrieves each one:

Attribute                                 Retrieval Call
UserName, Path, CreateDate, UserId, Arn   ListUsers, GetUser
LoginProfile                              GetLoginProfile
AccessKeyID                               ListAccessKeys
SecretAccessKey                           (none; returned only by CreateAccessKey, so it must be stored at creation time)
VirtualMFADevice -> Serial Number (Arn)   ListVirtualMFADevices
Diagram (on-premises Active Directory): domain joins, user management, Windows Group Policy, user authentication, native AD toolset; users not in IAM store.
• Identity stores
• Federated user
Diagram (IAM user sign-in). Console: username, password, MFA. API: LT (long-term) Access Key ID and LT Secret Access Key, with MFA → ST (short-term) credentials: ST Access Key ID, ST Secret Access Key, ST SessionToken. Without MFA the API is called with the LT credentials directly. LT credentials vs. ST credentials.
• Identity stores
• IAM user
Diagram (federated user sign-in). Console: external authn, SAML → ST credentials (ST Access Key ID, ST Secret Access Key, ST SessionToken / ST Security Token). API: external authn, OpenID Connect ID Token → ST credentials.
Diagram (federated access to the AWS API through a broker and the Security Token Service):
1) AD authentication (federated user; Windows user policy store)
2) Retrieve RoleSessionName
3) AssumeRole(), called with the IAM user's LT credentials
4) ST credentials returned
5) Query()
Diagram (SAML to the AWS Management Console): federation IDP; 2) SAML SSO Assertion; federation SP (console). The IDP's X.509 certificate is bound to the PrincipalArn.

Attribute          Description
SAML subject name  Required for SAML
RoleArn            role for user entitlements
PrincipalArn       role of IDP in AWS
RoleSessionName    Enables user-specific auditing and access policies
Diagram (SAML to the AWS API): 1) authentication to the federation IDP; 2) authn, attributes; 3) assertion carrying RoleArn and PrincipalArn to the federation SP → ST credentials.
Diagram (OpenID Connect to AWS): OpenID Provider, ID Token, client/relying party/app (enterprise); ID Token → ST credentials; 5) Query().
Diagram (external MFA to AWS): MFA, assertion / ID token → ST credentials; 5) Query.
• SAML to AWS Management Console
• SAML to AWS API
• OpenID Connect to AWS
• External MFA to AWS
Diagram: provisioning service.
Flowchart: sync identities from LDAP to the IAM store

Sync: Begin sync → Get LDAP users: ldapsearch() → Get AWS users: ListUsers(), GetLoginProfile(), ListAccessKeys(), ListVirtualMFADevices() → Map LDAP hierarchy to AWS Path attribute → Reconcile LDAP users to AWS users → Add users to IAM store / Delete users from IAM store / Modify users in IAM store → End sync

Add: Begin add → CreateUser() → AddUserToGroup() (multiple groups) → CreateLoginProfile() → CreateAccessKey() → CreateVirtualMfaDevice() → EnableMfaDevice() → Store Arn, AccessKeyID, LoginProfile CreateDate, MfaDevice Serial → Distribute LT credentials to user → Distribute MFA seed or create QR code PNG for user → End add

Delete: Begin delete → DeleteUser() → End delete

Modify: Begin modify → Hash LDAP and AWS user attributes → Hashes match? Yes: End modify. No: UpdateUser(), AddUserToGroup(), RemoveUserFromGroup(), UpdateLoginProfile(), CreateAccessKey(), CreateVirtualMfaDevice(), EnableMfaDevice() → Store Arn, LoginProfile CreateDate, AccessKeyID, MfaSerial → Distribute LT credentials to user → Distribute MFA seed or create QR code PNG for user → End modify
Diagram (on-premises directory as the identity store): user identities, user attributes, LT credentials, group memberships, MFA serial number.
Diagram (sign-in with directory-held credentials): 1) authentication to the on-premises directory; 2) LT credentials, TokenArn; TokenCode; 4) user attributes for authz; access.
Flowchart: sync identities from the IAM store to LDAP

Sync: Begin sync → Get AWS users: ListUsers(), ListAccessKeys(), ListVirtualMFADevices() → Get LDAP users: ldapsearch() → Map LDAP hierarchy to AWS Path attribute → Reconcile AWS users to LDAP users → Add users to LDAP / Delete users from LDAP / Modify users in LDAP → End sync

Add: Begin add → Create LDAP user: ldapadd() → Add user to LDAP groups: ldapmodify() → CreateAccessKey() → ListMfaDevices() → Create or look up additional attributes → End add

Delete: Begin delete → Delete LDAP user: ldapdelete() → End delete

Modify: Begin modify → Hash LDAP and AWS user attributes → Hashes match? Yes: End modify. No: AccessKeyID exist? No: CreateAccessKey(). Yes: Modify user in LDAP: ldapmodify(); Add/delete user in LDAP groups: ldapmodify() → End modify
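The reconcile step shared by both sync flowcharts above (LDAP to the IAM store, and the IAM store to LDAP), as an added Python example that is not part of the session's slides: it maps the LDAP hierarchy to an IAM Path, hashes the compared attributes in a canonical form, computes the add/delete/modify sets, and turns a differing user into the IAM calls the modify flow names. The compared attribute set, the DN-to-Path rule, and the use of ListGroupsForUser for IAM group membership are assumptions; all records are constructed and nothing calls LDAP or AWS.

```python
# Added example (not the session's own code): the reconcile step of the
# LDAP <-> IAM sync flowcharts. Both directions use the same comparison, so
# reconcile(source, target) is run with the authoritative store as `source`.
# All records are constructed; no LDAP or AWS call is made.
import hashlib
import json

# Attributes the two stores are compared on (the "Hash LDAP and AWS user
# attributes" step). This attribute set is an assumption for the example.
COMPARED_ATTRS = ("UserName", "Path", "Groups")


def map_dn_to_path(dn):
    """Map an LDAP DN hierarchy to an IAM Path ("Map LDAP hierarchy to AWS
    Path attribute"). Assumed rule: ou= components become path segments,
    outermost first; uid= and dc= components are dropped.
    'uid=alice,ou=eng,ou=users,dc=example,dc=com' -> '/users/eng/'"""
    parts = [p.strip() for p in dn.split(",")]
    ous = [p.split("=", 1)[1] for p in parts if p.lower().startswith("ou=")]
    return "/" + "/".join(reversed(ous)) + "/" if ous else "/"


def from_ldap(entry):
    """Normalise an ldapsearch() entry into the compared attribute set;
    group names are the cn= of each memberOf DN."""
    groups = [p.split("=", 1)[1] for g in entry.get("memberOf", [])
              for p in g.split(",") if p.strip().lower().startswith("cn=")]
    return {"UserName": entry["uid"], "Path": map_dn_to_path(entry["dn"]),
            "Groups": sorted(groups)}


def from_iam(user, groups):
    """Normalise a ListUsers() record plus its group names (assumed to have
    been fetched with ListGroupsForUser) into the compared attribute set."""
    return {"UserName": user["UserName"], "Path": user["Path"],
            "Groups": sorted(groups)}


def attr_hash(rec):
    """Canonical SHA-256 over the compared attributes, so the same user in
    either store hashes identically regardless of key or list order."""
    canon = {k: rec.get(k) for k in COMPARED_ATTRS}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()


def reconcile(source, target):
    """Return the add / delete / modify sets keyed by UserName. A user present
    in both stores is flagged for modify only when the attribute hashes differ."""
    src, tgt = set(source), set(target)
    return {
        "add": sorted(src - tgt),
        "delete": sorted(tgt - src),
        "modify": sorted(u for u in src & tgt
                         if attr_hash(source[u]) != attr_hash(target[u])),
    }


def modify_plan(src_rec, tgt_rec):
    """Translate one differing user into the IAM calls the modify flow names:
    UpdateUser for a Path change, AddUserToGroup / RemoveUserFromGroup for
    membership changes. Returns (call, argument) pairs; nothing is executed."""
    plan = []
    if src_rec["Path"] != tgt_rec["Path"]:
        plan.append(("UpdateUser", src_rec["Path"]))
    plan += [("AddUserToGroup", g) for g in src_rec["Groups"]
             if g not in tgt_rec["Groups"]]
    plan += [("RemoveUserFromGroup", g) for g in tgt_rec["Groups"]
             if g not in src_rec["Groups"]]
    return plan


# Constructed sample data standing in for ldapsearch() and ListUsers() output.
LDAP_USERS = {e["uid"]: from_ldap(e) for e in [
    {"uid": "alice", "dn": "uid=alice,ou=eng,ou=users,dc=example,dc=com",
     "memberOf": ["cn=developers,ou=groups,dc=example,dc=com"]},
    {"uid": "bob", "dn": "uid=bob,ou=ops,ou=users,dc=example,dc=com",
     "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    {"uid": "carol", "dn": "uid=carol,ou=eng,ou=users,dc=example,dc=com",
     "memberOf": ["cn=developers,ou=groups,dc=example,dc=com"]},
]}
IAM_USERS = {
    "alice": from_iam({"UserName": "alice", "Path": "/users/eng/"}, ["developers"]),
    "bob": from_iam({"UserName": "bob", "Path": "/users/eng/"}, ["developers"]),
    "dave": from_iam({"UserName": "dave", "Path": "/users/ops/"}, []),
}

if __name__ == "__main__":
    result = reconcile(LDAP_USERS, IAM_USERS)   # LDAP is authoritative here
    print(result)
    for name in result["modify"]:
        print(name, modify_plan(LDAP_USERS[name], IAM_USERS[name]))
```

Running the IAM-to-LDAP direction is the same call with the arguments swapped, with the plan step replaced by ldapadd/ldapmodify/ldapdelete operations.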
• Sync Identities from IAM Store
• Federated SSO with Simple AD and Amazon EC2

Diagram: Simple AD, domain trust, on-premises.

• Sync Identities from IAM Store
• Sync Identities from Simple AD

Diagram (federated SSO with Simple AD): 1) user authn (on-premises); 2) user authn (Simple AD, federated IDP, SaaS).
Please give us your feedback on this session. 
Complete session evaluations and earn re:Invent swag. 
http://bit.ly/awsevals

(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014
