Amazon Web Services IAM has a cohesive set of features, including authentication, service and resource authorization, and privilege delegation. But how does AWS IAM interact with an organization's external identity management framework? In this session, we will look at the identity disciplines, including authorization, identity governance and administration (IGA), provisioning, authentication and single sign-on, and their associated standards such as XACML, SCIM, SAML, OAuth, OpenID Connect, and FIDO. We will specify how these externalized identity functions can be integrated with AWS to deliver a cohesive organizational identity management framework. We will also cover real-world deployments of externalized identity systems with AWS.
5. Identity bridge
•bi-directional on-premises gateway
•translates on-premises 1.0 identity protocols to cloud 2.0 protocols
•essential for most enterprises
IDaaS
•Identity Management as a Service
•externally-hosted, turnkey SaaS
•frequently used with an identity bridge
20. [Diagram: SAML federation to the AWS Management Console. The user authenticates externally at the identity provider, a SAML assertion is presented to AWS, and the Security Token Service issues short-term (ST) credentials: Access Key ID, Secret Access Key and Session Token.]
21. [Diagram: the same SAML console flow, showing the ST credentials handed to the user's console session.]
22. [Diagram: OpenID Connect federation to the AWS API. External authentication at the OpenID Provider yields an ID Token, which is exchanged for ST credentials that sign the API calls.]
23. [Diagram: Active Directory federation to AWS via AssumeRole()]
1) AD authentication (Windows user, policy store)
2) Retrieve RoleSessionName for the federated user
3) AssumeRole() called with the IAM user's LT (long-term) credentials
4) ST credentials for the federated user returned by Security Token Services
5) Query() against AWS with the ST credentials
26. [Diagram: SAML SSO to the console. The federation IdP issues the assertion (step 2, SAML SSO); the IdP's X.509 signing certificate is bound to the PrincipalArn registered in AWS, which acts as the federation SP.]
Attribute          Description
SAML subject name  Required for SAML
RoleArn            Role for user entitlements
PrincipalArn       Role of the IdP in AWS (the IAM SAML provider ARN whose certificate verifies the assertion)
RoleSessionName    Enables user-specific auditing and access policies
27. [Diagram: SAML federation to the AWS API]
1) User authenticates to the federation IdP
2) IdP returns the authn result and user attributes
3) Assertion, carrying RoleArn and PrincipalArn, is presented to the federation SP (AWS); ST credentials are returned to the caller
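The assertion handed to AWS in step 3 above carries the attributes listed on slide 26 (RoleArn, PrincipalArn, RoleSessionName). The following is an added example, not code from the presentation: it pulls those attributes out of a SAML 2.0 assertion, normalises the `role,provider` pairs AWS accepts in either order, and builds the keyword arguments for the boto3 `assume_role_with_saml()` call. The sample assertion, account ID 123456789012, role names and provider name `CorpIdP` are constructed for the example. Note the caveat: this parser only selects a role; it does not verify the assertion's signature. That check is done by STS against the X.509 certificate bound to the PrincipalArn, which is why an unsigned or tampered assertion is useless even if it parses here.

```python
"""Extract AWS federation attributes from a SAML assertion (added example)."""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample assertion. A real one is signed; STS verifies the
# signature against the IdP certificate registered on the SAML provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_aws_attributes(assertion_xml):
    """Return (subject NameID, RoleSessionName, [(RoleArn, PrincipalArn), ...])."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    session_name = None
    roles = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                if len(parts) != 2:
                    raise ValueError("malformed Role attribute value: %r" % value)
                # AWS accepts "role,provider" or "provider,role"; normalise.
                if ":saml-provider/" in parts[0]:
                    parts.reverse()
                role_arn, principal_arn = parts
                if ":role/" not in role_arn or ":saml-provider/" not in principal_arn:
                    raise ValueError("Role attribute is not a role/provider pair: %r" % value)
                roles.append((role_arn, principal_arn))
        elif attr.get("Name") == SESSION_ATTR:
            session_name = values[0] if values else None
    if not roles:
        raise ValueError("assertion carries no Role attribute")
    if not session_name:
        raise ValueError("assertion carries no RoleSessionName attribute")
    return subject, session_name, roles


def is_entitled(assertion_xml, role_arn):
    """True when the IdP asserted this role for the user."""
    return any(r == role_arn for r, _ in parse_aws_attributes(assertion_xml)[2])


def build_assume_role_request(assertion_xml, chosen_role_arn):
    """Keyword arguments for sts.assume_role_with_saml(); the assertion is base64-encoded."""
    for role_arn, principal_arn in parse_aws_attributes(assertion_xml)[2]:
        if role_arn == chosen_role_arn:
            return {
                "RoleArn": role_arn,
                "PrincipalArn": principal_arn,
                "SAMLAssertion": base64.b64encode(assertion_xml.encode()).decode(),
            }
    raise PermissionError("assertion does not entitle the user to %s" % chosen_role_arn)


def exchange_for_st_credentials(request):
    """Exchange the assertion for ST credentials (needs boto3 and network; not run offline)."""
    import boto3  # imported lazily so the parsing above runs without it
    resp = boto3.client("sts").assume_role_with_saml(**request)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    print(parse_aws_attributes(SAMPLE_ASSERTION))
    print(build_assume_role_request(SAMPLE_ASSERTION, "arn:aws:iam::123456789012:role/Admin"))
```

RoleSessionName is what ends up in CloudTrail as the assumed-role session name, which is the "user-specific auditing" on slide 26; rejecting an assertion without it, as above, is cheaper than discovering later that every federated API call is attributed to the role alone.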
28. [Diagram: OpenID Connect federation. The enterprise client/relying party/app obtains an ID Token from the OpenID Provider, exchanges it for ST credentials, and issues 5) Query() to AWS.]
29. [Diagram: external MFA. The MFA step is added to the federation exchange (ID token or assertion) before ST credentials are issued for 5) Query.]
30. •SAML to AWS Management Console
•SAML to AWS API
•OpenID Connect to AWS
•External MFA to AWS
32. Sync LDAP users to IAM (flowchart)
Begin sync
•Get LDAP users: ldapsearch()
•Get AWS users: ListUsers(), GetLoginProfile(), ListAccessKeys(), ListVirtualMFADevices()
•Reconcile LDAP users to AWS users:
  Add users to IAM store
  Delete users from IAM store
  Modify users in IAM store
•Map LDAP hierarchy to AWS Path attribute
End sync
33. Add user to IAM (flowchart, steps in the order the IAM API requires)
Begin add
•CreateUser()
•AddUserToGroup() (multiple groups)
•CreateLoginProfile()
•CreateAccessKey()
•CreateVirtualMFADevice()
•EnableMFADevice()
•Store Arn, AccessKeyID, LoginProfile CreateDate, MfaDevice Serial
•Distribute LT credentials to user
•Distribute MFA seed or create QRCodePNG for user
End add
35. Modify user in IAM (flowchart)
Begin modify
•Hash LDAP and AWS user attributes
•Hashes match? Yes: End modify. No: continue
•UpdateUser()
•AddUserToGroup() / RemoveUserFromGroup()
•UpdateLoginProfile()
•CreateAccessKey()
•CreateVirtualMFADevice(), EnableMFADevice()
•Store Arn, LoginProfile CreateDate, AccessKeyID, MfaSerial
•Distribute LT credentials to user
•Distribute MFA seed or create QRCodePNG for user
End modify
38. On-premises directory holds, per user:
•user identities
•user attributes
•LT credentials
•group memberships
•MFA serial number
39. [Diagram: external MFA with the on-premises directory]
1) authentication against the on-premises directory
2) LT credentials and TokenArn returned
•TokenCode from the user's MFA device presented with the request
4) user attributes used for authorization; access granted
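Slides 33 and 35 enrol a virtual MFA device (distribute the seed or QR code, then EnableMFADevice(), which takes two consecutive codes), and slide 39 presents a TokenCode alongside the LT credentials. The following is an added example, not the presenter's code: RFC 6238 TOTP as an IAM virtual MFA device uses it (HMAC-SHA1, 30-second step, 6 digits). It generates the two enrolment codes, verifies a TokenCode with a small clock-skew window in constant time, and shows the STS call the verified code feeds. Assumptions: the seed is the Base32 string returned by CreateVirtualMFADevice() (`Base32StringSeed`), and TokenArn on slide 39 is the device's serial number passed as `SerialNumber`. The test seed below is the RFC 4226/6238 vector, constructed for the example.

```python
"""TOTP for an IAM virtual MFA device (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Base32 of the RFC 4226/6238 test secret "12345678901234567890" (constructed).
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def _secret(base32_seed):
    return base64.b32decode(base32_seed.strip(), casefold=True)


def totp(base32_seed, at_time=None, step=30, digits=6):
    """Current code for the seed; at_time overrides the clock for testing."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(_secret(base32_seed), t // step, digits)


def enable_codes(base32_seed, at_time=None, step=30):
    """Two consecutive codes, as EnableMFADevice(AuthenticationCode1, AuthenticationCode2) expects."""
    t = int(time.time() if at_time is None else at_time)
    counter = t // step
    secret = _secret(base32_seed)
    return hotp(secret, counter), hotp(secret, counter + 1)


def verify_token_code(base32_seed, token_code, at_time=None, step=30, window=1):
    """Accept a code from the current step or +/- `window` steps (clock skew),
    comparing in constant time so the check cannot leak the expected code."""
    if not (token_code.isdigit() and len(token_code) == 6):
        return False
    t = int(time.time() if at_time is None else at_time)
    secret = _secret(base32_seed)
    counter = t // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # No early return: every candidate is compared, keeping timing uniform.
        ok |= hmac.compare_digest(hotp(secret, c), token_code)
    return ok


def session_token_with_mfa(serial_number, token_code, duration=3600):
    """Exchange LT credentials plus a TokenCode for ST credentials (needs boto3 and network)."""
    import boto3  # imported lazily so the TOTP code above runs without it
    resp = boto3.client("sts").get_session_token(
        DurationSeconds=duration, SerialNumber=serial_number, TokenCode=token_code)
    return resp["Credentials"]


if __name__ == "__main__":
    print("enrolment codes:", enable_codes(RFC_SEED))
    print("current code:", totp(RFC_SEED))
```

The on-premises verifier never needs the AWS MFA device at all if the directory (slide 38) holds the seed: it checks the TokenCode locally with `verify_token_code()` and only then calls STS. Keep the window small; every extra step roughly doubles the number of codes an attacker can guess.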
40. Sync IAM users to LDAP (flowchart)
Begin sync
•Get AWS users: ListUsers(), ListAccessKeys(), ListVirtualMFADevices()
•Get LDAP users: ldapsearch()
•Reconcile AWS users to LDAP users:
  Add users to LDAP
  Delete users from LDAP
  Modify users in LDAP
•Map LDAP hierarchy to AWS Path attribute
End sync
41. Add user to LDAP (flowchart)
Begin add
•Create or look up additional attributes
•Create LDAP user: ldapadd()
•Add user to LDAP groups: ldapmodify()
•CreateAccessKey()
•ListMFADevices()
End add
43. Modify user in LDAP (flowchart)
Begin modify
•Hash LDAP and AWS user attributes
•Hashes match? Yes: End modify. No: continue
•Modify user in LDAP: ldapmodify()
•Add/delete user in LDAP groups: ldapmodify()
•AccessKeyID exist? No: CreateAccessKey(). Yes: continue
End modify
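The sync flowcharts on slides 32 to 35 (LDAP to IAM) and 40 to 43 (IAM to LDAP) share one core: normalise both user lists, hash each user's attributes, and split the difference into add, delete and modify sets, mapping the LDAP OU hierarchy onto the IAM Path attribute. The following is an added example, not the presenter's code, of that reconciliation logic run in both directions over constructed in-memory stand-ins for the ldapsearch() and ListUsers()/ListGroupsForUser() results. The base DN `dc=example,dc=com`, the users and the group names are constructed. It also handles the failure mode the flowcharts do not show: a sync whose source query comes back empty or truncated would otherwise plan the deletion of every user on the target, so the planner refuses when deletions exceed a fraction of the target.

```python
"""Directory <-> IAM reconciliation planner (added example)."""
import hashlib
import json

BASE_DN = "dc=example,dc=com"

# Constructed stand-in for ldapsearch() results.
LDAP_ENTRIES = [
    {"dn": "uid=alice,ou=eng,ou=people,dc=example,dc=com", "memberOf": ["Admins", "Developers"]},
    {"dn": "uid=bob,ou=sales,ou=people,dc=example,dc=com", "memberOf": ["Sales"]},
    {"dn": "uid=carol,ou=eng,ou=people,dc=example,dc=com", "memberOf": ["Developers"]},
]
# Constructed stand-in for ListUsers() merged with ListGroupsForUser().
IAM_USERS = [
    {"UserName": "alice", "Path": "/people/eng/", "Groups": ["Developers"]},
    {"UserName": "bob", "Path": "/people/sales/", "Groups": ["Sales"]},
    {"UserName": "dave", "Path": "/people/eng/", "Groups": []},
]


def dn_to_iam_path(dn, base_dn=BASE_DN):
    """Map the OU chain of a DN to an IAM Path: '/' delimited, begins and ends with '/'."""
    rdns = [r.strip().lower() for r in dn.split(",")]
    base = [r.strip().lower() for r in base_dn.split(",")]
    if rdns[-len(base):] != base:
        raise ValueError("DN %r is outside base %r" % (dn, base_dn))
    ous = [r.split("=", 1)[1] for r in rdns[:-len(base)] if r.startswith("ou=")]
    path = "/" + "/".join(reversed(ous)) + "/" if ous else "/"
    if not all(0x21 <= ord(c) <= 0x7F for c in path):  # IAM Path character set
        raise ValueError("DN %r does not map to a legal IAM path" % dn)
    return path


def record(name, path, groups):
    """Side-neutral user record plus the attribute hash the flowcharts compare."""
    canon = json.dumps({"name": name, "path": path, "groups": sorted(groups)}, sort_keys=True)
    return {"name": name, "path": path, "groups": sorted(groups),
            "hash": hashlib.sha256(canon.encode()).hexdigest()}


def normalize_ldap(entries):
    out = {}
    for e in entries:
        uid = e["dn"].split(",", 1)[0].split("=", 1)[1]
        out[uid] = record(uid, dn_to_iam_path(e["dn"]), e["memberOf"])
    return out


def normalize_iam(users):
    return {u["UserName"]: record(u["UserName"], u["Path"], u["Groups"]) for u in users}


def reconcile(source, target, max_delete_fraction=0.5):
    """Plan add/delete/modify so that target matches source. Raises rather than
    planning a mass deletion caused by an empty or truncated source query."""
    plan = {"add": [], "delete": [], "modify": []}
    for name, want in sorted(source.items()):
        have = target.get(name)
        if have is None:
            plan["add"].append(want)
        elif have["hash"] != want["hash"]:  # "Hashes match?" branch
            plan["modify"].append({
                "name": name,
                "path": want["path"] if want["path"] != have["path"] else None,
                "add_groups": sorted(set(want["groups"]) - set(have["groups"])),
                "remove_groups": sorted(set(have["groups"]) - set(want["groups"])),
            })
    plan["delete"] = sorted(name for name in target if name not in source)
    if target and len(plan["delete"]) / len(target) > max_delete_fraction:
        raise RuntimeError("refusing to delete %d of %d users; check the source query"
                           % (len(plan["delete"]), len(target)))
    return plan


if __name__ == "__main__":
    print("LDAP -> IAM:", reconcile(normalize_ldap(LDAP_ENTRIES), normalize_iam(IAM_USERS)))
    print("IAM -> LDAP:", reconcile(normalize_iam(IAM_USERS), normalize_ldap(LDAP_ENTRIES)))
```

In the forward direction the add list drives CreateUser()/AddUserToGroup() and the modify list drives UpdateUser() and AddUserToGroup()/RemoveUserFromGroup(); reversed, the same lists drive ldapadd()/ldapmodify(). Either way, a delete should be the one step that is logged and gated before it runs.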