Get Closer to the Cloud with Federated Single Sign-On
Welcome
Maya Cabassi
Partner Marketing Manager
Amazon Web Services
Webinar Overview
Submit your questions using the Q&A tool.
A copy of today’s presentation will be made available on:
AWS SlideShare Channel @ http://www.slideshare.net/AmazonWebServices/
AWS Webinar Channel on YouTube @ http://www.youtube.com/channel/UCT-nPlVzJI-ccQXlxjSvJmw
Introducing
Ben Brauer, Sr. Product Manager, Amazon Web Services
Mark Diodati, Technical Director, Office of the CTO, Ping Identity
What We’ll Cover
• Overview of AWS Identity and Access Management (IAM)
• How to deploy Ping Identity Federated Single Sign-On in AWS
• Q&A
IAM is about Access Control
• One of customers’ top considerations when moving to the cloud: CONTROL
• Why do we want control?
– Appropriate access to do appropriate actions
– I want to implement security best practices
– I want to be at least as secure as on premises
– I must comply with certain industry-specific security regulations
IAM Concepts in AWS
• Create and manage users and groups
• Security
– Multiple users, each with individual permissions
– Individual security credentials (access keys, password, MFA)
– Secure by default
• Control
– Centralized control of user access
– Fine-grained permissions
– Control users’ access to APIs and the AWS Console
– Cross-account access
• Integrated
– No changes to service APIs
– Federated
Identity Management Concepts
IAM Users: administrators and consumers of AWS services and resources
Groups: a collection of IAM users and policy that applies to all the IAM users in the group
Examples
Bob can log into the AWS Management Console to administer his company’s account
IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production
Diagram (Managed Entities): Identity and Access Management splits into authentication, which answers “Who has access?” (IAM users and groups), and authorization, which answers “What can they do?” (access policies).
What is Identity Federation?
Diagram: “Who has access?” can be answered within AWS (IAM users) or by AWS plus partner solutions, where an external user is authenticated by an existing identity management solution.
Benefits of Identity Federation
• Eliminate managing duplicate user identities
• End users do not need yet another password to remember
• Leverage your existing investment in identity management solutions
• Re-use your internal identity management processes (e.g., password length, rotation, etc…)
Identity Management Concepts in AWS
IAM Users: administrators and consumers of AWS services and resources
Groups: a collection of IAM users and policy that applies to all the IAM users in the group
IAM Roles: grants a trusted party temporary access to your AWS account
Examples
Bob can log into the AWS Management Console to administer his company’s account
IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production
Diagram (Managed Entities): IAM users, groups, and roles. Granting access to an identity provider enables federated users to access the AWS Management Console.
Identity Federation Example
Diagram: a user authenticated against on-premises Active Directory logs into the AWS console without an IAM username and password.
AWS AND FEDERATION
Integrating AWS with External Identity Systems
IaaS and PaaS need love, too
Chart: as the number of deployments and users grows, IAM needs increase: more administrators, more end-user services, more services, and more organizational confidence required.
say wha?
• federation is an interoperable technology that provides single sign-on across security domains; it uses the Security Assertion Markup Language (SAML)
• the federation identity provider (IDP) authenticates users, gives them SSO (SAML) credentials, and redirects them to the federation SP
• the federation service provider (SP) accepts the user’s SAML credentials and creates user credentials for the local application
federation in action
Diagram: on premises, the federation IDP authenticates the user against LDAP and issues the SSO (SAML) assertion; the hosted SaaS application’s federation SP consumes it.
use cases
1) AWS IAM as federation SP (new!): accepts the user’s SAML credentials and creates AWS user credentials for access to services
2) federation IDP runs in an EC2 instance: authenticates users and gives them SAML credentials
3) federation SP runs in an EC2 instance: accepts SAML credentials and creates local credentials
federation: interfacing with AWS
Diagram: overview of the three integration patterns; the legend distinguishes default from possible paths.
Good Ole Days
Diagram: custom code on premises talks to the Amazon API over a proprietary connection with (mostly) non-web interaction; it must store IAM user keys and federated user keys, and looks users up in LDAP.
1) AWS as federation SP
Diagram: a commercial federation IDP on premises, backed by LDAP, sends SSO (SAML) to the security token service that resides in AWS; there is no storage of IAM user keys and no storage of federated user keys, and interaction is (mostly) web-based.
AWS federation SAML attributes
SAML subject name
  Description: the identifier of the authenticated user as asserted by the IDP
  Example: “uid=tstark,ou=people,o=cloudidentity.com”
Role
  Description: concatenation of two Amazon Resource Names (ARNs): the ARN of the AWS role carrying the entitlements for the federated user, and the ARN of the IAM SAML provider that represents the identity provider (the principal the role’s trust policy must name)
  Example: “arn:aws:iam::012323142877:role/S3-Users, arn:aws:iam::012323142877:saml-provider/PING-IDP”
Role Session Name
  Description: enables user-specific access policies for the federated user
  Example: “tstark”
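The checks behind the SP role described earlier (accept the user’s SAML credentials, then create AWS credentials) and the attribute table above, as an added example written for this page; it is not Ping Identity’s or AWS’s code. The assertion fragment and the role trust policy are constructed for illustration (the ARNs are the ones on the slide), and XML signature verification against the IDP certificate is assumed to have already passed, so it is not shown.

```python
"""Added example: what a SAML service provider in AWS's position must verify
before exchanging an assertion for temporary credentials. Not AWS or Ping code.
Assertion, trust policy and names are constructed; signature checking is omitted."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# IAM ARN of a role or SAML provider; group 1 = account id, group 2 = kind
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=,.@/-]+$")
# RoleSessionName: 2 to 64 characters from this set
SESSION_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed assertion fragment carrying the three attributes in the table.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>uid=tstark,ou=people,o=cloudidentity.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::012323142877:role/S3-Users,arn:aws:iam::012323142877:saml-provider/PING-IDP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>tstark</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed trust policy on S3-Users: only the PING-IDP provider may assume it,
# and only through AssumeRoleWithSAML for the AWS sign-in audience.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::012323142877:saml-provider/PING-IDP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def attribute_values(root, name):
    """All AttributeValue texts of the attribute called `name`."""
    return [v.text.strip()
            for a in root.iterfind(".//saml:Attribute", SAML_NS) if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", SAML_NS) if v.text]


def split_role_pair(value):
    """Split 'role-arn,provider-arn' into (role_arn, provider_arn).
    Keyed on ARN type rather than position, so a swapped pair still parses;
    both ARNs must belong to the same account. (A comma inside a role name
    would defeat the simple split; that case is not handled here.)"""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"Role value must be two comma-separated ARNs: {value!r}")
    found = {}
    for arn in parts:
        m = ARN_RE.match(arn)
        if not m:
            raise ValueError(f"malformed IAM ARN: {arn!r}")
        found[m.group(2)] = (arn, m.group(1))
    if set(found) != {"role", "saml-provider"}:
        raise ValueError(f"need one role ARN and one saml-provider ARN: {value!r}")
    (role_arn, role_acct), (prov_arn, prov_acct) = found["role"], found["saml-provider"]
    if role_acct != prov_acct:
        raise ValueError("role and SAML provider are in different accounts")
    return role_arn, prov_arn


def federated_principals(trust_policy):
    """SAML provider ARNs the trust policy allows to call AssumeRoleWithSAML."""
    allowed = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithSAML" not in _as_list(st.get("Action", [])):
            continue
        allowed.update(_as_list(st.get("Principal", {}).get("Federated", [])))
    return allowed


def authorize(assertion_xml, requested_role_arn, trust_policy):
    """Return the session parameters AWS would use, or raise ValueError: the
    requested role must be granted by the assertion, the role's trust policy
    must name the asserting provider, and the session name must be well formed."""
    root = ET.fromstring(assertion_xml)
    pairs = [split_role_pair(v) for v in attribute_values(root, ROLE_ATTR)]
    granted = [(r, p) for r, p in pairs if r == requested_role_arn]
    if not granted:
        raise ValueError(f"assertion does not grant {requested_role_arn}")
    role_arn, provider_arn = granted[0]
    if provider_arn not in federated_principals(trust_policy):
        raise ValueError(f"{role_arn} does not trust {provider_arn}")
    sessions = attribute_values(root, SESSION_ATTR)
    if len(sessions) != 1 or not SESSION_RE.match(sessions[0]):
        raise ValueError("RoleSessionName missing or malformed")
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "RoleSessionName": sessions[0],
            "Subject": root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML_NS)}


if __name__ == "__main__":
    print(authorize(ASSERTION, "arn:aws:iam::012323142877:role/S3-Users", TRUST_POLICY))
```

The point of pairing the role ARN with the provider ARN is that the role’s trust policy, not the assertion, decides who may assume it: an assertion from any other provider naming S3-Users is rejected even if it is otherwise well formed, and the Role Session Name is what ties the resulting temporary credentials back to “tstark” in policies and in CloudTrail.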
2) EC2 instance with federation IDP
Diagram: the federation IDP runs in a hosted EC2 instance alongside the application; an on-premises authentication partner supplies user authentication.
3) EC2 instance with federation SP
Diagram: the federation SP (with the application) runs in a hosted EC2 instance; the federation IDP stays on premises.
recommendations
• understand your AWS access requirements
– non-web access may be a challenge using federation technology
• don’t use the AWS (superuser) account for the IDP user
– otherwise, privilege and catastrophe await you
• carefully scope the access rights for your roles
– IAM IDP user role
– federated user role
sample integration
Diagram: sample integration of an EC2 instance with LDAP.
A Look Ahead: Cloud Identity Summit
www.cloudidentitysummit.com
Sessions:
• Jim Scharf: Identity Management for the Cloud
• Ben Brauer: Securing your AWS Environment
• Shon Shah: Delegating Access to your AWS Environment
• Conor Cahill: Federating Access to your AWS Environment
Contacts:
Ping Identity: https://www.pingidentity.com/
AWS: aws.amazon.com/contact-us
We appreciate your feedback on this presentation.
Please take a moment for a quick survey.