aws re:invent 2016: workshop: choose your own saml adventure: a self-directed journey to aws...
Post on 06-Jan-2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, AWS Professional Services
Balaji Iyer, AWS Professional Services
Rahul Sareen, AWS Professional Services
Zaher Dannawi, AWS Identity
November 29, 2016
SEC306
Workshop: Choose Your Own SAML Adventure
A Self-Directed Journey to AWS Identity Federation Mastery
What to expect from the session
• SAML for AWS: State of the Union
  • Federation rationale
  • Prior art & remaining challenges
• Collaborative hands-on exercise
  • Foundational → advanced
  • Non-linear progression
• Ask the AWS Federation Ninjas
  • Your own challenges
  • Your feedback & ideas
SAML for AWS: State of the Union
Federation rationale
Before               After                  Result
Unique credentials   Single sign-on (SSO)   Users
Long-lived keys      Short-term tokens      Security
One-off              Naturally aligned      Compliance
Prior art
Generally “known science”*:
• Basic federation with <insert your favorite identity provider here>
• SSO experience for AWS Management Console users.
• Federated access for AWS CLI/API.
*Compiled list within session materials
Remaining challenges
Option overload:
• Many accounts: direct federation or hub/spoke?
• Role mapping: groups, attributes, or a combination?
Solutions not yet widely published:
• Attribute-driven authorizations.
• Strong authentication techniques.
• Resource permissions for federated users.
Collaborative hands-on exercise & Ask the Experts
Collaborative hands-on exercise
Choose your own SAML adventure!
Initial path: open source or Microsoft?
1st hour: build initial federation setup
2nd hour: your choice of advanced use cases
Exercise architecture
[Architecture diagram: an instance with an Elastic IP (EIP) running the SAML IdP and user directory; the advanced use cases branch off the basic federation setup: Amazon S3 permissions, many AWS accounts, custom durations, MFA for SAML.]
Note: The IdP architecture represented here has been simplified to focus on the learning objectives. Not appropriate for production use.
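The prior-art and remaining-challenges slides above talk about federated CLI/API access, group-based role mapping, many accounts and custom durations without showing what an IdP actually has to put in the assertion. The following Python is an added example for this write-up, not code from the SEC306 slides or the lab materials: it shows the parsing a SAML-to-AWS CLI helper does on a SAMLResponse before calling AssumeRoleWithSAML, and one group-naming convention for mapping directory groups to roles in many accounts. The account IDs, the provider name "ADFS", the "AWS-<account>-<role>" group convention and the unsigned assertion are all constructed here and are assumptions, not AWS or IdP conventions.

```python
"""Added example: SAMLResponse parsing for AssumeRoleWithSAML plus a group-to-role
mapping for a hub/spoke multi-account layout. Everything below is constructed;
account IDs, provider name and group convention are assumptions."""
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"   # prefix of the AWS attributes
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Assumed group convention: AWS-<12-digit account>-<role name>. No comma in the
# role part, because AWS separates role ARN and provider ARN with a comma.
GROUP_RE = re.compile(r"^AWS-(\d{12})-([\w+=.@-]+)$")


def roles_from_groups(groups, provider_name):
    """Turn directory group names into Role attribute values.

    Each value is "<role ARN>,<provider ARN>"; the provider ARN is the SAML
    provider registered in the same account as the role, which is what lets one
    IdP serve many accounts. Groups outside the convention are skipped, not guessed.
    """
    values = []
    for group in groups:
        m = GROUP_RE.match(group)
        if m is None:
            continue
        account, role = m.groups()
        values.append(f"arn:aws:iam::{account}:role/{role},"
                      f"arn:aws:iam::{account}:saml-provider/{provider_name}")
    return values


def build_response(subject, role_values, session_duration=None):
    """Constructed, unsigned SAMLResponse (base64) carrying the AWS attributes.

    A real IdP signs the assertion and STS rejects anything whose signature does
    not verify against the registered provider; this builder only feeds the parser.
    """
    def attr(name, vals):
        body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        return f'<saml:Attribute Name="{AWS_ATTR}{name}" NameFormat="{URI_FMT}">{body}</saml:Attribute>'

    # RoleSessionName becomes part of the federated principal seen in CloudTrail,
    # so it should identify the person (UPN or e-mail), not a shared label.
    attrs = attr("Role", role_values) + attr("RoleSessionName", [subject])
    if session_duration is not None:
        attrs += attr("SessionDuration", [str(session_duration)])
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def parse_saml_response(saml_response_b64):
    """Extract what AssumeRoleWithSAML needs from a base64 SAMLResponse.

    Role values are accepted with role ARN and provider ARN in either order, as
    STS does; a value that is not exactly one role plus one provider is an error
    rather than a silently dropped option.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", SAML_NS):
        name = a.get("Name", "")
        if name.startswith(AWS_ATTR):
            attrs[name[len(AWS_ATTR):]] = [
                v.text or "" for v in a.iterfind("saml:AttributeValue", SAML_NS)]
    roles = []
    for value in attrs.get("Role", []):
        parts = [p.strip() for p in value.split(",")]
        role = [p for p in parts if ":role/" in p]
        provider = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles.append((role[0], provider[0]))
    duration = attrs.get("SessionDuration", [None])[0]
    return {
        "raw": saml_response_b64,
        "roles": roles,
        "session_name": attrs.get("RoleSessionName", [None])[0],
        "session_duration": int(duration) if duration else None,
    }


def assume_role_request(parsed, role_arn):
    """Keyword arguments for boto3's sts.assume_role_with_saml (no call is made).

    The call needs no AWS credentials: the assertion is the credential. The
    SessionDuration attribute is what the console sign-in endpoint reads; an API
    caller asks for a custom duration via DurationSeconds, so this helper copies
    the attribute across (its own choice). STS enforces the 900 second floor, the
    role's maximum session duration and the assertion's validity window.
    """
    providers = dict(parsed["roles"])
    if role_arn not in providers:
        raise ValueError(f"assertion does not offer {role_arn}")
    request = {"RoleArn": role_arn, "PrincipalArn": providers[role_arn],
               "SAMLAssertion": parsed["raw"]}
    if parsed["session_duration"] is not None:
        request["DurationSeconds"] = parsed["session_duration"]
    return request


if __name__ == "__main__":
    # Constructed sample: one user in two account-scoped groups plus a non-AWS group.
    groups = ["AWS-111111111111-ReadOnly", "Domain Users", "AWS-222222222222-Admin"]
    parsed = parse_saml_response(
        build_response("alice@example.com", roles_from_groups(groups, "ADFS"), 7200))
    for role_arn, provider_arn in parsed["roles"]:
        print(f"{role_arn}  via  {provider_arn}")
    print(assume_role_request(parsed, parsed["roles"][0][0]))
```

The point to notice for the many-accounts question is the provider ARN: it has to be the SAML provider registered in the spoke account that owns the role, so each account you federate into needs its own provider entry pointing at the same IdP metadata, and the group convention has to carry the account ID so the mapping can produce the right pair.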
Time for teamwork!
• Pair up (strangers only)
• Open source → stage left
• Microsoft → stage right
• Find a match: 8 ≤ total ≤ 12
Ask the Experts
• Your opportunity to tap into the collective federation knowledge of the Amazonians in the room.
• Runs parallel to the hands-on exercise.
• Submissions via email (details on the following slide):
  • Your name.
  • Your question/topic/feature request.
  • Your table number.
• We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked here as possible.
Lab materials
Let’s get started
Ask the Experts: federationworkshopreinvent2016@amazon.com (include: name, table, question)
http://bit.ly/2dBXMUq
Review and recap
• This slide is a placeholder.
• We will take 2-3 of the “Ask the Experts” submissions:
• Build a slide in the room for each
• Summarize the question
• Provide our perspective on how best to tackle
• 2-3 minutes max per question
Reference materials
• AWS Docs: About SAML 2.0-based Federation
• AWS Docs: Configuring SAML Assertions
• AWS Docs: Integrating 3rd Party SAML Providers
• AWS Security Blog: SAML API/CLI Solution
• AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough
• AWS Security Blog: ADFS How to
• AWS Security Blog: ADFS Multi-Account How to
• AWS Security Blog: AWS CloudTrail for Federated Users
Thank you!
Remember to complete your evaluations!