AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS...

Posted on 06-Jan-2017


TRANSCRIPT

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Quint Van Deman, AWS Professional Services

Balaji Iyer, AWS Professional Services

Rahul Sareen, AWS Professional Services

Zaher Dannawi, AWS Identity

November 29, 2016

SEC306

Workshop: Choose Your Own SAML Adventure

A Self-Directed Journey to AWS Identity Federation Mastery

What to expect from the session

SAML for AWS: State of the Union
• Federation rationale
• Prior art & remaining challenges

Collaborative hands-on exercise
• Foundational → advanced
• Non-linear progression

Ask the AWS Federation Ninjas
• Your own challenges
• Your feedback & ideas

SAML for AWS: State of the Union

Federation rationale

Before → After = Result:
• Users: Unique credentials → Single sign-on (SSO)
• Security: Long-lived keys → Short-term tokens
• Compliance: One-off → Naturally aligned

Prior art

Generally “known science”*:
• Basic federation with <insert your favorite identity provider here>
• SSO experience for AWS Management Console users.
• Federated access for AWS CLI/API.

*Compiled list within session materials

Remaining challenges

Option overload:
• Many accounts: direct federation or hub/spoke?
• Role mapping: groups, attributes, or a combination?

Solutions not yet widely published:
• Attribute-driven authorizations.
• Strong authentication techniques.
• Resource permissions for federated users.

Collaborative hands-on exercise & Ask the Experts

Collaborative hands-on exercise

Choose your own SAML adventure!

Initial path: Open source or Microsoft?
1st hour: Build initial federation setup
2nd hour: Your choice of advanced use cases

Exercise architecture

[Diagram: an instance with an EIP hosting the SAML IdP and user directory]

Note: The IdP architecture represented here has been simplified to focus on the learning objectives. Not appropriate for production use.

Advanced use cases (2nd hour):
• Amazon S3 permissions
• Many AWS accounts
• Custom durations
• MFA for SAML

Time for teamwork!

• Pair up (strangers only)
• Open source → Stage left
• Microsoft → Stage right
• Find a match: 8 ≤ Total ≤ 12

Ask the Experts

• Your opportunity to tap into the collective federation knowledge of the Amazonians in the room.
• Runs parallel to the hands-on exercise.
• Submissions via email (details on following slide):
  • Your name.
  • Your question/topic/feature request.
  • Your table number.
• We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked here as possible.

Lab materials: Let’s get started

Ask the Experts: federationworkshopreinvent2016@amazon.com (Include: name, table, question)

http://bit.ly/2dBXMUq

Review and recap

• This slide is a placeholder.
• We will take 2-3 of the “Ask the Experts” submissions:
  • Build a slide in the room for each
  • Summarize the question
  • Provide our perspective on how best to tackle it
  • 2-3 minutes max per question

Thank you!

Remember to complete your evaluations!
