(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014

Posted on 30-Jun-2015


DESCRIPTION

Amazon Web Services IAM has a cohesive set of features, including authentication, service and resource authorization, and privilege delegation. But how does AWS IAM interact with an organization's external identity management framework? In this session, we will look at the identity disciplines, including authorization, identity governance and administration (IGA), provisioning, authentication and single sign-on, and their associated standards like XACML, SCIM, SAML, OAuth, OpenID Connect, and FIDO. We will specify how these externalized identity functions can be integrated with AWS to deliver a cohesive organizational identity management framework. We will also cover real-world deployments of externalized identity systems with AWS.

TRANSCRIPT

• bidirectional on-premises gateway

• translates on-premises 1.0 identity protocols to cloud 2.0 protocols

• essential for most enterprises

IDaaS

• Identity Management as a Service

• externally-hosted, turnkey SaaS

• frequently used with an identity bridge

[Diagram: federation IDP to SaaS application (federation SP)]

• 2) SSO (SAML)

• Assertion

[Diagram: OAuth / OpenID Connect]

• OpenID Provider / OAuth authorization server

• relying party/client/app

• resource server: access token, refresh token, ID Token

• resource server #2: access token #2, refresh token #2

• OpenID Provider #2, app, ID Token #1

Attributes stored for each user: Path, Arn, LoginProfile, AccessKeyID, SecretAccessKey

Attribute                                  Retrieval Call
UserName, Path, CreateDate, UserId, Arn    ListUsers, GetUser
LoginProfile                               GetLoginProfile
AccessKeyID                                ListAccessKeys
SecretAccessKey                            (none)
VirtualMFADevice -> Serial Number (Arn)    ListVirtualMFADevices

[Diagram: on-premises Active Directory]

• domain joins

• user management

• Windows Group Policy

• user authentication

• native AD toolset

• users not in IAM store

• Identity stores

• IAM user

[Diagram: IAM user credentials]

• Console: username, password, MFA

• API: LT (long-term) Access Key ID and LT Secret Access Key, optionally with MFA, exchanged for ST (short-term) credentials: ST Access Key ID, ST Secret Access Key, ST SessionToken

• LT credentials vs. ST credentials

• Identity stores

• Federated user

[Diagram: federated user credentials]

• Console: external authn, SAML, ST credentials (ST Access Key ID, ST Secret Access Key, ST SessionToken / Security Token)

• API: external authn, ST credentials

• OpenID Connect: external authn, ID Token

[Diagram: IAM user / federated user flow through the Security Token Service]

• 1) AD authentication against the Windows user and policy store

• 2) Retrieve RoleSessionName

• 3) AssumeRole(), signed with the IAM user's LT credentials

• 4) ST credentials returned by the Security Token Service

• 5) Query() against AWS services / console

[Diagram: SAML SSO to the console]

• federation IDP

• 2) SAML SSO Assertion

• X.509 certificate bound to PrincipalArn

• federation SP

Attribute           Description
SAML subject name   Required for SAML
RoleArn             role for user entitlements
PrincipalArn        role of IDP in AWS
RoleSessionName     Enables user-specific auditing and access policies

[Diagram: SAML federation to AWS]

• federation IDP: 1) authentication; 2) authn, attributes; 3) assertion

• federation SP

• RoleArn, PrincipalArn

• ST credentials

[Diagram: OpenID Connect to AWS]

• OpenID Provider

• client/relying party/app (enterprise)

• ID Token

• ST credentials

• 5) Query()

• MFA

• Assertion

• SAML to AWS Management Console

• SAML to AWS API

• OpenID Connect to AWS

• External MFA to AWS

Provisioning service: sync identities from LDAP to the IAM store

[Flowchart: LDAP-to-IAM sync]

Sync:

• Begin sync

• Get LDAP users: ldapsearch()

• Get AWS users: ListUsers(), GetLoginProfile(), ListAccessKeys(), ListVirtualMFADevices()

• Reconcile LDAP users to AWS users: add users to the IAM store, delete users from the IAM store, modify users in the IAM store

• Map LDAP hierarchy to AWS Path attribute

• End sync

Add:

• Begin add

• CreateUser()

• AddUserToGroup() (multiple groups)

• CreateLoginProfile()

• CreateAccessKey()

• CreateVirtualMfaDevice(), EnableMfaDevice()

• Store Arn, AccessKeyID, LoginProfile CreateDate, MfaDevice Serial

• Distribute LT credentials to user

• Distribute MFA seed or create QR code PNG for user

• End add

Delete:

• Begin delete; DeleteUser(); End delete

Modify:

• Begin modify

• Hash LDAP and AWS user attributes; hashes match? Yes: End modify

• No: UpdateUser(), AddUserToGroup(), RemoveUserFromGroup(), UpdateLoginProfile(), CreateAccessKey()

• CreateVirtualMfaDevice(), EnableMfaDevice()

• Store Arn, LoginProfile CreateDate, AccessKeyID, MfaSerial

• Distribute LT credentials to user

• Distribute MFA seed or create QR code PNG for user

• End modify

[Diagram: on-premises directory holding user identities, user attributes, LT credentials, group memberships and MFA serial number]

• 1) authentication against the on-premises directory

• 2) LT credentials, TokenArn

• TokenCode

• 4) user attributes for authz (access)

Provisioning service: sync identities from the IAM store to LDAP

[Flowchart: IAM-to-LDAP sync]

Sync:

• Begin sync

• Get AWS users: ListUsers(), ListAccessKeys(), ListVirtualMFADevices()

• Get LDAP users: ldapsearch()

• Reconcile AWS users to LDAP users: add users to LDAP, delete users from LDAP, modify users in LDAP

• Map LDAP hierarchy to AWS Path attribute

• End sync

Add:

• Begin add

• CreateAccessKey()

• ListMfaDevices()

• Create or look up additional attributes

• Create LDAP user: ldapadd()

• Add user to LDAP groups: ldapmodify()

• End add

Delete:

• Begin delete; delete LDAP user: ldapdelete(); End delete

Modify:

• Begin modify

• Hash LDAP and AWS user attributes; hashes match? Yes: End modify

• No: AccessKeyID exist? No: CreateAccessKey()

• Modify user in LDAP: ldapmodify()

• Add/delete user in LDAP groups: ldapmodify()

• End modify
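Both sync flowcharts turn on the same reconcile step: hash the attributes held on each side, then add, delete or modify whichever users differ, mapping the LDAP OU hierarchy onto the IAM Path attribute. The following is an added example, not code from the talk, that implements that step in Python for the LDAP-to-IAM direction over constructed sample users; dn_to_iam_path, canonical and reconcile are hypothetical names, and the sample attribute set is a subset chosen for illustration.

```python
import hashlib
import json

# Constructed sample data, not from the talk. LDAP users are keyed by uid,
# IAM users by UserName; only attributes the sync is meant to own are kept.
LDAP_USERS = {
    "alice": {"dn": "uid=alice,ou=eng,ou=people,dc=example,dc=com",
              "mail": "alice@example.com", "groups": ["Developers", "Ops"]},
    "bob":   {"dn": "uid=bob,ou=sales,ou=people,dc=example,dc=com",
              "mail": "bob@example.com", "groups": ["Sales"]},
    "carol": {"dn": "uid=carol,ou=eng,ou=people,dc=example,dc=com",
              "mail": "carol@example.com", "groups": ["Developers"]},
}
IAM_USERS = {
    "alice": {"Path": "/people/eng/", "mail": "alice@example.com",
              "groups": ["Ops", "Developers"]},          # same, different order
    "bob":   {"Path": "/people/eng/", "mail": "bob@example.com",
              "groups": ["Sales"]},                      # moved OU: stale Path
    "dave":  {"Path": "/people/ops/", "mail": "dave@example.com",
              "groups": ["Ops"]},                        # no longer in LDAP
}

def dn_to_iam_path(dn):
    """Map the LDAP OU hierarchy of a DN to an IAM Path such as "/people/eng/".
    IAM Paths start and end with '/', so ou= components are taken most general
    first; the uid= leaf and dc= suffix are not part of the path."""
    ous = [rdn.split("=", 1)[1] for rdn in dn.split(",") if rdn.startswith("ou=")]
    return "/" + "/".join(reversed(ous)) + "/" if ous else "/"

def canonical(attrs):
    """Stable digest of the owned attributes: sorted keys and sorted group list,
    so only a real change (not ordering) yields a mismatch."""
    view = {"Path": attrs["Path"], "mail": attrs["mail"],
            "groups": sorted(attrs["groups"])}
    return hashlib.sha256(json.dumps(view, sort_keys=True).encode()).hexdigest()

def reconcile(ldap_users, iam_users):
    """Build the add / delete / modify plan, taking LDAP as the source of truth."""
    wanted = {uid: {"Path": dn_to_iam_path(u["dn"]), "mail": u["mail"],
                    "groups": u["groups"]} for uid, u in ldap_users.items()}
    plan = {"add": [], "delete": [], "modify": []}
    for uid in sorted(set(wanted) | set(iam_users)):
        if uid not in iam_users:
            plan["add"].append(uid)      # CreateUser, AddUserToGroup, ...
        elif uid not in wanted:
            plan["delete"].append(uid)   # DeleteUser
        elif canonical(wanted[uid]) != canonical(iam_users[uid]):
            plan["modify"].append(uid)   # UpdateUser, group add/remove, ...
    return plan
```

Swapping the two arguments and the attribute mapping gives the IAM-to-LDAP direction; the hash comparison is what keeps a nightly sync from rewriting users whose attributes have not actually changed.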

• Sync identities from the IAM store

• Federated SSO with Simple AD and Amazon EC2

[Diagram: domain trust between Simple AD and on-premises AD]

• Sync identities from the IAM store

• Sync identities from Simple AD

[Diagram: Simple AD with a SaaS federated IDP; 1) user authn on-premises; 2) user authn to the SaaS federated IDP]

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals
