(sec310) integrating aws with external identity management | aws re:invent 2014
DESCRIPTION
Amazon Web Services IAM has a cohesive set of features, including authentication, service and resource authorization, and privilege delegation. But how does AWS IAM interact with an organization's external identity management framework? In this session, we will look at the identity disciplines, including authorization, identity governance and administration (IGA), provisioning, authentication and single sign-on-and their associated standards like XACML, SCIM, SAML, OAuth, OpenID Connect, and FIDO. We will specify how these externalized identity functions can be integrated with AWS to deliver a cohesive organizational identity management framework. We will also cover real-world deployments of externalized identity systems with AWS.TRANSCRIPT
• bi-directional on-premises gateway
• translates on-premises 1.0 identity
protocols to cloud 2.0 protocols
• essential for most enterprises
IDaaS
• Identity Management as a Service
• externally-hosted, turnkey SaaS
• frequently used with an identity bridge
federation IDP
SaaS application
federation SP
2)
SS
O (
SA
ML
)
Assertion
resource server
ID Token refreshtoken
accesstoken
AR
A
OpenID ProviderOAuthauthorization server
relying party/client/app
resource server #2
refreshtoken #2
accesstoken #2
AR
A
OpenID Provider #2
app
ID Token
ID Token #1
Path Arn LoginProfile AccessKeyID SecretAccessKey
Attribute Retrieval Call
UserName Path CreateDate UserId Arn
ListUsers GetUser
LoginProfile GetLoginProfile
AccessKeyID ListAccessKeys
SecretAccessKey
VirtualMFADevice->Serial Number (Arn) ListVirtualMFADevices
domain joins
user management
Windows Group Policy
user authentication
native AD toolset
users not in IAM store
• Identity stores
• Federated user
Console
username
password
username
MFA
LT Access Key ID
LT Secret Access Key{
{}
}
APILT Access Key ID
LT Secret Access Key
MFA
ST Secret Access Key ID
ST SessionToken
LT Access Key ID
LT Secret Access Key
{{}
}
API
LT Access Key ID
LT Secret Access Key
LT Access Key ID
LT Secret Access Key
MFA
ST Secret Access Key ID
ST SessionToken
LT Access Key ID
LT Secret Access Key LT credentials
ST credentials
• Identity stores
• IAM user
Console
SAML
ST Secret Access Key ID
ST SessionToken
ST Security Token
external authn
external authn
Console
SAML
ST Secret Access Key ID
ST SessionToken
ST Security Token
external authn
external authn
ST credentials
{{}
}
API
ST credentials
external authn
OpenID Connect
ID Token
5) Query()3) AssumeRole()
2) Retrieve RoleSessionName
IAM userfederated user
1) AD
authentication
Windows user policy store
4) ST credentials LT credentials
Security Token
Services
console
federation IDP
2)
SA
ML S
SO
Assertion
X.509 certificate
Bound to PrincipalArn
federation SP
Attribute Description
SAML subject name Required for SAML
RoleArn role for user entitlements
PrincipalArn role of IDP in AWS
RoleSessionName Enables user-specific auditing and access policies
federation IDP
1) authentication
Assertion
2) authn, attributes
3) assertion
federation SP
RoleArn
PrincipalArn
ST credentials
ST credentials
ID Token
OpenID Provider
client/relying party/app
enterprise
5)
Qu
ery
()
ST credentials
ST credentials
ID token5
) Q
ue
ryST credentials
MFA
Assertion
• SAML to AWS Management Console
• SAML to AWS API
• OpenID Connect to AWS
• External MFA to AWS
prov.
service
Get LDAP usersldapsearch()
Begin sync
Get AWS users ListUsers()
GetLoginProfile()ListAccessKeys()ListVrtlMfaDvcs()
Reconcile LDAP users to AWS users
End syncAdd users to
IAM storeDelete users
from IAM storeModify users in IAM store
Map LDAP hierarchy to AWS Path
attribute
Begin add CreateAccessKey()
End add
Store Arn, AccessKeyID, LoginProfile CreateDate,
MfaDevice Serial
CreateUser()
AddUserToGroup()(multiple groups)
CreateVirtualMfaDevice()
EnableMfaDevice()
Distribute LT credentials to
user
Distribute MFASeed or
create QRCodePNG
for user
CreateLoginProfile()
Begin delete DeleteUser() End delete
Begin modify
End modify
UpdateUser()AddUserToGroup()RemUserFromGrp()
UpdateLoginProfile() CreateAccessKey()
No
Yes
Hashes match?Hash LDAP and AWS
user attributes
Store Arn, LoginProfile CrtDate,
AccessKeyID, MfaSerial
Distribute LT credentials to
user
Distribute MFASeed or
create QRCodePNG
for user
CreateVirtualMfaDevice()
EnableMfaDevice()
on-premises
directory
use
r ide
ntitie
s
user attributes
LT credentials
group memberships
MFA serial number
on-premises
directory
1) authentication
access4) user attributes for authz
2) LT credentials,TokenArn
LT credentials
TokenArn
TokenCode
TokenCode
Get AWS users ListUsers()
ListAccessKeys()ListVrtlMfaDvcs()
Begin sync
Get LDAP usersldapsearch()
Reconcile AWS users to LDAP users
End sync
Add users to LDAP
Delete users from LDAP
Modify users in LDAP
Map LDAP hierarchy to AWS Path
attribute
CreateAccessKey()Begin add
End addAdd user to LDAP
groupsldapmodify()
ListMfaDevices()Create LDAP user
ldapadd()Create or lookup
additional attributes
Begin deleteDelete LDAP user
ldapdelete()End delete
Begin modify
End modifyCreateAccessKey()
No
Yes
Hashes match?
Hash LDAP and AWS user attributes
AccessKeyID exist?
Modify user in LDAPldapmodify()
Add/delete user in LDAP groupsldapmodify()
No
Yes
• Sync Identities from IAM Store
• Federated SSO with Simple AD and Amazon EC2
domain trust
Simple AD on-premises
• Sync Identities from IAM Store
• Sync Identities from Simple AD
Simple AD
SaaSFederated IDP2) User authn
on-premises1
) u
se
r a
uth
n
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals