AWS Partner Webcast - Get Closer to the Cloud with Federated Single Sign-On

Bring the cloud closer to you and your customers by using your existing identity stores to access AWS services. Manage access to all of your cloud services and on-premises applications centrally. Join this webinar to learn how the Ping Identity platform offers federated single sign-on (SSO) to quickly and securely manage authentication of partners and customers through seamless integration with AWS Identity and Access Management service. You will also hear from Ping Identity partner and Amazon Web Services Customer, Geezeo, who will share best practices based on their experience.

What you'll learn:
• How the Ping Identity platform can be deployed simply and securely in Amazon EC2 adjacent to your offerings
• How any partner that can generate a SAML assertion can easily connect to AWS APIs while also continuing to manage its own customer identities
• How Geezeo has benefited from the Ping Identity platform’s seamless integration capabilities

Who should attend:
• Security and Identity professionals, Solution or System Architects, System Administrators, Development Leads and other Technical IT Leaders

  1. Get Closer to the Cloud with Federated Single Sign-On
  2. Welcome: Maya Cabassi, Partner Marketing Manager, Amazon Web Services
  3. Webinar Overview
     • Submit your questions using the Q&A tool.
     • A copy of today's presentation will be made available on the AWS SlideShare Channel (http://www.slideshare.net/AmazonWebServices/) and the AWS Webinar Channel on YouTube (http://www.youtube.com/channel/UCT-nPlVzJI-ccQXlxjSvJmw).
  4. Introducing: Ben Brauer, Sr. Product Manager, Amazon Web Services; Mark Diodati, Technical Director, Office of the CTO, Ping Identity
  5. What We'll Cover
     • Overview of AWS Identity and Access Management (IAM)
     • How to deploy Ping Identity Federated Single Sign-On in AWS
     • Q&A
  6. IAM is about Access Control
     • Control is one of customers' top considerations when moving to the cloud.
     • Why do we want control?
       – Appropriate access to do appropriate actions
       – I want to implement security best practices
       – I want to be at least as secure as on premises
       – I must comply with certain industry-specific security regulations
  7. IAM Concepts in AWS
     • Create and manage users and groups
     • Security
       – Multiple users, with individual permissions
       – Individual security credentials (access keys, password, MFA)
       – Secure by default
     • Control
       – Centralized control of user access
       – Fine-grained permissions
       – Control users' access to APIs and the AWS Console
       – Cross-account access
     • Integrated
       – No changes to service APIs
       – Federated
  8. Identity Management Concepts
     Managed entities:
     • IAM Users: administrators and consumers of AWS services and resources
     • Groups: a collection of IAM users and a policy that applies to all the IAM users in the group
     Examples:
     • Bob can log into the AWS Management Console to administer his company's account
     • IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production
  9. Identity and Access Management
     • Who has access? IAM Users/Groups (authentication)
     • What can they do? Access policies (authorization)
  10. What is Identity Federation?
     • Who has access? Within AWS: IAM users. External user authentication: identity management solutions (AWS + partner solutions)
  11. Benefits of Identity Federation
     • Eliminate managing duplicate user identities
     • End users do not need yet another password to remember
     • Leverage your existing investment in identity management solutions
     • Re-use your internal identity management processes (e.g., password length, rotation, etc.)
  12. Identity Management Concepts in AWS
     Managed entities:
     • IAM Users: administrators and consumers of AWS services and resources
     • Groups: a collection of IAM users and a policy that applies to all the IAM users in the group
     • IAM Roles: grant a trusted party temporary access to your AWS account
     Examples:
     • Bob can log into the AWS Management Console to administer his company's account
     • IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production
     • Grant access to an identity provider to enable federated users access to the AWS Management Console
  13. Identity Federation Example: Log into the AWS console without a username and password! (diagram: Active Directory as the identity source)
  14. AWS and Federation: Integrating AWS with External Identity Systems
  15. IaaS and PaaS need love, too (chart: number of deployments against number of users)
  16. Increased IAM needs: more deployments and users, more administrators, more end-user services, more services, organizational confidence
  17. Say wha? Federation
     • is an interoperable technology
     • provides single sign-on across security domains
     • uses Security Assertion Markup Language (SAML)
  18. Say wha? Federation identity provider (IdP)
     • authenticates users
     • gives users SSO (SAML) credentials
     • redirects users to the federation SP
  19. Say wha? Federation service provider (SP)
     • accepts the user's SAML credentials
     • creates user credentials for the local application
  20. Federation in action (diagram): a federation IdP hosted on-premises, backed by LDAP, sends SSO (SAML) credentials to the federation SP in front of the SaaS application
  21. Use cases
     1) AWS IAM as federation SP (new!): accepts the user's SAML credentials; creates AWS user credentials for access to services
     2) Federation IdP runs in an EC2 instance: authenticates users, gives SAML credentials
     3) Federation SP runs in an EC2 instance: accepts SAML credentials, creates local credentials
  22. Federation: interfacing with AWS (diagram of the default and the possible interfaces)
  23. Good Ole Days (diagram): custom code hosted on-premises talks to the Amazon API over a proprietary connection, stores IAM user keys and federated user keys, uses LDAP, and the interaction is (mostly) non-web
  24. 1) AWS as federation SP (diagram): a commercial federation IdP hosted on-premises; no storage of IAM user keys; no storage of federated user keys; the security token service resides in AWS; SSO (SAML); LDAP; (mostly) web interaction
  25. AWS federation SAML attributes
     • Subject: the SAML subject name, e.g. "uid=tstark,ou=people,o=cloudidentity.com"
     • Role: concatenation of two attributes, the Amazon Resource Name (ARN) of the AWS role with the entitlements for the federated user and the ARN of the AWS role with entitlements for the identity provider (in the example, the saml-provider ARN), e.g. "arn:aws:iam::012323142877:role/S3-Users,arn:aws:iam::012323142877:saml-provider/PING-IDP"
     • Role Session Name: enables user-specific access policies for the federated user, e.g. "tstark"
  26. 2) EC2 instance with federation IdP (diagram: an on-premises side, an EC2 instance hosting the IdP application, and the authentication partner)
  27. 3) EC2 instance with federation SP (diagram): the SP (with app) runs in an EC2 instance; the federation IdP is hosted on-premises
  28. Recommendations
     • Understand your AWS access requirements
       – Non-web access may be a challenge using federation technology
     • Don't use the AWS (superuser) account for the IdP user
       – Otherwise, privilege and catastrophe awaits you
     • Carefully scope the access rights for your roles
       – IAM IdP user role
       – Federated user role
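As an added example (not code from the webcast, from AWS or from Ping Identity), the following Python script parses the AWS SAML attributes described on slide 25 and applies the sanity checks an SP-side reviewer wants before trusting an assertion, in line with the recommendations above: both ARNs in the Role value must be a role and a saml-provider in the same account (the account root is not a role and is rejected), and the RoleSessionName must obey the length and character rules, because it ends up in the assumed-role ARN that CloudTrail records. The two attribute names are the ones AWS publishes; the account id, role and provider names are the slide's sample values; the regular expressions are simplifications (assumption: names contain no commas).

```python
import re

# Attribute names AWS defines for SAML federation.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# arn:aws:iam::<12-digit account>:<role|saml-provider>/<name or path/name>
# Simplification (assumption): names exclude ',' so the Role value can be
# split on the comma that separates the two ARNs.
ARN_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([A-Za-z0-9+=.@_/-]+)$"
)
# RoleSessionName: 2-64 characters from the permitted set.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{2,64}$")


class SamlAttributeError(ValueError):
    """Raised when an assertion's AWS attributes would not be accepted."""


def parse_role_attribute(value):
    """Split 'roleArn,providerArn' into (account_id, role_name, provider_name).

    The two ARNs are classified by resource type rather than by position, so
    either order is accepted. Anything that is not a role plus a saml-provider
    in one account (including arn:aws:iam::<acct>:root) is rejected.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise SamlAttributeError("Role attribute must contain exactly two ARNs: %r" % value)
    found = {}
    for part in parts:
        match = ARN_RE.match(part)
        if not match:
            raise SamlAttributeError("malformed or unsupported ARN: %r" % part)
        account, kind, name = match.groups()
        if kind in found:
            raise SamlAttributeError("two %s ARNs in one Role value" % kind)
        found[kind] = (account, name)
    role_account, role_name = found["role"]
    provider_account, provider_name = found["saml-provider"]
    if role_account != provider_account:
        raise SamlAttributeError("role and saml-provider are in different accounts")
    return role_account, role_name, provider_name


def find_problems(attributes):
    """Return the problems with one assertion's AWS attributes (empty list if OK).

    `attributes` maps attribute name -> list of values, as a SAML library
    hands them back; Role may be multi-valued (one role/provider pair per value).
    """
    problems = []
    for value in attributes.get(ROLE_ATTR, []):
        try:
            parse_role_attribute(value)
        except SamlAttributeError as exc:
            problems.append(str(exc))
    if not attributes.get(ROLE_ATTR):
        problems.append("no Role attribute")
    names = attributes.get(SESSION_NAME_ATTR, [])
    if len(names) != 1:
        problems.append("RoleSessionName must have exactly one value")
    elif not SESSION_NAME_RE.match(names[0]):
        problems.append("RoleSessionName %r violates the length/character rules" % names[0])
    return problems


def summarize_attributes(attributes):
    """Describe what the assertion maps to, including the assumed-role ARN
    CloudTrail records for the session (role path is not part of that ARN)."""
    problems = find_problems(attributes)
    if problems:
        raise SamlAttributeError("; ".join(problems))
    session_name = attributes[SESSION_NAME_ATTR][0]
    roles = []
    for value in attributes[ROLE_ATTR]:
        account, role_name, provider_name = parse_role_attribute(value)
        short_role = role_name.rsplit("/", 1)[-1]
        roles.append({
            "account": account,
            "role": role_name,
            "provider": provider_name,
            "assumed_role_arn": "arn:aws:sts::%s:assumed-role/%s/%s"
                                % (account, short_role, session_name),
        })
    return {"session_name": session_name, "roles": roles}


# Constructed sample using the values shown on slide 25.
SAMPLE_ATTRIBUTES = {
    ROLE_ATTR: ["arn:aws:iam::012323142877:role/S3-Users,"
                "arn:aws:iam::012323142877:saml-provider/PING-IDP"],
    SESSION_NAME_ATTR: ["tstark"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_attributes(SAMPLE_ATTRIBUTES), indent=2))
```

The assumed-role ARN in the summary is what a detection engineer should key on: a federated session shows up as arn:aws:sts::<account>:assumed-role/<role>/<RoleSessionName>, so a stable, user-specific RoleSessionName (as the slide recommends) is what makes CloudTrail activity attributable to a person rather than to the shared role.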
  29. Sample integration (diagram: EC2 instance with LDAP)
  30. A Look Ahead: Cloud Identity Summit (www.cloudidentitysummit.com)
     • Jim Scharf: Identity Management for the Cloud
     • Ben Brauer: Securing your AWS Environment
     • Shon Shah: Delegating Access to your AWS Environment
     • Conor Cahill: Federating Access to your AWS Environment
  31. Contacts: Ping Identity: https://www.pingidentity.com/; AWS: aws.amazon.com/contact-us
  32. We appreciate your feedback on this presentation. Please take a moment for a quick survey.