SlideShare a Scribd company logo

AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. Using SAML, you can configure your AWS accounts to integrate with your identity provider (IdP). Your federated users then are authenticated and authorized by your organization's IdP, and they can use single sign-on (SSO) to access AWS. In this workshop, you choose your own path through the exercises to direct yourself to the technologies and use cases that matter to you. We start by guiding you through deploying an IdP and configuring SAML federation for AWS, including federated CLI access. We will then continue to walk you through a number of advanced SAML use cases, including how to: Write S3 bucket policies for specific federated users. Use SAML attributes to enforce additional authorization requirements. Automate federation configurations across a large number of AWS accounts. Implement other advanced SAML use cases for AWS.

1 of 16
Download to read offline
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, AWS Professional Services
Balaji Iyer, AWS Professional Services
Rahul Sareen, AWS Professional Services
Zaher Dannawi, AWS Identity
November 29, 2016
SEC306
Workshop: Choose Your Own SAML Adventure
A Self-Directed Journey to AWS Identity Federation Mastery
What to expect from the session
SAML for AWS:
State of the Union
• Federation rationale
• Prior art & remaining
challenges
Collaborative
hands-on exercise
• Foundational →
advanced
• Non-linear progression
Ask the AWS
Federation Ninjas
• Your own challenges
• Your feedback & ideas
SAML for AWS:
State of the Union
Federation rationale
Before:
After:
Result:
Unique credentials
Single sign-on (SSO)
Long-lived keys
Short-term tokens
One-off
Naturally aligned
Users Security Compliance
Prior art
Generally “known science”*:
• Basic federation with <insert your
favorite identity provider here>
• SSO experience for AWS
Management Console users.
• Federated access for AWS
CLI/API.
*Compiled list within session materials
Remaining challenges
Option overload:
• Many accounts: direct
federation or hub/spoke?
• Role mapping: groups,
attributes, or a
combination?
Solutions not yet widely
published:
• Attribute-driven
authorizations.
• Strong authentication
techniques.
• Resource permissions for
federated users.
Ad

Recommended

Deep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksDeep Dive on Amazon Cognito - March 2017 AWS Online Tech Talks
Deep Dive on Amazon Cognito - March 2017 AWS Online Tech TalksAmazon Web Services
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
 
Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM Amazon Web Services
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 
Deep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksDeep Dive on AWS Single Sign-On - AWS Online Tech Talks
Deep Dive on AWS Single Sign-On - AWS Online Tech TalksAmazon Web Services
 

More Related Content

What's hot

Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar Amazon Web Services
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS OrganizationsAmazon Web Services
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Web Services
 
SRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationSRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Amazon CloudWatch - Observability and Monitoring
Amazon CloudWatch - Observability and MonitoringAmazon CloudWatch - Observability and Monitoring
Amazon CloudWatch - Observability and MonitoringRick Hwang
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3Yu Lun Teo
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 

What's hot (20)

Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
AWS Lambda
AWS LambdaAWS Lambda
AWS Lambda
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
 
AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar AWS Web Application Firewall and AWS Shield - Webinar
AWS Web Application Firewall and AWS Shield - Webinar
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS Organizations
 
Amazon S3 Masterclass
Amazon S3 MasterclassAmazon S3 Masterclass
Amazon S3 Masterclass
 
Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)Amazon Relational Database Service (Amazon RDS)
Amazon Relational Database Service (Amazon RDS)
 
SRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationSRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and Authorization
 
AWS Lambda Features and Uses
AWS Lambda Features and UsesAWS Lambda Features and Uses
AWS Lambda Features and Uses
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Amazon CloudWatch - Observability and Monitoring
Amazon CloudWatch - Observability and MonitoringAmazon CloudWatch - Observability and Monitoring
Amazon CloudWatch - Observability and Monitoring
 
Intro to Amazon S3
Intro to Amazon S3Intro to Amazon S3
Intro to Amazon S3
 
AWS Route53
AWS Route53AWS Route53
AWS Route53
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
Aws IAM
Aws IAMAws IAM
Aws IAM
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Deep Dive: Amazon RDS
Deep Dive: Amazon RDSDeep Dive: Amazon RDS
Deep Dive: Amazon RDS
 

Viewers also liked

AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...Amazon Web Services
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...Amazon Web Services
 
AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...
AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...
AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...Amazon Web Services
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...Amazon Web Services
 
AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...
AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...
AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...Amazon Web Services
 
Presentación Jaime Vela, PERU INCUBA
Presentación Jaime Vela, PERU INCUBAPresentación Jaime Vela, PERU INCUBA
Presentación Jaime Vela, PERU INCUBACOPEME
 
Proceedit 20130205 modelo de negocio para miembros
Proceedit 20130205 modelo de negocio para miembrosProceedit 20130205 modelo de negocio para miembros
Proceedit 20130205 modelo de negocio para miembrosAurora López García
 
Trabajo de compu
Trabajo de compuTrabajo de compu
Trabajo de compuMCGT
 
2008 Trends
2008 Trends2008 Trends
2008 TrendsTBledsoe
 
Natural Language Processing (NLP) Market - Information Technology Outlook (20...
Natural Language Processing (NLP) Market - Information Technology Outlook (20...Natural Language Processing (NLP) Market - Information Technology Outlook (20...
Natural Language Processing (NLP) Market - Information Technology Outlook (20...ResearchFox
 
Day2 sp5 2015-icgfm_miami conference_sawadogo_final_sp
Day2 sp5 2015-icgfm_miami conference_sawadogo_final_spDay2 sp5 2015-icgfm_miami conference_sawadogo_final_sp
Day2 sp5 2015-icgfm_miami conference_sawadogo_final_spicgfmconference
 
Innere Aufrüstung in der EU und Aktivismus im Netz: Chancen & Risiken
Innere Aufrüstung in der EU und Aktivismus im Netz: Chancen & RisikenInnere Aufrüstung in der EU und Aktivismus im Netz: Chancen & Risiken
Innere Aufrüstung in der EU und Aktivismus im Netz: Chancen & RisikenAktion Freiheit statt Angst e.V.
 
Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...
Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...
Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...Consejo Regulador DOP Azafrán de La Mancha
 
Minneapolis RiverCurrent 9-29-11
Minneapolis RiverCurrent 9-29-11Minneapolis RiverCurrent 9-29-11
Minneapolis RiverCurrent 9-29-11Mill City Times
 
Cisco UCCX használata külsős szoftverrel
Cisco UCCX használata külsős szoftverrelCisco UCCX használata külsős szoftverrel
Cisco UCCX használata külsős szoftverrelGloster telekom Kft.
 

Viewers also liked (20)

AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
AWS re:Invent 2016: Get the Most from AWS KMS: Architecting Applications for ...
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
 
AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...
AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...
AWS re:Invent 2016: Reduce Your Blast Radius by Using Multiple AWS Accounts P...
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
 
AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...
AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...
AWS re:Invent 2016: Cloud Monitoring - Understanding, Preparing, and Troubles...
 
Presentación Jaime Vela, PERU INCUBA
Presentación Jaime Vela, PERU INCUBAPresentación Jaime Vela, PERU INCUBA
Presentación Jaime Vela, PERU INCUBA
 
Proceedit 20130205 modelo de negocio para miembros
Proceedit 20130205 modelo de negocio para miembrosProceedit 20130205 modelo de negocio para miembros
Proceedit 20130205 modelo de negocio para miembros
 
Pais de Megha
Pais de MeghaPais de Megha
Pais de Megha
 
Capitulo 6
Capitulo  6Capitulo  6
Capitulo 6
 
Trabajo de compu
Trabajo de compuTrabajo de compu
Trabajo de compu
 
Lexpro Litigation Presentation
Lexpro Litigation PresentationLexpro Litigation Presentation
Lexpro Litigation Presentation
 
2008 Trends
2008 Trends2008 Trends
2008 Trends
 
Natural Language Processing (NLP) Market - Information Technology Outlook (20...
Natural Language Processing (NLP) Market - Information Technology Outlook (20...Natural Language Processing (NLP) Market - Information Technology Outlook (20...
Natural Language Processing (NLP) Market - Information Technology Outlook (20...
 
Day2 sp5 2015-icgfm_miami conference_sawadogo_final_sp
Day2 sp5 2015-icgfm_miami conference_sawadogo_final_spDay2 sp5 2015-icgfm_miami conference_sawadogo_final_sp
Day2 sp5 2015-icgfm_miami conference_sawadogo_final_sp
 
Pga 2012 2013
Pga 2012 2013Pga 2012 2013
Pga 2012 2013
 
Innere Aufrüstung in der EU und Aktivismus im Netz: Chancen & Risiken
Innere Aufrüstung in der EU und Aktivismus im Netz: Chancen & RisikenInnere Aufrüstung in der EU und Aktivismus im Netz: Chancen & Risiken
Innere Aufrüstung in der EU und Aktivismus im Netz: Chancen & Risiken
 
Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...
Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...
Presentación del Consejo Regulador DOP Azafrán de La Mancha utilizada en el c...
 
Minneapolis RiverCurrent 9-29-11
Minneapolis RiverCurrent 9-29-11Minneapolis RiverCurrent 9-29-11
Minneapolis RiverCurrent 9-29-11
 
Tabletak
TabletakTabletak
Tabletak
 
Cisco UCCX használata külsős szoftverrel
Cisco UCCX használata külsős szoftverrelCisco UCCX használata külsős szoftverrel
Cisco UCCX használata külsős szoftverrel
 

Similar to AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)

IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017Amazon Web Services
 
AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)
AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)
AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)Amazon Web Services
 
Querying and Analyzing Data in Amazon S3
Querying and Analyzing Data in Amazon S3Querying and Analyzing Data in Amazon S3
Querying and Analyzing Data in Amazon S3Amazon Web Services
 
AWS 201 - Development and Test on AWS Webinar
AWS 201 - Development and Test on AWS WebinarAWS 201 - Development and Test on AWS Webinar
AWS 201 - Development and Test on AWS WebinarAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Workshop: AWS Lamda Signal Corps vs Zombies
Workshop: AWS Lamda Signal Corps vs ZombiesWorkshop: AWS Lamda Signal Corps vs Zombies
Workshop: AWS Lamda Signal Corps vs ZombiesAmazon Web Services
 
Open Writing ! - Collaborative Authoring on Apache’s First Open-Source Cloud ...
Open Writing ! -	Collaborative Authoring on Apache’s First Open-Source Cloud ...Open Writing ! -	Collaborative Authoring on Apache’s First Open-Source Cloud ...
Open Writing ! - Collaborative Authoring on Apache’s First Open-Source Cloud ...Radhika Puthiyetath
 
Hacking Exposed EBS Volumes
Hacking Exposed EBS Volumes Hacking Exposed EBS Volumes
Hacking Exposed EBS Volumes Bishop Fox
 
Start building for voice with alexa
Start building for voice with alexaStart building for voice with alexa
Start building for voice with alexaEitan Sela
 
The iot acdemy_awstraining_part4_aws_lab
The iot acdemy_awstraining_part4_aws_labThe iot acdemy_awstraining_part4_aws_lab
The iot acdemy_awstraining_part4_aws_labThe IOT Academy
 
AWS Summit Auckland - Getting Started with AWS Lambda and the Serverless Cloud
AWS Summit Auckland - Getting Started with AWS Lambda and the Serverless CloudAWS Summit Auckland - Getting Started with AWS Lambda and the Serverless Cloud
AWS Summit Auckland - Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
What i-wish-i-knew-about-aws-certification
What i-wish-i-knew-about-aws-certificationWhat i-wish-i-knew-about-aws-certification
What i-wish-i-knew-about-aws-certificationAndrew Brown
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and securityErik Paulsson
 
AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013
AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013
AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013Amazon Web Services
 

Similar to AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306) (20)

IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017IAM Federation - Pop-up Loft TLV 2017
IAM Federation - Pop-up Loft TLV 2017
 
AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)
AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)
AWS re:Invent 2016: Workshop: Addressing Your Business Needs with AWS (ARC210)
 
Querying and Analyzing Data in Amazon S3
Querying and Analyzing Data in Amazon S3Querying and Analyzing Data in Amazon S3
Querying and Analyzing Data in Amazon S3
 
AWS 201 - Development and Test on AWS Webinar
AWS 201 - Development and Test on AWS WebinarAWS 201 - Development and Test on AWS Webinar
AWS 201 - Development and Test on AWS Webinar
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Workshop: AWS Lamda Signal Corps vs Zombies
Workshop: AWS Lamda Signal Corps vs ZombiesWorkshop: AWS Lamda Signal Corps vs Zombies
Workshop: AWS Lamda Signal Corps vs Zombies
 
Aws slides
Aws slidesAws slides
Aws slides
 
Aws slides
Aws slidesAws slides
Aws slides
 
Open Writing ! - Collaborative Authoring on Apache’s First Open-Source Cloud ...
Open Writing ! -	Collaborative Authoring on Apache’s First Open-Source Cloud ...Open Writing ! -	Collaborative Authoring on Apache’s First Open-Source Cloud ...
Open Writing ! - Collaborative Authoring on Apache’s First Open-Source Cloud ...
 
Deep Dive on AWS Lambda
Deep Dive on AWS LambdaDeep Dive on AWS Lambda
Deep Dive on AWS Lambda
 
Hacking Exposed EBS Volumes
Hacking Exposed EBS Volumes Hacking Exposed EBS Volumes
Hacking Exposed EBS Volumes
 
Masterclass - Amazon WorkSpaces
Masterclass - Amazon WorkSpacesMasterclass - Amazon WorkSpaces
Masterclass - Amazon WorkSpaces
 
Start building for voice with alexa
Start building for voice with alexaStart building for voice with alexa
Start building for voice with alexa
 
The iot acdemy_awstraining_part4_aws_lab
The iot acdemy_awstraining_part4_aws_labThe iot acdemy_awstraining_part4_aws_lab
The iot acdemy_awstraining_part4_aws_lab
 
AWS Summit Auckland - Getting Started with AWS Lambda and the Serverless Cloud
AWS Summit Auckland - Getting Started with AWS Lambda and the Serverless CloudAWS Summit Auckland - Getting Started with AWS Lambda and the Serverless Cloud
AWS Summit Auckland - Getting Started with AWS Lambda and the Serverless Cloud
 
What i-wish-i-knew-about-aws-certification
What i-wish-i-knew-about-aws-certificationWhat i-wish-i-knew-about-aws-certification
What i-wish-i-knew-about-aws-certification
 
Federation
FederationFederation
Federation
 
AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and security
 
AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013
AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013
AWS CloudFormation under the Hood (DMG303) | AWS re:Invent 2013
 
Federation
FederationFederation
Federation
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...DianaGray10
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...Fwdays
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...shaiyuvasv
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura RochniakFwdays
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor FesenkoFwdays
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
AI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvementAI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvementMimmo Squillace
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxharimaxwell0712
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 
Importance of magazines in education ppt
Importance of magazines in education pptImportance of magazines in education ppt
Importance of magazines in education pptsafnarafeek2002
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, TripadvisorProduct School
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsEvangelia Mitsopoulou
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfSafe Software
 

Recently uploaded (20)

Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions..."How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
"How we created an SRE team in Temabit as a part of FOZZY Group in conditions...
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre..."Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
"Journey of Aspiration: Unveiling the Path to Becoming a Technocrat and Entre...
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
AI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvementAI Act & Standardization: UNINFO involvement
AI Act & Standardization: UNINFO involvement
 
Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
Traffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptxTraffic Signboard Classification with Voice alert to the driver.pptx
Traffic Signboard Classification with Voice alert to the driver.pptx
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 
Importance of magazines in education ppt
Importance of magazines in education pptImportance of magazines in education ppt
Importance of magazines in education ppt
 
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner,  Challenge Like a VC by former CPO, TripadvisorAct Like an Owner,  Challenge Like a VC by former CPO, Tripadvisor
Act Like an Owner, Challenge Like a VC by former CPO, Tripadvisor
 
Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applications
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
 

AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)

  • 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quint Van Deman, AWS Professional Services Balaji Iyer, AWS Professional Services Rahul Sareen, AWS Professional Services Zaher Dannawi, AWS Identity November 29, 2016 SEC306 Workshop: Choose Your Own SAML Adventure A Self-Directed Journey to AWS Identity Federation Mastery
  • 2. What to expect from the session SAML for AWS: State of the Union • Federation rationale • Prior art & remaining challenges Collaborative hands-on exercise • Foundational → advanced • Non-linear progression Ask the AWS Federation Ninjas • Your own challenges • Your feedback & ideas
  • 3. SAML for AWS: State of the Union
  • 4. Federation rationale Before: After: Result: Unique credentials Single sign-on (SSO) Long-lived keys Short-term tokens One-off Naturally aligned Users Security Compliance
  • 5. Prior art Generally “known science”*: • Basic federation with <insert your favorite identity provider here> • SSO experience for AWS Management Console users. • Federated access for AWS CLI/API. *Compiled list within session materials
  • 6. Remaining challenges Option overload: • Many accounts: direct federation or hub/spoke? • Role mapping: groups, attributes, or a combination? Solutions not yet widely published: • Attribute-driven authorizations. • Strong authentication techniques. • Resource permissions for federated users.
  • 8. Collaborative hands-on exercise Choose your own SAML adventure! Initial Path: Open source or Microsoft? 1st hour: Build initial federation setup 2nd hour: Your choice of advanced use cases
  • 9. Exercise architecture Instance with EIP SAML IdP and user directory Note: The IdP architecture represented here has been simplified to focus on the learning objectives. Not appropriate for production use. Amazon S3 permissions Many AWS accounts Custom durations MFA for SAML
  • 10. Time for teamwork! Pair up Strangers only Open source → Stage left Microsoft → Stage right Find match: 8 ≤ Total ≤ 12 ?
  • 11. Ask the Experts • Your opportunity to tap into the collective federation knowledge of the Amazonians in the room. • Runs parallel to hands-on exercise. • Submissions via email (details on following slide): • Your name. • Your question/topic/feature request. • Your table number. • We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked here as possible.
  • 12. Lab materials Let’s get started Ask the Experts federationworkshopreinvent2016 @amazon.com (Include: name, table, question) http://bit.ly/2dBXMUq
  • 13. Review and recap • This slide is a placeholder. • We will take 2-3 of the “Ask the Experts” submissions: • Build a slide in the room for each • Summarize the question • Provide our perspective on how best to tackle • 2-3 minutes max per question
  • 14. Reference materials • AWS Docs: About SAML 2.0-based Federation • AWS Docs: Configuring SAML Assertions • AWS Docs: Integrating 3rd Party SAML Providers • AWS Security Blog: SAML API/CLI Solution • AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough • AWS Security Blog: ADFS How to • AWS Security Blog: ADFS Multi-Account How to • AWS Security Blog: AWS CloudTrail for Federated Users