Workshop: We love APIs
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Viewers also liked (20)
Similar to AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306) (20)
More from Amazon Web Services (20)
Recently uploaded (20)
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quint Van Deman, AWS Professional Services Balaji Iyer, AWS Professional Services Rahul Sareen, AWS Professional Services Zaher Dannawi, AWS Identity November 29, 2016 SEC306 Workshop: Choose Your Own SAML Adventure A Self-Directed Journey to AWS Identity Federation Mastery
- 2. What to expect from the session SAML for AWS: State of the Union • Federation rationale • Prior art & remaining challenges Collaborative hands-on exercise • Foundational → advanced • Non-linear progression Ask the AWS Federation Ninjas • Your own challenges • Your feedback & ideas
- 3. SAML for AWS: State of the Union
- 4. Federation rationale Before: After: Result: Unique credentials Single sign-on (SSO) Long-lived keys Short-term tokens One-off Naturally aligned Users Security Compliance
- 5. Prior art Generally “known science”*: • Basic federation with <insert your favorite identity provider here> • SSO experience for AWS Management Console users. • Federated access for AWS CLI/API. *Compiled list within session materials
- 6. Remaining challenges Option overload: • Many accounts: direct federation or hub/spoke? • Role mapping: groups, attributes, or a combination? Solutions not yet widely published: • Attribute-driven authorizations. • Strong authentication techniques. • Resource permissions for federated users.
- 7. Collaborative hands-on exercise & Ask the Experts
- 8. Collaborative hands-on exercise Choose your own SAML adventure! Initial Path: Open source or Microsoft? 1st hour: Build initial federation setup 2nd hour: Your choice of advanced use cases
- 9. Exercise architecture Instance with EIP SAML IdP and user directory Note: The IdP architecture represented here has been simplified to focus on the learning objectives. Not appropriate for production use. Amazon S3 permissions Many AWS accounts Custom durations MFA for SAML
- 10. Time for teamwork! Pair up Strangers only Open source → Stage left Microsoft → Stage right Find match: 8 ≤ Total ≤ 12 ?
- 11. Ask the Experts • Your opportunity to tap into the collective federation knowledge of the Amazonians in the room. • Runs parallel to hands-on exercise. • Submissions via email (details on following slide): • Your name. • Your question/topic/feature request. • Your table number. • We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked here as possible.
- 12. Lab materials Let’s get started Ask the Experts federationworkshopreinvent2016 @amazon.com (Include: name, table, question) http://bit.ly/2dBXMUq
- 13. Review and recap • This slide is a placeholder. • We will take 2-3 of the “Ask the Experts” submissions: • Build a slide in the room for each • Summarize the question • Provide our perspective on how best to tackle • 2-3 minutes max per question
- 14. Reference materials • AWS Docs: About SAML 2.0-based Federation • AWS Docs: Configuring SAML Assertions • AWS Docs: Integrating 3rd Party SAML Providers • AWS Security Blog: SAML API/CLI Solution • AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough • AWS Security Blog: ADFS How to • AWS Security Blog: ADFS Multi-Account How to • AWS Security Blog: AWS CloudTrail for Federated Users
- 15. Thank you!
- 16. Remember to complete your evaluations!
