
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. Using SAML, you can configure your AWS accounts to integrate with your identity provider (IdP). Your federated users then are authenticated and authorized by your organization's IdP, and they can use single sign-on (SSO) to access AWS.

In this workshop, you choose your own path through the exercises to direct yourself to the technologies and use cases that matter to you. We start by guiding you through deploying an IdP and configuring SAML federation for AWS, including federated CLI access. We will then continue to walk you through a number of advanced SAML use cases, including how to:

Write S3 bucket policies for specific federated users.
Use SAML attributes to enforce additional authorization requirements.
Automate federation configurations across a large number of AWS accounts.
Implement other advanced SAML use cases for AWS.
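The federated CLI path mentioned above, and the "custom durations" case later in the deck, both hinge on the same step: a client decodes the SAMLResponse the IdP posts and reads the AWS-specific attributes before calling STS AssumeRoleWithSAML. The parser below is an added example, not part of the session materials or any AWS tool; the account id 111122223333, the provider name CorpIdP and the user alice@example.com are constructed, the assertion is stripped of its Subject, Conditions and Signature, and the 900-43200 second window is the documented range for the SessionDuration attribute.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ATTR = "https://aws.amazon.com/SAML/Attributes/"

# Constructed sample assertion: hypothetical account 111122223333 and IdP "CorpIdP".
# A real one also carries Subject, Conditions and an XML Signature that STS verifies.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/CorpIdP</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::111122223333:saml-provider/CorpIdP,arn:aws:iam::111122223333:role/Admin</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml2:AttributeValue>7200</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
# The IdP posts the assertion base64-encoded in the SAMLResponse form field.
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_ASSERTION.encode()).decode()


def parse_saml_response(saml_response_b64):
    """Return the AWS attributes a federated CLI needs before calling AssumeRoleWithSAML:
    {"roles": [(role_arn, provider_arn), ...], "session_name": str, "duration": int}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR):
            attrs[name[len(AWS_ATTR):]] = [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text]
    roles = []
    for value in attrs.get("Role", []):
        # Each value is "role ARN,saml-provider ARN"; AWS accepts either order, so match on ARN type.
        parts = [p.strip() for p in value.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if len(parts) != 2 or role is None or provider is None:
            raise ValueError("malformed Role attribute value: %r" % value)
        roles.append((role, provider))
    if not roles or not attrs.get("RoleSessionName"):
        raise ValueError("Role and RoleSessionName are both required for federation")
    duration = int(attrs.get("SessionDuration", ["3600"])[0])  # optional; AWS defaults to one hour
    if not 900 <= duration <= 43200:  # documented bounds for the SessionDuration attribute
        raise ValueError("SessionDuration %d seconds is outside 900-43200" % duration)
    return {"roles": roles, "session_name": attrs["RoleSessionName"][0], "duration": duration}
```

With two Role values the user must pick one before calling STS, which is exactly the prompt the federated CLI tooling shows; rejecting an assertion without RoleSessionName up front avoids an opaque STS error later.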


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Quint Van Deman, AWS Professional Services; Balaji Iyer, AWS Professional Services; Rahul Sareen, AWS Professional Services; Zaher Dannawi, AWS Identity. November 29, 2016. SEC306 Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery
  2. What to expect from the session. SAML for AWS: State of the Union • Federation rationale • Prior art & remaining challenges. Collaborative hands-on exercise • Foundational → advanced • Non-linear progression. Ask the AWS Federation Ninjas • Your own challenges • Your feedback & ideas
  3. SAML for AWS: State of the Union
  4. Federation rationale (before → after). Users: unique credentials → single sign-on (SSO). Security: long-lived keys → short-term tokens. Compliance: one-off → naturally aligned.
  5. Prior art. Generally “known science”*: • Basic federation with <insert your favorite identity provider here> • SSO experience for AWS Management Console users • Federated access for AWS CLI/API. *Compiled list within session materials
  6. Remaining challenges. Option overload: • Many accounts: direct federation or hub/spoke? • Role mapping: groups, attributes, or a combination? Solutions not yet widely published: • Attribute-driven authorizations • Strong authentication techniques • Resource permissions for federated users
  7. Collaborative hands-on exercise & Ask the Experts
  8. Collaborative hands-on exercise: choose your own SAML adventure! Initial path: open source or Microsoft? 1st hour: build the initial federation setup. 2nd hour: your choice of advanced use cases
  9. Exercise architecture: an instance with an EIP running the SAML IdP and user directory. Note: the IdP architecture represented here has been simplified to focus on the learning objectives and is not appropriate for production use. Also shown: Amazon S3 permissions • Many AWS accounts • Custom durations • MFA for SAML
  10. Time for teamwork! Pair up (strangers only). Open source → stage left; Microsoft → stage right. Find match: 8 ≤ Total ≤ 12 ?
  11. Ask the Experts • Your opportunity to tap into the collective federation knowledge of the Amazonians in the room. • Runs parallel to the hands-on exercise. • Submissions via email (details on the following slide): your name, your question/topic/feature request, your table number. • We will answer what we can in the room, and follow up with an AWS Security Blog post before the end of December addressing as many of the questions asked here as possible.
  12. Lab materials: let’s get started. Ask the Experts: federationworkshopreinvent2016 (include: name, table, question)
  13. Review and recap • This slide is a placeholder. • We will take 2-3 of the “Ask the Experts” submissions: build a slide in the room for each, summarize the question, and provide our perspective on how best to tackle it. • 2-3 minutes max per question
  14. Reference materials • AWS Docs: About SAML 2.0-based Federation • AWS Docs: Configuring SAML Assertions • AWS Docs: Integrating 3rd Party SAML Providers • AWS Security Blog: SAML API/CLI Solution • AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough • AWS Security Blog: ADFS How to • AWS Security Blog: ADFS Multi-Account How to • AWS Security Blog: AWS CloudTrail for Federated Users
  15. Thank you!
  16. Remember to complete your evaluations!