(SEC310) Integrating AWS with External Identity Management | AWS re:Invent 2014

Amazon Web Services IAM has a cohesive set of features, including authentication, service and resource authorization, and privilege delegation. But how does AWS IAM interact with an organization's external identity management framework? In this session, we will look at the identity disciplines, including authorization, identity governance and administration (IGA), provisioning, authentication and single sign-on, and their associated standards like XACML, SCIM, SAML, OAuth, OpenID Connect, and FIDO. We will specify how these externalized identity functions can be integrated with AWS to deliver a cohesive organizational identity management framework. We will also cover real-world deployments of externalized identity systems with AWS.


  1. • bi-directional on-premises gateway • translates on-premises 1.0 identity protocols to cloud 2.0 protocols • essential for most enterprises; IDaaS • Identity Management as a Service • externally-hosted, turnkey SaaS • frequently used with an identity bridge
  2. federation IDP; SaaS application; federation SP; 2) SSO (SAML); Assertion
  3. resource server; ID Token; refresh token; access token; A R A; OpenID Provider; OAuth authorization server; relying party/client/app
  4. resource server #2; refresh token #2; access token #2; A R A; OpenID Provider #2; app; ID Token; ID Token #1
  5. Path; Arn; LoginProfile; AccessKeyID; SecretAccessKey. Attribute -> Retrieval Call: UserName, Path, CreateDate, UserId, Arn -> ListUsers, GetUser; LoginProfile -> GetLoginProfile; AccessKeyID -> ListAccessKeys; SecretAccessKey -> (none listed); VirtualMFADevice -> Serial Number (Arn) -> ListVirtualMFADevices
  6. domain joins; user management; Windows Group Policy; user authentication; native AD toolset; users not in IAM store
  7. • Identity stores • Federated user
  8. Console; username; password; username; MFA
  9. LT Access Key ID; LT Secret Access Key; API; LT Access Key ID; LT Secret Access Key; MFA; ST Secret Access Key ID; ST SessionToken; LT Access Key ID; LT Secret Access Key
  10. API; LT Access Key ID; LT Secret Access Key; LT Access Key ID; LT Secret Access Key; MFA; ST Secret Access Key ID; ST SessionToken; LT Access Key ID; LT Secret Access Key; LT credentials; ST credentials
  11. • Identity stores • IAM user
  12. Console; SAML; ST Secret Access Key ID; ST SessionToken; ST Security Token; external authn; external authn
  13. Console; SAML; ST Secret Access Key ID; ST SessionToken; ST Security Token; external authn; external authn; ST credentials
  14. API; ST credentials; external authn; OpenID Connect; ID Token
  15. 1) AD authentication; 2) Retrieve RoleSessionName; 3) AssumeRole(); 4) ST credentials; 5) Query(); federated user; IAM user; Windows user policy store; LT credentials; Security Token Services
  16. console; federation IDP; 2) SAML SSO Assertion; X.509 certificate bound to PrincipalArn; federation SP. Attribute -> Description: SAML subject name -> Required for SAML; RoleArn -> role for user entitlements; PrincipalArn -> role of IDP in AWS; RoleSessionName -> Enables user-specific auditing and access policies
  17. federation IDP; 1) authentication; 2) authn, attributes; 3) assertion; Assertion; federation SP; RoleArn; PrincipalArn; ST credentials; ST credentials
  18. ID Token; OpenID Provider; client/relying party/app; enterprise; 5) Query(); ST credentials; ST credentials
  19. ID token; 5) Query; ST credentials; MFA; Assertion
  20. • SAML to AWS Management Console • SAML to AWS API • OpenID Connect to AWS • External MFA to AWS
  21. prov. service
  22. Begin sync; Get LDAP users: ldapsearch(); Get AWS users: ListUsers(), GetLoginProfile(), ListAccessKeys(), ListVrtlMfaDvcs(); Reconcile LDAP users to AWS users; Add users to IAM store; Delete users from IAM store; Modify users in IAM store; Map LDAP hierarchy to AWS Path attribute; End sync
  23. Begin add; CreateUser(); AddUserToGroup() (multiple groups); CreateLoginProfile(); CreateAccessKey(); CreateVirtualMfaDevice(); EnableMfaDevice(); Store Arn, AccessKeyID, LoginProfile CreateDate, MfaDevice Serial; Distribute LT credentials to user; Distribute MFA Seed or create QRCode PNG for user; End add
  24. Begin delete; DeleteUser(); End delete
  25. Begin modify; Hash LDAP and AWS user attributes; Hashes match? No / Yes; UpdateUser(); AddUserToGroup(); RemUserFromGrp(); UpdateLoginProfile(); CreateAccessKey(); CreateVirtualMfaDevice(); EnableMfaDevice(); Store Arn, LoginProfile CrtDate, AccessKeyID, MfaSerial; Distribute LT credentials to user; Distribute MFA Seed or create QRCode PNG for user; End modify
  26. on-premises directory; user identities; user attributes; LT credentials; group memberships; MFA serial number
  27. on-premises directory; 1) authentication; access; 4) user attributes for authz; 2) LT credentials, TokenArn; LT credentials; TokenArn; TokenCode; TokenCode
  28. Begin sync; Get AWS users: ListUsers(), ListAccessKeys(), ListVrtlMfaDvcs(); Get LDAP users: ldapsearch(); Reconcile AWS users to LDAP users; Add users to LDAP; Delete users from LDAP; Modify users in LDAP; Map LDAP hierarchy to AWS Path attribute; End sync
  29. Begin add; Create LDAP user: ldapadd(); Add user to LDAP groups: ldapmodify(); Create or lookup additional attributes; CreateAccessKey(); ListMfaDevices(); End add
  30. Begin delete; Delete LDAP user: ldapdelete(); End delete
  31. Begin modify; Hash LDAP and AWS user attributes; Hashes match? No / Yes; AccessKeyID exist? No / Yes; CreateAccessKey(); Modify user in LDAP: ldapmodify(); Add/delete user in LDAP groups: ldapmodify(); End modify
  32. • Sync Identities from IAM Store • Federated SSO with Simple AD and Amazon EC2
  33. domain trust; Simple AD; on-premises
  34. • Sync Identities from IAM Store • Sync Identities from Simple AD
  35. Simple AD; 2) User authn; Federated IDP; SaaS; on-premises; 1) user authn
  36. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals
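The sync flow in slides 22-25 (LDAP to IAM store) and its mirror in slides 28-31 (IAM store to LDAP) is, at its core, a reconciliation: fetch both sides, hash the attributes the sync owns, and classify every user as add, delete or modify. The Python below is an added example and not code from the deck: the LDAP and IAM records are constructed inline in place of ldapsearch() and ListUsers()/group lookups, the OU-to-Path mapping is one assumed reading of "Map LDAP hierarchy to AWS Path attribute", and iam_calls only lists the IAM actions the job would issue, without calling AWS.

```python
import hashlib
import json

# Constructed sample data standing in for ldapsearch() results: uid -> DN and groups.
LDAP_USERS = {
    "alice": {"dn": "uid=alice,ou=eng,ou=people,dc=example,dc=com", "groups": ["eng", "admins"]},
    "bob": {"dn": "uid=bob,ou=sales,ou=people,dc=example,dc=com", "groups": ["sales"]},
    "carol": {"dn": "uid=carol,ou=eng,ou=people,dc=example,dc=com", "groups": ["eng"]},
}
# Constructed sample data standing in for the IAM side (ListUsers() plus group lookups).
AWS_USERS = {
    "alice": {"Path": "/people/eng/", "Groups": ["eng"]},
    "bob": {"Path": "/people/sales/", "Groups": ["sales"]},
    "dave": {"Path": "/people/ops/", "Groups": ["ops"]},
}
# IAM actions named on the add / modify / delete slides, in slide order (dry run only).
ADD_CALLS = ["CreateUser", "AddUserToGroup", "CreateLoginProfile", "CreateAccessKey",
             "CreateVirtualMFADevice", "EnableMFADevice"]
MODIFY_CALLS = ["UpdateUser", "AddUserToGroup", "RemoveUserFromGroup", "UpdateLoginProfile"]
DELETE_CALLS = ["DeleteUser"]  # keys, login profile, MFA and group memberships go first

def dn_to_path(dn):
    """Assumed mapping: the OU hierarchy of an LDAP DN becomes the IAM Path, e.g. /people/eng/."""
    ous = [p.split("=", 1)[1] for p in dn.split(",") if p.lower().startswith("ou=")]
    return "/" + "/".join(reversed(ous)) + "/"

def attr_hash(path, groups):
    """Hash the synced attributes canonically so a change on either side is a hash mismatch."""
    canon = json.dumps({"Path": path, "Groups": sorted(groups)}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def reconcile(ldap_users, aws_users):
    """Classify each user: missing in IAM -> add, missing in LDAP -> delete, hash differs -> modify."""
    plan = {"add": [], "delete": [], "modify": []}
    for name in sorted(set(ldap_users) | set(aws_users)):
        if name not in aws_users:
            plan["add"].append(name)
        elif name not in ldap_users:
            plan["delete"].append(name)
        else:
            want = attr_hash(dn_to_path(ldap_users[name]["dn"]), ldap_users[name]["groups"])
            have = attr_hash(aws_users[name]["Path"], aws_users[name]["Groups"])
            if want != have:  # unchanged users are skipped, which keeps the sync idempotent
                plan["modify"].append(name)
    return plan

def iam_calls(plan):
    """Dry run: the IAM API actions the sync would issue for each planned change."""
    table = {"add": ADD_CALLS, "modify": MODIFY_CALLS, "delete": DELETE_CALLS}
    return [f"{api}({name})" for kind, names in plan.items() for name in names for api in table[kind]]
```

Reviewing the dry-run output before letting the job issue CreateAccessKey() or DeleteUser() is the point of separating reconcile from iam_calls.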
