AWS offers customers multiple solutions for federating identities on the AWS Cloud. In this session, we will embark on a tour of these solutions and the use cases they support. Along the way, we will dive deep with demonstrations and best practices to help you be successful managing identies on the AWS Cloud. We will cover how and when to use Security Assertion Markup Language 2.0 (SAML), OpenID Connect (OIDC), and other AWS native federation mechanisms. You will learn how these solutions enable federated access to the AWS Management Console, APIs, and CLI, AWS Infrastructure and Managed Services, your web and mobile applications running on the AWS Cloud, and much more.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q u i n t V a n D e m a n
B u s i n e s s D e v e l o p m e n t M a n a g e r ,
I d e n t i t y & D i r e c t o r y S e r v i c e s
S I D 3 4 4
Soup to Nuts: Identity Federation for AWS
November 27, 2017

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build consistent
vernacular and mental
model
Tour the major
federation bridges
across AWS
Fun and lively session
with demos
Links to key content
and patterns
What to expect
(C) Copyright Jean-Remy Duboc and licensed for reuse
under the Creative Commons Attribution-Generic 2.0
License
By Adam.J.W.C. (Own work) [CC BY 3.0
(http://creativecommons.org/licenses/by/3.0], via
Wikimedia Commons

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Building a consistent vernacular and
mental model

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What do we mean when we say
“federation”?

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
I d e n t i t y c o n s u m e r sI d e n t i t y p r o v i d e r s
Definition (for today)
Stores
identities
Authentication Authorization
(Coarse)
Authorization
(Fine)
Trust
Stores
references
Protocols
No Sync

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rationale
Users Security Compliance
Before
After
Unique credentials
1:Many reuse
Credentials everywhere
Centrally managed
Bespoke
Unified
Result

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understanding planes of access
Amazon EC2
Control plane—AWS API
(e.g. ec2:StartInstance)
Data plane—Amazon VPC
connection (e.g., SSH, RDP)
Different:
• Paths
• Credentials
• Protocols

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understanding planes of access
Amazon
DynamoDB
Control plane—AWS API
(e.g. dynamodb:CreateTable)
Data plane—AWS API
(e.g. dynamodb:GetItem)
Same:
• Path
• Credential
• Protocol

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mental model
Evaluation SelectionUse cases Blueprints

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bridge #1: Security assertion markup
language (SAML)

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML primer
Service provider
(SP)
Metadata (in advance)
Assertion
Identity provider
(IdP)
AuthN &
AuthZ
User

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML federation
SAML
Internal
AD
SAML IdP
Amazon Cognito
Console API CLI Data plane APIs

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML federation
Demonstrations

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML demo review
Amazon S3
permissions
Many AWS accounts
Custom
durations
MFA for
SAML
http://bit.ly/2dBXMUq
SAML federation for the
AWS Management Console,
APIs, and CLI
Self-paced
workshop materials
(all this and much more)

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML demo review
SAML federation for an Amazon Cognito-
enabled web application and custom API
(using Amazon API Gateway)
Amazon Cognito documentation
(includes sample code)
http://amzn.to/2wSH4IC
CloudFront Amazon S3 SPA
Amazon Cognito
Amazon Cognito
SAML IdP Assertion
Tokens API Gateway
(Chalice)

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAML federation
SAML
Internal
AD
SAML IdP
Amazon Cognito
Console API CLI Data plane APIs
Amazon
Redshift
Amazon RDS
(Aurora, MySQL)
Amazon
QuickSight
Amazon
AppStream
SaaS Apps (Outside AWS)

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bridge #2: OpenID Connect (OIDC)

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OIDC primer
Relying Party
(RP)
Metadata & Registration (in advance)
Tokens
OpenID provider
(OP)
User
AuthN &
AuthZ

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OIDC federation
SAML
OIDC
OIDCExternal
Internal
AD
OIDC OP
SAML IdP
Amazon Cognito
Amazon
Redshift
Amazon RDS
(Aurora, MySQL)
Amazon
QuickSight
Amazon
AppStream
Apps
Data plane APIs
SaaS Apps (Outside AWS)
Console API CLI

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OIDC federation
Demonstrations

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OIDC demo review
OIDC federation for an Amazon Cognito-
enabled web app and custom API (using
Amazon API Gateway)
Amazon Cognito documentation
(includes sample code)
CloudFront Amazon S3 SPA
Amazon Cognito
Amazon Cognito
OP
Tokens API Gateway
(Chalice)
Tokens http://amzn.to/2wSH4IC

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OIDC demo review
OIDC federation for an Amazon Cognito-
enabled backend application and external API
Amazon Cognito documentation
Cognito Tokens
Systems Manager
Parameter Store
External API
http://amzn.to/2grl7NV

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Cognito: Related session
For even more details and demonstrations, check out:
SID332 11/30/17 (Thursday) 1:45 PM—MGM, Level 3, Premiere Ballroom 314
Identity Management for Your Users and Apps:
A Deep Dive on Amazon Cognito

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bridge #3: Active Directory trust
with Kerberos

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD trust/Kerberos primer
On-premises
Active Directory
Domain Controller
AWS Directory Service
For Microsoft Active Directory
Kerberos-enabled
resource
AD Forest Trust Domain Join
User Group
Add group membership

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD trust
SAML
OIDC
OIDC
AD Trust
External
Internal
AD
OIDC OP
SAML IdP
Amazon Cognito
Amazon
Redshift
Amazon RDS
(Aurora, MySQL)
Amazon
QuickSight
Amazon
AppStream
Apps
Data plane APIs
Windows/
Amazon EC2
Amazon
WorkSpaces
Amazon RDS
(SQL Server)
Amazon
WorkDocs
Amazon
WorkMail
SaaS Apps (Outside AWS)
Console API CLI

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD trust: Related sessions
For demonstrations, check out these related sessions:
WIN311 11/28/17 (Tuesday) 1:00 PM—MGM, Level 3, Premiere 301
Unified Access Management with AWS Managed Services for Microsoft
Active Directory
WIN403 11/30/17 (Thursday) 3:15 PM—MGM, Level 1, Grand Ballroom 113
AWS Directory Service for Microsoft Active Directory Deep Dive

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD trust details for Windows/Amazon EC2
Use on-premises AD identities for
authentication and authorization in
Windows/Amazon EC2
AWS Directory Service documentation
On-premises
Active Directory
Domain Controller
AWS Directory Service
For Microsoft Active Directory
Domain joined
Windows Amazon
EC2 instance
AD Forest Trust Domain Join
User Group
Add group membership
http://amzn.to/2ysq4Ns

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD trust details for Amazon WorkSpaces
Use on-premises AD identities to
provision and access Amazon WorkSpaces
Amazon WorkSpaces
documentation
On-premises
Active Directory
Domain Controller
AWS Directory Service
For Microsoft Active Directory
AD Forest Trust
User Admin
Search &
Provision
Domain Join
Login
(AuthN & AuthZ)
http://amzn.to/2x6IcZB

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bridge #4: AWS cross-account (XA)
trust

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS XA trust primer
Target AWS account
IAM Role
Permission Policy:
Controls access to
AWS services & resources
Trust Policy:
Specifies the Principals who
can assume the role, and a
shared secret (external id)
Source AWS account
IAM Role
IAM User
Permission Policy:
Allows sts:AssumeRole
to remote role (in
target)
sts:AssumeRole
Short-term credential
Invoke AWS APIs
Access Mgmt Console
(You) (External entity)(or vice versa)
Note: AWS XA trusts also support many other use cases

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cross-account trust
Cross-
account
trust
Amazon Cognito
Amazon
Redshift
Amazon RDS
(Aurora, MySQL)
Amazon
QuickSight
Amazon
AppStream
Data plane APIs
Windows/
Amazon EC2
Amazon
WorkSpaces
Amazon RDS
(SQL Server)
Amazon
WorkDocs
Amazon
WorkMail
SaaS Apps (Outside AWS)
Console API CLI
External
Apps
AWS
Credential

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cross-account trust details
Use AWS credentials from one account
to federate into another account
IAM documentation
aws sts assume-role --role-arn arn:aws:iam::012345678912:role/RoleName
--role-session-name use_traceable_name --external-id mysharedsecret
{
"AssumedRoleUser": {
"AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:use_traceable_name",
"Arn": “<roleARN>/use_traceable_name"
},
"Credentials": {
"SecretAccessKey": "ssssssssssssssssssssssssssssssssssssssss",
"SessionToken": "ttttttttttttttttttttttttttttttttttttttttttt",
"Expiration": "2017-10-19T00:01:38Z",
"AccessKeyId": "aaaaaaaaaaaaaaaaaaaaaaa"
}
}
http://amzn.to/2zzwE2n

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bridge #5: Custom federation broker

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Custom federation broker primer
Broker
Credential
User
Entitlements and
policies
sts:AssumeRole (or)
sts:GetFederationToken
Scoping policy
Short-term credential
authN & authZ
Note: mostly a legacy mechanism

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Custom broker
Cross-
account
trust
Custom
Amazon Cognito
Amazon
Redshift
Amazon RDS
(Aurora, MySQL)
Amazon
QuickSight
Amazon
AppStream
Data plane APIs
SaaS Apps (Outside AWS)
Console API CLI
External
Apps
BrokerCredential
AWS Cred
Windows/
Amazon EC2
Amazon
WorkSpaces
Amazon RDS
(SQL Server)
Amazon
WorkDocs
Amazon
WorkMail

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wrap-up

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Summary
SAML
OIDC
AD Trust
XA Trust
Custom
Many bridges, for different:
• Planes of access
• Protocols
• Source credentials
Remember our mental model:

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Remaining white space
CC0 Public Domain - Free for commercial use
http://maxpixel.freegreatpicture.com/Shadow-White-Space-Renovate-Blank-Renovated-Light-763247

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Other helpful links
• SAML:
• Amazon Redshift—http://amzn.to/2yxWX98
• Amazon RDS, MySQL, and Amazon Aurora—http://amzn.to/2gjBDvP
• Amazon AppStream 2.0—http://amzn.to/2gkU17q
• Amazon QuickSight—http://amzn.to/2xPfyf3
• OIDC:
• Amazon Cognito Federated Identities—http://amzn.to/2gl3yvp
• sts:AssumeRoleWithWebIdentity—http://amzn.to/2yTcOCr
• AD trust:
• Amazon RDS SQL Server—http://amzn.to/2glehop
• WorkDocs—http://amzn.to/2x6CNBz
• WorkMail—http://amzn.to/2kZFxyZ
• AWS IAM cross-account trust—http://amzn.to/2kZvRon
• Custom federation broker—http://amzn.to/2yyqzov
• Chalice (Python serverless framework for AWS)—https://github.com/aws/chalice

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!