
AD Authenticate All The Things

Authentication and authorization to the AWS management console using your on-premise Active Directory isn't all that straightforward, at first. This deck covers the easily adaptable and scalable methodology we created and have been following over the past year, leveraging our existing IdP and adhering to strict conventions.

Published in: Technology

AD Authenticate All The Things

  1. AD Authenticate the AWS Management Console. Alan Williams, Enterprise Architect. Advanced AWS Meetup, June 2015
  2. Who Am I? (© 2015 Autodesk)
     - Technology Generalist
     - Background in Infrastructure
     - @ Autodesk ~10 years
     - Spoken at OpenWorld, .conf and re:Invent
     - AWS user for ~5 years
     - Motorcyclist
     - Soft spot for pit bulls
     - @alanwill
  3. Who is Autodesk?
     - Leader in 3D design, engineering and entertainment software
     - Introduced AutoCAD in 1982
     - Empowering the Maker movement
     - Helping our customers imagine, design and create a better world
     - ~11,000 global employees
  4. autodesk.com/careers
  5. Agenda
     - Problem
     - Solution
     - Demo
     - How
     - Benefits
     - Next
  6. Problem
  7. Problem
     - Identity Management: too many of them; lots of AWS accounts
     - Access Control: too complex to manage; too difficult to enforce
     - Inconvenient: what's my password?
  8. Solution
  9. (image only)
  10. Solution
     - AWS Federated Logins: IAM Identity Providers
     - On-premises Identity Provider: PingFederate, Okta etc.
     - On-premises Identity Store: Active Directory
     - SAML: Security Assertion Markup Language
  11. Demo
  12. How (the gory details)
  13. Workflow. Diagram adapted from the AWS STS documentation for Autodesk relevance: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html
  14. #1 – IdP Initiated SSO
     - Go to the IdP page. Example: https://aws.company.com
     - Enter AD credentials: jdoe / ********
  15. #2/3 – Authentication
     - AD: validates the credentials; responds to the IdP with all of the user's security groups
     - IdP: applies filters and performs field extraction; sends the client the AWS account(s) + IAM role(s) in a SAML assertion
  16. AD Security Group Naming Convention (image only)
  17. #4/5/6 – Authorization
     - Client posts the assertion to the AWS SSO endpoint
     - AWS validates the request and matches AWS account numbers and roles
     - Presents the list of AWS accounts to the user for sign-in
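As an added example (not code from the deck or from Autodesk), the IdP-side filtering/extraction of slide 15 and the AWS-side matching of slide 17 in Python. The deck's actual group naming convention is on an image slide not present in this transcript, so the convention `AWS-<12-digit account id>-<IAM role name>`, the SAML provider name `Corp-IdP` and the account ids are assumptions; role names come from slide 32.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Assumed naming convention (the deck's own convention is on an image slide):
# AWS-<12-digit account id>-<IAM role name>
GROUP_RE = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$")
# Assumed name of the IAM SAML identity provider created in every account
SAML_PROVIDER = "Corp-IdP"

def role_attribute_values(ad_groups: List[str]) -> List[str]:
    """IdP side (steps #2/3): keep only groups that follow the convention and
    turn each into a https://aws.amazon.com/SAML/Attributes/Role value, which
    AWS expects as "<role-arn>,<saml-provider-arn>". Other groups are dropped."""
    values = set()
    for group in ad_groups:
        m = GROUP_RE.match(group)
        if not m:
            continue
        acct, role = m["account"], m["role"]
        values.add(f"arn:aws:iam::{acct}:role/{role},"
                   f"arn:aws:iam::{acct}:saml-provider/{SAML_PROVIDER}")
    return sorted(values)

def accounts_offered(values: List[str]) -> Dict[str, List[str]]:
    """AWS side (steps #4/5/6): reject any pair whose role and provider are not
    in the same account, then group role names by account id, which is the
    sign-in list the user is shown."""
    offered: Dict[str, List[str]] = defaultdict(list)
    for value in values:
        role_arn, provider_arn = value.split(",", 1)
        role_acct, provider_acct = role_arn.split(":")[4], provider_arn.split(":")[4]
        if role_acct != provider_acct or ":role/" not in role_arn:
            raise ValueError(f"inconsistent Role attribute value: {value}")
        offered[role_acct].append(role_arn.rsplit("/", 1)[1])
    return {acct: sorted(roles) for acct, roles in offered.items()}

# Constructed sample: groups AD returns for one user; account ids are made up
SAMPLE_GROUPS = [
    "Domain Users",
    "AWS-123456789012-Account-ReadOnly",
    "AWS-123456789012-Server-Admins",
    "AWS-123456789012-Account-ReadOnly",   # duplicate via nested membership
    "AWS-210987654321-Account-Admin",
    "AWS-Sandbox-Admins",                  # no account id: filtered out
]

if __name__ == "__main__":
    print(accounts_offered(role_attribute_values(SAMPLE_GROUPS)))
```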
  18. (image only)
  19. (image only)
  20. How (on the AWS end)
  21. Create IAM Identity Provider
  22. Create IAM Identity Provider
  23. Create IAM Identity Provider
  24. Create IAM Identity Provider
  25. Create IAM Identity Provider
  26. Create an IAM Role
  27. Create IAM Role
  28. Create IAM Role
  29. Create IAM Role
  30. Create IAM Role
  31. (image only)
  32. Optional: Multiple Roles. Example IAM role policies by role name:
     - Account-Admin: AdministratorAccess policy
     - Account-ReadOnly: ReadOnlyAccess policy
     - Application-Admins: PowerUserAccess policy
     - Database-Admins: AmazonRDSFullAccess + AmazonRedshiftFullAccess policies
     - Network-Admins: AmazonVPCFullAccess + AWSDirectConnectFullAccess policies
     - Security-Admins: SecurityAudit policy
     - Server-Admins: AmazonEC2FullAccess policy
  33. Optional: Multiple Roles, same account
  34. Optional: Two Factor Authentication
  35. On-boarding New Accounts
     - Create AD security groups following the naming convention
     - Create IAM Identity Provider
     - Create IAM Roles
  36. Managing Access
     - AD security group membership
     - Role based access control
  37. Benefits
  38. Benefits
     - Standardized authentication
     - Improved security
     - Convenient user experience
     - Flexible
     - Scalable to 100s+ accounts
  39. What's Next
  40. Next Steps
     - IAM Keys Vending Machine: Access/Secret Key self-service portal
     - Temporary, expires in 24 hours
  41. Documentation Resources
     - Using Identity Providers: http://goo.gl/qf7NpN
     - Using SAML Providers: http://goo.gl/cBMswu
     - IAM Federated User Access: http://goo.gl/5nIMt9
  42. (image only)
  43. Autodesk is a registered trademark of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2015 Autodesk. All rights reserved.
