Presentation from AWS User Groups May/June 2014

1. F O R E N T E R P R I S E A W S
ADFS + IAM Single Sign On

2. Introduction
 Cloud Architect and Engineer
 Background in Systems Administration
 Large scale E-Commerce systems
 Media scale events
 Helping companies migrate to Cloud Services
 3 Data centre design rebuilds
 4 complete migrations to AWS
 OpenSource Enthusiast
 http://dev.squarecows.com
 Yes it pains me to talk about ADFS

3. Why ADFS?
 Business Reasons
 Little entry cost
 Provides your existing business process with the ability to
control access to AWS services
 Provides an audit trial (using cloudtrail)
 Technical Reasons
 SAML integration (Security Assertion Markup Language)
 Connects with IAM seamlessly
 Uses existing infrastructure
 No need to recreate all your users in IAM and manage them by
hand
 Map IAM policies to AD Groups
Active Directory Federation Services

4. Deeper into ADFS
 My Test Setup
 Based on original RE:Invent presentation setup
 Single AD server running in AWS
 ADFS 2.0 installed on the AD controller
 MS Suggested setup
 HA AD Servers
 Dual ADFS 2.0 stand alone servers
 Load balancer for ADFS

5. How it all Works

6. How it all Works

7. Setting up IAM
 Requirements
 AD +ADFS setup
 Downloaded ADFS metadata
 AWS-Prod and AWS-Dev Groups in AD
 A User in these groups
 Create Identity Provider on IAM
 Create IAM Roles and grant SSO permissions
 Setup ADFS Trust and mappings
Identity Access management

8. Setting up IAM
Identity Access management

9. Setting up IAM
Identity Access management

10. Setting up IAM
Identity Access management

11. Setting up IAM
Identity Access management

12. Setting up IAM
Identity Access management

13. Setting up IAM
Identity Access management

14. Setting up IAM
Identity Access management

15. Setting up IAM
Identity Access management

16. Setting up IAM
Identity Access management

17. Setting up IAM
Identity Access management

18. Setting up IAM
Identity Access management

19. Setting up IAM
Identity Access management

20. Login In
 Sign into ADFS
 Pick Your Role
 Enjoy AWS

21. Useful Resources
 Original ADFS + IAM guide
 http://goo.gl/kM4V4Y
 AWS IAM Policy Generator
 http://goo.gl/vpTdBQ

22. Beyond AWS Services
 WorkSpaces
 https://aws.amazon.com/workspaces/
 AD integration

23. Questions???
Twitter: @ric_harvey
Or via Email: richard.harvey@intechnica.co.uk