This document provides step-by-step instructions for integrating AWS IAM single sign-on with OpenLDAP and Shibboleth identity provider (IdP). It describes launching an Amazon EC2 instance, installing and configuring OpenLDAP on the instance to act as the LDAP directory, and installing Tomcat and Shibboleth IdP. It then covers configuring IAM and Shibboleth IdP to enable single sign-on between AWS and the LDAP/Shibboleth identity sources.
The document provides an overview of the key AWS services needed to deploy a simple web application on AWS, including:
- Amazon EC2 for running application servers
- Elastic Load Balancing to distribute traffic across EC2 instances
- Auto Scaling to dynamically scale the number of EC2 instances based on demand
- CloudWatch to monitor application and server performance and trigger Auto Scaling if needed
- EBS for persistent storage
- Security groups and key pairs for secure access to EC2 instances
- Availability Zones for high availability across distinct locations
The document then walks through deploying a sample DotNetNuke application using these AWS services.
LAB SET-UP INSTRUCTIONS FOR EXERCISES ON AMAZON EC2 - Shaojun Xie
This document provides instructions for setting up a Red Hat Enterprise Linux 7 virtual machine on Amazon EC2 to use for completing exercises in a Red Hat course. It describes creating a free AWS account, launching a t2.micro instance of RHEL7 using the AWS console, and connecting to the instance securely over SSH using the private key that is downloaded during instance launch. The document stresses the importance of shutting down the instance when not in use to conserve compute hours provided by the AWS Free Tier.
This document provides an overview and introduction to Amazon Web Services (AWS) including key services like EC2, S3, VPC, RDS, and Lambda. It describes the purpose and basic functionality of each service. It also includes brief demonstrations of launching EC2 instances, creating S3 buckets, setting up VPC networking, and other core AWS services. The goal is to help readers understand the breadth of AWS offerings and how to get started using various compute, storage, database, and developer services.
AWS Elastic Beanstalk is an easy way to deploy and manage applications on AWS. It automatically provisions resources like ELB, Auto Scaling, and CloudWatch. It allows you to easily snapshot application logs and receive email notifications. You can manage configuration settings in one place for switching instance types, running in multiple availability zones, turning on HTTPS, and providing database connection strings. Elastic Beanstalk works by hosting applications on Amazon EC2 instances behind an Elastic Load Balancer. It demonstrates launching a PHP application, creating development and production environments, pushing code updates, and making the application highly available across availability zones. Key features include support for Tomcat and PHP, IAM access control, common configuration settings across instances, auto scaling UI,
Amazon Workspaces is a managed desktop as a service (DaaS) solution that allows users to access virtual desktops from multiple devices. It requires a Workspaces client, directory service like Active Directory, and a virtual private cloud (VPC) with at least two subnets. Supported regions vary by country. Workspaces can be customized with different bundles, images, and applications managed through Workspaces Application Manager (WAM). Launching a workspace involves administrator configuration and user registration and login steps.
The document discusses experiment templates for AWS Fault Injection Simulator (FIS). It explains that experiment templates define actions and targets for chaos engineering experiments using FIS. The document provides examples of JSON templates that specify actions like stopping EC2 instances, targets like instances tagged for chaos, and ordering of actions. It also describes the required and optional fields for defining actions, targets, and experiments in templates to automate chaos experiments with FIS.
This document discusses the benefits of using the .NET framework for web development. It begins by explaining that .NET compiles code to intermediate language (IL) rather than machine code. This allows the common language runtime (CLR) to manage aspects like garbage collection and exception handling. ASP.NET uses dynamic compilation for improved performance. The .NET framework also includes a large set of reusable classes. Additional benefits discussed include object-oriented architecture, caching, XML configuration, code separation, mobile support, powerful data access, language preference, and easy creation of web services.
DevOps integrates developers and operations teams to improve collaboration and productivity by automating infrastructure and workflows and continuously measuring application performance. The goal is to automate everything, including code testing, workflows, and infrastructure, so that small chunks of code can be deployed frequently to testing and production using the same infrastructure. AWS provides the platform as infrastructure and offers tools like CodePipeline, CodeCommit, CodeBuild, and CodeDeploy to automate deployments from development to production.
Step-by-step visual tutorial on how to launch Amazon AWS EC2.
This deck is part of the ramazon tutorial.
To know more about ramazon, visit https://github.com/AndreaCirilloAC/ramazon
McrUmbMeetup 22 May 14: Umbraco and Amazon - Dan Lister
A brief introduction to Amazon AWS and its many acronyms, followed by an explanation of different strategies to host Umbraco applications within the cloud, including single server instances, auto-scaling and load balanced examples. I'll also go through some of the pain and teething problems experienced with deployments, setup and maintenance.
This document introduces Amazon Web Services Elastic Beanstalk, which allows developers to easily deploy and manage applications in the AWS cloud. It discusses the key AWS services that Elastic Beanstalk utilizes like EC2, ELB, Auto Scaling and CloudWatch. It then demonstrates how to create a Beanstalk application environment and deploy a sample PHP application using Git with zero servers to manage. Developers can get started with Elastic Beanstalk for free to build and host their web applications on AWS.
AWS building fault_tolerant_applications - Sebin John
The document discusses building fault-tolerant applications on Amazon Web Services (AWS). Some key ways to achieve fault tolerance highlighted in the document include:
1) Using Amazon Machine Images (AMIs) which contain application software configurations that can be easily launched across multiple server instances for redundancy.
2) Leveraging services like Auto Scaling to automatically launch new instances when demand increases or failures occur, Elastic Load Balancing to distribute traffic across instances, and Availability Zones which provide isolated infrastructure in each zone.
3) Storing data in fault-tolerant services like Amazon S3, SimpleDB, and RDS to ensure data availability even if server instances fail.
Amazon Workspaces is a managed desktop as a service that allows users to access virtual desktops hosted on AWS. To set up Workspaces, an administrator must launch the desktops, configure directories and networking, and install the Workspaces client. Workspaces provide flexible bundles and can integrate with existing directories, applications, and networks to provide a secure desktop experience to users.
RMG206 Introduction to Amazon Elastic Beanstalk - AWS re:Invent 2012 - Amazon Web Services
AWS Elastic Beanstalk is a service that allows developers to quickly deploy and manage applications in the AWS cloud without worrying about the underlying infrastructure. It provisions the required resources such as load balancers, EC2 instances, Auto Scaling, and storage and deploys the application. It also handles automatic scaling and high availability of the application. Developers can focus on coding applications while Elastic Beanstalk handles the deployment and management of the infrastructure.
This document discusses the four operating systems certified by Oracle that are recommended for running Oracle workloads on Amazon EC2: Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Oracle Linux, and Microsoft Windows Server. It provides details on the features, licensing, and pricing of each operating system. The best choice depends on factors like workload type, instance selection, familiarity, and cost preference.
(APP201) Going Zero to Sixty with AWS Elastic Beanstalk | AWS re:Invent 2014 - Amazon Web Services
"AWS Elastic Beanstalk provides an easy way for you to quickly deploy, manage, and scale applications in the AWS cloud. This session shows you how to deploy your code to AWS Elastic Beanstalk, easily enable or disable application functionality, and perform zero-downtime deployments through interactive demos and code samples for both Windows and Linux.
Are you new to AWS Elastic Beanstalk? Get up to speed for this session by first completing the 60-minute Fundamentals of AWS Elastic Beanstalk lab in the self-paced Lab Lounge."
Amazon Rekognition makes it easy to extract meaningful metadata from visual content. This workshop includes multiple exercises during which attendees will use Rekognition to build practical use cases. Each module provides best practices for integrating Rekognition with other AWS services in real-world scenarios that help developers build image analysis quickly and confidently into their own applications.
This document provides an overview of Amazon EC2 and AWS Elastic Beanstalk. It describes EC2 as a service for launching virtual servers in AWS data centers and outlines features like instance types, security groups, and storage. It then introduces Elastic Beanstalk as a service that allows developers to easily deploy and manage applications in the AWS cloud without worrying about the underlying infrastructure. Elastic Beanstalk automatically handles tasks like provisioning, load balancing, auto-scaling, and application health monitoring. The document shows how Elastic Beanstalk manages and deploys applications across EC2 instances and other AWS services.
This tutorial is an overview of Elastic Beanstalk. It includes an introduction to Elastic Beanstalk, its working architecture, basic operation, a console demo and a summary. The tutorial begins with an introduction to Elastic Beanstalk, covering an overview of the service, how it manages applications, and its basic features.
Next is a section on the working architecture. It covers the basic architecture and workflow of Elastic Beanstalk in detail, along with the benefits of using it, such as root access and easy configuration.
It also covers the environments Elastic Beanstalk can run under, such as Docker and Node.js, as well as sample policies. The last section of the tutorial includes a demo of the Elastic Beanstalk console and a summary of the practices that take place "under the hood".
Cloud Computing With Amazon Web Services, Part 3: Servers on Demand With EC2 - white paper
This document provides an introduction to Amazon Elastic Compute Cloud (EC2) virtual servers. It discusses key EC2 concepts like Amazon Machine Images, instances, security groups, availability zones, and elastic block storage. It also provides pricing details for different EC2 instance types, data transfer, storage, and other services. The document aims to help readers understand how EC2 can provide scalable, reliable cloud computing resources and configure their applications' computing needs based on demand.
NServiceBus (NSB) is a popular framework for implementing service-oriented architectures (SOA) using C#. It can integrate with Windows Communication Foundation (WCF) web services to allow them to leverage NSB's capabilities like message encryption, retries, and sagas. NSB simplifies the coding of WCF contracts and hosting, and treats WCF endpoints like any other NSB endpoint. This allows management of WCF services through NSB tools and the use of NSB features in WCF workflows.
AWS Elastic Beanstalk is a service that allows developers to quickly deploy and manage applications in the AWS cloud without worrying about the underlying infrastructure. It provides an easy way to launch applications developed in Java or other languages and have them automatically scaled across Amazon EC2 instances. Key features include automated provisioning and deployment, easy management of settings, built-in monitoring, and troubleshooting tools. Developers retain full control over their AWS resources while taking advantage of Elastic Beanstalk's management capabilities.
Amazon Elastic Beanstalk is a PaaS offering from Amazon that allows users to deploy and manage applications in the cloud. It automatically handles tasks like capacity provisioning, load balancing, scaling and application health monitoring. The document discusses the history and services behind Elastic Beanstalk like EC2 and S3. It also provides an overview of how Elastic Beanstalk works, the programming models supported, tools available and a demo of deploying a sample news application using Elastic Beanstalk.
The document provides 10 tips for optimizing and speeding up SQL queries: 1) Only select necessary columns, 2) Use while loops instead of cursors, 3) Avoid SQL in loops, 4) Use joins instead of subqueries, 5) Use unions instead of OR, 6) Use set count settings in stored procedures, 7) Use indexing, 8) Avoid stored procedure names starting with "sp_", 9) Normalize tables, and 10) Use schema names with table names.
Scaling on EC2 in a fast-paced environment (LISA'11 - Full Paper) - Nicolas Brousse
Managing a server infrastructure in a fast-paced environment like a start-up is challenging. You have little time for provisioning, testing and planning, but you still need to prepare for scaling when your product reaches the tipping point. Amazon EC2 is one of the cloud providers that we experimented with while growing our infrastructure from 20 servers to 500 servers. In this paper we will go over the pros and cons of managing EC2 instances with a mix of Bind, LDAP, SimpleDB and Python scripts; how we kept a smooth working process by using NFS, auto-mount and shell scripting; why we switched from managing our instances based on tailor-made AMI/shell scripting to the official Ubuntu AMI, Cloud-init and Puppet; and finally, we will go over some rules we had to follow carefully to be able to handle billions of daily non-static HTTP requests across multiple Amazon EC2 regions.
HK-AWS Hands-on Lab-Series-2019-for-Enterprise:-Data-Protection-in-Enterpris... - Amazon Web Services
Would you like to experience setting up a secure, durable AWS cloud platform and deploy Veeam to protect the data in it? In this hands-on workshop co-hosted by AWS and Veeam, we will explore how Veeam Availability for AWS allows businesses to holistically manage their data protection both on premises and in AWS.
Deploy, Manage, and Scale your Apps with AWS Elastic BeanstalkAmazon Web Services
AWS Elastic Beanstalk is the fastest and simplest way to deploy your application on AWS. It is ideal for developers that are new to the platform but is also used by large organizations that want to manage and scale production workloads with minimum operational overhead. This session shows you how to deploy your code to AWS Elastic Beanstalk, easily manage multiple environments (e.g. Test & Production) and perform zero-downtime deployments through interactive demos and code samples.
This document discusses setting up an Rstudio server on Amazon EC2. It begins by providing background on Amazon Web Services and EC2 instances. It then covers creating an AWS account, launching an EC2 instance, and connecting to the instance using SSH. The document concludes by explaining how to install R and Rstudio on the Ubuntu server instance.
AWS CodeDeploy is a deployment service that automates application deployments to EC2 instances, on-premises servers, or Lambda functions. There are two deployment types: in-place, where the application is updated on each instance, and blue/green, where traffic is rerouted from the original environment to a replacement environment. Blue/green deployments minimize downtime and allow easy rollbacks. Getting started with CodeDeploy involves creating IAM roles, launching an EC2 instance, installing the CodeDeploy agent, preparing the application with an AppSpec file, and configuring CodeDeploy in the AWS console.
AWS Interview Questions Part - 2 | AWS Interview Questions And Answers Part -... - Simplilearn
This presentation about ‘AWS interview Questions’ will help every individual to prepare for their AWS job interviews. Also, the AWS interview questions mentioned in the presentation are the most frequently asked interview questions which have been explained with detailed answers and examples. In this presentation, you will see a list of questions related to:
1. AWS Snowball
2. AWS CloudFormation
3. AWS Elastic Beanstalk
4. Amazon Elastic Block Store
5. AWS Elastic Load Balancing
6. AWS Security
7. AWS IAM
8. Amazon Route 53
9. AWS Config
According to Robert Half, AWS Certified Solutions Architect is the second highest-paying IT certification, and AWS Solutions Architect is one of the most in-demand jobs in cloud computing today. Learn and get a deeper understanding of these important AWS interview questions, which will help you clear your interview process with ease.
This AWS certification training is designed to help you gain in-depth understanding of Amazon Web Services (AWS) architectural principles and services. You will learn how cloud computing is redefining the rules of IT architecture and how to design, plan, and scale AWS Cloud implementations with best practices recommended by Amazon. The AWS Cloud platform powers hundreds of thousands of businesses in 190 countries, and AWS certified solution architects take home about $126,000 per year.
This AWS certification course will help you learn the key concepts, latest trends, and best practices for working with the AWS architecture, and become an industry-ready AWS Certified Solutions Architect, qualifying you for a position as a high-quality AWS professional.
The course begins with an overview of the AWS platform before diving into its individual elements: IAM, VPC, EC2, EBS, ELB, CDN, S3, EIP, KMS, Route 53, RDS, Glacier, Snowball, CloudFront, DynamoDB, Redshift, Auto Scaling, CloudWatch, ElastiCache, CloudTrail, and Security. Those who complete the course will be able to:
1. Formulate solution plans and provide guidance on AWS architectural best practices
2. Design and deploy scalable, highly available, and fault tolerant systems on AWS
3. Identify the lift and shift of an existing on-premises application to AWS
4. Decipher the ingress and egress of data to and from AWS
5. Select the appropriate AWS service based on data, compute, database, or security requirements
6. Estimate AWS costs and identify cost control mechanisms
This AWS course is recommended for professionals who want to pursue a career in Cloud computing or develop Cloud applications with AWS. You’ll become an asset to any organization, helping leverage best practices around advanced cloud-based solutions and migrate existing workloads to the cloud.
Learn more at https://www.simplilearn.com/cloud-computing/aws-solution-architect-associate-training.
Deploy, Manage, and Scale your Apps with AWS Elastic BeanstalkAmazon Web Services
AWS Elastic Beanstalk is the fastest and simplest way to deploy your application on AWS. It is ideal for developers that are new to the platform but is also used by large organizations that want to manage and scale production workloads with minimum operational overhead. This session shows you how to deploy your code to AWS Elastic Beanstalk, easily manage multiple environments (e.g. Test & Production) and perform zero-downtime deployments through interactive demos and code samples.
This document discusses setting up an Rstudio server on Amazon EC2. It begins by providing background on Amazon Web Services and EC2 instances. It then covers creating an AWS account, launching an EC2 instance, and connecting to the instance using SSH. The document concludes by explaining how to install R and Rstudio on the Ubuntu server instance.
AWS CodeDeploy is a deployment service that automates application deployments to EC2 instances, on-premises servers, or Lambda functions. There are two deployment types: in-place, where the application is updated on each instance, and blue/green, where traffic is rerouted from the original environment to a replacement environment. Blue/green deployments minimize downtime and allow easy rollbacks. Getting started with CodeDeploy involves creating IAM roles, launching an EC2 instance, installing the CodeDeploy agent, preparing the application with an AppSpec file, and configuring CodeDeploy in the AWS console.
AWS Interview Questions Part - 2 | AWS Interview Questions And Answers Part -...Simplilearn
This presentation about ‘AWS interview Questions’ will help every individual to prepare for their AWS job interviews. Also, the AWS interview questions mentioned in the presentation are the most frequently asked interview questions which have been explained with detailed answers and examples. In this presentation, you will see a list of questions related to:
1. AWS Snowball
2. AWS CloudFormation
3. AWS Elastic Beanstalk
4. Amazon Elastic Block Store
5. AWS Elastic Load Balancing
6. AWS Security
7. AWS IAM
8. Amazon Route 53
9. AWS Config
According to Robert half, AWS Certified Solutions Architect is the second highest paying IT Certifications. However, AWS Solution Architect is one of the most in-demand jobs in cloud computing today. Learn and get a deeper understanding of these important AWS interview questions, which will help you to clear your interview process with ease.
This AWS certification training is designed to help you gain in-depth understanding of Amazon Web Services (AWS) architectural principles and services. You will learn how cloud computing is redefining the rules of IT architecture and how to design, plan, and scale AWS Cloud implementations with best practices recommended by Amazon. The AWS Cloud platform powers hundreds of thousands of businesses in 190 countries, and AWS certified solution architects take home about $126,000 per year.
This AWS certification course will help you learn the key concepts, latest trends, and best practices for working with the AWS architecture – and become industry-ready aws certified solutions architect to help you qualify for a position as a high-quality AWS professional.
The course begins with an overview of the AWS platform before diving into its individual elements: IAM, VPC, EC2, EBS, ELB, CDN, S3, EIP, KMS, Route 53, RDS, Glacier, Snowball, Cloudfront, Dynamo DB, Redshift, Auto Scaling, Cloudwatch, Elastic Cache, CloudTrail, and Security. Those who complete the course will be able to:
1. Formulate solution plans and provide guidance on AWS architectural best practices
2. Design and deploy scalable, highly available, and fault tolerant systems on AWS
3. Identify the lift and shift of an existing on-premises application to AWS
4. Decipher the ingress and egress of data to and from AWS
5. Select the appropriate AWS service based on data, computer, database, or security requirements
6. Estimate AWS costs and identify cost control mechanisms
This AWS course is recommended for professionals who want to pursue a career in Cloud computing or develop Cloud applications with AWS. You’ll become an asset to any organization, helping leverage best practices around advanced cloud-based solutions and migrate existing workloads to the cloud.
Learn more at https://www.simplilearn.com/cloud-computing/aws-solution-architect-associate-training.
Dealing with large datasets and tight security can make it difficult for a data science team to finish their work. A shared computational environment that scales for big data, and a single place to establish security protocols, make it much easier. Enter JupyterHub.
JupyterHub is as a computational environment that provides shared resources to a team of data scientists. Each team member can work on their own tasks while accessing common data sources and scaled computational resources with minimal DevOps experience.
Don't want to set this up yourself?
JupyterHub installations can be complex to set up and even more complex to manage. If you want a quicker solution for your team, consider Saturn Cloud Hosted Organizations or Saturn Cloud Enterprise at www.saturncloud.io.
Here are the steps to create a bastion host:
1. Create a security group for the bastion host that allows SSH access from your IP only.
2. Launch an EC2 instance into this security group. This will be your bastion host.
3. Create a security group for your internal instances that allows SSH access from the bastion host security group.
4. Launch your internal instances into this security group. They will now only be accessible via SSH through the bastion host.
5. Connect to the bastion host using SSH and then connect from there to your internal instances. This enforces access control and logging through a single managed instance.
Let me know if any of these
Hosting a web application using Amazon EC2 involves several steps. First, an Amazon Machine Image is selected that contains the required software configuration. Then an EC2 instance type is chosen based on the application's computing needs. The instance is launched and configured with storage, tags, and security groups. Finally, Putty is used to connect to the Linux instance and Vesta Control Panel is installed to manage the hosted website, which can then be accessed on the internet.
AWS Interview Questions Part - 1 | AWS Interview Questions And Answers Part -...Simplilearn
This presentation about "AWS interview questions" will take you through some of the most popular questions that you face in an AWS interview. Cloud computing is quickly becoming the norm among enterprises that want more flexibility, greater efficiencies, lower costs, and improved disaster recovery. AWS is by far the dominant provider, with 40% of the market share and $14 billion in revenue projected for 2017. That’s not only good news for Amazon’s bottom line. It’s also good news for yours if you’re moving into the field as an AWS Solution Architect Associate. If that’s the career move you’re making, and you’re preparing for an AWS Solution Architect job interview, then this is a video for you. Here are some of the most common AWS interview questions and answers that can help you while you prepare for Amazon web services related roles in the industry. Learn and get a deeper understanding of these questions to set you apart from the crowd in this booming cloud industry.
This AWS certification training is designed to help you gain in-depth understanding of Amazon Web Services (AWS) architectural principles and services. You will learn how cloud computing is redefining the rules of IT architecture and how to design, plan, and scale AWS Cloud implementations with best practices recommended by Amazon. The AWS Cloud platform powers hundreds of thousands of businesses in 190 countries, and AWS certified solution architects take home about $126,000 per year.
This AWS certification course will help you learn the key concepts, latest trends, and best practices for working with the AWS architecture – and become industry-ready aws certified solutions architect to help you qualify for a position as a high-quality AWS professional.
The course begins with an overview of the AWS platform before diving into its individual elements: IAM, VPC, EC2, EBS, ELB, CDN, S3, EIP, KMS, Route 53, RDS, Glacier, Snowball, Cloudfront, Dynamo DB, Redshift, Auto Scaling, Cloudwatch, Elastic Cache, CloudTrail, and Security. Those who complete the course will be able to:
1. Formulate solution plans and provide guidance on AWS architectural best practices
2. Design and deploy scalable, highly available, and fault tolerant systems on AWS
3. Identify the lift and shift of an existing on-premises application to AWS
4. Decipher the ingress and egress of data to and from AWS
5. Select the appropriate AWS service based on data, compute, database, or security requirements
6. Estimate AWS costs and identify cost control mechanisms
This AWS course is recommended for for professionals who want to pursue a career in Cloud computing or develop Cloud applications with AWS. You’ll become an asset to any organization, helping leverage best practices around advanced cloud based solutions and migrate existing workloads to the cloud.
Learn more at https://www.simplilearn.com/cloud-computing/aws-solution-architect-associate-training
The document provides answers to interview questions about AWS. It discusses what AWS is, its key components like S3, EC2, EBS, and CloudWatch. It describes what S3 and AMI are and how to send requests to S3. It also discusses how to vertically scale Amazon instances, the components involved in AWS, Lambda@Edge, scalability vs flexibility, the layers of cloud architecture, and connection issues when connecting to instances.
Introduction to running Oracle on AWS. Focuses on Oracle partnership, time line of partnership, licensing, pricing, use cases, common architectures, customer successes, and what is new.
This document summarizes a presentation given on AWS vs Azure. It begins with an overview of AWS, describing its many services like S3, EC2, VPC, IAM, ELB, RDS, DynamoDB and more. It notes AWS is an "alphabet soup" but has good documentation. The presentation then covers the goods of AWS like elasticity, programmability, variety of services and large user base. The bads include potential higher costs, complexity and service outages. The uglies include vendor lock-in risks and need to rewrite existing systems. It concludes by providing recommendations for different roles on best getting started with AWS.
This document provides guidance for implementing and operating SAP solutions on Amazon Web Services (AWS). It assumes basic AWS knowledge and is not intended to replace SAP documentation. The document describes key AWS services for compute, storage, networking, deployment and management that are relevant for running SAP systems. It also covers planning considerations, architectures, security, operating systems, databases, storage, high availability, backup and recovery when implementing SAP on AWS.
The document provides an overview of Amazon Web Services (AWS) and its computing services. It describes Amazon Elastic Compute Cloud (EC2) which allows users to launch virtual servers called instances in AWS data centers. It provides flexibility, cost effectiveness, scalability, security and reliability. EC2 reduces time to obtain servers and allows users to pay only for what they use.
Scaling drupal horizontally and in cloudVladimir Ilic
Vancouver Drupal group presentation for April 25, 2013.
How to deploy Drupal on
- multiple web servers,
- multiple web and database servers, and
- how to join all that together and make site deployed on Amazon Cloud (Virtual Private Cloud) inside
- one availability zone
- multiple availability zones deployment.
Session cover details about what you need in order to get Drupal deployed on separate servers, what are issues/concerns, and how to solve them.
This document provides an overview and introduction to Amazon Web Services (AWS). It describes the history of AWS and Amazon, the AWS global infrastructure including regions and availability zones, core AWS services like compute, storage, database and analytics offerings, and advantages of AWS like scalability, flexibility and pay-as-you-go pricing model. The objectives of the course are also outlined which cover foundational AWS services, security, databases, management tools and more.
The document outlines an AWS training course that covers various AWS services including compute, storage, databases, security, and management tools. The 10-module course introduces concepts like cloud computing and AWS architecture. It provides hands-on tutorials for services such as EC2, S3, VPC, RDS, EBS, IAM, Lambda and teaches how to set up infrastructure with CloudFormation. The final module involves a mock test to help learners prepare for AWS certifications. Supplementary resources like YouTube videos and a Udemy course are also referenced.
This document provides instructions for deploying a simple LAMP stack application using Cloud Application Manager. It defines the database and app tiers separately, connecting them with a binding. The database tier is an Amazon RDS MySQL instance. The app tier installs Apache, PHP and connects to the database using the binding. It takes under 30 minutes to complete the deployment.
This document provides an overview of Amazon Web Services (AWS) including key services like S3 storage, EC2 compute, and database services. It discusses the growth of AWS and popular services. The document then outlines how students can set up an AWS account, launch instances, and deploy example web applications using AWS resources while staying within free usage tiers or a $100 promotional credit for educational use. Best practices for cost optimization and architecture on AWS are also covered.
Integrate Your Favourite Microsoft DevOps Tools with AWS - AWS Summit SydneyAmazon Web Services
There are a great set of methods to integrate your favourite Microsoft DevOps tools like Team Foundation Server (TFS) and Azure DevOps with AWS to create CI/CD pipelines. In this session, you will learn how to do hybrid-deployments to AWS and on-premises environments by integrating those DevOps tools with AWS CodeDeploy. We will explore methods to automatically build and deploy ASP.NET/MVC applications to managed IIS environments on AWS using your current toolchain. You will also learn how to automate container deployment with the help of Amazon Elastic Container Service and the art of maintaining your infrastructure as code.
Doug Tidwell discusses the importance of portability and interoperability in cloud computing to avoid vendor lock-in. He demonstrates a sample cloud application using Apache libcloud and The Simple Cloud API, which provide common interfaces to work across multiple cloud providers. Tidwell urges developers to get involved in standards efforts and open source projects to advance cloud computing and keep it open.
Similar to Aws whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth (20)
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
TIME DIVISION MULTIPLEXING TECHNIQUE FOR COMMUNICATION SYSTEMHODECEDSIET
Time Division Multiplexing (TDM) is a method of transmitting multiple signals over a single communication channel by dividing the signal into many segments, each having a very short duration of time. These time slots are then allocated to different data streams, allowing multiple signals to share the same transmission medium efficiently. TDM is widely used in telecommunications and data communication systems.
### How TDM Works
1. **Time Slots Allocation**: The core principle of TDM is to assign distinct time slots to each signal. During each time slot, the respective signal is transmitted, and then the process repeats cyclically. For example, if there are four signals to be transmitted, the TDM cycle will divide time into four slots, each assigned to one signal.
2. **Synchronization**: Synchronization is crucial in TDM systems to ensure that the signals are correctly aligned with their respective time slots. Both the transmitter and receiver must be synchronized to avoid any overlap or loss of data. This synchronization is typically maintained by a clock signal that ensures time slots are accurately aligned.
3. **Frame Structure**: TDM data is organized into frames, where each frame consists of a set of time slots. Each frame is repeated at regular intervals, ensuring continuous transmission of data streams. The frame structure helps in managing the data streams and maintaining the synchronization between the transmitter and receiver.
4. **Multiplexer and Demultiplexer**: At the transmitting end, a multiplexer combines multiple input signals into a single composite signal by assigning each signal to a specific time slot. At the receiving end, a demultiplexer separates the composite signal back into individual signals based on their respective time slots.
### Types of TDM
1. **Synchronous TDM**: In synchronous TDM, time slots are pre-assigned to each signal, regardless of whether the signal has data to transmit or not. This can lead to inefficiencies if some time slots remain empty due to the absence of data.
2. **Asynchronous TDM (or Statistical TDM)**: Asynchronous TDM addresses the inefficiencies of synchronous TDM by allocating time slots dynamically based on the presence of data. Time slots are assigned only when there is data to transmit, which optimizes the use of the communication channel.
### Applications of TDM
- **Telecommunications**: TDM is extensively used in telecommunication systems, such as in T1 and E1 lines, where multiple telephone calls are transmitted over a single line by assigning each call to a specific time slot.
- **Digital Audio and Video Broadcasting**: TDM is used in broadcasting systems to transmit multiple audio or video streams over a single channel, ensuring efficient use of bandwidth.
- **Computer Networks**: TDM is used in network protocols and systems to manage the transmission of data from multiple sources over a single network medium.
### Advantages of TDM
- **Efficient Use of Bandwidth**: TDM all
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
International Conference on NLP, Artificial Intelligence, Machine Learning an...gerogepatton
International Conference on NLP, Artificial Intelligence, Machine Learning and Applications (NLAIM 2024) offers a premier global platform for exchanging insights and findings in the theory, methodology, and applications of NLP, Artificial Intelligence, Machine Learning, and their applications. The conference seeks substantial contributions across all key domains of NLP, Artificial Intelligence, Machine Learning, and their practical applications, aiming to foster both theoretical advancements and real-world implementations. With a focus on facilitating collaboration between researchers and practitioners from academia and industry, the conference serves as a nexus for sharing the latest developments in the field.
KuberTENes Birthday Bash Guadalajara - K8sGPT first impressionsVictor Morales
K8sGPT is a tool that analyzes and diagnoses Kubernetes clusters. This presentation was used to share the requirements and dependencies to deploy K8sGPT in a local environment.
Comparative analysis between traditional aquaponics and reconstructed aquapon...bijceesjournal
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
3. Amazon Web Services – Single Sign-On: Integrating AWS, OpenLDAP, and Shibboleth April 2015
Page 3 of 33
Contents
Abstract 3
Introduction 3
Step 1: Prepare the Operating System 5
Step 2: Install and Configure OpenLDAP 8
Step 3: Install Tomcat and Shibboleth IdP 11
Step 4: Configure IAM 15
Step 5: Configure Shibboleth IdP 19
Step 6: Test Shibboleth Federation 30
Conclusion 32
Further Reading 32
Notes 32
Abstract
AWS Identity and Access Management (IAM) is a web service from Amazon Web
Services (AWS) for managing users and user permissions in AWS. Outside the
AWS cloud, administrators of corporate systems rely on the Lightweight
Directory Access Protocol (LDAP) [1] to manage identities. By using role-based
access control (RBAC) and Security Assertion Markup Language (SAML) 2.0,
corporate IT systems administrators can bridge the IAM and LDAP systems and
simplify identity and permissions management across on-premises and cloud-
based infrastructures.
Introduction
In November 2013, the IAM team expanded identity federation [2] to support
SAML 2.0. Instead of recreating existing user data in AWS so that users in your
organization can access AWS, you can use AWS support for SAML to federate
user identities into AWS. For example, in many universities professors can help
students take advantage of AWS resources via the students' university accounts.
Step-by-step instructions walk you through the use of AWS SAML 2.0 support
with OpenLDAP, which is an implementation of LDAP. This walkthrough depicts
a fictitious university moving to OpenLDAP. Because the university makes heavy
use of Shibboleth identity provider (IdP) software, you will learn how to use
Shibboleth as the IdP.
You will also learn the entire process of setting up LDAP. If your organization
already has a functional LDAP implementation, you can review the schema and
then skip to the Install Tomcat [3] and Install Shibboleth IdP [4] sections. Likewise, if
your organization already has Shibboleth in production, you can skip to the
Configure Shibboleth IdP [5] section.
Assumptions and Prerequisites
This walkthrough describes using a Linux Ubuntu operating system and makes
the following assumptions about your familiarity with Ubuntu and with services
from AWS, such as Amazon Elastic Compute Cloud (Amazon EC2):
• You know enough about Linux to move between directories, use an editor
(such as Vim), and run script commands.
• You have a Secure Shell (SSH) tool, such as OpenSSH or PuTTY, installed on
your computer, and you know how to connect to a running Amazon EC2
instance. For a list of SSH tools, see Connect to Your Linux Instance [6] in the
Amazon EC2 documentation.
• You have a basic understanding of what LDAP is and what an LDAP schema
looks like.
LDAP Schema and Roles
A fictitious university called Example University is organized as shown in
Figure 1. This university assigns a unique identifier (uid) to each individual, more
commonly referred to as a user name. Each individual is also part of one or more
organizational units (OU or OrgUnit). In our fictitious university, OUs
correspond to departments, and one special OU named “People” contains
everyone.
Each individual has a primary OU. The primary OU for everyone except
managers is the People OU. The primary OU for managers is the department they
manage.
Figure 1: Schema for Example University
Software
For the example, use the following software. Although Ubuntu 14.04 Long Term
Support (LTS) is illustrated, the instructions apply to most versions of Ubuntu
and Linux (perhaps with minor modifications). In general the procedures work in
Microsoft Windows or OS X from Apple, but they require alternate installation
and configuration guides for OpenLDAP and Java virtual machine, which this
walkthrough does not address.
Function               Software and version
Operating system       Ubuntu 14.04 LTS
Java virtual machine   OpenJDK 7u25 (IcedTea 2.3.10)
Web server             Apache Tomcat 7.0.59
Identity provider      Shibboleth IdP 2.4
Directory              SLAPD (OpenLDAP 2.4.28)
Step 1: Prepare the Operating System
These steps begin with an Amazon EC2 instance so that you can see a completely
clean installation of all components.
The demo uses a t2.micro instance because it is free-tier eligible [7] (it will not cost
you anything) and because this example installation does not serve any
production traffic. You can complete this walkthrough with a t2.micro instance
and stay in the free tier. You can use a larger instance size if you want. It makes
no difference to the illustrated functionality, and larger sizes run faster. But note
that you will be charged at standard rates if you use instances that are not in the
free tier.
If you are new to Amazon EC2, you might want to read Getting Started with
Amazon EC2 Linux Instances [8] for context before you begin.
Launch a New Amazon EC2 Instance
1. Sign in to the AWS Management Console and then go to the Amazon EC2
console.
2. Click Launch Instance, find Ubuntu Server 14.04 LTS (HVM), SSD
Volume Type, and then click Select.
3. Select the t2.micro instance, which is the default.
4. Click through the Next buttons until you get to Step 6: Configure
Security Group.
Note: Restrict the IP address range in this step to match your organization’s IP address prefix, or use the My IP option.
5. Click Add Rule and then select HTTPS. This opens up port 443 for SSL
traffic.
Note: Restrict the IP address range in this step to match your organization’s IP address prefix, or use the My IP option.
6. When you are finished, click Review and Launch, and then click
Launch.
7. When prompted, create a new key pair for logging in to the Ubuntu
instance. Give it a name (for example, ShibbolethDemo), and then
download and save the key pair. See Figure 2. Then click Launch
Instances.
Figure 2: Select an Existing Key Pair or Create a New Key Pair
Important: Be sure to download your key pair. Otherwise, you will not be
able to access your instance. For information about how to connect to an
Amazon EC2 instance using SSH, see Connect to Your Linux Instance [9].
8. Click View Instances. When the instance is running, find and copy the
following values for the instance, which you'll need later:
• The instance ID.
• The public DNS of the instance.
• The public IP address of the instance.
You can find all of these values in the Amazon EC2 console when you select
your instance, as shown in Figure 3.
Figure 3: EC2 Instance Details, Showing Instance ID, Public DNS, and IP Address
Update Local Hosts File
In this walkthrough, various configuration values reference the DNS
example.com or idp.example.com. Each Amazon EC2 instance has a unique IP
address and DNS that are assigned when the instance starts, so you must update
the hosts file on your local computer so that example.com and idp.example.com
resolve to the IP address of your Amazon EC2 instance.
1. Make sure you know the public IP address of your Amazon EC2 instance, as
explained in the previous section.
2. Open the hosts file on your local computer. Editing this file requires
administrative privileges. These are the usual locations of the hosts file:
• Windows:
%windir%\System32\drivers\etc\hosts
• Linux:
/etc/hosts
• Mac:
/private/etc/hosts
3. Add the following mappings to the hosts file, using the public IP address of
your own Amazon EC2 instance. When you are done, save and close the
file.
nn.nnnn.nnn.nn example.com
nn.nnnn.nnn.nn idp.example.com
Create Directories
Using your SSH tool (OpenSSH, PuTTY, etc.), connect to your Amazon EC2
instance. Create directories for Tomcat, Shibboleth, and the demo files by
running the following commands.
cd /home/ubuntu/
mkdir -p /home/ubuntu/server/tomcat/conf/Catalina/localhost
mkdir -p /home/ubuntu/server/tomcat/endorsed
mkdir /home/ubuntu/server/shibidp
mkdir -p /home/ubuntu/installers/shibidp
Step 2: Install and Configure OpenLDAP
OpenLDAP is an open-source implementation of the Lightweight Directory
Access Protocol (LDAP) [10]. This walkthrough assumes basic knowledge of LDAP
and explains only what is required to complete it.
About LDAP
LDAP is defined by a small set of primitives that can be combined into a complex
hierarchy of objects and attributes.
The core element of the LDAP system is an object, which consists of a key-value
pair. Objects can represent anything that needs an identity in the LDAP system,
such as people, printers, or buildings. Because you can reuse keys, sets of key-
value pairs are grouped into object classes. These object classes are included by
using special object class attributes, as shown in Figure 4.
Figure 4: Including Object Classes with Special Object Class Attributes
Object classes make LDAP extensible. All the people at an organization have a
core set of attributes that they share, such as name, address, phone, office,
department, and job level. You can wrap these attributes into an object class so
that the definition of a person in the directory can reference the object class and
automatically get all the common attributes defined by it. Figure 5 shows an
example of an object class.
Figure 5: An Example of an Object Class
Install OpenLDAP
For this walkthrough, you need to install OpenLDAP on the Amazon EC2
instance that you launched.
1. Log in to the Amazon EC2 instance and enter the following commands to
download and install OpenLDAP.
sudo apt-get -y update && sudo apt-get -y upgrade
This command updates the package list on the host. The second half of the
command updates all the packages on the host to the newest versions.
2. Type the following command to install OpenLDAP.
sudo apt-get -y install slapd ldap-utils
3. Type the following commands to set up shortcuts (aliases) for working with
OpenLDAP.
echo "alias ldapsearch='ldapsearch -H ldapi:/// -x -W '" >> ~/.bashrc
echo "alias ldapmodify='ldapmodify -H ldapi:/// -x -W '" >> ~/.bashrc
# Adding $LDAP_ADMIN to either of the ldap commands binds to the admin account
echo "export LDAP_ADMIN='-D cn=admin,dc=example,dc=com '" >> ~/.bashrc
source ~/.bashrc
These commands add aliases to the ~/.bashrc file, which contains commands that
run each time the user signs in. The shortcuts add some common parameters to
ldapsearch and ldapmodify, the two most common LDAP utilities. The parameters
for these commands are as follows:
• -H ldapi:/// tells the command where the directory is located.
• -x tells the command to use simple authentication.
• -W tells the command to prompt for the password (instead of listing it on
the command line).
• -D cn=admin,dc=example,dc=com tells the command to bind to the directory
as the administrator account.
4. Type the following command to tell the package manager to reconfigure
OpenLDAP.
sudo dpkg-reconfigure slapd
When the command runs, you see the following prompts. Respond as noted.
• Omit OpenLDAP server configuration? Type No. You want to have a blank
directory created.
• DNS domain name: Type example.com. You use this to construct the hierarchy
of the LDAP directory. Use this domain for this walkthrough, because other
aspects of the configuration depend on this domain name.
• Organization name: Type any name. This value is not used.
• Administrator password: (and confirmation) This is the LDAP administrator
password. For the purposes of this walkthrough, use password. For production
systems, consult your security best practices. You will need the password
when you make changes to the LDAP configuration later.
• Database backend to use: This lets you specify the storage back end for
LDAP information. Type HDB.
• Do you want the database to be removed when slapd is purged? Type Yes.
This is a safety measure in case you purge a setup and start over. In that
case, if you type Yes, the directory is backed up rather than deleted.
• Move old database? Type Yes. This is part of the safety measure from the
previous prompt. By answering Yes, you cause OpenLDAP to make a backup of
the existing directory before wiping it.
• Allow LDAPv2 protocol? Type No. LDAPv2 is deprecated.
Download LDAP Sample Data
For this walkthrough you need some data in the LDAP data store. For
convenience the walkthrough provides files that contain sample data. To
download these directly to the Amazon EC2 instance, run the following script
inside your instance.
wget -O '/home/ubuntu/examples.tar.gz' 'https://s3.amazonaws.com/awsiammedia/public/sample/OpenLDAPandShibboleth/examples.tar.gz'
tar -xf /home/ubuntu/examples.tar.gz
Configure OpenLDAP
Because LDAP is text based, it is easy to back up the directory and share attribute
definitions (called schemas). However, this paper does not focus on LDAP, so it
does not go into detail about the text format used to interact with LDAP. You just
need to know that Lightweight Directory Interchange Format (LDIF) is a text-
based export/import format for LDAP, and you can find the sample LDIFs for
populating the directory in the files that you downloaded.
After you have downloaded the sample data files as described in the previous
section, run the following script to insert information from the example files into
the LDAP database. You need the LDAP administrator password that you
specified when you installed and configured OpenLDAP.
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f examples/eduPerson201310.ldif
# Schema installation requires root, but all other changes only require admin
ldapmodify $LDAP_ADMIN -f examples/PEOPLE.ldif
ldapmodify $LDAP_ADMIN -f examples/BIO.ldif
ldapmodify $LDAP_ADMIN -f examples/CSE.ldif
ldapmodify $LDAP_ADMIN -f examples/HR.ldif
Step 3: Install Tomcat and Shibboleth IdP
The next step is to install Shibboleth. Because Shibboleth is built from Java
Server Pages, it needs a servlet container in which to run. We are using Apache
Tomcat [11]. You do not have to know much about Tomcat in order to use it in this
walkthrough; we will show you the installation and configuration steps.
Install Tomcat
The Tomcat installation is simple. You just need to download and unzip a tarball.
In order to run Tomcat, a Java SE Development Kit (JDK) is required. Log in to
the Amazon EC2 instance and run the following script in order to install the JDK,
download Tomcat, and extract it.
sudo apt-get -y install openjdk-7-jre-headless
wget -O 'installers/tomcat7.tar.gz' 'http://www.us.apache.org/dist/tomcat/tomcat-7/v7.0.59/bin/apache-tomcat-7.0.59.tar.gz'
# Tomcat installation is simply to extract the tarball
tar -xzf installers/tomcat7.tar.gz -C server/tomcat/ --strip-components=1
Install Shibboleth IdP
You can install Shibboleth by downloading a tarball and extracting it. You then
need to set an environment variable and run the Shibboleth installer script.
In the Amazon EC2 instance, run the following script.
wget -O 'installers/shibidp2.4.tar.gz' 'http://shibboleth.net/downloads/identity-provider/2.4.0/shibboleth-identityprovider-2.4.0-bin.tar.gz'
tar -xzf installers/shibidp2.4.tar.gz -C installers/shibidp --strip-components=1
# This is needed for Tomcat and Shibboleth scripts
echo "export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/" >> ~/.bashrc
source ~/.bashrc
# Installation directory: /home/ubuntu/server/shibidp
# (don't use ~)
# Domain: idp.example.com
cd installers/shibidp; ./install.sh && cd -
Use the following answers when prompted.
• Where should the Shibboleth Identity Provider software be installed?
Type /home/ubuntu/server/shibidp
• (This question may not appear) The directory '/home/ubuntu/server/shibidp'
already exists. Would you like to overwrite this Shibboleth configuration?
(yes, [no]) Type yes
• What is the fully qualified hostname of the Shibboleth Identity Provider
server? [idp.example.org] Type idp.example.com. (Use .com, not .org, because
that is what the LDAP installation uses.) Note that this response assumes
that you typed example.com as the domain earlier.
• A keystore is about to be generated for you. Please enter a password that
will be used to protect it. This password protects a key pair that is used to
sign SAML assertions. It is stored in a file in the Shibboleth directory. For
purposes of this walkthrough, use password everywhere you are prompted. In a
production system, be sure to consult your security best practices.
Configure Tomcat
Tomcat's default configuration does not quite suit our needs for this example IdP,
so you need to edit the server's configuration file.
1. In the Amazon EC2 instance, use an editor such as Vim to edit the following
file.
/home/ubuntu/server/tomcat/conf/server.xml
2. Comment out the block that starts with <Connector port="8080".
This stops Tomcat from listening on port 8080.
3. Find the block that begins with <Connector port="8443", and replace
it with the following block. Notice that the block you are searching for
contains the port 8443, and is being replaced with port 443.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/ubuntu/server/shibidp/credentials/idp.jks"
           keystorePass="password" />
4. Create the following file.
/home/ubuntu/server/tomcat/conf/Catalina/localhost/idp.xml
5. Add the following to the file you just created, and then save and close the
file.
<Context docBase="/home/ubuntu/server/shibidp/war/idp.war"
privileged="true"
antiResourceLocking="false"
antiJARLocking="false"
unpackWAR="false"
swallowOutput="true" />
This tells Tomcat where Shibboleth’s files are and how to use them.
6. Run the following command.
cp ~/installers/shibidp/endorsed/* ~/server/tomcat/endorsed
This command tells Tomcat that it can run the Shibboleth library files by
copying the contents of Shibboleth's endorsed directory to Tomcat's
endorsed directory.
7. Edit the Tomcat user store file that is in the following location.
/home/ubuntu/server/tomcat/conf/tomcat-users.xml
8. Add a root user by adding the following line just before the
</tomcat-users> tag (inside the tomcat-users element).
<user username="root" password="password" roles="manager-gui" />
This configures an administrative user in Tomcat so that you can start and
stop Shibboleth from Tomcat's Manager App.
9. Start the server by running the following startup commands.
sudo /home/ubuntu/server/tomcat/bin/startup.sh
tail -f /home/ubuntu/server/tomcat/logs/catalina.out
10. Wait for a line that says, "INFO: Server startup in ### ms", and
then press CTRL+C.
11. To verify that Tomcat and Shibboleth started properly, from your main
computer (not the Amazon EC2 instance), navigate to
https://idp.example.com. If the server is working, Tomcat displays a
welcome page after a brief warning about certificates and host names.
12. Click Manager App and type the root credentials. Verify that the
Shibboleth software is running.
Step 4: Configure IAM
Now that you have set up Shibboleth as an IdP, configure AWS IAM so that it can
act as a SAML service provider. This involves two tasks: the first is to create an
IAM SAML provider that describes the IdP, and the second is to create an IAM
role (in our case several roles) that a federated user can assume in order to get
temporary security credentials for accessing AWS resources, such as signing in to
the AWS Management Console.
Create an IAM SAML Provider
In order to support SAML identity federation from an external IdP, IAM must
first establish a trust relationship with the provider. To do this, create an IAM
SAML provider. SAML 2.0 describes a document called a metadata document
that contains all the required information to configure communication and trust
between two entities. You can get the metadata document by asking Shibboleth
running on your instance to generate it.
1. In your Amazon EC2 instance, navigate to the following URL, download
the metadata document, and save it with the name idp.example.com.xml
(use this name, because later steps assume this name).
https://idp.example.com/idp/profile/Metadata/SAML
2. Sign in to AWS and navigate to the IAM console [12].
3. In the navigation pane, click Identity Providers, and then click Create
Provider. The Create Provider wizard starts.
4. Choose SAML as the provider type.
5. Type ShibDemo as the name.
6. Upload the metadata document you saved in Step 1 of this procedure as the
Metadata Document, as shown in Figure 6.
Figure 6: The Create Provider Wizard
7. Click Next Step.
8. Review the Provider Name and Provider Type, and then click
Create.
Create IAM Roles
Next, you create IAM roles that federated users can assume. You create three
roles for Example University: one for the biology department, one for the
computer science and computer engineering departments to share, and one for
the human resources department. Shibboleth controls access to the first two
roles. The third role includes a condition so that Shibboleth and AWS manage
access control (authorization).
In the IAM console, follow these steps:
1. In the navigation pane, click Roles, and then click Create New Role.
2. Type BIO for the name of the first role, and then click Next Step.
3. For role type, select Role for Identity Provider Access.
4. Select Grant Web Single Sign-On (WebSSO) access to SAML
providers, as shown in Figure 7.
Figure 7: Grant WebSSO Access to SAML Providers
By default, the wizard selects the SAML provider that you created earlier
(see Figure 8). The wizard also shows that the Value field is set to
https://signin.aws.amazon.com/saml. This is a required value.
Figure 8: Create Role Wizard
5. Click Next Step and verify that the role trust policy matches the following
example (except that your policy includes your AWS account number,
instead of 000000000000). When you have verified the policy, click Next
Step.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:saml-provider/ShibDemo"
      },
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
6. In the Attach Policy step, do not select any options. For this exercise, the
role does not actually need to have any permissions. Instead, click Next
Step. You see a summary of the role, as shown in Figure 9.
Figure 9: Summary of the Created Role
Note the role's Amazon Resource Name or ARN
(arn:aws:iam::000000000000:role/BIO). Later parts of this walkthrough assume
that the ARNs of the roles you create in this procedure match the suggested
names (BIO, CSE, and HR).
7. Click Create Role to finish creating this role.
8. Repeat steps 1–7 to create another role named CSE.
9. Repeat the steps again to create another role named HR. For the HR role,
you need to add a condition that checks that at least one of the values of the
SAML:eduPersonPrimaryOrgUnitDN attribute equals a required string.
When you get to the Verify Role Trust step, copy and paste the following
policy. Remember to replace 000000000000 with your AWS account
number.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {
        "Federated": "arn:aws:iam::000000000000:saml-provider/ShibDemo"
      },
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        },
        "ForAnyValue:StringEquals": {
          "SAML:eduPersonPrimaryOrgUnitDN": "ou=hr,dc=example,dc=com"
        }
      }
    }
  ]
}
The extra condition restricts the HR role to the manager of HR, because
Example University uses the eduPersonPrimaryOrgUnitDN attribute
to denote managers.
10. As with the BIO and CSE roles, do not select any policies to attach as the
role's access policy, because no permissions are needed for this
walkthrough.
Step 5: Configure Shibboleth IdP
Shibboleth IdP consumes data from a variety of sources and uses that data to
both authenticate a user and communicate the authenticated identity to external
entities. You can configure nearly every part of the process, and you can extend
with code the portions of the IdP that do not support configuration settings.
About Shibboleth Data Connectors
The basic flow for attribute data through Shibboleth is the same, regardless of
whether the data comes from a database, LDAP, or another source. A component
called a data connector fetches attribute data from its source. The data connector
defines a query or filter used to get the identity data. Predefined data connectors
exist for relational databases, LDAP, and configuration files.
The results returned by the data connector persist into the next step in the
process, which is the attribute definition. In this step, you can process the
identity data pulled from the store (and potentially from other attributes defined
earlier in the configuration) to produce attributes with the format you need. For
example, an attribute can pull several columns of a relational database together
with appropriate delimiters and format an email address. Like data connectors,
Shibboleth supports predefined attribute definitions. One definition passes
identity values through with no modification. With the mapped attribute
definition, you can use regular expressions to transform the format of attributes.
A number of special attribute definitions expose some of Shibboleth's internal
mechanisms, which are interesting but will not be used here.
However, these attributes are still in a Shibboleth-specific internal format. You
can attach attribute encoders to the attribute definitions so that you can serialize
the internal attributes into whatever wire format you need. This walkthrough
uses the SAML 2.0 string encoder to create the required XML for the SAML
authentication responses.
After you have fetched, transformed, and encoded data into the correct format,
you can use attribute filters to dictate which attributes to include in
communication with various relying parties. Predefined attribute filter policies
give you great flexibility in releasing attributes to relying parties. You can use
filters to write attributes to specific relying parties only, and to write only specific
values of the attributes, specific users, or specific authentication methods. You
can also string together Boolean combinations of all the above. A complete
overview of the process appears in Figure 10.
Figure 10: Attribute Pipeline in Shibboleth
Fetch Attributes from OpenLDAP
Much of the configuration for getting Shibboleth to communicate with
OpenLDAP is already in existing files and just needs to be uncommented.
1. In your Amazon EC2 instance, open this file in your text editor.
/home/ubuntu/server/shibidp/conf/attribute-resolver.xml
2. In the file, find the section with the following heading.
<!-- Schema: eduPerson attributes -->
3. Uncomment that section. (The commented-out section ends before an
element that has the ID eduPersonTargetedID.)
4. If you are using a newer schema that includes the definitions for
eduPersonPrincipalNamePrior or eduPersonUniqueId (the
eduPerson object class specification 201310), you can optionally add the
following block after the block that you just uncommented.
<resolver:AttributeDefinition
    xsi:type="ad:Simple" id="eduPersonPrincipalNamePrior"
    sourceAttributeID="eduPersonPrincipalNamePrior">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder
        xsi:type="enc:SAML1String"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalNamePrior" />
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12"
        friendlyName="eduPersonPrincipalNamePrior" />
</resolver:AttributeDefinition>
<resolver:AttributeDefinition
    xsi:type="ad:Simple" id="eduPersonUniqueId"
    sourceAttributeID="eduPersonUniqueId">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder
        xsi:type="enc:SAML1String"
        name="urn:mace:dir:attribute-def:eduPersonUniqueId" />
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13"
        friendlyName="eduPersonUniqueId" />
</resolver:AttributeDefinition>
5. Find the section that begins with the following.
<!-- Example LDAP Connector -->
This section has been commented out.
6. Replace that entire commented-out section with the following block, and
then save and close the file.
<resolver:DataConnector
id="myLDAP"
xsi:type="dc:LDAPDirectory"
ldapURL="ldap:///"
baseDN="ou=people,dc=example,dc=com"
authenticationType="ANONYMOUS" >
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>
</resolver:DataConnector>
About Attribute Definitions
The most relevant part of an LDAP data connector block is the filter template
near the bottom of the definition. When Shibboleth requests attributes for a user,
it runs this query on the OpenLDAP database. OpenLDAP needs to authenticate
and needs to know where to search. This is what the authenticationType
and baseDN attributes define. The reference myLDAP is used to refer to this
specific OpenLDAP query. If there are other attributes in OpenLDAP that require
a different query, you can copy this block, give it a different ID, and change the
query.
The eduPerson section that you uncommented contains, for example, the following attribute definition.
<resolver:AttributeDefinition
    xsi:type="ad:Simple"
    id="eduPersonAffiliation"
    sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder
        xsi:type="enc:SAML1String"
        name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>
The xsi:type="ad:Simple" attribute in these definitions indicates that
these attributes simply copy their values from the data connector as is. This is
appropriate for attributes that map directly to single columns of a database, to
single attributes from OpenLDAP, or to static configuration data.
The id="eduPersonAffiliation" portion gives this configuration section
an internal name that can be referenced elsewhere in the configuration. It is
never released to relying parties. The
sourceAttributeID="eduPersonAffiliation" portion defines the
name of the attribute released by the data connector to use as the source of data
for this attribute definition. Because this attribute definition gets data from
OpenLDAP, the configuration specifies a dependency on myLDAP, which is the
ID that you assigned to the OpenLDAP data connector.
Finally, a number of encoders are attached. In the SAML 2.0 string encoder, the
name and friendlyName are used to set the same portions of a SAML2
attribute.
Configuring AWS-specific attribute definitions
To use SAML identity federation with AWS, you must configure two AWS-specific
attributes. The first is a simple attribute that sets the name of the session granted
to users. This value is captured in logs and displayed in the console when the user
signs in. Good candidates for this value are a user's login name or email address.
Some format restrictions exist for the value:
• It must be between 2 and 32 characters in length.
• It can contain only alphanumeric characters, underscores, and the
following characters: +=,.@-.
• It is typically a user ID (bobsmith) or an email address
(bobsmith@example.com).
• It should not include blank spaces, such as often appear in a user’s display
name (Bob Smith).
This example uses the uid of the user from OpenLDAP by setting the
sourceAttributeID to uid and adding a dependency on the OpenLDAP data
connector.
The other attribute that needs to be set is the list of roles the user can assume.
This could be as simple as a static value attached to all users in an organization or
as complex as a per-user, per-department, ACL (access control list)–based value.
This example uses a flexible option that is not difficult to implement. To
configure the attributes, follow these steps.
1. Edit the following file.
/home/ubuntu/server/shibidp/conf/attribute-resolver.xml
2. Insert the following block immediately after the heading "Attribute
Definitions", and before <!--Schema: Core schema
attributes-->.
Note: Replace 000000000000 with your AWS account number. Note also that the
block includes the ARNs of the roles that you created earlier (for example,
arn:aws:iam::000000000000:role/BIO).
<resolver:AttributeDefinition
    id="awsRoles"
    xsi:type="ad:Mapped"
    sourceAttributeID="eduPersonOrgUnitDN">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role"
        friendlyName="Role" />
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::000000000000:role/BIO,arn:aws:iam::000000000000:saml-provider/ShibDemo</ad:ReturnValue>
        <ad:SourceValue>.*ou=biology.*</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::000000000000:role/CSE,arn:aws:iam::000000000000:saml-provider/ShibDemo</ad:ReturnValue>
        <ad:SourceValue>.*ou=computersci.*</ad:SourceValue>
        <ad:SourceValue>.*ou=computereng.*</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::000000000000:role/HR,arn:aws:iam::000000000000:saml-provider/ShibDemo</ad:ReturnValue>
        <ad:SourceValue>.*ou=hr.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
<resolver:AttributeDefinition
    id="awsRoleSessionName"
    xsi:type="ad:Simple"
    sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
        friendlyName="RoleSessionName" />
</resolver:AttributeDefinition>
With the mapped attribute definition, you can use a regular expression to map
input values into output values. This example maps eduPersonOrgUnitDN to
an IAM role (depending on the organizational unit) in order to give entire
departments access to resources by using existing access control rules. The
attribute definition contains several value maps, each with its own pattern. Each
of the values associated with the eduPersonOrgUnitDN (because it is
multivalued) is checked against the patterns specified in the SourceValue
nodes. If the check finds a match, the ReturnValue value is added to the
attribute definition. The format of the ReturnValue is a role ARN and a
provider ARN, separated by a comma. The order of the two ARNs does not
matter. Because the SourceValue fields are regular expressions, you can capture
the organizational unit and refer to it with a back reference in the
ReturnValue, which can simplify the configuration; further possibilities of
pattern matching are beyond our scope.
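The two authorization layers this section and Step 4 describe, traced end to end in Python as an added example that is not part of the whitepaper or of Shibboleth: the ad:Mapped value maps above, the RoleSessionName constraints listed earlier, and the HR role's ForAnyValue:StringEquals trust condition. The sample users and their DNs are constructed for the example, and 000000000000 is the placeholder account number used throughout the walkthrough.

```python
"""Added example (not from the whitepaper or Shibboleth): trace a user's
LDAP attributes through the two authorization layers the walkthrough sets up.
Layer 1 is the Shibboleth ad:Mapped definition "awsRoles"; layer 2 is the
IAM role trust policy evaluated by sts:AssumeRoleWithSAML. Sample users are
constructed; 000000000000 is the whitepaper's placeholder account number."""
import re

ACCOUNT = "000000000000"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/ShibDemo"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def role_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"


# The <ad:ValueMap> elements of awsRoles: (ReturnValue, [SourceValue patterns]).
# Shibboleth matches the whole value, hence the ".*" on both sides.
VALUE_MAPS = [
    (f"{role_arn('BIO')},{PROVIDER_ARN}", [r".*ou=biology.*"]),
    (f"{role_arn('CSE')},{PROVIDER_ARN}", [r".*ou=computersci.*", r".*ou=computereng.*"]),
    (f"{role_arn('HR')},{PROVIDER_ARN}", [r".*ou=hr.*"]),
]

# Trust policies from Step 4: SAML:aud is required for every role; only the
# HR role adds a ForAnyValue:StringEquals condition.
TRUST_CONDITIONS = {
    role_arn("BIO"): {},
    role_arn("CSE"): {},
    role_arn("HR"): {"SAML:eduPersonPrimaryOrgUnitDN": "ou=hr,dc=example,dc=com"},
}


def map_aws_roles(org_unit_dns):
    """Layer 1: each eduPersonOrgUnitDN value is checked against every
    SourceValue; a matching ValueMap contributes its ReturnValue once."""
    roles = []
    for dn in org_unit_dns:
        for return_value, patterns in VALUE_MAPS:
            if any(re.fullmatch(p, dn) for p in patterns) and return_value not in roles:
                roles.append(return_value)
    return roles


def valid_role_session_name(name):
    """RoleSessionName rules from the walkthrough: 2 to 32 characters, only
    alphanumerics, underscores and +=,.@- (so no spaces)."""
    return 2 <= len(name) <= 32 and re.fullmatch(r"[A-Za-z0-9_+=,.@-]+", name) is not None


def build_saml_attributes(entry):
    """What the IdP releases to urn:amazon:webservices: awsRoles and
    awsRoleSessionName plus the eduPerson attributes (basic:ANY releases
    every value of each)."""
    if not valid_role_session_name(entry["uid"]):
        raise ValueError(f"uid {entry['uid']!r} is not a valid RoleSessionName")
    return {
        "Role": map_aws_roles(entry.get("eduPersonOrgUnitDN", [])),
        "RoleSessionName": entry["uid"],
        "SAML:eduPersonPrimaryOrgUnitDN": entry.get("eduPersonPrimaryOrgUnitDN", []),
    }


def assumable_roles(saml_attributes, audience=SAML_AUDIENCE):
    """Layer 2: keep the roles whose trust policy accepts this assertion."""
    allowed = []
    for pair in saml_attributes["Role"]:
        first, second = pair.split(",")
        # The walkthrough notes that the order of the two ARNs does not matter.
        role, provider = (first, second) if ":role/" in first else (second, first)
        if provider != PROVIDER_ARN or audience != SAML_AUDIENCE:
            continue  # wrong Federated principal or SAML:aud mismatch
        conditions = TRUST_CONDITIONS.get(role)
        if conditions is None:
            continue  # no such role in the account
        # ForAnyValue:StringEquals: some value of the attribute must equal the expected one.
        if all(want in saml_attributes.get(key, []) for key, want in conditions.items()):
            allowed.append(role)
    return allowed


# Constructed sample directory entries (not the walkthrough's LDIF data).
SAMPLE_USERS = {
    # Biology researcher: BIO only.
    "alice": {"uid": "alice", "eduPersonOrgUnitDN": ["ou=biology,dc=example,dc=com"],
              "eduPersonPrimaryOrgUnitDN": []},
    # HR staff who is not the HR manager: Shibboleth offers HR, IAM refuses it.
    "bob": {"uid": "bob", "eduPersonOrgUnitDN": ["ou=hr,dc=example,dc=com"],
            "eduPersonPrimaryOrgUnitDN": []},
    # HR manager who also belongs to computer engineering: HR and CSE.
    "carol": {"uid": "carol",
              "eduPersonOrgUnitDN": ["ou=hr,dc=example,dc=com", "ou=computereng,dc=example,dc=com"],
              "eduPersonPrimaryOrgUnitDN": ["ou=hr,dc=example,dc=com"]},
}


def roles_for(uid):
    """End to end: LDAP entry -> SAML assertion attributes -> assumable role ARNs."""
    return assumable_roles(build_saml_attributes(SAMPLE_USERS[uid]))


if __name__ == "__main__":
    for uid in SAMPLE_USERS:
        print(uid, "->", [arn.rsplit("/", 1)[1] for arn in roles_for(uid)])
```

The bob case is the point of the HR trust condition: Shibboleth alone would hand every HR member the HR role, and only the IAM-side check on eduPersonPrimaryOrgUnitDN limits it to the manager.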
Release Attributes to Relying Parties
Sometimes attributes can contain sensitive data that is useful for authentication
within the organization. No one should release the sensitive data outside of the
organization. The first part of an attribute filter defines to whom the filter
applies. By using an AttributeRequesterString filter policy, an
administrator can choose the relying parties to whom to release the attributes.
This example uses the entity ID of AWS "urn:amazon:webservices". This
walkthrough uses a simple directory, so all possible values of all the eduPerson
and AWS attributes are released to AWS. This allows you to write policies in IAM
that can include conditions based on attributes that represent OpenLDAP
information. You do this by including an AttributeRule element for each
eduPerson or AWS attribute, and setting PermitValueRule to basic:ANY.
1. Edit the following file.
/home/ubuntu/server/shibidp/conf/attribute-filter.xml
2. Add the following block inside the element
AttributeFilterPolicyGroup (before the closing
</afp:AttributeFilterPolicyGroup> tag, and after the
comments). When you are done, save and close the file.
<afp:AttributeFilterPolicy id="releaseEduAndAWSToAWS">
    <afp:PolicyRequirementRule
        xsi:type="basic:AttributeRequesterString"
        value="urn:amazon:webservices" />
    <afp:AttributeRule attributeID="eduPersonAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <!-- repeat the AttributeRule block above, with basic:ANY, for each
         remaining eduPerson and AWS attribute that is released to AWS -->
</afp:AttributeFilterPolicy>
Enable Login Using OpenLDAP as a User Store
Shibboleth supports several authentication methods. By default, remote user
authentication is configured, which passes through the authentication performed
by Tomcat. To authenticate against OpenLDAP, you must disable remote user
authentication and enable user name/password authentication. User name/password
authentication via JAAS and the login.config file is already defined in the
configuration file; you only need to uncomment it. Follow these steps:
1. In the Amazon EC2 instance, edit the following file.
/home/ubuntu/server/shibidp/conf/handler.xml
2. Comment out the following block.
<ph:LoginHandler xsi:type="ph:RemoteUser">
3. Uncomment the following block, and then save and close the file.
<ph:LoginHandler xsi:type="ph:UsernamePassword ...>
4. Edit the following file in order to configure the OpenLDAP connection
parameters.
/home/ubuntu/server/shibidp/conf/login.config
5. Find the block that begins with Example LDAP authentication. Replace the
entire commented section (which begins with edu.vt.middleware)
with the following block.
edu.vt.middleware.ldap.jaas.LdapLoginModule required
    ldapUrl="ldap://localhost"
    baseDn="ou=People,dc=example,dc=com"
    bindDn="cn=admin,dc=example,dc=com"
    bindCredential="password"
    userFilter="uid={0}";
Configure Shibboleth to Talk to AWS
Now you have an OpenLDAP directory and Shibboleth configured to use that
identity store, and you have created IAM entities that AWS needs to establish
trust with Shibboleth. The only thing left is to establish trust between Shibboleth
(as the IdP) and AWS (as a service provider). You do this by configuring
Shibboleth with the location of the AWS SAML 2.0 metadata document. A
metadata document contains all the information needed for two parties to
communicate such as Internet endpoints and public keys. Shibboleth can
automatically refresh AWS metadata when AWS changes it by using a
FileBackedHTTPMetadataProvider object. Alternatively, if an
administrator wants to control the relationship manually, the administrator can
manually download the metadata and use a FileSystemMetadataProvider.
1. In your Amazon EC2 instance, edit the following file.
/home/ubuntu/server/shibidp/conf/relying-party.xml
2. In the Metadata Configuration section, just below the IdPMD entry, add the
following.
<metadata:MetadataProvider
    id="AWS"
    xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="https://signin.aws.amazon.com/static/saml-metadata.xml"
    backingFile="/home/ubuntu/server/shibidp/metadata/aws.xml"
/>
The file contains settings that cause Shibboleth to apply a set of default
configurations to AWS. You can find these settings inside the
DefaultRelyingParty and AnonymousRelyingParty blocks.
3. To change the configuration for a specific relying party, insert the following
block after the DefaultRelyingParty block (after the closing
</DefaultRelyingParty> tag).
<rp:RelyingParty
    id="urn:amazon:webservices"
    provider="https://idp.example.com/idp/shibboleth"
    defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration
        xsi:type="saml:SAML2SSOProfile"
        includeAttributeStatement="true"
        assertionLifetime="PT5M" assertionProxyCount="0"
        signResponses="never" signAssertions="always"
        encryptAssertions="never" encryptNameIds="never"
        includeConditionsNotBefore="true"
        maximumSPSessionLifetime="PT1H" />
</rp:RelyingParty>
With this configuration, you can specify the following:
• defaultSigningCredentialRef – The keys used to sign and encrypt requests.
• ProfileConfiguration – Which SAML 1.x or SAML 2.0 profiles to respond to.
Keep in mind that AWS supports only SAML2SSOProfile.
• assertionLifetime – The length of time (expiration) for the user to provide
the authentication information to AWS before it is no longer valid.
• signResponses/signAssertions – The portions of the response to sign.
• maximumSPSessionLifetime – The length of a session that AWS should provide
based on the authentication information provided.
Test Configuration Changes by Using AACLI
You have configured Shibboleth! To apply the Shibboleth configuration changes,
you must restart Tomcat. However, before you do that, it is best to test the
configuration. You can use the attribute authority command line interface
(AACLI) tool to simulate Shibboleth's attribute construction based on an
arbitrary configuration directory. This allows you to copy a working configuration
to a test directory, modify it, test it, and then copy it back. For the sake of this
example, you set up AACLI to test the live configuration.
1. Edit the following file.
~/.bashrc
2. Add the following line to the file, and then save and close the file.
alias aacli='sudo -E /home/ubuntu/server/shibidp/bin/aacli.sh --configDir=/home/ubuntu/server/shibidp/conf'
3. Run the following source command.
source ~/.bashrc
4. Run the following AACLI command.
aacli --requester "urn:amazon:webservices" --principal bobby
The attributes that are constructed for a given principal can be tested by
filling in a principal's OpenLDAP uid. (In this case, you use the principal
bobby, which exists in the example LDAP database.)
If all goes well, the command displays XML information that could be
directly injected into a SAML 2.0 attribute statement block. If you see a
series of stack traces instead, a misconfiguration is present. Check the
settings for the OpenLDAP data connector and the syntax of all the XML
configuration files.
5. After the AACLI begins returning attributes, stop and then restart Tomcat
by using the following commands.
sudo /home/ubuntu/server/tomcat/bin/shutdown.sh
sudo /home/ubuntu/server/tomcat/bin/startup.sh
Ensure that no stack traces occur in Tomcat or in the Shibboleth logs.
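A check worth running on the XML that AACLI prints before restarting Tomcat, as an added example that is not part of the whitepaper or of Shibboleth: it parses the attribute statement and verifies that every Role value is a well-formed pair of one role ARN and one saml-provider ARN (in either order) and that a single RoleSessionName is present. It assumes the resolver exposes the AWS attributes under the SAML attribute names https://aws.amazon.com/SAML/Attributes/Role and https://aws.amazon.com/SAML/Attributes/RoleSessionName; the sample statement and account id are constructed.

```python
"""Sanity check for an AACLI attribute statement (added example).

Assumptions (not from the whitepaper): the AWS attribute names below and the
constructed sample statement; 123456789012 is a placeholder account id.
"""
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed sample resembling AACLI output for the principal bobby.
SAMPLE_STATEMENT = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml2:AttributeValue>arn:aws:iam::123456789012:role/HR,arn:aws:iam::123456789012:saml-provider/Shibboleth</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <saml2:AttributeValue>bobby</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def split_role_value(value):
    """Return (role_arn, provider_arn) from one Role value.

    The two ARNs may appear in either order; a value with the wrong number
    of parts or without exactly one ARN of each kind raises ValueError.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected two comma-separated ARNs: {value!r}")
    roles = [p for p in parts if ROLE_ARN.match(p)]
    providers = [p for p in parts if PROVIDER_ARN.match(p)]
    if len(roles) != 1 or len(providers) != 1:
        raise ValueError(f"need one role ARN and one saml-provider ARN: {value!r}")
    return roles[0], providers[0]


def check_attribute_statement(xml_text):
    """Return a list of problems; an empty list means AWS will accept the values."""
    problems = []
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    role_values = attrs.get(ROLE_ATTR, [])
    if not role_values:
        problems.append("no Role attribute: AWS cannot select a role for this principal")
    for value in role_values:
        try:
            split_role_value(value)
        except ValueError as err:
            problems.append(str(err))
    session = attrs.get(SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        problems.append("RoleSessionName must carry exactly one non-empty value")
    return problems


if __name__ == "__main__":
    # save AACLI's output to a file and pass its contents here instead
    print(check_attribute_statement(SAMPLE_STATEMENT) or "attribute statement looks good")
```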
Step 6: Test Shibboleth Federation
Once the previous test succeeds, you can test federation to AWS. In the
Amazon EC2 instance, open a browser and navigate to the following URL.
https://idp.example.com/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
This initiates the SSO flow to AWS, and you see the page shown in Figure 11.
Figure 11: The Custom Login Page for the AWS Management Console
Type the user name bobby, and use password for the password. (In the sample
LDAP data, all the passwords are password.) You then go to the AWS
Management Console, as shown in Figure 12.
Figure 12: Console for a User Logged In as Charlie Using a Role Named CSE
To try a different user, log out by navigating to
https://idp.example.com/idp/profile/Logout. Then try logging in as user Dean.
Notice that this user is unable to federate. This is because the HR role policy
specifies that the SAML:eduPersonPrimaryOrgUnitDN must be
ou=hr,dc=example,dc=com. The user bobby has this and can federate as a member
of the HR department. However, Dean's primary organizational unit is
ou=People,dc=example,dc=com.
As noted earlier, administrators have the flexibility to control access in two
places. The first place is on the Shibboleth side in the attribute resolver by
attaching specific AWS role attributes to specific users. The role that is associated
with a user then determines what the user can do in AWS. The second place is in
the IAM role trust policy, where you can add conditions based on SAML
attributes that limit who can assume the role. It is up to you to choose which of
these two strategies to use (or both).
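The second control point, as an added example that is not the whitepaper's code or an AWS library: a small evaluator for the SAML-attribute conditions of a role trust policy, showing why bobby (ou=hr) can assume the HR role while Dean (ou=People) cannot. The trust policy, the attribute sets and the account id 123456789012 are constructed; the audience value https://signin.aws.amazon.com/saml and the sts:AssumeRoleWithSAML action are the real ones AWS uses, and only the StringEquals and StringLike operators are implemented.

```python
"""Trust-policy condition evaluation for SAML principals (added example).

Assumptions (not from the whitepaper): the policy document, the principals'
attribute sets and the placeholder account id are constructed.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # placeholder AWS account id
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Shibboleth"  # assumed provider name

# Constructed trust policy for the HR role: only the SAML provider may
# federate, and only when the assertion carries the HR organizational unit.
HR_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {
            "StringEquals": {
                "SAML:aud": "https://signin.aws.amazon.com/saml",
                "SAML:eduPersonPrimaryOrgUnitDN": "ou=hr,dc=example,dc=com",
            }
        },
    }],
})

# Constructed attribute sets as IAM would see them after the assertion is
# parsed; the eduPerson value is the one released from OpenLDAP.
PRINCIPALS = {
    "bobby": {"SAML:aud": "https://signin.aws.amazon.com/saml",
              "SAML:eduPersonPrimaryOrgUnitDN": "ou=hr,dc=example,dc=com"},
    "dean": {"SAML:aud": "https://signin.aws.amazon.com/saml",
             "SAML:eduPersonPrimaryOrgUnitDN": "ou=People,dc=example,dc=com"},
}

# Condition operators supported by this evaluator (values are case-sensitive).
OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
}


def _condition_holds(condition, attributes):
    """All operator blocks and all keys must hold (AND); the values listed
    for one key are OR-ed.  A key missing from the request fails the test,
    which is what stops a user without the attribute from assuming the role."""
    present = {k.lower(): v for k, v in attributes.items()}  # keys are case-insensitive
    for operator, keys in condition.items():
        test = OPERATORS.get(operator)
        if test is None:
            raise ValueError(f"unsupported condition operator {operator!r}")
        for key, expected in keys.items():
            actual = present.get(key.lower())
            if actual is None:
                return False
            expected_values = expected if isinstance(expected, list) else [expected]
            if not any(test(actual, e) for e in expected_values):
                return False
    return True


def can_assume_role(policy_json, provider_arn, attributes):
    """True if an Allow statement lets a principal from provider_arn call
    sts:AssumeRoleWithSAML with the given SAML attributes."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "sts:AssumeRoleWithSAML" not in actions:
            continue
        if _condition_holds(stmt.get("Condition", {}), attributes):
            return True
    return False


if __name__ == "__main__":
    for user, attrs in PRINCIPALS.items():
        print(user, "can assume HR role:", can_assume_role(HR_TRUST_POLICY, PROVIDER_ARN, attrs))
```

The evaluator deliberately treats a missing condition key as a failure, so a principal whose assertion carries no eduPersonPrimaryOrgUnitDN at all is refused just like Dean; that is the behaviour to rely on when the Shibboleth-side mapping is left permissive.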
For a complete list of attributes that you can use in role trust policies, see the
IAM documentation.13
Conclusion
Now that you have integrated your on-premises LDAP infrastructure into IAM,
you can spend less time on synchronizing permissions between on-premises and
the cloud. The combination of SAML attributes and RBAC means you can author
fine-grained access control policies that address your LDAP user data and your
AWS resources.
Further Reading
For more information about installing and configuring OpenLDAP and
Shibboleth, see the following:
• Installing an OpenLDAP server14
• How To Install and Configure a Basic LDAP Server on an Ubuntu 12.04
VPS15
• LDIF examples16
• Edit the Tomcat Configuration File17
• Preparing Apache Tomcat for the Shibboleth Identity Provider18
For Shibboleth attributes and authentication responses, the Shibboleth
documentation wiki provides extensive information. These topics contributed to
the creation of this tutorial:
• LDAP Data Connector19
• Shibboleth attributes:
o Define and Release a New Attribute in an IdP20
o Simple Attribute Definition21
o Mapped Attribute Definition22
o Define a New Attribute Filter23
• Shibboleth User Name/Password Handler24
• Adding Metadata providers25
• Per-Service Provider Configuration26
Notes
1 http://en.wikipedia.org/wiki/Ldap
2 http://aws.amazon.com/about-aws/whats-new/2013/11/11/aws-identity-and-access-management-iam-adds-support-for-saml-security-assertion-markup-language-2-0/
3 See the “Install Tomcat” section.
4 See the “Install Shibboleth IdP” section.
5 See the “Configure Shibboleth IdP” section.