aws partner webcast - get closer to the cloud with federated single sign-on

Post on 10-Jul-2015


DESCRIPTION

Bring the cloud closer to you and your customers by using your existing identity stores to access AWS services. Manage access to all of your cloud services and on-premises applications centrally. Join this webinar to learn how the Ping Identity platform offers federated single sign-on (SSO) to quickly and securely manage authentication of partners and customers through seamless integration with the AWS Identity and Access Management service. You will also hear from Ping Identity partner and Amazon Web Services customer Geezeo, who will share best practices based on their experience.

What you'll learn:

• How the Ping Identity platform can be deployed simply and securely in Amazon EC2 adjacent to your offerings

• How any partner that can generate a SAML assertion can easily connect to AWS APIs while also continuing to manage its own customer identities

• How Geezeo has benefited from the Ping Identity platform’s seamless integration capabilities

Who should attend:

• Security and Identity professionals, Solution or System Architects, System Administrators, Development Leads and other Technical IT Leaders

TRANSCRIPT

Get Closer to the Cloud with Federated Single Sign-On

Welcome

Maya Cabassi

Partner Marketing Manager

Amazon Web Services

Webinar Overview

Submit your questions using the Q&A tool.

A copy of today’s presentation will be made available on:

AWS SlideShare Channel: http://www.slideshare.net/AmazonWebServices/

AWS Webinar Channel on YouTube: http://www.youtube.com/channel/UCT-nPlVzJI-ccQXlxjSvJmw

Ben Brauer, Sr. Product Manager, Amazon Web Services

Introducing

Mark Diodati, Technical Director, Office of the CTO, Ping Identity

What We’ll Cover

• Overview of AWS Identity and Access Management (IAM)

• How to deploy Ping Identity Federated Single Sign-On in AWS

• Q&A

IAM is about Access Control

• One of customers’ top considerations when moving to the cloud

• Why do we want control?

– Appropriate access to do appropriate actions

– I want to implement security best practices

– I want to be at least as secure as on premises

– I must comply with certain industry-specific security regulations

IAM Concepts in AWS

• Create and Manage Users and Groups

• Security

– Multiple users, with individual permissions

– Individual security credentials (access keys, password, MFA)

– Secure by default

• Control

– Centralized control of user access

– Fine-grained permissions

– Control users’ access to APIs and the AWS Console

– Cross-account access

• Integrated

– No changes to service APIs

– Federated

Identity Management Concepts

IAM Users: administrators and consumers of AWS services and resources

Groups: a collection of IAM users and policy that applies to all the IAM users in the group

Examples

Bob can log into the AWS Management Console to administer his company’s account

IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production

(Diagram: Identity and Access Management. Who has access? IAM Users/Groups, i.e. authentication. What can they do? Access Policies, i.e. authorization.)

What is Identity Federation?

(Diagram: Who has access? Within AWS: IAM Users. With AWS + partner solutions: external users, authenticated by identity management solutions outside AWS.)

Benefits of Identity Federation

• Eliminate managing duplicate user identities

• End users do not need yet another password to remember

• Leverage your existing investment in identity management solutions

• Re-use your internal identity management processes (e.g., password length, rotation, etc.)

Identity Management Concepts in AWS

IAM Users: administrators and consumers of AWS services and resources

Groups: a collection of IAM users and policy that applies to all the IAM users in the group

IAM Roles: grants a trusted party temporary access to your AWS account

Examples


Grant access to an identity provider to enable federated users access to the AWS Management Console.

Identity Federation Example

(Diagram: log into the AWS console without a username and password, authenticating against Active Directory.)

AWS AND FEDERATION

Integrating AWS with External Identity Systems


IaaS and PaaS need love, too

(Chart: as deployments and the number of users grow, IAM needs increase: more administrators, more end-user services, more services, and organizational confidence.)

say wha?

federation is an interoperable technology: it provides single sign-on across security domains and uses Security Assertion Markup Language (SAML)

the federation identity provider (IDP) authenticates users, gives users SSO (SAML) credentials and redirects users to the federation SP

the federation service provider (SP) accepts the user’s SAML credentials and creates user credentials for the local application

federation in action

(Diagram: an on-premises federation IDP, backed by LDAP, provides SSO (SAML) to a hosted SaaS application that acts as the federation SP.)

use cases

1) AWS IAM as federation SP (new!): accepts the user’s SAML credentials and creates AWS user credentials for access to services

2) federation IDP runs in an EC2 instance: authenticates users, gives SAML credentials

3) federation SP runs in an EC2 instance: accepts SAML credentials, creates local credentials

federation: interfacing with AWS

(Diagram: default vs. possible integration paths.)

Good Ole Days

(Diagram: on-premises custom code, with storage of IAM user keys and storage of federated user keys, talks over a proprietary connection to on-premises LDAP and to the hosted Amazon API; (mostly) non-web interaction.)

1) AWS as federation SP

(Diagram: an on-premises commercial federation IDP, backed by LDAP, with no storage of IAM user keys and no storage of federated user keys, uses SSO (SAML) to reach the security token service, which resides in AWS; (mostly) web interaction.)

AWS federation SAML attributes

Name: SAML subject
Description: name
Example: “uid=tstark,ou=people,o=cloudidentity.com”

Name: Role
Description: concatenation of two attributes
• Amazon Resource Name (ARN) of the AWS role with the entitlements for the federated user
• ARN of the AWS role with entitlements for the identity provider
Example: “arn:aws:iam::012323142877:role/S3-Users, arn:aws:iam::012323142877:saml-provider/PING-IDP”

Name: Role Session Name
Description: Enables user-specific access policies for the federated user
Example: “tstark”
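As an added example (not from the deck), the following Python code pulls these three attributes out of a SAML assertion and applies the shape checks the SP side relies on before the Role value can be trusted: exactly one Role and one RoleSessionName value, a role ARN paired with a saml-provider ARN from the same account. The attribute names https://aws.amazon.com/SAML/Attributes/Role and .../RoleSessionName are the ones AWS defines; the assertion fragment is constructed from the slide's sample values and is unsigned, so signature validation is out of scope here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS defines for SAML federation (the slide shows only the values).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")
# Constructed, unsigned assertion fragment using the deck's sample values.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>uid=tstark,ou=people,o=cloudidentity.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::012323142877:role/S3-Users,arn:aws:iam::012323142877:saml-provider/PING-IDP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>tstark</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, name):
    """All AttributeValue strings carried by the SAML attribute called `name`."""
    return [v.text.strip()
            for a in root.findall(".//saml:Attribute", NS) if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS) if v.text]

def parse_aws_attributes(xml_text):
    """Return (subject, role_arn, provider_arn, session_name); raise ValueError on bad input."""
    root = ET.fromstring(xml_text)
    subject = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    roles = attribute_values(root, ROLE_ATTR)
    sessions = attribute_values(root, SESSION_ATTR)
    if len(roles) != 1 or len(sessions) != 1:
        raise ValueError("expected exactly one Role and one RoleSessionName value")
    parts = [p.strip() for p in roles[0].split(",")]
    if len(parts) != 2:
        raise ValueError("Role must be 'role-arn,saml-provider-arn'")
    arns = {}  # keyed by ARN kind; AWS accepts the two ARNs in either order
    for arn in parts:
        m = ARN_RE.match(arn)
        if not m:
            raise ValueError(f"malformed ARN: {arn}")
        arns[m.group(2)] = (m.group(1), arn)
    if set(arns) != {"role", "saml-provider"}:
        raise ValueError("Role needs one role ARN and one saml-provider ARN")
    if arns["role"][0] != arns["saml-provider"][0]:
        raise ValueError("role and saml-provider ARNs belong to different accounts")
    return subject, arns["role"][1], arns["saml-provider"][1], sessions[0]
```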

2) EC2 instance with federation IDP

(Diagram: a hosted EC2 instance running the IDP and its application, with an authentication partner.)

3) EC2 instance with federation SP

(Diagram: the SP (with app) runs in a hosted EC2 instance; the federation IDP is on-premises.)

recommendations

• understand your AWS access requirements

– Non-web access may be a challenge using federation technology

• don’t use the AWS (superuser) account for the IDP user

– Otherwise, privilege and catastrophe await you

• carefully scope the access rights for your roles

– IAM IDP user role

– federated user role
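To make the last two recommendations concrete for the "AWS as federation SP" setup, here is an added example (not from the deck) that checks an IAM role's trust policy for the scoping a SAML-federated role should have: only the SAML provider as principal, only sts:AssumeRoleWithSAML as the action, and the SAML:aud condition pinned to the console endpoint. Both policies are constructed; the provider ARN reuses the deck's sample value, and https://signin.aws.amazon.com/saml is AWS's console SAML endpoint.

```python
import json

SAML_PROVIDER_ARN = "arn:aws:iam::012323142877:saml-provider/PING-IDP"  # deck's sample value
CONSOLE_AUDIENCE = "https://signin.aws.amazon.com/saml"  # AWS console SAML endpoint

# Constructed trust policy scoped the way a SAML-federated role should be.
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAML_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": CONSOLE_AUDIENCE}},
    }],
})

# Constructed over-broad variant: trusts the account root, allows plain AssumeRole,
# and carries no audience condition.
LOOSE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::012323142877:root"},
        "Action": ["sts:AssumeRole", "sts:AssumeRoleWithSAML"],
    }],
})

def trust_policy_findings(policy_json, expected_provider):
    """Return the list of scoping problems; an empty list means the policy is as recommended."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not isinstance(principal, dict) or "AWS" in principal or "*" in principal.values():
            findings.append(f"statement {i}: principal is not limited to a federated SAML provider")
        elif principal.get("Federated") != expected_provider:
            findings.append(f"statement {i}: federated principal is not {expected_provider}")
        if any(a != "sts:AssumeRoleWithSAML" for a in actions):
            findings.append(f"statement {i}: allows actions beyond sts:AssumeRoleWithSAML")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != CONSOLE_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud is not pinned to {CONSOLE_AUDIENCE}")
    return findings
```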

sample integration

(Diagram: an EC2 instance integrated with LDAP.)

A Look Ahead: Cloud Identity Summit

www.cloudidentitysummit.com

What We’ll Cover

• Jim Scharf: Identity Management for the Cloud

• Ben Brauer: Securing your AWS Environment

• Shon Shah: Delegating Access to your AWS Environment

• Conor Cahill: Federating Access to your AWS Environment

Contacts:

Ping Identity: https://www.pingidentity.com/

AWS: aws.amazon.com/contact-us

We appreciate your feedback on this presentation.

Please take a moment for a quick survey.
