OneLogin Streamlines AWS User Management - OneLogin


5/14/2016 OneLogin Streamlines AWS User Management - OneLogin

https://www.onelogin.com/blog/onelogin-streamlines-aws-user-management 1/4

OneLogin’s enhanced AWS integration ensures optimized workflow for infrastructure administrators

For the last few years, anyone working on the cloud (pretty much everyone) has to have been living under a rock to not have come across Amazon Web Services (AWS). And even folks who might choose other ways to host their cloud-based offerings often find themselves relying on the convenience of AWS for everything from file hosting to development systems.

Company growth = migration to cloud-hosted IaaS and IDaaS solutions

As a company expands and broadens its need for a global infrastructure, it quickly runs into the challenge of scaling the development and management of a growing environment of users and sites. More applications are required for multiple lines of business to help them be productive and efficient, and these teams need those new apps and related features yesterday. Not only must companies build out the tools, they must also roll them out quickly, seamlessly, and with security best practices in place. Attempting to manage this process in-house is not only time consuming and inefficient, but also error prone, opening up security vulnerabilities. After all, one of the most common threats is a single malicious user who can potentially take down a company’s entire environment! This is why organizations are turning to IaaS (Infrastructure as a Service) and IDaaS (Identity as a Service) - battle tested and proven.

Streamlining user management with SAML helps

Migration to the cloud is a given, but how does a business efficiently manage users across its environment during the migration and beyond? SAML is one of the best ways to automate user management once a company’s infrastructure has migrated. The SAML protocol allows organizations to eliminate the need for individual user passwords attached to each AWS account.

In most cases, SAML is a pretty straightforward conversation between an identity provider (IdP) and an application (“Hi. I’m your identity provider, I say this is Bob and I’ve got a signed assertion to prove it’s Bob.”).

When AWS gets a SAML assertion, it looks for two things - a user’s name for audit purposes and a signed assertion of what Role the user is allowed to access (“Here’s what Bob’s doing”).

Any old SAML provider can create an AWS authenticator that says “assert the user’s name and the one Role in AWS they can use.”

But what if the AWS users need access rights to dozens (or more!) Roles across many accounts? Traditionally, this means adding a new application in the IdP for each new Role that gets added to AWS and then assigning access rights to users over that new Role/Authenticator combo.


The end result is tons of applications for each user in their Identity Provider portal, each letting the user sign in with different permissions to their environment.

We’ve seen companies get creative, attempting to address this by manually coding a bunch of mapping rules to construct a custom, per-user attribute in their directories that represented the assertion of all the Roles AWS needed to give users appropriate access.

This partially solved the problem, but there was still an unaddressed challenge - there was no simple way to keep track of what any given user was actually getting in terms of role assignments and access, because these attributes were made up of raw Amazon Resource Names (ARNs), e.g.

arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials;arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access

OneLogin Multi-Role for AWS – with Entitlements! - gives you the power

At OneLogin we’d already enabled a powerful tool to manage permissions in other applications: Entitlements (a catch-all term we use for “something the user can access, like a group, a role, or a license”).

We’d also already built a really nice rules engine that could let folks define easy-to-understand rules for Entitlements like “Anyone named Bob can access the Bob group” or “Anyone in the Active Directory group Admins should be an Admin.”


We leveraged these same capabilities with AWS to offer a clean, elegant end-user and admin experience that offers the same back-end security we’ve delivered to other applications.

In a nutshell, we set up our AWS connector to retrieve all the possible Roles a user can have in AWS.

OneLogin then feeds those Roles into our rules engine, with the friendly names shown in the UI and the ARNs hidden in the back-end.

With all this in place, the OneLogin admin only needs to make a single AWS application.


They can then use the OneLogin rules engine to create simple, easy to understand rules like “Anyone in the Development Team should have the Edit AWS S3 Buckets Role”, each tied to the corresponding SAML ARN assertion.

More importantly, these Rules and Roles can be layered on top of each other so an AWS user will be presented with all the Roles the admin has granted them when logging in.
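The user-name-plus-Role assertion described earlier and the layered group-to-role rules of the last few paragraphs, as an added example that is not OneLogin's code: a small Python rules engine that turns a user's directory groups into friendly role entitlements (the readable audit view the raw ARN attributes lacked) and emits the SAML AttributeStatement AWS reads. The two attribute names are AWS's documented SAML attribute names; the ARNs, provider name, groups and rules are constructed sample values.

```python
import xml.etree.ElementTree as ET

# AWS's documented SAML attribute names (assumed from AWS docs; the post does not quote them).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed catalogue standing in for "all the possible Roles a user can have in AWS":
# friendly name (shown in the UI) -> (role ARN, IAM SAML provider ARN) hidden in the back-end.
PROVIDER = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"
CATALOGUE = {
    "Edit AWS S3 Buckets": (
        "arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access", PROVIDER),
    "Read-Only Auditor": ("arn:aws:iam::123456789012:role/audit/ReadOnly", PROVIDER),
}

# Rules in the post's shape: "Anyone in <group> should have the <friendly role>".
# They layer: a user receives every role whose rule matches one of their groups.
RULES = [
    ("Development Team", "Edit AWS S3 Buckets"),
    ("Security", "Read-Only Auditor"),
    ("Admins", "Edit AWS S3 Buckets"),
    ("Admins", "Read-Only Auditor"),
]


def entitlements(groups):
    """Friendly role names a user is granted, in rule order, without duplicates."""
    granted = []
    for group, role in RULES:
        if group in groups and role not in granted:
            granted.append(role)
    return granted


def role_attribute_values(groups):
    """One Role attribute value per granted role, in AWS's 'role-arn,provider-arn' form."""
    return [",".join(CATALOGUE[name]) for name in entitlements(groups)]


def attribute_statement(username, groups):
    """Build the SAML AttributeStatement AWS reads: the user's name plus all Role values.
    A user with no entitlements gets no assertion at all rather than an empty Role list."""
    values = role_attribute_values(groups)
    if not values:
        raise ValueError(f"{username} has no AWS entitlements; no assertion issued")
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    sess = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SESSION_ATTR)
    ET.SubElement(sess, f"{{{SAML_NS}}}AttributeValue").text = username
    role = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=ROLE_ATTR)
    for value in values:
        ET.SubElement(role, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")
```

Calling `entitlements(["Admins"])` gives the friendly-name audit view for one user, while `attribute_statement("bob", ["Admins"])` is what would be signed and sent to AWS.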

The end result is a powerful administrative engine providing a seamless experience for end users.

We’re very excited to introduce this feature and can’t wait to see how you use it in your organization!

If you’re an existing OneLogin customer, please check out our new documentation.

If not, check it out here and request a demo!

About the Author

Nathan is a Solution Architect at OneLogin focusing on partnerships with global systems integrators and softwarevendors. A Berkeley graduate and a New Yorker, he is also an avid fan of the New York Yankees.