Bring the cloud closer to you and your customers by using your existing identity stores to access AWS services. Manage access to all of your cloud services and on-premises applications centrally. Join this webinar to learn how the Ping Identity platform offers federated single sign-on (SSO) to quickly and securely manage authentication of partners and customers through seamless integration with AWS Identity and Access Management service. You will also hear from Ping Identity partner and Amazon Web Services Customer, Geezeo, who will share best practices based on their experience.
What you'll learn:
• How the Ping Identity platform can be deployed simply and securely in Amazon EC2 adjacent to your offerings
• How any partner that can generate a SAML assertion can easily connect to AWS APIs while also continuing to manage its own customer identities
• How Geezeo has benefited from the Ping Identity platform’s seamless integration capabilities
Who should attend:
• Security and Identity professionals, Solution or System Architects, System Administrators, Development Leads and other Technical IT Leaders
3. Webinar Overview
Submit Your Questions using the Q&A tool.
A copy of today’s presentation will be made available on:
• AWS SlideShare Channel: http://www.slideshare.net/AmazonWebServices/
• AWS Webinar Channel on YouTube: http://www.youtube.com/channel/UCT-nPlVzJI-ccQXlxjSvJmw
4. Ben Brauer, Sr. Product Manager, Amazon Web Services
Introducing Mark Diodati, Technical Dir., Office of the CTO, Ping Identity
5. What We’ll Cover
• Overview of AWS Identity Access Management (IAM)
• How to deploy Ping Identity Federated Single Sign-On in AWS
• Q&A
6. IAM is about Access Control
• One of customers’ top considerations when moving to the cloud
CONTROL
• Why do we want control?
– Appropriate access to do appropriate actions
– I want to implement security best practices
– I want to be at least as secure as on premises
– I must comply with certain industry specific security regulations
7. IAM Concepts in AWS
• Create and Manage Users and Groups
• Security
– Multiple users, with individual permissions
– Individual security credentials (access keys, password, MFA)
– Secure by default
• Control
– Centralized control of user access
– Fine-grained permissions
– Control Users’ access to APIs and AWS Console
– Cross-account access
• Integrated
– No changes to service APIs
– Federated
8. Identity Management Concepts
Managed Entities
• IAM Users: administrators and consumers of AWS services and resources
• Groups: a collection of IAM users and policy that applies to all the IAM users in the group
Examples
• Bob can log into the AWS Management Console to administer his company’s account
• IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production
9. Identity and Access Management
• Who has access? IAM Users/Groups (Authentication)
• What can they do? Access Policies (Authorization)
10. What is Identity Federation?
Who has access?
• Within AWS: IAM Users
• AWS + Partner Solutions: Identity Management Solutions (external user authentication)
11. Benefits of Identity Federation
• Eliminate managing duplicate user identities
• End users do not need yet another password to remember
• Leverage your existing investment in identity management solutions
• Re-use your internal identity management processes (e.g., password length, rotation, etc.)
12. Identity Management Concepts in AWS
Managed Entities
• IAM Users: administrators and consumers of AWS services and resources
• Groups: a collection of IAM users and policy that applies to all the IAM users in the group
• IAM Roles: grants a trusted party temporary access to your AWS account
Examples
• Bob can log into the AWS Management Console to administer his company’s account
• IAM users in the developers group are allowed to access EC2 instances tagged with development, but are not allowed to access instances tagged with production
• Grant access to an identity provider to enable federated users access to the AWS Management Console
17. say wha? federation
• is an interoperable technology
• provides single sign-on across security domains
• uses Security Assertion Markup Language (SAML)
18. say wha? federation identity provider (IDP)
• authenticates users
• gives users SSO (SAML) credentials
• redirects users to federation SP
19. say wha? federation service provider (SP)
• accepts user’s SAML credentials
• creates user credentials for the local application
23. Good Ole Days
Diagram labels: hosted; on-premises
• custom code
• storage of IAM user keys
• storage of federated user keys
• proprietary connection to Amazon API
• LDAP
• (mostly) non-web interaction
24. 1) AWS as federation SP
Diagram labels: hosted; on-premises
• commercial federation IDP
• no storage of IAM user keys
• no storage of federated user keys
• security token service resides in AWS
• SSO (SAML)
• LDAP
• (mostly) web interaction
25. AWS federation SAML attributes
• SAML subject name: example “uid=tstark,ou=people,o=cloudidentity.com”
• Role: concatenation of two attributes
– Amazon Resource Name (ARN) of the AWS role with the entitlements for the federated user
– ARN of the AWS role with entitlements for the identity provider
Example: “arn:aws:iam::012323142877:role/S3-Users,arn:aws:iam::012323142877:saml-provider/PING-IDP”
• Role Session Name: enables user-specific access policies for the federated user; example “tstark”
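The Role and Role Session Name attributes on this slide are what the IDP has to place in the assertion for AWS to act as the federation SP. The following Python is an added example, not code from the webinar, Ping Identity or AWS: it parses a constructed SAML 2.0 assertion (unsigned, reusing the slide's placeholder account id, role and provider names) with the standard library, checks that the Role value is a well-formed role-ARN/provider-ARN pair from the same account in either order, validates the RoleSessionName, and assembles the parameters an STS AssumeRoleWithSAML call takes. The full attribute names https://aws.amazon.com/SAML/Attributes/Role and https://aws.amazon.com/SAML/Attributes/RoleSessionName are the ones AWS documents; the slide shows only their short names. Signature verification is out of scope here; the SP checks the signature before any attribute is trusted.

```python
"""Parse the AWS federation attributes out of a SAML 2.0 assertion.

Added example (not from the webinar deck). The sample assertion is
constructed: it is unsigned and reuses the slide's placeholder account
id, role and provider names.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names AWS expects from the identity provider.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Role ARN: 12-digit account, optional path, role name. The comma is left
# out of the name class because it separates the two ARNs in the attribute.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
# RoleSessionName: 2-64 characters from the set STS accepts.
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample assertion (unsigned, placeholder values).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>uid=tstark,ou=people,o=cloudidentity.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::012323142877:role/S3-Users,arn:aws:iam::012323142877:saml-provider/PING-IDP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>tstark</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(root, name):
    """Return the text of every AttributeValue under the named attribute."""
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            for val in attr.findall("saml:AttributeValue", SAML_NS):
                if val.text and val.text.strip():
                    values.append(val.text.strip())
    return values


def parse_role_pair(value):
    """Split one Role attribute value into (role ARN, provider ARN).

    AWS accepts the two ARNs in either order; both must be well formed and
    must belong to the same account.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role attribute must be 'role ARN,provider ARN'")
    role_arn = next((p for p in parts if ROLE_ARN_RE.match(p)), None)
    provider_arn = next((p for p in parts if PROVIDER_ARN_RE.match(p)), None)
    if role_arn is None or provider_arn is None:
        raise ValueError(f"malformed Role attribute value: {value!r}")
    role_acct = ROLE_ARN_RE.match(role_arn).group(1)
    provider_acct = PROVIDER_ARN_RE.match(provider_arn).group(1)
    if role_acct != provider_acct:
        raise ValueError("role and SAML provider must be in the same account")
    return role_arn, provider_arn


def assume_role_params(assertion_xml, role_arn_wanted=None):
    """Return the RoleArn / PrincipalArn / RoleSessionName an STS
    AssumeRoleWithSAML call takes (the caller adds the base64 SAMLAssertion).
    A user entitled to several roles must pick one explicitly."""
    root = ET.fromstring(assertion_xml)
    roles = [parse_role_pair(v) for v in attribute_values(root, ROLE_ATTR)]
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    sessions = attribute_values(root, SESSION_ATTR)
    if len(sessions) != 1 or not SESSION_NAME_RE.match(sessions[0]):
        raise ValueError("exactly one valid RoleSessionName is required")
    if role_arn_wanted is None:
        if len(roles) > 1:
            raise ValueError("several roles offered; pass role_arn_wanted")
        role_arn, provider_arn = roles[0]
    else:
        match = [r for r in roles if r[0] == role_arn_wanted]
        if not match:
            raise ValueError("requested role is not in the assertion")
        role_arn, provider_arn = match[0]
    return {"RoleArn": role_arn, "PrincipalArn": provider_arn,
            "RoleSessionName": sessions[0]}


if __name__ == "__main__":
    print(assume_role_params(SAMPLE_ASSERTION))
```

Running the block prints the three parameters for the sample user; an assertion that offers several Role values (one AttributeValue per role) is rejected unless the caller names the role it wants, which mirrors the role-selection step AWS puts in front of a multi-role user.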
28. recommendations
• understand your AWS access requirements
– Non-web access may be a challenge using federation technology
• don’t use the AWS (superuser) account for the IDP user
– Otherwise, privilege and catastrophe awaits you
• carefully scope the access rights for your roles
– IAM IDP user role
– federated user role
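As a check against the "carefully scope the access rights for your roles" point above, here is an added Python example (not from the deck, Ping Identity or AWS) that audits the trust policy of a SAML-federated role: a deliberately weak policy sits beside a scoped one, and trust_policy_findings() reports wildcard principals, actions beyond sts:AssumeRoleWithSAML, and a missing SAML:aud condition. The trust-policy shape (Principal.Federated set to the SAML provider ARN, Action sts:AssumeRoleWithSAML, StringEquals on SAML:aud) and the https://signin.aws.amazon.com/saml audience are the standard ones AWS documents for SAML federation; they are not on the slides. The account id, role and provider names are the slide's placeholders.

```python
"""Audit the trust policy of a SAML-federated IAM role.

Added example (not from the webinar deck). Both policies below are
constructed; the SAML provider ARN reuses the slide's placeholder
account id and provider name.
"""
import json

# Audience AWS sign-in expects in the assertion (standard AWS value,
# not on the slides).
CONSOLE_AUDIENCE = "https://signin.aws.amazon.com/saml"
PROVIDER_ARN = "arn:aws:iam::012323142877:saml-provider/PING-IDP"

# Weak trust policy (constructed): any principal may assume the role, no
# audience check, and plain AssumeRole is allowed alongside the SAML path.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sts:AssumeRole", "sts:AssumeRoleWithSAML"],
    }],
}

# Scoped trust policy (constructed): only assertions from the named SAML
# provider, only via AssumeRoleWithSAML, and only when the assertion was
# issued for the AWS sign-in audience.
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": CONSOLE_AUDIENCE}},
    }],
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_provider_arn=PROVIDER_ARN):
    """Return human-readable findings for each Allow statement; an empty
    list means the role can only be assumed through the expected SAML
    provider, with the expected audience, via AssumeRoleWithSAML."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"statement {idx}"
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            values = [v for vals in principal.values() for v in _as_list(vals)]
            federated = _as_list(principal.get("Federated"))
        else:
            values = _as_list(principal)
            federated = []
        if "*" in values:
            findings.append(f"{where}: Principal is a wildcard; restrict it to the SAML provider ARN")
        elif federated != [expected_provider_arn]:
            findings.append(f"{where}: Principal.Federated is not exactly {expected_provider_arn}")
        extra = [a for a in _as_list(stmt.get("Action")) if a != "sts:AssumeRoleWithSAML"]
        if extra:
            findings.append(f"{where}: unexpected actions {extra}; a SAML role needs only sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != CONSOLE_AUDIENCE:
            findings.append(f"{where}: missing condition StringEquals SAML:aud == {CONSOLE_AUDIENCE}")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        print(label, json.dumps(trust_policy_findings(policy), indent=2))
```

The same function can be pointed at the trust policy returned by the IAM API for each federated role, which turns the slide's recommendation into a repeatable check rather than a one-time review.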
30. A Look Ahead: Cloud Identity Summit
www.cloudidentitysummit.com
• Jim Scharf: Identity Management for the Cloud
• Ben Brauer: Securing your AWS Environment
• Shon Shah: Delegating Access to your AWS Environment
• Conor Cahill: Federating Access to your AWS Environment