Bring the cloud closer to you and your customers by using your existing identity stores to access AWS services. Manage access to all of your cloud services and on-premises applications centrally. Join this webinar to learn how the Ping Identity platform offers federated single sign-on (SSO) to quickly and securely manage authentication of partners and customers through seamless integration with AWS Identity and Access Management service. You will also hear from Ping Identity partner and Amazon Web Services Customer, Geezeo, who will share best practices based on their experience. What you'll learn: • How the Ping Identity platform can be deployed simply and securely in Amazon EC2 adjacent to your offerings • How any partner that can generate a SAML assertion can easily connect to AWS APIs while also continuing to manage its own customer identities • How Geezeo has benefited from the Ping Identity platform’s seamless integration capabilities Who should attend: • Security and Identity professionals, Solution or System Architects, System Administrators, Development Leads and other Technical IT Leaders

1. Get Closer to the Cloud with
Federated Single Sign-On

2. Welcome
Maya Cabassi
Partner Marketing Manager
Amazon Web Services

3. Webinar Overview
 Submit Your Questions using the Q&A tool.
 A copy of today’s presentation will be made available on:
 AWS SlideShare Channel@ http://www.slideshare.net/AmazonWebServices/
 AWS Webinar Channel on YouTube@ http://www.youtube.com/channel/UCT-
nPlVzJI-ccQXlxjSvJmw

4. Ben Brauer
Sn. Product Manager
Amazon Web Services
Introducing
Mark Diodati
Technical Dir. Office of the CTO
Ping Identity

5.  Overview of AWS Identity Access Management (IAM)
 How to deploy Ping Identity Federated Single Sign-
On in AWS
 Q&A
What We’ll Cover

6. IAM is about Access Control
• One of customers’ top considerations when moving to the cloud
CONTROL
• Why do we want control?
– Appropriate access to do appropriate actions
– I want to implement security best practices
– I want to be at least as secure as on premise
– I must comply with certain industry specific security regulations

7. IAM Concepts in AWS
• Create and Manage Users and Groups
• Security
– Multiple users, with individual permissions
– Individual security credentials (access keys, password, MFA)
– Secure by default
• Control
– Centralized control of user access
– Fine-grained permissions
– Control Users’ access to APIs and AWS Console
– Cross-account access
• Integrated
– No changes to service APIs
– Federated

8. Identity Management Concepts
IAM Users: administrators and
consumers of AWS services and
resources
Groups: a collection of IAM
users and policy that applies to
all the IAM users in the group
Examples
Bob can log into the AWS
Management Console to administer
his company’s account
IAM users in the developers group are
allowed to access EC2 instances
tagged with development, but are not
allowed to access instances tagged
with production
Managed Entities

9. Identity and Access Management
Who has access? What can they do?
IAM Users/Groups Access Policies
Authentication Authorization

10. What is Identity Federation?
Who has access?
AWS +
Partner Solutions
Within AWS
IAM Users
Identity Management
Solutions
External User
Authentication

11. Benefits of Identity Federation
• Eliminate managing duplicate user identities
• End users do not need yet another password to
remember
• Leverage your existing investment in identity
management solutions
• Re-use your internal identity management processes
(e.g., password length, rotation, etc…)

12. Identity Management Concepts in AWS
IAM Users: administrators and consumers
of AWS services and resources
Groups: a collection of IAM users and policy
that applies to all the IAM users in the group
IAM Roles: grants a trusted party
temporary access to your AWS account
Examples
Bob can log into the AWS Management
Console to administer his company’s
account
IAM users in the developers group are
allowed to access EC2 instances tagged
with development, but are not allowed
to access instances tagged with
production
Managed Entities
Grant access to an identity
provider to enable federated
users access to the AWS
Management Console.

13. Identity Federation Example
Log into the AWS console without a username and password!
Active Directory

14. AWS AND FEDERATION
Integrating AWS with External Identity Systems

15. 15
IaaS and PaaS need love, too
deployments
number of users

16. increased IAM needs
deployments users
more administrators
more end-user services
organizational confidence
more services

17. 17
say wha?
federation
is an interoperable technology
provides single sign-on across security
domains
uses security assertion markup language
(SAML)

18. 18
say wha?
federation identity provider (IDP)
authenticates users
gives users SSO (SAML) credentials
redirects users to federation SP

19. 19
say wha?
federation service provider (SP)
accepts user’s SAML credentials
creates user credentials for the local
application

20. 20
federation in action
hosted
on-premises
federation IDP
SaaS application
federation SP
SSO
(SAML)
LDAP

21. 21
use cases
1) AWS IAM as federation SP (new!)
accepts user’s SAML credentials
creates AWS user credentials for access to services
2) federation IDP runs in EC2 instance
authenticates users, gives SAML credentials
3) federation IDP runs in EC2 instance
accepts SAML credentials, creates local credentials

22. 22
federation: interfacing with AWS
default possible

23. 23
Good Ole Days
hosted
on-premises
custom code
storage of IAM user keys
storage of federated user keys
proprietary connectionAmazonAPI
LDAP
(mostly) non-web interaction

24. 24
1) AWS as federation SP
hosted
on-premises
commercial federation IDP
no storage of IAM user keys
no storage of federated user keys
security token service
resides in AWS
SSO
(SAML)
LDAP
(mostly) web interaction

25. 25
AWS federation SAML attributes
Name Description
SAML subject name “uid=tstark,ou=people,o=cloudidentity.com”
Role concatenation of two attributes
• Amazon Resource Name (ARN) of the AWS role with the
entitlements for the federated user
• ARN of the AWS role with entitlements for the identity
provider
“arn:aws:iam::012323142877:role/S3-Users,
arn:aws:iam::012323142877:saml-provider/PING-IDP”
Role Session Name Enables user-specific access policies for the federated user
“tstark”

26. 26
2) EC2 instance with federation IDP
hosted
on-premises
ec2
instance
IDP
application
authentication
partner

27. 27
3) EC2 instance with federation SP
hosted
on-premises
SP
(with
app)
federation IDP
ec2
instance

28. recommendations
• understand your AWS access requirements
– Non-web access may be a challenge using federation
technology
• don’t use the AWS (superuser) account for the IDP user
– Otherwise, privilege and catastrophe awaits you
• carefully scope the access rights for your roles
– IAM IDP user role
– federated user role
28

29. 29
sample integration
ec2
instance LDAP

30. A Look Ahead: Cloud Identity Summit
www.cloudidentitysummit.com
30
Jim Scharf: Identity
Management for the Cloud
Ben Brauer: Securing your
AWS Environment
Shon Shah: Delegating
Access to your AWS
Environment
Conor Cahill: Federating
Access to your AWS
Environment

31. What We’ll Cover
Contacts:
Ping Identity:
https://www.pingidentity.com/
AWS:
aws.amazon.com/contact-us

32. We appreciate your feedback on this
presentation.
Please take a moment for a quick survey.