AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. Using SAML, you can configure your AWS accounts to integrate with your identity provider (IdP). Your federated users are then authenticated and authorized by your organization's IdP, and they can use single sign-on (SSO) to access AWS.
In this workshop, you choose your own path through the exercises to direct yourself to the technologies and use cases that matter to you. We start by guiding you through deploying an IdP and configuring SAML federation for AWS, including federated CLI access. We will then continue to walk you through a number of advanced SAML use cases, including how to:
Write S3 bucket policies for specific federated users.
Use SAML attributes to enforce additional authorization requirements.
Automate federation configurations across a large number of AWS accounts.
Implement other advanced SAML use cases for AWS.
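An added example for the first advanced use case above, a bucket policy for one specific federated user (this is illustrative code, not part of the workshop materials). A session obtained through AssumeRoleWithSAML carries an `aws:userid` of the form `<role unique ID>:<RoleSessionName from the assertion>`, so a bucket policy can key on it. The role ARN, role ID, bucket and session names are constructed placeholders, and `evaluate` is a deliberately simplified model of IAM's resource-policy logic, not the real engine.

```python
import fnmatch

def federated_userid(role_unique_id: str, session_name: str) -> str:
    # aws:userid of a session from AssumeRoleWithSAML: the role's unique ID
    # (AROA...) joined with the RoleSessionName attribute from the assertion.
    return f"{role_unique_id}:{session_name}"

def bucket_policy_for_session(bucket, role_arn, role_unique_id, session_name):
    """Let the SAML role read the bucket, but only in one named session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OneFederatedUser",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {
                "aws:userid": federated_userid(role_unique_id, session_name)}},
        }],
    }

def evaluate(policy: dict, ctx: dict, action: str, resource: str) -> bool:
    """Simplified resource-policy check: explicit Deny wins, else any matching
    Allow grants. ctx holds the caller's role ARN and aws:userid (simulated)."""
    allowed = False
    for stmt in policy["Statement"]:
        if ctx["role_arn"] != stmt["Principal"]["AWS"]:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {})
        if any(ctx.get(k, "") != v for k, v in conds.get("StringEquals", {}).items()):
            continue
        if any(not fnmatch.fnmatchcase(ctx.get(k, ""), v)
               for k, v in conds.get("StringLike", {}).items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed sample values, not real identifiers.
ROLE_ARN = "arn:aws:iam::123456789012:role/SAMLReader"
POLICY = bucket_policy_for_session("team-reports", ROLE_ARN,
                                   "AROAEXAMPLEROLEID", "alice@example.com")
```

Two users federating into the same role get different `aws:userid` values, which is what lets a single role serve many users while the bucket policy still isolates one of them.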
2. What to expect from the session
SAML for AWS: State of the Union
• Federation rationale
• Prior art & remaining challenges
Collaborative hands-on exercise
• Foundational → advanced
• Non-linear progression
Ask the AWS Federation Ninjas
• Your own challenges
• Your feedback & ideas
5. Prior art
Generally “known science”*:
• Basic federation with <insert your favorite identity provider here>
• SSO experience for AWS Management Console users.
• Federated access for AWS CLI/API.
*Compiled list within session materials
6. Remaining challenges
Option overload:
• Many accounts: direct federation or hub/spoke?
• Role mapping: groups, attributes, or a combination?
Solutions not yet widely published:
• Attribute-driven authorizations.
• Strong authentication techniques.
• Resource permissions for federated users.
8. Collaborative hands-on exercise
Choose your own SAML adventure!
Initial path: open source or Microsoft?
1st hour: build initial federation setup
2nd hour: your choice of advanced use cases
9. Exercise architecture
[Architecture diagram: an instance with an EIP hosting the SAML IdP and user directory, federating into AWS; advanced use-case branches labelled "Amazon S3 permissions", "Many AWS accounts", "Custom durations" and "MFA for SAML".]
Note: The IdP architecture represented here has been simplified to focus on the learning objectives. Not appropriate for production use.
10. Time for teamwork!
Pair up (strangers only): open source → stage left; Microsoft → stage right.
Find match: 8 ≤ Total ≤ 12
11. Ask the Experts
• Your opportunity to tap into the collective federation knowledge of the Amazonians in the room.
• Runs parallel to the hands-on exercise.
• Submissions via email (details on following slide):
  • Your name.
  • Your question/topic/feature request.
  • Your table number.
• We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked here as possible.
12. Lab materials
Let’s get started: http://bit.ly/2dBXMUq
Ask the Experts: federationworkshopreinvent2016@amazon.com (include: name, table, question)
13. Review and recap
• This slide is a placeholder.
• We will take 2-3 of the “Ask the Experts” submissions:
  • Build a slide in the room for each
  • Summarize the question
  • Provide our perspective on how best to tackle it
  • 2-3 minutes max per question
14. Reference materials
• AWS Docs: About SAML 2.0-based Federation
• AWS Docs: Configuring SAML Assertions
• AWS Docs: Integrating 3rd Party SAML Providers
• AWS Security Blog: SAML API/CLI Solution
• AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough
• AWS Security Blog: ADFS How to
• AWS Security Blog: ADFS Multi-Account How to
• AWS Security Blog: AWS CloudTrail for Federated Users