Have you wondered how you can use your corporate directory for accessing AWS? Or how you can build an AWS-powered application accessible to the millions of users from social identity providers like Amazon, Google, or Facebook? If so, this session will give you the tools you need to get started. It will provide a variety of examples to make it easier for you to use other identity pools with AWS, as well as cover open standards like Security Assertion Markup Language (SAML). Anyone who deals with external identities won't want to miss this session.

9. Session
Access Key ID
Secret Access Key
Expiration
Session Token

13. Customer (Identity Provider) AWS Cloud (Relying Party)
AWS
Management
Console
Browser
interface
Corporate
directory
Federation
proxy
1Browse to URL
3
2
Redirect to
Console
10
Generate URL9
4 List RolesRequest
8
Assume Role Response
Temp Credentials
- Access Key ID
- Secret Access Key
- Session Token
7 AssumeRole Request
Create combo
box
6
Federation
proxy
• Uses a set of IAM user credentials to
make AssumeRoleRequest()
• IAM user permissions only need to be
able to call ListRoles & assume role
• Proxy needs to securely store these
credentials
5
List RolesResponse

16. Customer (Identity Provider) AWS Cloud (Relying Party)
AWS Resources
User
Application
Active
Directory
Federation Proxy
4
Get Federation
Token Request
3
2
Amazon S3
Bucket
with Objects
Amazon
DynamoDB
Amazon
EC2
Request
Session 1
Receive
Session6
5
Get Federation Token
Response
• Access Key
• Secret Key
• Session Token
APP
Federation
Proxy
• Uses a set of IAM user credentials to
make a GetFederationTokenRequest()
• IAM user permissions need to be the
union of all federated user permissions
• Proxy needs to securely store these
privileged credentials
Call AWS APIs7

20. Enterprise (Identity Provider) AWS (Service Provider)
AWS Sign-in
Browser
interface
Corporate
identity store
Identity provider
1User
browses to
Identity provider
2 Receives
AuthN response
5 Redirect client
AWS Management
Console
3
Post to Sign-In
Passing AuthN Response
4

26. AWS Cloud
US-EAST-1
EU-WEST-1
AP-SOUTHEAST-1
AWS Services
Amazon
DynamoDB
Amazon S3
Authenticate
User 1
6
7
IAM
EC2
Instances
Token
Verification
4
Web identity
Provider
3
5
Check
Policy
Id Token
2
Mobile App

29. us-east-1
App
Security Token Service
DynamoDB
OpenID Connect-
compliant
identity provider
2
4
Uses the temporary
credentials to access
AWS services
Redirect for
authentication and
receive an ID token
Exchange ID token for
Cognito token
3
End
User
1
Start using the app
Cognito
Exchange Cognito token
for temporary AWS
credentials
Developer’s AWS Account
5

34. http://bit.ly/1n1z1QL
http://amzn.to/11AFKtS
http://amzn.to/1vlBZ6N
http://bit.ly/10KUSoC
http://bit.ly/1rNzWCF
http://bit.ly/13vFehT
http://bit.ly/1p2Ip6M

35. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals