AWS offers customers multiple solutions for federating identities on the AWS Cloud. In this session, we will embark on a tour of these solutions and the use cases they support. Along the way, we will dive deep with demonstrations and best practices to help you be successful managing identities on the AWS Cloud. We will cover how and when to use Security Assertion Markup Language 2.0 (SAML), OpenID Connect (OIDC), and other AWS native federation mechanisms. You will learn how these solutions enable federated access to the AWS Management Console, APIs, and CLI, AWS Infrastructure and Managed Services, your web and mobile applications running on the AWS Cloud, and much more.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Soup to Nuts: Identity Federation for AWS
Quint Van Deman,
Global Business Development Manager,
AWS Identity & Directory Services

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Build consistent vernacular
& mental model
Tour the major federation
bridges across AWS
Fun & lively session with
demos
Links to key content &
patterns
What to expect
(C) Copyright Jean-Remy Duboc and licensed for reuse under
the Creative Commons Attribution-Generic2.0 License
By Adam.J.W.C. (Own work) [CC BY 3.0
(http://creativecommons.org/licenses/by/3.0], via
Wikimedia Commons

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Building a consistent vernacular & mental model

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
What do we mean when we say
“federation”?

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Identity consumersIdentity providers
Definition (for today)
Stores
identities
Authentication Authorization
(Coarse)
Authorization
(Fine)
Trust
Stores
references
Protocols
No Sync

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Rationale
Users Security Compliance
Before
After
Unique credentials
1:Many reuse
Credentials everywhere
Centrally managed
Bespoke
Unified
Result

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Understanding planes of access
EC2
Control plane – AWS API
(e.g. ec2:StartInstance)
Data plane – VPC connection
(e.g. SSH, RDP)
Different:
• Paths
• Credentials
• Protocols

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Understanding planes of access
DynamoDB
Control plane – AWS API
(e.g. dynamodb:CreateTable)
Data plane – AWS API
(e.g. dynamodb:GetItem)
Same:
• Path
• Credential
• Protocol

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Mental Model
Evaluation SelectionUse cases Blueprints

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Bridge #1: Security Markup Assertion Language (SAML)

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SAML Primer
Service provider
(SP)
Metadata (in advance)
Assertion
Identity provider
(IdP)
AuthN &
AuthZ
User

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SAML
Internal
AD
SAML IdP
Cognito Apps APIs
Console API CLI Data plane APIs
SAML Federation

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SAML Federation
Demonstrations

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SAML demo review
Amazon S3
permissions
Many AWS accounts
Custom
durations
MFA for
SAML
http://bit.ly/2dBXMUq
SAML federation for the
AWS Management Console,
APIs, and CLI
Self-paced
workshop materials
(all this & much more)

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SAML demo review
SAML federation for an Amazon Cognito
enabled web app & custom API (using API Gateway)
Cognito documentation
(includes sample code)
http://amzn.to/2wSH4IC
CloudFront S3 SPA
Cognito
Cognito
SAML IdP Assertion
Tokens API Gateway
(Chalice)

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
SAML Federation
SAML
Internal
AD
SAML IdP
Cognito Apps APIs
Console API CLI Data plane APIs
Redshift Aurora MySQL
QuickSight AppStream
SaaS Apps (Outside AWS)

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Bridge #2: Open ID Connect (OIDC)

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
OIDC Primer
Relying Party
(RP)
Metadata & Registration (in advance)
Tokens
OpenID provider
(OP)
User
AuthN &
AuthZ

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
OIDC Federation
SAML
OIDC
OIDCExternal
Internal
AD
OIDC OP
SAML IdP
Cognito Apps APIs
Redshift Aurora MySQL
QuickSight AppStream
Apps
Data plane APIs
SaaS Apps (Outside AWS)
Console API CLI

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
OIDC Federation
Demonstrations

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
OIDC demo review
OIDC federation for an Amazon Cognito
enabled web app & custom API (using API Gateway)
Cognito documentation
(includes sample code)
CloudFront S3 SPA
Cognito
Cognito
OP
Tokens API Gateway
(Chalice)
Tokens http://amzn.to/2wSH4IC

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
OIDC demo review
OIDC federation for an Amazon Cognito
enabled backend app & external API
Cognito documentation
Cognito Tokens
SSM Param Store
External API
http://amzn.to/2grl7NV

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Bridge #3: Active Directory Trust with Kerberos

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AD Trust/Kerberos Primer
On premises
Active Directory
Domain Controller
AWS Directory Service
For Microsoft Active Directory
(Enterprise Edition)
Kerberos enabled
resource
AD Forest Trust Domain Join
User Group
Add group membership

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AD Trust
SAML
OIDC
OIDC
AD Trust
External
Internal
AD
OIDC OP
SAML IdP
Cognito Apps APIs
Redshift Aurora MySQL
QuickSight AppStream
Apps
Data plane APIs
Windows/EC2
Workspaces
SQL Server
WorkDocs WorkMail
SaaS Apps (Outside AWS)
Console API CLI

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AD Trust details for Windows/EC2
Use on premises AD identities for
authentication & authorization in
Windows/EC2
Directory Service documentation
On premises
Active Directory
Domain Controller
AWS Directory Service
For Microsoft Active Directory
(Enterprise Edition)
Domain joined
Windows EC2
instance
AD Forest Trust Domain Join
User
Group
Add group membership
http://amzn.to/2ysq4Ns

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD Trust details for Workspaces
Use on premises AD identities to
provision and access workspaces
Workspaces documentation
On premises
Active Directory
Domain Controller
AWS Directory Service
For Microsoft Active Directory
(Enterprise Edition)
AD Forest Trust
User Admin
Search &
Provision
Domain Join
Login
(AuthN & AuthZ)
http://amzn.to/2x6IcZB

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Bridge #4: AWS Cross Account (XA) Trust

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
AWS XA Trust Primer
Target AWS Account
IAM Role
Permission Policy:
Controls access to
AWS services & resources
Trust Policy:
Specifies the Principals who
can assume the role, and a
shared secret (external id)
Source AWS Account
IAM Role
IAM User
Permission Policy:
Allows sts:AssumeRole
to remote role (in
target)
sts:AssumeRole
Short-term credential
Invoke AWS APIs
Access Mgmt Console
( You ) ( External Entity )( or vice versa )
Note: AWS XA Trusts also support many other use cases

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Cross Account
Cross
Account
Trust
Cognito Apps APIs
Redshift Aurora MySQL
QuickSight AppStream
Data plane APIs
Windows/EC2
Workspaces
SQL Server
WorkDocs WorkMail
SaaS Apps (Outside AWS)
Console API CLI
External
Apps AWS Cred

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Cross account trust details
Use AWS credentials from one account
to federate into another account
IAM documentation
aws sts assume-role --role-arn arn:aws:iam::012345678912:role/RoleName
--role-session-name use_traceable_name --external-id mysharedsecret
{
"AssumedRoleUser": {
"AssumedRoleId": "XXXXXXXXXXXXXXXXXXXXX:use_traceable_name",
"Arn": “<roleARN>/use_traceable_name"
},
"Credentials": {
"SecretAccessKey": "ssssssssssssssssssssssssssssssssssssssss",
"SessionToken": "ttttttttttttttttttttttttttttttttttttttttttt",
"Expiration": "2017-10-19T00:01:38Z",
"AccessKeyId": "aaaaaaaaaaaaaaaaaaaaaaa"
}
}
http://amzn.to/2zzwE2n

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Bridge #5: Custom Federation Broker

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Custom Federation Broker Primer
Broker
Credential
User
Entitlements &
Policies
sts:AssumeRole (or)
sts:GetFederationToken
Scoping policy
Short-term credential
authN & authZ
Note: Mostly a legacy mechanism

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Custom Broker
Cross
Account
Trust
Custom
Cognito Apps APIs
Redshift Aurora MySQL
QuickSight AppStream
Data plane APIs
Windows/EC2
Workspaces
SQL Server
WorkDocs WorkMail
SaaS Apps (Outside AWS)
Console API CLI
External
Apps
BrokerCredential
AWS Cred

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Wrap Up

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Summary
SAML
OIDC
AD Trust
XA Trust
Custom
Many bridges, for different:
• Planes of access
• Protocols
• Source credentials
Remember our mental model:

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Remaining whitespace
CC0 Public Domain - Free for commercial use
http://maxpixel.freegreatpicture.com/Shadow-White-Space-Renovate-Blank-Renovated-Light-763247

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Other helpful links
• SAML:
• Amazon Redshift - http://amzn.to/2yxWX98
• Amazon RDS MySQL & Amazon Aurora - http://amzn.to/2gjBDvP
• Amazon AppStream 2.0 - http://amzn.to/2gkU17q
• Amazon Quicksight - http://amzn.to/2xPfyf3
• OIDC:
• Amazon Cognito Federated Identities - http://amzn.to/2gl3yvp
• sts:AssumeRoleWithWebIdentity - http://amzn.to/2yTcOCr
• AD Trust:
• Amazon RDS SQL Server - http://amzn.to/2glehop
• WorkDocs - http://amzn.to/2x6CNBz
• WorkMail - http://amzn.to/2kZFxyZ
• AWS IAM Cross account trust - http://amzn.to/2kZvRon
• Custom federation broker - http://amzn.to/2yyqzov
• Chalice (Python serverless framework for AWS) - https://github.com/aws/chalice

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS