* Presentation video: https://youtu.be/DJlt1v4Gya8
With AWS Single Sign-On (SSO) you can centrally manage access to multiple AWS accounts and business applications, and give users single sign-on access to all of their assigned accounts and applications from one place.
11.
Set up the AWS Organization
• Enable AWS SSO
Set up AWS Directory Service
• Option 1: AWS Managed AD
• Option 2: AD Connector
• Option 3: AWS Managed AD
Configure custom permissions
• Customize by job-function role
• Customize the attached IAM policies
Grant permissions to users
• Search AD groups
• Pair them with the defined roles
• Enable for an account or a set of accounts in the organization
Test authentication and authorization
• Go to the AWS SSO user portal
• Access the AWS console
• Test alongside the existing federation configuration or direct IAM authentication
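The "configure custom permissions" and "grant permissions to users" steps above, written against the AWS SSO Admin and Identity Store APIs with boto3; this is an added example, not code from the presentation. It assumes API clients are passed in (so the logic can be exercised offline with stubs), and the group name `CloudViewers`, the account id, and the region-pinning inline policy are constructed placeholders.

```python
"""Create a job-function permission set, find the AD group, and assign it to
accounts. API clients are injected so the logic runs offline against stubs."""
import json

# Constructed inline policy (assumption, not from the deck): deny everything outside one region.
REGION_PIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*",
    "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion": "ap-northeast-2"}}}]}

def build_permission_set(sso_admin, instance_arn, name, managed_policy_arn,
                         inline_policy=None, session_duration="PT1H"):
    """Create the permission set, attach the managed policy and optional inline policy; SessionDuration (ISO 8601) bounds the session."""
    resp = sso_admin.create_permission_set(
        InstanceArn=instance_arn, Name=name, Description=f"Job function: {name}",
        SessionDuration=session_duration)
    ps_arn = resp["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=managed_policy_arn)
    if inline_policy is not None:
        sso_admin.put_inline_policy_to_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn, InlinePolicy=json.dumps(inline_policy))
    return ps_arn

def find_group_id(identitystore, identity_store_id, display_name):
    """Resolve the AD group by display name; fail closed unless exactly one matches."""
    resp = identitystore.list_groups(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "DisplayName", "AttributeValue": display_name}])
    groups = resp.get("Groups", [])
    if len(groups) != 1:
        raise LookupError(f"expected one group named {display_name!r}, found {len(groups)}")
    return groups[0]["GroupId"]

def assign_group_to_accounts(sso_admin, instance_arn, ps_arn, group_id, account_ids):
    """Pair the group with the permission set on each target account; returns per-account status."""
    statuses = {}
    for account_id in account_ids:
        resp = sso_admin.create_account_assignment(
            InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
        statuses[account_id] = resp["AccountAssignmentCreationStatus"]["Status"]
    return statuses

if __name__ == "__main__":  # live run: needs boto3 and credentials with SSO admin rights
    import boto3
    sso, ids = boto3.client("sso-admin"), boto3.client("identitystore")
    inst = sso.list_instances()["Instances"][0]
    ps = build_permission_set(sso, inst["InstanceArn"], "ViewOnly",
                              "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess", REGION_PIN)
    gid = find_group_id(ids, inst["IdentityStoreId"], "CloudViewers")  # placeholder AD group name
    print(assign_group_to_accounts(sso, inst["InstanceArn"], ps, gid, ["111111111111"]))  # placeholder account
```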
12.
[Diagram: Active Directory and its Groups in the corporate data center; AWS Single Sign-On in the AWS Cloud; the AWS SSO user portal; flow labels SAML, AuthN, AuthZ and Access]
13.
• Connect the on-premises AD using AWS Directory Service
• Map AD groups to the defined permissions
• Grant access to each AWS account, OU, or the entire organization
[Diagram: Active Directory Groups in the corporate data center connect through AWS Directory Service (AD Connector, Microsoft AD or Simple AD) to AWS Single Sign-On in the Master Account in the AWS Cloud; Entitlements and Assignments are applied across AWS Organizations]
14.
[Diagram: same topology as slide 13, with the AWS SSO user portal performing AuthN and AuthZ over SAML against Active Directory via AWS Directory Service, and Entitlements, Configuration, Assignments and Access flowing between AWS Single Sign-On and AWS Organizations]
15.
[Diagram: an external Identity Provider (Azure AD or other 3P Providers) connected to AWS Single Sign-On in the Master Account through a SAML Trust, with Groups provisioned over SCIM; the AWS SSO user portal performs AuthN and AuthZ, and Entitlements, Configuration, Assignments and Access apply across AWS Organizations]
16.
[Diagram: AWS Single Sign-On in the AWS Cloud providing access to Apps]
17.
[Diagram: Active Directory Groups in the corporate data center, connected via AWS Directory Service, authenticate (AuthN) and are authorized (AuthZ) through the AWS SSO user portal; AWS Single Sign-On applies Entitlements, Configuration, Assignments and Access to Apps]
18.
| Feature | AWS SSO | AWS Managed Microsoft AD | AD Connector | SAML 2.0 w/ manual provisioning | SAML 2.0 w/ SCIM provisioning |
|---|---|---|---|---|---|
| Create user/group | O | X | X | Provisioning only | X |
| Remove user/group | O (Delete user) | X | X | Provisioning only | Provisioning only |
| Reset user passwords | O | N/A | N/A | Identity Provider | Identity Provider |
| Where to configure MFA | AWS SSO | AWS SSO or AWS Managed AD | AWS SSO or AD Connector | Identity Provider | Identity Provider |
| Provisioning | AWS SSO Console | Just In Time | Just In Time | AWS SSO Console | Identity Provider |
| Switch to AD | Deletes users, groups, entitlements | Deletes users, groups, entitlements | Deletes users, groups, entitlements | Deletes users, groups, entitlements | Deletes users, groups, entitlements |
| Switch to IdP | Preserves entitlements for matching users | Deletes users, groups, entitlements | Deletes users, groups, entitlements | Preserves entitlements for matching users | Preserves entitlements for matching users |
| Switch to AWS SSO | N/A | Deletes users, groups, entitlements | Deletes users, groups, entitlements | Preserves entitlements, password reset? | Preserves entitlements, password reset? |
| Session duration | AWS SSO permission set session duration | AWS SSO permission set session duration | AWS SSO permission set session duration | Lesser of IdP session or AWS SSO permission set session duration | Lesser of IdP session or AWS SSO permission set session duration |
19.
• https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html