Bring Your Own Identities – Federating Access to Your AWS
Environment
Zaher Dannawi
Senior Product Manager
Identity and Access Management
Agenda
• What is delegation?
• What are the scenarios?
• How does it work?
• Q&A
What is federation?
• Delegation
– Provide users in other AWS accounts access to resources in your AWS account
• Federation
– Provide users in other identity stores access to resources in your AWS account
Common Use Cases
Delegate to other AWS accounts
• To your team member
• To another team
• To third party software
• To an AWS service
• To an EC2 instance
Federate with other identity stores
• Users in your corporate directory
– e.g. Active Directory, Google
• Users authenticated by a web identity provider
– e.g. Login With Amazon, Facebook
Sessions 101
• Allow temporary access to your AWS account
• Are generated by the AWS Security Token Service (STS)
• Include temporary security credentials that are used to make API calls to AWS services
Requesting a Session
Start by requesting a session from AWS STS
What’s in a Session?
[Diagram: a Session, i.e. a set of Temporary Security Credentials, made up of]
• Access Key Id
• Secret Access Key
• Expiration
• Session Token
Use the keys to sign AWS service API requests
Use the token as an additional parameter for every API request
Multiple Ways to Get Sessions
• Self-sessions (GetSessionToken)
• Federated sessions (GetFederationToken)
• Assumed-role sessions
– AssumeRole
– AssumeRoleWithSAML
– AssumeRoleWithWebIdentity
Sessions Expire
Expiration varies based on token type [Min / Max / Default]
• Self (Account) [15 min / 60 min / 60 min]
• Self (IAM User) [15 min / 36 hrs / 12 hrs]
• Federated [15 min / 36 hrs / 12 hrs]
• Assumed-role [15 min / 60 min / 60 min]
Use caching to improve your application performance
New in July 2016: Federated console duration now 12 hours
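The caching advice above, as an added example that is not from the deck: a small cache that refreshes a session before its Expiration, plus a helper that checks a requested DurationSeconds against the Min/Max table on this slide. The STS call is injected as `fetch` so the block runs offline, and the session-type keys are labels chosen here, not AWS identifiers.

```python
"""Session cache with a refresh margin (added example, not from the slides).

Keeps STS session credentials keyed by a caller-chosen name and refreshes a
session shortly before its Expiration, so no API call goes out with a token
that is about to expire. The fetcher is injected so the cache works offline;
in a real client it would wrap assume_role / get_federation_token.
"""
import datetime as dt

# (Min, Max, Default) session lifetimes in seconds, from the "Sessions Expire"
# slide. The keys are labels used only in this example.
SESSION_LIMITS = {
    "self_account": (15 * 60, 60 * 60, 60 * 60),
    "self_iam_user": (15 * 60, 36 * 3600, 12 * 3600),
    "federated": (15 * 60, 36 * 3600, 12 * 3600),
    "assumed_role": (15 * 60, 60 * 60, 60 * 60),
}


def clamp_duration(session_type, requested=None):
    """Return a DurationSeconds value STS would accept for this session type.

    None selects the default. Out-of-range requests are rejected rather than
    silently clamped: a rejected call is easier to debug than a session that
    lives longer or shorter than the operator intended.
    """
    low, high, default = SESSION_LIMITS[session_type]
    if requested is None:
        return default
    if not low <= requested <= high:
        raise ValueError(
            f"{session_type}: duration {requested}s outside [{low}, {high}]")
    return requested


class SessionCache:
    """Caches temporary credentials and refreshes them before they expire."""

    def __init__(self, fetch, margin=dt.timedelta(minutes=5), now=None):
        # fetch(key) -> dict with AccessKeyId, SecretAccessKey, SessionToken
        # and Expiration (timezone-aware datetime), mirroring STS Credentials.
        self._fetch = fetch
        self._margin = margin
        self._now = now or (lambda: dt.datetime.now(dt.timezone.utc))
        self._store = {}
        self.fetches = 0  # how many times the cache had to go to STS

    def _usable(self, creds):
        # A session is reused only while more than `margin` of life remains.
        return creds["Expiration"] - self._now() > self._margin

    def get(self, key):
        creds = self._store.get(key)
        if creds is None or not self._usable(creds):
            creds = self._fetch(key)
            self._store[key] = creds
            self.fetches += 1
        return creds
```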
DEMO #1 - AWS Console Single Sign-on
[Demo diagram: Active Directory, Federation]
Log into the console without a user name and password!
Wait… what just happened?
1. Logged into my Windows instance with AD credentials
2. Hit an intranet website
3. Chose the “role” I wanted to play in AWS
4. Auto-magically signed in to the console
AWS Console Federation Walkthrough (AssumeRole)
[Diagram: Customer (IdP) side with the corporate directory, the browser interface and the federation proxy; AWS Cloud (Relying Party) side with the AWS Management Console. Numbered steps: 1 Browse to URL; 2 and 3 (unlabelled, between browser, proxy and corporate directory); 4 ListRoles request; 5 ListRoles response; 6 Create combo box; 7 AssumeRole request; 8 AssumeRole response with temp credentials (Access Key, Secret Key, Session Token); 9 Generate URL; 10 Redirect to console]
Federation proxy
• Uses a set of IAM user credentials to make AssumeRoleRequest()
• IAM user permissions only need to be able to call ListRoles & assume role
• Proxy needs to securely store these credentials
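Steps 8 to 10 of the proxy (turning the AssumeRole credentials into a console sign-in URL), as an added example rather than the code behind the demo. It assumes the AWS federation endpoint https://signin.aws.amazon.com/federation with its getSigninToken and login actions, which the slide does not name; the HTTP call is injected so the block runs offline.

```python
"""Federation proxy, steps 8-10: AssumeRole credentials -> console URL.

Added example. Assumes the AWS federation endpoint (not named on the slide):
the proxy calls Action=getSigninToken with the temporary credentials,
receives a SigninToken, then redirects the browser to Action=login.
"""
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def signin_token_request(creds, session_duration=None):
    """Build the getSigninToken URL from an AssumeRole Credentials dict.

    Only the three temporary credential fields are sent; the proxy's own
    long-lived IAM user keys never leave the proxy.
    """
    session = {
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    }
    params = {"Action": "getSigninToken", "Session": json.dumps(session)}
    if session_duration is not None:
        # Console session length in seconds; omitted -> the default applies.
        params["SessionDuration"] = str(session_duration)
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def console_login_url(signin_token, issuer,
                      destination="https://console.aws.amazon.com/"):
    """Build the step-10 redirect. Issuer is the proxy page the console
    sends the user back to when the session expires."""
    params = {
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    }
    return FEDERATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def federate(creds, issuer, http_get):
    """Run steps 9-10. http_get(url) returns the getSigninToken response body."""
    body = http_get(signin_token_request(creds))
    token = json.loads(body)["SigninToken"]
    return console_login_url(token, issuer)
```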
Console Federation using SAML (AssumeRoleWithSAML)
[Diagram: Enterprise (Identity Provider) side with the corporate identity store, the identity provider and the browser interface; AWS (Service Provider) side with AWS Sign-in and the AWS Management Console. Numbered steps: 1 User browses to identity provider; 2 Receives AuthN response; 3 Post to Sign-In passing AuthN response; 4 (unlabelled, at AWS Sign-in); 5 Redirect client to the AWS Management Console]
AWS API Federation Walkthrough (GetFederationToken)
[Diagram: Customer (Identity Provider) side with the user, the application, Active Directory and the federation proxy; AWS Cloud (Relying Party) side with AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2). Numbered steps: 1 Request session; 2 and 3 (unlabelled, between application, Active Directory and proxy); 4 GetFederationToken request; 5 GetFederationToken response (Access Key, Secret Key, Session Token); 6 Receive session; 7 Call AWS APIs]
Federation proxy
• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials
Partners
Web Identity Federation (AssumeRoleWithWebIdentity)
[Diagram: a mobile app and a web identity provider outside AWS; AWS Cloud with regions US-EAST-1, EU-WEST-1 and AP-SOUTHEAST-1, IAM, EC2 instances and AWS services (Amazon DynamoDB, S3). Numbered steps: 1 Authenticate user; 2 Id token; 3 (unlabelled); 4 Token verification; 5 Check policy; 6 and 7 (unlabelled)]
Amazon Cognito: user sign-in and sign-up for mobile/web apps via social authentication, SAML, custom identities.
Summary
• Proxy-based Federation – GetFederationToken and AssumeRole
• SAML-based Federation – AssumeRoleWithSAML
– ADFS
– Shibboleth
• Web Identity Federation – AssumeRoleWithWebIdentity
– Login with Amazon, Facebook, Google
– Amazon Cognito
DEMO #2 – Federated Access to AWS CLI
[Demo diagram: Active Directory, Federation]
What just happened?
1. Logged into my Windows desktop
2. Opened terminal
3. Utility obtained temporary security credentials
4. Accessed AWS services via CLI
What just happened? – Code Snippets
# Use the assertion to get an AWS STS token using Assume Role with SAML
# (region, role_arn, principal_arn and the base64 SAML assertion are set earlier)
import boto.sts

conn = boto.sts.connect_to_region(region)
token = conn.assume_role_with_saml(role_arn, principal_arn, assertion)
What’s Happening: Call the standard AWS STS service to request AWS temporary security credentials
import requests
from requests_ntlm import HttpNtlmAuth

# Initiate session handler
session = requests.Session()

# Programmatically get the SAML assertion
# Set up the NTLM authentication handler by using the provided credential
session.auth = HttpNtlmAuth(username, password, session)

# Opens the initial AD FS URL and follows all of the HTTP 302 redirects
response = session.get(idpentryurl, verify=sslverification)

# Debug the response if needed
#print (response.text)
What’s Happening: Assemble the authentication information (username, password) and formulate the https request to the IdP
import base64
import xml.etree.ElementTree as ET

# Parse the returned assertion and extract the authorized roles
awsroles = []
root = ET.fromstring(base64.b64decode(assertion))
for saml2attribute in root.iter('{urn:oasis:names:tc:SAML:2.0:assertion}Attribute'):
    if (saml2attribute.get('Name') == 'https://aws.amazon.com/SAML/Attributes/Role'):
        for saml2attributevalue in saml2attribute.iter('{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue'):
            awsroles.append(saml2attributevalue.text)
What’s Happening: Iterate through the IdP response tags until it finds one named SAMLResponse.
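The role-extraction loop above, generalised as an added example that is not from the deck: it accepts the Role attribute values with the role and saml-provider ARNs in either order, rejects values whose two ARNs come from different accounts, and also picks up RoleSessionName. The assertion embedded at the bottom is constructed for the example.

```python
"""Parse the AWS role attribute out of a SAML assertion (added example).

Generalises the slide's loop: decodes the base64 assertion, collects every
value of https://aws.amazon.com/SAML/Attributes/Role, splits each into
(role_arn, principal_arn) regardless of the order the IdP emitted, and also
returns RoleSessionName. Malformed values are rejected before anything is
handed to AssumeRoleWithSAML.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"


def _attribute_values(root, name):
    """Yield the stripped text of every AttributeValue under Attribute[@Name=name]."""
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") == name:
            for value in attr.iter(SAML_NS + "AttributeValue"):
                if value.text:
                    yield value.text.strip()


def split_role_value(value):
    """Return (role_arn, principal_arn) from 'arn,arn' given in either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"role attribute needs exactly two ARNs: {value!r}")
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(roles) != 1 or len(providers) != 1:
        raise ValueError(
            f"expected one role ARN and one saml-provider ARN: {value!r}")
    role, provider = roles[0], providers[0]
    # Field 4 of an ARN is the account id; a mismatch means a mis-mapped claim.
    if role.split(":")[4] != provider.split(":")[4]:
        raise ValueError(f"role and provider are in different accounts: {value!r}")
    return role, provider


def parse_assertion(assertion_b64):
    """Decode the assertion; return {'roles': [(role, principal), ...],
    'session_name': str or None}."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    roles = [split_role_value(v) for v in _attribute_values(root, ROLE_ATTR)]
    names = list(_attribute_values(root, SESSION_NAME_ATTR))
    return {"roles": roles, "session_name": names[0] if names else None}


# Constructed assertion for the example: two roles (the second emitted
# provider-first) and a RoleSessionName. Account id and names are made up.
EXAMPLE_ASSERTION = base64.b64encode(b"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/Admin</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>""").decode()
```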
Q&A
Links
• Twitter @AWSIdentity
• AWS Security Blog http://bit.ly/1n1z1QL
• IAM Details Page http://amzn.to/1lPyQs9
• IAM Forums http://bit.ly/1p2Ip6M
• API federation sample http://amzn.to/11AFKtS
• Console federation sample http://amzn.to/1vlBZ6N
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

HERO.pdf hero company working cap management project
HERO.pdf hero company working cap management projectHERO.pdf hero company working cap management project
HERO.pdf hero company working cap management project
SambalpurTokaSatyaji
 
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC WorkshopWorkshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
saastr
 
Recruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitmentRecruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitment
Rashi427200
 
stackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jesterstackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jester
NETWAYS
 
2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx
Dale Wells
 
Building Digital Products & Content Leadership
Building Digital Products & Content LeadershipBuilding Digital Products & Content Leadership
Building Digital Products & Content Leadership
Rajesh Math
 
Call India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.pptCall India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.ppt
Best International calling app on the market
 
Risks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce  - investment.pdfRisks & Business Risks Reduce  - investment.pdf
Risks & Business Risks Reduce - investment.pdf
Home
 
Biography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdfBiography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdf
AbdulSadickZutah
 
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITYTEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
AaSs197122
 
the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2
Rashi427200
 
calcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptxcalcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptx
Skmch
 
A study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD methodA study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD method
Dr. Afreen Nasir
 
Destyney Duhon personal brand exploration
Destyney Duhon personal brand explorationDestyney Duhon personal brand exploration
Destyney Duhon personal brand exploration
minxxmaree
 
Effective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedinEffective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedin
DivyaMehta193660
 
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
NETWAYS
 
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
ankitamarik05
 
At the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentationAt the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentation
Vanda Pokecz
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
NETWAYS
 
Pengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anakPengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anak
DeviDamayanti53
 

Recently uploaded (20)

HERO.pdf hero company working cap management project
HERO.pdf hero company working cap management projectHERO.pdf hero company working cap management project
HERO.pdf hero company working cap management project
 
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC WorkshopWorkshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
 
Recruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitmentRecruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitment
 
stackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jesterstackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jester
 
2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx
 
Building Digital Products & Content Leadership
Building Digital Products & Content LeadershipBuilding Digital Products & Content Leadership
Building Digital Products & Content Leadership
 
Call India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.pptCall India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.ppt
 
Risks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce  - investment.pdfRisks & Business Risks Reduce  - investment.pdf
Risks & Business Risks Reduce - investment.pdf
 
Biography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdfBiography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdf
 
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITYTEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
 
the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2
 
calcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptxcalcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptx
 
A study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD methodA study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD method
 
Destyney Duhon personal brand exploration
Destyney Duhon personal brand explorationDestyney Duhon personal brand exploration
Destyney Duhon personal brand exploration
 
Effective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedinEffective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedin
 
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
 
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
 
At the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentationAt the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentation
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
 
Pengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anakPengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anak
 

Federation

1. Bring Your Own Identities – Federating Access to Your AWS Environment
Zaher Dannawi
Senior Product Manager
Identity and Access Management

2. Agenda
• What is delegation?
• What are the scenarios?
• How does it work?
• Q&A

3. What is federation?
• Delegation
– Provide users in other AWS accounts access to resources in your AWS account
• Federation
– Provide users in other identity stores access to resources in your AWS account

4. Common Use Cases
Delegate to other AWS accounts
• To your team member
• To another team
• To third party software
• To an AWS service
• To an EC2 instance
Federate with other identity stores
• Users in your corporate directory
– e.g. Active Directory, Google
• Users authenticated by a web identity provider
– e.g. Login With Amazon, Facebook

5. Sessions 101
• Allow temporary access to your AWS account
• Are generated by the AWS Security Token Service (STS)
• Include temporary security credentials that are used to make API calls to AWS services

6. Requesting a Session
Start by requesting a session from AWS STS
Session: Access Key Id, Secret Access Key, Expiration, Session Token

7. What’s in a Session?
Temporary Security Credentials
Session: Access Key Id, Secret Access Key, Expiration, Session Token
Use the keys to sign AWS service API requests
Use the token as an additional parameter for every API request

8. Multiple Ways to Get Sessions
• Self-sessions (GetSessionToken)
• Federated sessions (GetFederationToken)
• Assumed-role sessions
– AssumeRole
– AssumeRoleWithSAML
– AssumeRoleWithWebIdentity

9. Sessions Expire
Expiration varies based on token type [Min/Max/Default]
• Self (Account) [15 min / 60 min / 60 min]
• Self (IAM User) [15 min / 36 hrs / 12 hrs]
• Federated [15 min / 36 hrs / 12 hrs]
• Assumed-role [15 min / 60 min / 60 min]
Use caching to improve your application performance
New in July 2016: Federated console duration now 12 hours
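Added example (not from the deck): a small Python credential cache that applies slide 9's advice to cache sessions. It reuses a session until it is within a refresh margin of its Expiration, validates a requested DurationSeconds against the min/max/default table above, and runs offline through a constructed stand-in for STS and an injectable clock; Session, SessionCache, choose_duration and make_fake_sts are names chosen here.

```python
import datetime as dt
from dataclasses import dataclass


@dataclass
class Session:
    """Temporary security credentials as returned by AWS STS (slide 6)."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: dt.datetime


# DurationSeconds limits (min, max, default) per session type, from slide 9.
DURATION_LIMITS = {
    "self_account": (15 * 60, 60 * 60, 60 * 60),
    "self_iam_user": (15 * 60, 36 * 3600, 12 * 3600),
    "federated": (15 * 60, 36 * 3600, 12 * 3600),
    "assumed_role": (15 * 60, 60 * 60, 60 * 60),
}


def choose_duration(session_type, requested=None):
    """Return the DurationSeconds to ask STS for: the default when none is
    requested, otherwise the requested value, rejected if outside [min, max]."""
    lo, hi, default = DURATION_LIMITS[session_type]
    if requested is None:
        return default
    if not lo <= requested <= hi:
        raise ValueError(f"{session_type}: {requested}s is outside {lo}..{hi}s")
    return requested


class SessionCache:
    """Reuse a session until it is about to expire, then request a fresh one.
    request_fn(key, duration_seconds) -> Session stands in for the STS call;
    now_fn() supplies the clock so the refresh logic can be exercised offline."""

    def __init__(self, request_fn, now_fn=lambda: dt.datetime.now(dt.timezone.utc),
                 refresh_margin_seconds=5 * 60):
        self._request = request_fn
        self._now = now_fn
        self._margin = dt.timedelta(seconds=refresh_margin_seconds)
        self._cache = {}
        self.sts_calls = 0  # how many times the (fake) STS was actually called

    def get(self, key, session_type, requested=None):
        cached = self._cache.get(key)
        if cached is not None and cached.expiration - self._now() > self._margin:
            return cached  # still valid and not yet inside the refresh margin
        duration = choose_duration(session_type, requested)
        self.sts_calls += 1
        fresh = self._request(key, duration)
        if fresh.expiration <= self._now():
            raise RuntimeError("STS returned an already-expired session")
        self._cache[key] = fresh
        return fresh


# Constructed stand-in for STS (hypothetical helper): mints a dummy session
# whose Expiration lies `duration` seconds after the supplied clock.
def make_fake_sts(now_fn):
    def request(key, duration):
        return Session("ASIA-EXAMPLE", "secret-EXAMPLE", f"token-for-{key}",
                       now_fn() + dt.timedelta(seconds=duration))
    return request
```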
10. DEMO #1 - AWS Console Single Sign-on
Active Directory
Log into the console without a user name and password!

12. Wait… what just happened?
1. Logged into my Windows instance with AD credentials
2. Hit an intranet website
3. Chose the “role” I wanted to play in AWS
4. Auto-magically signed in to the console

13. AWS Console Federation Walkthrough (AssumeRole)
Diagram: Customer (IdP) side with browser interface, corporate directory and federation proxy; AWS Cloud (Relying Party) side with the AWS Management Console. Steps recovered from the figure (steps 2 and 3 carry no label in the extracted text):
1. Browse to URL
4. List Roles request
5. List Roles response
6. Create combo box
7. AssumeRole request
8. AssumeRole response: temp credentials (Access Key, Secret Key, Session Token)
9. Generate URL
10. Redirect to Console
Federation proxy
• Uses a set of IAM user credentials to make AssumeRoleRequest()
• IAM user permissions only need to be able to call ListRoles & assume role
• Proxy needs to securely store these credentials

14. Console Federation using SAML (AssumeRoleWithSAML)
Diagram: Enterprise (Identity Provider) side with browser interface, corporate identity store and identity provider; AWS (Service Provider) side with AWS Sign-in and the AWS Management Console. Steps recovered from the figure (step 4 carries no label in the extracted text):
1. User browses to Identity provider
2. Receives AuthN response
3. Post to Sign-In passing AuthN Response
5. Redirect client to the AWS Management Console

15. AWS API Federation Walkthrough (GetFederationToken)
Diagram: Customer (Identity Provider) side with user, application, Active Directory and federation proxy; AWS Cloud (Relying Party) side with AWS resources (S3 bucket with objects, Amazon DynamoDB, Amazon EC2). Steps recovered from the figure (steps 2 and 3 carry no label in the extracted text):
1. Request Session
4. Get Federation Token request
5. Get Federation Token response: Access Key, Secret Key, Session Token
6. Receive Session
7. Call AWS APIs
Federation Proxy
• Uses a set of IAM user credentials to make a GetFederationTokenRequest()
• IAM user permissions need to be the union of all federated user permissions
• Proxy needs to securely store these privileged credentials

17. Web Identity Federation (AssumeRoleWithWebIdentity)
Diagram: Mobile App, web identity provider, and AWS Cloud (US-EAST-1, EU-WEST-1, AP-SOUTHEAST-1) with IAM, EC2 instances and AWS services (Amazon DynamoDB, S3). Steps recovered from the figure (steps 3, 6 and 7 carry no label in the extracted text):
1. Authenticate User
2. Id Token
4. Token Verification
5. Check Policy
Amazon Cognito: user sign-in and signup for mobile/web apps via social authentication, SAML, custom identities.

18. Summary
• Proxy-based Federation
– GetFederationToken and AssumeRole
• SAML-based Federation
– AssumeRoleWithSAML
– ADFS
– Shibboleth
• Web Identity Federation – AssumeRoleWithWebIdentity
– Login with Amazon, Facebook, Google
– Amazon Cognito

19. DEMO #2 – Federated Access to AWS CLI
Active Directory

21. What just happened?
1. Logged into my Windows desktop
2. Opened terminal
3. Utility obtained temporary security credentials
4. Accessed AWS services via CLI
22. What just happened? – Code Snippets

    # Use the assertion to get an AWS STS token using Assume Role with SAML
    import boto.sts

    conn = boto.sts.connect_to_region(region)
    token = conn.assume_role_with_saml(role_arn, principal_arn, assertion)

What’s Happening: Call the standard AWS STS service to request AWS temporary security credentials

    # Initiate session handler
    import requests
    from requests_ntlm import HttpNtlmAuth

    session = requests.Session()
    # Programmatically get the SAML assertion
    # Set up the NTLM authentication handler by using the provided credential
    session.auth = HttpNtlmAuth(username, password, session)
    # Opens the initial AD FS URL and follows all of the HTTP 302 redirects
    response = session.get(idpentryurl, verify=sslverification)
    # Debug the response if needed
    #print (response.text)

What’s Happening: Assemble the authentication information (username, password) and formulate the https request to the IdP

    # Parse the returned assertion and extract the authorized roles
    import base64
    import xml.etree.ElementTree as ET

    awsroles = []
    root = ET.fromstring(base64.b64decode(assertion))
    for saml2attribute in root.iter('{urn:oasis:names:tc:SAML:2.0:assertion}Attribute'):
        if (saml2attribute.get('Name') == 'https://aws.amazon.com/SAML/Attributes/Role'):
            for saml2attributevalue in saml2attribute.iter('{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue'):
                awsroles.append(saml2attributevalue.text)

What’s Happening: Iterate through the IdP response tags until it finds one named SAMLResponse.
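Added example (not the deck's code): a Python parser for the SAML Role attribute that goes one step beyond the snippet above, splitting each value into its (role_arn, principal_arn) pair in either order, checking that both ARNs belong to the same account and that the assertion's Audience is the AWS sign-in endpoint before a role is offered to the user. The embedded assertion is constructed (unsigned, example account 123456789012, provider name ADFS); STS still performs the real signature and condition checks when the assertion is presented to AssumeRoleWithSAML.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample assertion: unsigned, example account id, made up provider
# name. A real IdP response carries a Signature and time-bound Conditions.
SAMPLE_ASSERTION_XML = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>https://signin.aws.amazon.com/saml</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/Admin</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>jdoe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
SAMPLE_ASSERTION = base64.b64encode(SAMPLE_ASSERTION_XML.encode()).decode()


def parse_role_pair(value):
    """Split one Role attribute value into (role_arn, principal_arn).
    The two ARNs may appear in either order; both must name the same account."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'role_arn,principal_arn', got {value!r}")
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(roles) != 1 or len(providers) != 1:
        raise ValueError(f"value is not a role/provider pair: {value!r}")
    role_arn, principal_arn = roles[0], providers[0]
    # Field 4 of an ARN (arn:partition:service:region:account:resource) is the account.
    if role_arn.split(":")[4] != principal_arn.split(":")[4]:
        raise ValueError("role and SAML provider belong to different accounts")
    return role_arn, principal_arn


def extract_roles(assertion_b64):
    """Return the [(role_arn, principal_arn), ...] a user may pick from,
    after confirming the assertion was issued for AWS sign-in."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    audiences = [a.text for a in root.iter(SAML_NS + "Audience")]
    if AWS_SAML_AUDIENCE not in audiences:
        raise ValueError("assertion audience is not the AWS sign-in endpoint")
    pairs = []
    for attribute in root.iter(SAML_NS + "Attribute"):
        if attribute.get("Name") != ROLE_ATTR:
            continue  # e.g. RoleSessionName is not a role mapping
        for value in attribute.iter(SAML_NS + "AttributeValue"):
            pairs.append(parse_role_pair(value.text))
    return pairs
```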
23. Q&A

24. Links
• Twitter @AWSIdentity
• AWS Security Blog http://bit.ly/1n1z1QL
• IAM Details Page http://amzn.to/1lPyQs9
• IAM Forums http://bit.ly/1p2Ip6M
• API federation sample http://amzn.to/11AFKtS
• Console federation sample http://amzn.to/1vlBZ6N

25. aws.amazon.com/activate
Everything and Anything Startups Need to Get Started on AWS