(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environment | AWS re:Invent...

Post on 24-Jun-2015

1.020 Views

Category:

Technology

1 Downloads


DESCRIPTION

Have you wondered how you can use your corporate directory for accessing AWS? Or how you can build an AWS-powered application accessible to the millions of users from social identity providers like Amazon, Google, or Facebook? If so, this session will give you the tools you need to get started. It will provide a variety of examples to make it easier for you to use other identity pools with AWS, as well as cover open standards like Security Assertion Markup Language (SAML). Anyone who deals with external identities won't want to miss this session.

TRANSCRIPT

[Diagram: a session, i.e. a set of temporary security credentials. Fields: Access Key ID, Secret Access Key, Expiration, Session Token.]

[Diagram: AWS Management Console access through a federation proxy. Customer (Identity Provider) side: Browser interface, Corporate directory, Federation proxy. AWS Cloud (Relying Party) side: AWS Management Console. Steps: 1 Browse to URL; 2 and 3 (unlabeled arrows between browser, proxy and corporate directory); 4 ListRoles Request; 5 ListRoles Response; 6 Create combo box; 7 AssumeRole Request; 8 AssumeRole Response carrying temporary credentials (Access Key ID, Secret Access Key, Session Token); 9 Generate URL; 10 Redirect to Console.]

Federation proxy

• Uses a set of IAM user credentials to make AssumeRoleRequest()

• IAM user permissions only need to be able to call ListRoles & assume role

• Proxy needs to securely store these credentials
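The "Generate URL" and "Redirect to Console" steps (9 and 10) of the federation-proxy flow above, as an added example that is not from the session slides: it assumes the proxy already holds the temporary credentials from the AssumeRole response and builds the two URLs for the AWS federation endpoint (getSigninToken, then login) offline. The HTTPS request that fetches the sign-in token is left to the caller, and every credential value below is a constructed placeholder.

```python
# Added example: build the federation endpoint URLs a proxy uses to turn
# temporary credentials into a console sign-in. Not code from the session.
import json
from urllib.parse import urlencode, urlsplit, parse_qs

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def signin_token_url(access_key_id, secret_access_key, session_token, duration=3600):
    """Step 9, part 1: URL for Action=getSigninToken.

    The Session parameter is a JSON document holding the temporary credentials
    (keys sessionId, sessionKey, sessionToken). It contains the secret key, so
    the request must only ever be sent over TLS and this URL must not be logged.
    """
    session = {
        "sessionId": access_key_id,
        "sessionKey": secret_access_key,
        "sessionToken": session_token,
    }
    params = {
        "Action": "getSigninToken",
        "SessionDuration": str(duration),  # console session length in seconds
        "Session": json.dumps(session),
    }
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def console_login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """Step 9, part 2 / step 10: URL the browser is redirected to.

    The SigninToken returned by getSigninToken replaces the raw credentials, so
    this is the only URL that should reach the user's browser.
    """
    params = {
        "Action": "login",
        "Issuer": issuer,            # the proxy's own URL, shown on sign-out
        "Destination": destination,  # console page to land on after login
        "SigninToken": signin_token,
    }
    return FEDERATION_ENDPOINT + "?" + urlencode(params)


def parse_federation_url(url):
    """Decode a federation URL into (base, params); Session is parsed back to a dict."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "Session" in q:
        q["Session"] = json.loads(q["Session"])
    return f"{parts.scheme}://{parts.netloc}{parts.path}", q


if __name__ == "__main__":
    # Constructed placeholder values standing in for an AssumeRole response.
    print(signin_token_url("ASIAEXAMPLEKEY", "EXAMPLESECRET", "EXAMPLETOKEN"))
    print(console_login_url("EXAMPLESIGNINTOKEN", "https://proxy.example.com/"))
```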

[Diagram: application access to AWS resources through a federation proxy. Customer (Identity Provider) side: User, Application, Active Directory, Federation Proxy. AWS Cloud (Relying Party) side: AWS Resources (Amazon S3 bucket with objects, Amazon DynamoDB, Amazon EC2). Steps: 1 Request Session; 2 and 3 (unlabeled arrows between application, proxy and Active Directory); 4 GetFederationToken Request; 5 GetFederationToken Response (Access Key, Secret Key, Session Token); 6 Receive Session; 7 Call AWS APIs.]

Federation Proxy

• Uses a set of IAM user credentials to make a GetFederationTokenRequest()

• IAM user permissions need to be the union of all federated user permissions

• Proxy needs to securely store these privileged credentials

[Diagram: SAML-based sign-in to the AWS Management Console. Enterprise (Identity Provider) side: Browser interface, Corporate identity store, Identity provider. AWS (Service Provider) side: AWS Sign-in, AWS Management Console. Steps: 1 User browses to identity provider; 2 Receives AuthN response; 3 Post to Sign-In passing AuthN response; 4 (unlabeled); 5 Redirect client to AWS Management Console.]

[Diagram: web identity federation for a mobile app. AWS Cloud regions US-EAST-1, EU-WEST-1 and AP-SOUTHEAST-1 hosting AWS services (Amazon DynamoDB, Amazon S3, IAM, EC2 instances). Actors: Mobile App, Web identity provider, Id Token. Steps: 1 Authenticate User; 2 Id Token; 3 (unlabeled); 4 Token Verification; 5 Check Policy; 6 and 7 (unlabeled).]

[Diagram: Amazon Cognito flow in the Developer's AWS Account (us-east-1). Actors: End User, App, OpenID Connect-compliant identity provider, Cognito, Security Token Service, DynamoDB. Steps: 1 Start using the app; 2 Redirect for authentication and receive an ID token; 3 Exchange ID token for Cognito token; 4 Exchange Cognito token for temporary AWS credentials; 5 Use the temporary credentials to access AWS services.]

http://bit.ly/1n1z1QL

http://amzn.to/11AFKtS

http://amzn.to/1vlBZ6N

http://bit.ly/10KUSoC

http://bit.ly/1rNzWCF

http://bit.ly/13vFehT

http://bit.ly/1p2Ip6M

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals
