EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES




Best practices for identity federation in AWS

Table of Contents

Executive Overview
Introduction: Identity and Access Management in Amazon Web Services
More Cloud Deployments Means More Access
Identity Federation in AWS: Four Scenarios
What Is a Cloud-based Federation Identity Provider
How We Got Here: The Good Ol' Days
Use Case One: Federate to AWS for Security and Productivity
Identity Federation: Fulfilling the Contract
Use Case Two: Leverage OpenID Connect for AWS APIs
Use Case Three: EC2 As a Federated IDP
Use Case Four: EC2 As a Federated SP
Superhero Status: AWS for Enterprise Identity
Conclusion

EXECUTIVE OVERVIEW

Security in the public cloud presents a unique set of challenges for enterprises today. It's imperative that users have the correct access to do what they need to do without compromising security. This ebook outlines how your organization can leverage Security Assertion Markup Language (SAML) and OpenID Connect federation capabilities to streamline user access to Amazon Web Services (AWS) resources while providing the same level of security that your on-premises environments have. We'll also share examples of incorporating the Ping Identity solution using PingFederate to provide single sign-on (SSO) into AWS from directory servers such as Microsoft Active Directory. This approach gives you the ability to re-use existing internal identity management processes, such as onboarding and offboarding, as well as policies like password length, age and complexity. With this approach, you'll also be able to provide a seamless, federated SSO experience that will get your admins, developers and users authenticated, signed on and doing what they do best, quickly. This is sure to bump you up to superhero status within your organization!

INTRODUCTION: IDENTITY AND ACCESS MANAGEMENT IN AMAZON WEB SERVICES

Amazon Web Services provides a rich set of identity and access management (IAM) capabilities, including the ability to create and manage users and groups and apply specific access controls based on the user's role or group membership. Individual security credentials can be set per user, and the architecture provides security by default rather than as an afterthought. Additionally, IAM in AWS provides centralized user access control through fine-grained permissions for both APIs and the AWS console. Controlling users' access to APIs and the AWS console is an ongoing consideration for today's enterprise organizations, and not just from the administrator's perspective. The developers that are writing applications within AWS also need seamless access to APIs, and they don't have the time or patience to remember multiple, always-rotating AWS passwords.

Identity and access management within AWS provides the answer to two critical questions:

1. Who can sign on? Authentication is used to confirm the identity of a given user. AWS users can be authenticated internally or they can be federated from an external identity provider which handles authentication. The existence of a user account defines who can authenticate into the system.

2. What can they do? Authorization and access control policies provide the answer to what users can do after they are authenticated.

MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS

AWS provides not only classic SaaS functionality, but also Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). The explosion of public cloud usage, and AWS in particular, is being driven by two primary realities: First, SaaS application usage is increasing because employers have more confidence that they can securely deploy scalable apps in the cloud. Second, more services are being offered via IaaS and PaaS that organizations want to adopt.

More cloud deployments means more admins and more users! With increased deployments in the cloud comes the need for administrators and users with varying access rights. Managing these users and groups in multiple places quickly becomes tedious for administrators, leading to a loss of productivity as well as risky security practices.

Enter Federation Technology

Identity federation:
Uses interoperable technology.
Provides SSO across security domains.
Uses SAML or OpenID Connect.

With a federated architecture, you can:
Eliminate managing duplicate user identities.
Avoid multiple passwords and insecure password practices.
Leverage existing investment in identity management solutions and policies.

IDENTITY FEDERATION IN AWS: FOUR SCENARIOS

There are four primary use cases for single sign-on and identity federation in AWS:

1. AWS as a SAML service provider (SP): Organizations can leverage a third-party IAM system for a turnkey solution that manages identities and delivers SSO for AWS. The IAM system authenticates users and they are federated into the AWS console with the correct permissions and entitlements.

2. AWS as an OpenID Connect relying party (RP): Organizations can also use a third-party OpenID Connect authorization server (AS) to access AWS APIs. The AS authenticates users and they are given an ID token that can be traded for AWS credentials that are used to call AWS APIs.

3. Federated identity provider inside EC2: Identity provider (IdP) and authentication functionality can be provided through a federation server or identity bridge running in EC2. Users are authenticated and given a SAML assertion or token for transparent, standards-based SSO.

4. Federated service provider inside EC2: Service provider functionality can be enabled through a federation server deployed in EC2 that can consume SAML or other SSO tokens and provide a local token or session that is used to access applications.

WHAT IS A CLOUD-BASED FEDERATION IDENTITY PROVIDER?

[Figure: federated sign-on into AWS; labels: Authentication, Console, LDAP, EC2 instance]

The Rules of the Game Have Changed

In November 2013, Amazon announced support for a standard federation protocol that enables SSO to the AWS management console and application interfaces. AWS built-in federation capabilities give enterprises the ability to use their own directories as the control point for user SSO. The graphic above shows a federated service provider environment that can accept user credentials and sign users transparently into the application.

What is a Cloud-based Federation IdP?

An IdP is used to authenticate the user (or validate their existing session) and provide a trusted assertion to the SP describing who the user is, along with personal attributes and the method of authentication. The most common format for assertions to the service provider is SAML, which is a proven, secure standard based on XML. OpenID Connect aims to provide similar functionality using more modern protocols like REST and JSON. The SP simply accepts the assertion or token in lieu of a username and password, validates that it was provided by a trusted issuer and creates a local session for the user.

HOW WE GOT HERE: THE GOOD OL' DAYS

[Figure: pre-federation access to AWS, (mostly) non-web interaction; labels: Hosted / On-premises, Authentication, Identity Bridge, Custom code, Storage of IAM user keys, Storage of federated user keys, Proprietary connection, Active Directory, LDAP]

Prior to native federation support in AWS, organizations typically had to write custom code to authenticate users and obtain keys. These proprietary, one-off solutions required storing multiple user keys, often insecurely, and provided limited functionality through the AWS APIs and command line interfaces.

USE CASE ONE: FEDERATE TO AWS FOR SECURITY AND PRODUCTIVITY

[Figure: SAML federation into AWS, (mostly) web interaction; labels: Security token service resides in AWS, SSO (SAML), Hosted / On-premises, Authentication (Kerberos), Identity Bridge, Commercial federation IDP, No storage of IAM user keys, No storage of federated user keys, Active Directory, LDAP]

SAML federation in AWS allows organizations to leverage a commercial federation server as an identity bridge, providing secure single sign-on into the AWS console without storing user keys and without additional passwords or sign-ons. The IdP will typically support multiple methods of authentication, allowing users to leverage Kerberos if they are on the corporate domain, and providing other types of strong authentication to users off of the network, such as X.509 certificates or one-time passwords.

Top Three Recommendations for Incorporating Federation with AWS:

1. Understand your AWS access requirements. Non-web access requires a slightly different approach.

2. Don't use the AWS superuser account for the IdP user: privilege catastrophe awaits.

3. Carefully scope the access rights for your user roles.

IDENTITY FEDERATION: FULFILLING THE CONTRACT

The IdP fulfills the contract by either dynamically retrieving the appropriate attributes from a data source or by using hard-coded values during SSO. The IdP inserts these attributes into the contract, which is then delivered to AWS. AWS wants to know two things: the role entitlement and session name attributes. The role entitlement attribute describes who is authorized to issue SAML assertions to a user and what AWS role they should be given (concatenated into a single attribute). The role session name tells AWS which user has assumed the described role (typically the username).

In the AWS console, the IdP must be defined to establish trust with AWS. The SAML assertion then references the IdP's Amazon resource name (ARN). Additionally, the role that the user should assume is also defined along with specific permissions for the role. The role is then included in the assertion so that the IdP can dynamically define which privileges the user should have for a given session. These privileges, for example, may be different depending on how the user was authenticated or from where the user signed on.
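To make the contract concrete, here is an added example (not code from the ebook, from PingFederate or from AWS) that builds the two AWS SAML attributes named above, parses them back out of a constructed assertion, and applies the trust checks an SP must make before honouring them: the SAML provider ARN carried in the role attribute must match the provider defined in the account, the role must be one the user is allowed to assume (recommendation 3 in Use Case One), the assertion's audience must be the AWS sign-in endpoint, and a session name must be present. The account id, role and provider names and the user name are constructed values; the XML signature check, which a real SP performs before any of this, is deliberately left out so the block runs offline.

```python
import xml.etree.ElementTree as ET  # for untrusted input use defusedxml instead

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion

# Constructed assertion: two role/provider pairs (in both orders) and a session name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_role_attribute(role_arn, provider_arn):
    """IdP side of the contract: role ARN and SAML provider ARN joined by a comma."""
    return f"{role_arn},{provider_arn}"


def split_role_attribute(value):
    """SP side: recover (role_arn, provider_arn) whichever order the IdP used."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"role attribute must hold exactly two ARNs: {value!r}")
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    if role is None or provider is None:
        raise ValueError(f"role attribute needs one role ARN and one provider ARN: {value!r}")
    return role, provider


def parse_aws_attributes(assertion_xml):
    """Pull the audience, role pairs and session name out of an assertion."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML_NS)]
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    roles = [split_role_attribute(v) for v in attrs.get(ROLE_ATTR, [])]
    session_name = attrs.get(SESSION_ATTR, [None])[0]
    return {"audiences": audiences, "roles": roles, "session_name": session_name}


def select_role(parsed, trusted_provider_arn, allowed_role_arns):
    """Simplified model of the checks AWS applies before a role session is issued."""
    if AWS_AUDIENCE not in parsed["audiences"]:
        raise PermissionError("assertion audience is not the AWS sign-in endpoint")
    if not parsed["session_name"]:
        raise PermissionError("RoleSessionName attribute is missing")
    for role, provider in parsed["roles"]:
        # The pair must name the provider trusted in this account AND a permitted role.
        if provider == trusted_provider_arn and role in allowed_role_arns:
            return role, parsed["session_name"]
    raise PermissionError("no role pairs a trusted provider with an allowed role")


if __name__ == "__main__":
    parsed = parse_aws_attributes(SAMPLE_ASSERTION)
    print(select_role(parsed, "arn:aws:iam::123456789012:saml-provider/CorpIdP",
                      {"arn:aws:iam::123456789012:role/ReadOnly"}))
```

With the constructed assertion, a user permitted only `ReadOnly` gets that role and session name `jdoe`, while an assertion naming a provider ARN the account never registered is rejected even if the role ARN is valid; that is exactly why recommendation 2 matters: the trust is anchored on the provider definition, not on whatever the assertion claims.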

USE CASE TWO: LEVERAGE OPENID CONNECT FOR AWS APIS

[Figure: OpenID Connect federation for AWS APIs; components: User, Mobile or Web App, OpenID Connect-compliant Identity Provider, Cognito, Security Token Service, DynamoDB, Developer's AWS Account; flow: user starts using the app; app redirects for authentication and receives an ID token; app exchanges the ID token for a Cognito token; app exchanges the Cognito token for temporary AWS credentials; app uses the temporary credentials to access AWS services]

Amazon recently announced support for identity federation using OpenID Connect. This functionality can be used to easily access AWS resources from non-web clients, although the mechanism can be used for web applications as well. This new feature allows developers to leverage an OpenID Connect authorization server like PingFederate to provide SSO capabilities similar to those available from cloud identity providers such as Google and Facebook. For service providers who publish apps that rely on AWS APIs, this enables simple, secure access using a standards-based framework that supports both web and mobile clients.
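As an added illustration (not code from the ebook, from PingFederate or from AWS), the following Python models the three token exchanges in the diagram with the standard library only: an OpenID Connect provider issues an ID token, a broker standing in for Cognito validates it and issues its own token, and a token service standing in for STS validates that and returns temporary, expiring credentials. HS256 with constructed shared keys stands in for the RS256 signatures and JWKS discovery real providers use; the issuer URL, client id, identity pool id, role ARN and credential values are placeholders. The point the diagram does not spell out is that every hop checks signature, issuer, audience and expiry before trusting the token it was handed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys (assumption: HS256 stands in for the IdP's RS256 key pair).
IDP_KEY = b"constructed-idp-signing-key"
BROKER_KEY = b"constructed-broker-signing-key"
IDP_ISSUER = "https://idp.example.com"                    # hypothetical OIDC provider
APP_CLIENT_ID = "mobile-app-client-id"                     # hypothetical client registered at the IdP
IDENTITY_POOL = "us-east-1:identity-pool-placeholder"      # placeholder identity pool id
ROLE_ARN = "arn:aws:iam::123456789012:role/AppUserRole"   # constructed role ARN
BROKER_ISSUER, BROKER_AUDIENCE = "cognito-stand-in", "sts-stand-in"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Mint a compact JWT: header.payload.signature (HS256 here, see assumption above)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token, key, issuer, audience, now):
    """The checks each relying party in the chain makes before trusting a token."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("signature does not verify")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer:
        raise PermissionError("token issued by an untrusted issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token was not issued for this audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token has expired")
    return claims


def issue_id_token(subject, now, ttl=300):
    """Step 1: the OIDC provider authenticates the user and returns an ID token to the app."""
    return sign_jwt({"iss": IDP_ISSUER, "sub": subject, "aud": APP_CLIENT_ID,
                     "iat": now, "exp": now + ttl}, IDP_KEY)


def broker_exchange(id_token, now, ttl=600):
    """Step 2: the identity broker (Cognito stand-in) trades a valid ID token for its own token."""
    claims = verify_jwt(id_token, IDP_KEY, IDP_ISSUER, APP_CLIENT_ID, now)
    # Map the external subject to a pool-scoped identity id (constructed derivation).
    identity_id = f"{IDENTITY_POOL}:{hashlib.sha256(claims['sub'].encode()).hexdigest()[:16]}"
    return sign_jwt({"iss": BROKER_ISSUER, "sub": identity_id, "aud": BROKER_AUDIENCE,
                     "iat": now, "exp": now + ttl}, BROKER_KEY)


def sts_exchange(broker_token, role_arn, now, duration=3600):
    """Step 3: the token service (STS stand-in) returns temporary, role-scoped credentials."""
    claims = verify_jwt(broker_token, BROKER_KEY, BROKER_ISSUER, BROKER_AUDIENCE, now)
    session_token = _b64(hashlib.sha256(f"{claims['sub']}:{role_arn}:{now}".encode()).digest())
    return {"AccessKeyId": "ASIA-PLACEHOLDER", "SecretAccessKey": "constructed-secret",
            "SessionToken": session_token, "Expiration": now + duration, "AssumedRole": role_arn}


def run_flow(subject="alice", now=None):
    """Step 4: the app now holds expiring credentials and calls AWS services with them."""
    now = int(time.time()) if now is None else now
    return sts_exchange(broker_exchange(issue_id_token(subject, now), now), ROLE_ARN, now)


if __name__ == "__main__":
    print(run_flow())
```

Because the credentials carry an `Expiration`, nothing long-lived is stored on the device, which is the property Use Case One's "no storage of user keys" diagram was after; a replayed or tampered ID token fails at the broker before any AWS credential is minted.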

USE CASE THREE: EC2 AS A FEDERATED IDP

[Figure: federation IdP running in EC2; labels: Authentication, EC2 instance, SSO (SAML), Partner, Application]

EC2 provides a supported platform for federating your identities. Regardless of whether your users are employees, contractors, partners or affiliates, a federation server deployed in EC2 allows you to authenticate users and provide assertions or tokens for AWS, your own applications or third-party SaaS providers.

USE CASE FOUR: EC2 AS A FEDERATED SP

[Figure: federation SP running in EC2; labels: SP (with app), Hosted / On-premises, SSO (SAML), Federation IDP, EC2 instance, Authentication, Identity Bridge]

EC2 can also host a federation server to accept inbound assertions and tokens. If your users are being authenticated by their own IdP, EC2 also provides a supported platform for a federation server to consume identity assertions and tokens and then provide a local session or token that can be used by your applications. Deploying a federation server in EC2 offers instant scalability and availability for your environment.

SUPERHERO STATUS: AWS FOR ENTERPRISE IDENTITY

[Figure: reference deployment of PingFederate in AWS; callouts: logs and backups are pushed to secure Amazon S3 buckets; inbound traffic managed by Amazon Route 53 DNS and elastic load balancers (ELBs); PingFederate engine nodes scale horizontally within auto scaling groups; single console node for configuration; two or more AWS availability zones within a single virtual private cloud (VPC); Amazon Relational Database Service (RDS) for the provisioner database]

Leveraging AWS for identity federation allows scalable, highly-available SSO and token services for the AWS console and APIs, as well as for your own applications. By leveraging other AWS components such as S3, RDS, Route 53 and ELBs, you can provide a scalable, highly-available IAM infrastructure that provides a true SSO solution while leveraging your current identities, directories and policies.

CONCLUSION

Amazon Web Services is a platform that provides many different capabilities that are enabled by built-in identity and access management systems. Controlling user access to the AWS console and APIs is an ongoing consideration for today's enterprise organizations. SAML and OpenID Connect identity federation is extraordinary technology that integrates with third-party identity management solutions to give you the power to let users sign into the AWS console and APIs without requiring additional passwords or tokens. PingFederate integrates with AWS out-of-the-box so that your users can federate from your identity management systems into your AWS environments easily and quickly. This mechanism gives you a true single sign-on solution: authenticate once, access many things, including AWS. By implementing this identity federation approach, you can manage users and maintain identities within your existing directory, re-use internal identity management processes and eliminate password fatigue, giving your authorized users and developers seamless access to the resources they need to get work done.

AWS also provides a perfect platform for enterprise identity federation and SSO regardless of where your users are, what applications they need to access or what devices they're using. Whether you are an identity provider requiring single sign-on for your users or a service provider with applications and APIs that your customers want to access, AWS provides a scalable, highly-available platform that delivers the security your organization requires and the ease-of-use that your users have come to expect.

About Ping Identity: The Identity Security Company

Ping Identity believes secure professional and personal identities underlie human progress in a connected world. Our identity and access management platform gives enterprise customers and employees one-click access to any application from any device. Over 1,200 companies, including 45 of the Fortune 100, rely on our award-winning products to make the digital world a better experience for hundreds of millions of people. For more information, dial U.S. toll-free 877.898.2905 or +1.303.468.2882, email sales@pingidentity.com or visit pingidentity.com.

2014 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingAccess, PingID, the respective product marks, the Ping Identity trademark logo, and Cloud Identity Summit are trademarks or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.