Federation
- trust relationship between external IdP and Identity Consumer (AWS)
  - i.e. "combining users between one domain (e.g. IAM) and another (e.g. AD)"
- contrast with delegation (which grants permissions to other users to access your resources)
- federated user - user managed (authenticated) outside of AWS account
  - e.g. in Active Directory
- Enterprise Identity Federation
  - SAML 2.0
- Web Identity Federation
  - FB
  - G+
  - Amazon
  - OpenID 2.0
- Rationale
  - You do not need to manage unique credentials (e.g. IAM users)
  - You manage roles and policies (1:Many reuse)
  - Credentials centrally managed (one castle to defend)
  - Compliance (onboarding/offboarding)
Identity Provider
- External system
  - Stores identity information
  - "Speaks" federation protocol
  - Authenticates (various factors)
  - Authorizes
    - coarse grained: does not know details of the customer system
- (AWS) Metadata about external IdP (model) is configured
  - OpenID Connect
    - Provider Url, Audience
  - SAML
    - Metadata (cryptographic details)
Identity Consumer
- Customer application
  - Stores references to identity
- aka Relying Party
  - i.e. relies on Identity Provider
- Authorization (fine grained)
  - Knows the details of the customer system
SAML (Security Assertion Markup Language)
- Identity Provider (IdP)
  - Active Directory Federation Service (ADFS)
  - Shibboleth
  - G Suite (SAML)
- Service Provider (SP) - identity consumer
- Setup
  - Exchange metadata in advance - establishes the contract
    - XML document
    - Encryption keys, signing certificates, endpoints
- Usage
  - Trade SAML assertion for
    - Cryptographically trusted assertion
      - Uniquely identifies the user
      - Describes authorization information
SAML federation
- Flow
  - User talks to Identity Provider (IdP)
  - IdP authenticates
  - IdP returns "SAML authentication response"
    - "This is the user in my identity store"
    - "I have authenticated the user"
    - "Here are some attributes about the user (assertions)"
  - Browser POSTs the SAML response to AWS "sign-in" endpoint
  - AWS shows the roles available
  - Call AssumeRoleWithSAML
  - Constructs the Console Url
- Use cases
  - AWS Console/API access
  - AWS Services
    - Cognito (User pool)
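The "AWS shows the roles available" step works from two attributes in the posted assertion: `https://aws.amazon.com/SAML/Attributes/Role` (one `role-arn,provider-arn` pair per value) and `https://aws.amazon.com/SAML/Attributes/RoleSessionName`. The following is an added example, not code from the notes or from AWS: it decodes a constructed, unsigned SAMLResponse (issuer `idp.example.test`, account `111122223333`, role names and provider name all made up), lists the role choices, and builds the keyword arguments for the `AssumeRoleWithSAML` call. It reads attributes only; signature validation against the certificate from the IdP metadata is what makes the assertion "cryptographically trusted", and AWS performs it before any of these attributes are honoured.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample of what the browser POSTs to the AWS sign-in endpoint
# (unsigned, so not something AWS would accept as-is). Issuer, account id
# 111122223333, role names and provider name are made up.
SAMPLE_SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ExampleIdP,arn:aws:iam::111122223333:role/Developer</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_NAME_ATTR}">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text):
    """The browser carries the response base64-encoded in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


def _account_of(arn):
    # arn:partition:service:region:account:resource -> account is field 4
    return arn.split(":")[4]


def parse_role_choices(saml_response_b64):
    """Return (session_name, [(role_arn, provider_arn), ...]) from a SAMLResponse.

    Attribute parsing only: the XML signature must already have been verified
    against the IdP metadata certificate before these values are trusted.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles, session_name = [], None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == SESSION_NAME_ATTR and values:
            session_name = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                if len(parts) != 2:
                    raise ValueError(f"Role attribute must be 'role-arn,provider-arn': {value!r}")
                # AWS accepts the two ARNs in either order; normalise to (role, provider).
                role_arn, provider_arn = sorted(parts, key=lambda a: ":saml-provider/" in a)
                if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
                    raise ValueError(f"malformed Role attribute value: {value!r}")
                if _account_of(role_arn) != _account_of(provider_arn):
                    raise ValueError("role and SAML provider must be in the same account")
                roles.append((role_arn, provider_arn))
    if session_name is None or not roles:
        raise ValueError("assertion lacks RoleSessionName or Role attributes")
    return session_name, roles


def assume_role_with_saml_params(saml_response_b64, role_arn, provider_arn, duration=3600):
    """Keyword arguments for boto3's sts.assume_role_with_saml once a role is chosen."""
    return {
        "RoleArn": role_arn,
        "PrincipalArn": provider_arn,
        "SAMLAssertion": saml_response_b64,
        "DurationSeconds": duration,
    }


if __name__ == "__main__":
    encoded = encode_saml_response(SAMPLE_SAML_RESPONSE)
    name, choices = parse_role_choices(encoded)
    print(name, choices)
    print(assume_role_with_saml_params(encoded, *choices[0]))
```

The session name ends up in CloudTrail as part of the assumed-role ARN, which is why the IdP, not the user, should supply `RoleSessionName`.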
OpenID Connect (OIDC)
- Successor to SAML
- OpenID Provider (OP) - identity provider
  - Social Identity Providers
    - FB, G+, Login with Amazon
- Relying Party (RP) - identity consumer
- Setup
  - Exchange metadata in advance
    - where its endpoints are
  - Register RP with OP
- Tokens
  - ID Token - user identity
  - Access Token - can be used to call out to APIs
  - Refresh Token - used to renew the Access Token
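The "Provider Url, Audience" that AWS stores for an OIDC identity provider are exactly the `iss` and `aud` claims a relying party must check in the ID Token before believing its `sub`. The block below is an added example, not code from the notes or any OIDC library: it mints a constructed ID Token and validates it the way an RP should (signature first, pinned algorithm, then `iss`, `aud`, `exp`/`iat`). Real OPs sign with an asymmetric key (typically RS256) published at the JWKS endpoint found via the metadata exchange; to stay self-contained this example substitutes HS256 with a constructed shared key, and `op.example.test` and `constructed-client-id` are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time

# What the RP (or an IAM OIDC identity provider) is configured with. Constructed:
# the Provider URL must equal the token's iss, the Audience its aud / client id.
PROVIDER_URL = "https://op.example.test"
CLIENT_ID = "constructed-client-id"
# Stand-in for the OP's signing key (HS256 here; a real OP uses RS256 + JWKS).
SIGNING_KEY = b"constructed-shared-secret"


class TokenRejected(Exception):
    pass


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key=SIGNING_KEY):
    """Build an HS256 JWT; used only to construct sample tokens for the check below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_id_token(token, key=SIGNING_KEY, issuer=PROVIDER_URL, audience=CLIENT_ID, now=None, leeway=60):
    """Return the claims if the ID Token is signed by the OP and was issued for this RP."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise TokenRejected("undecodable token") from exc
    # Pin the algorithm we expect rather than trusting the header (rejects alg=none).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    # Only after the signature holds do the claims mean anything.
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token expired or has no exp")
    if claims.get("nbf", 0) > now + leeway or claims.get("iat", 0) > now + leeway:
        raise TokenRejected("token not yet valid")
    if not claims.get("sub"):
        raise TokenRejected("no subject")
    return claims


def is_rejected(token, **kwargs):
    """True if validate_id_token refuses the token (helper for callers and tests)."""
    try:
        validate_id_token(token, **kwargs)
    except TokenRejected:
        return True
    return False


if __name__ == "__main__":
    sample = mint_id_token({"iss": PROVIDER_URL, "aud": CLIENT_ID, "sub": "user-123",
                            "iat": 1700000000, "exp": 1700003600})
    print(validate_id_token(sample, now=1700000100))
```

An Access Token from the same OP is not a substitute here: it is meant for the APIs listed above, may not be a JWT at all, and carries no guarantee that `aud` names this RP.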
AD/Kerberos Federation
- Flow
  - On-premises: AD
    - Setup users
  - AWS: Directory Service for Microsoft AD
    - Setup groups
  - Pre-establish trust
    - i.e. Forest trust
  - Kerberos-enabled resource
    - Windows
    - SQL Server
    - Work*
Cross-Account access (XA)
- Switch role
Custom federation broker (proxy)
- Build Custom Federation Proxy
  - It uses its own AWS access keys
  - Scoping policy
    - restrict access (broker has wider credentials)
- AWS Console Federation using Custom Broker (CFP)
  - Flow
    - Browser makes request to CFP
    - Proxy authenticates users with Corporate Directory (CD)
    - CFP enumerates user's groups in CD (or other attributes)
    - CFP lists roles in AWS account
    - CFP chooses which role to assume (or asks user)
    - CFP calls AssumeRole
    - CFP generates Console Url and redirects the user
- AWS API Federation using Custom Proxy
  - Flow
    - Uses GetFederationToken (restrict policy scope)
    - Command Line App makes request to CFP
    - CFP authenticates the user
    - CFP gets back entitlements (i.e. IAM Policies)
    - CFP user must have union of all permissions for Federated Users
  - Legacy mechanism (not recommended by AWS)
    - Use SAML or OIDC
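The console-federation flow above, end to end, as an added example rather than code from the notes or from AWS: a broker that authenticates against a stand-in corporate directory, maps groups to roles, calls `AssumeRole` with a scoping session policy (so the session gets the intersection of the role's permissions and the policy, even though the broker's own keys are wider), and then builds the two federation-endpoint URLs that turn the temporary credentials into a console sign-in. The directory entries, passwords, account `111122223333`, role names and `broker.example.test` are constructed; the AWS-facing calls are injected so the module runs offline with the fakes at the bottom, and `aws_assume_role` / `aws_get_signin_token` show the real boto3 and federation-endpoint equivalents.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"

# Constructed stand-in for the Corporate Directory (CD): user -> (password, groups).
# A real broker binds to AD/LDAP here; these passwords are made up.
DIRECTORY = {
    "alice": ("alice-constructed-password", ["cloud-readonly"]),
    "bob": ("bob-constructed-password", ["cloud-readonly", "cloud-dev"]),
}
# CD group -> role the broker may assume on the user's behalf (constructed ARNs).
GROUP_TO_ROLE = {
    "cloud-readonly": "arn:aws:iam::111122223333:role/ReadOnly",
    "cloud-dev": "arn:aws:iam::111122223333:role/Developer",
}
# Scoping policy passed as AssumeRole's Policy parameter: the session's effective
# permissions are the intersection of the role's policies and this document.
SCOPING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"], "Resource": "*"}],
}


class BrokerError(Exception):
    pass


def authenticate(username, password):
    """Step 1: authenticate against the CD and return the user's groups."""
    entry = DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        raise BrokerError("authentication failed")
    return entry[1]


def roles_for(groups):
    """Step 2: CD group membership -> roles in the AWS account."""
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        raise BrokerError("user is not entitled to any role")
    return roles


def signin_token_request_url(credentials):
    """Step 4a: getSigninToken exchanges STS credentials for a short-lived sign-in token."""
    session = {"sessionId": credentials["AccessKeyId"],
               "sessionKey": credentials["SecretAccessKey"],
               "sessionToken": credentials["SessionToken"]}
    return FEDERATION_ENDPOINT + "?" + urlencode({"Action": "getSigninToken", "Session": json.dumps(session)})


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Step 4b: the URL the broker redirects the browser to."""
    return FEDERATION_ENDPOINT + "?" + urlencode(
        {"Action": "login", "Issuer": issuer, "Destination": destination, "SigninToken": signin_token})


def login_url_params(url):
    """Parsed query of a login URL (handy for inspection and tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def broker_console_session(username, password, assume_role, get_signin_token,
                           chosen_role=None, issuer="https://broker.example.test"):
    """Whole flow: authenticate, pick an entitled role, AssumeRole (scoped), build console URL."""
    roles = roles_for(authenticate(username, password))
    role_arn = chosen_role or roles[0]          # or present `roles` to the user
    if role_arn not in roles:
        raise BrokerError("requested role is not entitled")
    # RoleSessionName = username gives per-user attribution in CloudTrail.
    creds = assume_role(RoleArn=role_arn, RoleSessionName=username,
                        Policy=json.dumps(SCOPING_POLICY), DurationSeconds=3600)
    return console_login_url(get_signin_token(signin_token_request_url(creds)), issuer)


# Real adapters (lazy imports so the module still runs offline with the fakes).
def aws_assume_role(**kwargs):
    import boto3
    return boto3.client("sts").assume_role(**kwargs)["Credentials"]


def aws_get_signin_token(url):
    import urllib.request
    with urllib.request.urlopen(url) as resp:
        return json.loads(resp.read())["SigninToken"]


# Offline fakes returning constructed values; calls are recorded for inspection.
def fake_assume_role(**kwargs):
    fake_assume_role.calls.append(kwargs)
    return {"AccessKeyId": "ASIACONSTRUCTEDKEYID", "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token"}


fake_assume_role.calls = []


def fake_get_signin_token(url):
    assert "Action=getSigninToken" in url
    return "constructed-signin-token"


if __name__ == "__main__":
    print(broker_console_session("alice", "alice-constructed-password", fake_assume_role, fake_get_signin_token))
```

The API-federation variant built on `GetFederationToken` differs in one important way: there the broker's own IAM user must hold the union of everything any federated user could need, and only the `Policy` parameter narrows it, which is why the notes call it legacy and point at SAML or OIDC instead.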