Transcript of AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)
![Page 1: AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery (SEC306)](https://reader034.fdocuments.in/reader034/viewer/2022052418/586f88231a28ab54768b5b5f/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Quint Van Deman, AWS Professional Services
Balaji Iyer, AWS Professional Services
Rahul Sareen, AWS Professional Services
Zaher Dannawi, AWS Identity
November 29, 2016
SEC306
Workshop: Choose Your Own SAML Adventure
A Self-Directed Journey to AWS Identity Federation Mastery
Page 2
What to expect from the session
SAML for AWS: State of the Union
• Federation rationale
• Prior art & remaining challenges
Collaborative hands-on exercise
• Foundational → advanced
• Non-linear progression
Ask the AWS Federation Ninjas
• Your own challenges
• Your feedback & ideas
Page 3
SAML for AWS: State of the Union
Page 4
Federation rationale
Before               After                  Result
Unique credentials   Single sign-on (SSO)   Users
Long-lived keys      Short-term tokens      Security
One-off              Naturally aligned      Compliance
Page 5
Prior art
Generally “known science”*:
• Basic federation with <insert your favorite identity provider here>
• SSO experience for AWS Management Console users.
• Federated access for AWS CLI/API.
*Compiled list within session materials
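The "federated access for AWS CLI/API" item above, and the "many AWS accounts" and "custom durations" exercises later in the deck, all come down to one exchange: the IdP's signed SAMLResponse is traded at STS for short-term credentials. The following is an added example, not code from the workshop materials or from the blog posts it references. It decodes a SAMLResponse as the browser would POST it to https://signin.aws.amazon.com/saml, reads the AWS Role attribute (one role,provider pair per value, here spanning two accounts), groups the roles by account, and calls AssumeRoleWithSAML through an injected client. The IdP, account IDs, role names and the FakeSts stand-in are constructed for the example; with boto3 you would pass boto3.client("sts") in its place. The sample response is unsigned, which a real STS call rejects: the assertion must be signed by the key in the IdP metadata registered with the IAM SAML provider.

```python
"""Exchange a SAML assertion for short-term AWS credentials (CLI/API federation)."""
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed, unsigned sample response (hypothetical IdP, accounts and roles).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2016-11-29T17:00:00Z" Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>https://idp.example.com/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-11-29T17:00:00Z">
    <saml:Issuer>https://idp.example.com/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>14400</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ExampleIdP,arn:aws:iam::222222222222:role/Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class SamlRoles:
    session_name: str
    duration: int                                   # seconds
    roles: dict = field(default_factory=dict)       # role ARN -> SAML provider ARN


def encode_response(xml: str) -> str:
    """Base64 the response the way the SAMLResponse form field carries it."""
    return base64.b64encode(xml.encode()).decode()


def parse_saml_response(saml_response_b64: str) -> SamlRoles:
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    audiences = [a.text.strip() for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:   # STS enforces this too; checking locally gives a clearer error
        raise ValueError(f"assertion is not addressed to AWS: {audiences}")
    attrs = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    roles = {}
    for pair in attrs.get(ROLE_ATTR, []):
        first, second = (p.strip() for p in pair.split(","))
        # IdPs emit the pair in either order; the role ARN is the one containing ":role/"
        role_arn, provider_arn = (first, second) if ":role/" in first else (second, first)
        roles[role_arn] = provider_arn
    if not roles:
        raise ValueError("assertion carries no AWS Role attribute")
    return SamlRoles(session_name=attrs.get(SESSION_NAME_ATTR, [""])[0],
                     duration=int(attrs.get(DURATION_ATTR, ["3600"])[0]),
                     roles=roles)


def roles_by_account(parsed: SamlRoles) -> dict:
    """Group asserted roles by account ID (field 4 of the role ARN): the many-accounts case."""
    grouped = {}
    for role_arn in parsed.roles:
        grouped.setdefault(role_arn.split(":")[4], []).append(role_arn)
    return grouped


def assume_role_with_saml(sts, saml_response_b64: str, role_arn: str) -> dict:
    """Exchange the assertion for credentials scoped to one of the asserted roles."""
    parsed = parse_saml_response(saml_response_b64)
    if role_arn not in parsed.roles:
        raise PermissionError(f"{role_arn} was not asserted by the IdP for this user")
    resp = sts.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=parsed.roles[role_arn],
        SAMLAssertion=saml_response_b64,
        # The SessionDuration attribute is what console sign-in honors; an API caller
        # asks explicitly, and STS rejects values above the role's maximum session duration.
        DurationSeconds=parsed.duration,
    )
    return resp["Credentials"]


class FakeSts:
    """Offline stand-in for boto3.client("sts"): records the call, returns dummy credentials."""
    def __init__(self):
        self.calls = []

    def assume_role_with_saml(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example",
                                "SessionToken": "example-token", "Expiration": "2016-11-29T21:00:00Z"}}


def demo(role_arn="arn:aws:iam::222222222222:role/Admin"):
    sts = FakeSts()
    creds = assume_role_with_saml(sts, encode_response(SAMPLE_RESPONSE), role_arn)
    return sts.calls[0], creds


if __name__ == "__main__":
    call, creds = demo()
    print(roles_by_account(parse_saml_response(encode_response(SAMPLE_RESPONSE))))
    print(call["RoleArn"], call["PrincipalArn"], call["DurationSeconds"], creds["AccessKeyId"])
```

The local audience check is defence in depth, not a substitute for STS: STS validates the signature, the audience and the assertion's time window itself. The point of keeping role selection client-side is that a user with roles in several accounts can pick one without the IdP having to know which account they need at sign-in time, which is the direct-federation model of the "many accounts" exercise.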
Page 6
Remaining challenges
Option overload:
• Many accounts: direct federation or hub/spoke?
• Role mapping: groups, attributes, or a combination?
Solutions not yet widely published:
• Attribute-driven authorizations.
• Strong authentication techniques.
• Resource permissions for federated users.
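Two of the "not yet widely published" items above, attribute-driven authorizations and resource permissions for federated users (the Amazon S3 permissions exercise later in the deck), both rest on IAM's handling of SAML attributes: the Condition block of the role's trust policy is matched against the saml:* condition keys IAM derives from the assertion (saml:aud, saml:iss, saml:sub, and attribute keys such as saml:edupersonaffiliation), and policy variables such as ${saml:sub} in a permissions policy give each federated user a private S3 prefix without a per-user policy. The following is an added example, not from the workshop materials: a simplified model of that evaluation. Only StringEquals, StringLike and the ForAnyValue/ForAllValues set operators are modelled, plain operators are modelled as requiring a single-valued key, and Deny statements are not represented; IAM's own evaluation logic is the authority. The context, trust condition, bucket and affiliations are constructed for the example.

```python
"""Attribute-driven authorization for SAML-federated users (simplified model of IAM)."""
import fnmatch

AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"

# What IAM would derive from a constructed assertion. Values are lists because
# SAML attributes are multi-valued.
SAML_CONTEXT = {
    "saml:aud": [AWS_AUDIENCE],
    "saml:iss": ["https://idp.example.com/shibboleth"],
    "saml:sub": ["bob"],
    "saml:sub_type": ["persistent"],
    "saml:edupersonaffiliation": ["staff", "member"],
}

# Condition block of a hypothetical role trust policy: the audience check every
# SAML role needs, plus an attribute test that admits staff or faculty only.
TRUST_CONDITION = {
    "StringEquals": {"SAML:aud": AWS_AUDIENCE},
    "ForAnyValue:StringEquals": {"saml:edupersonaffiliation": ["staff", "faculty"]},
}

# Resource from a hypothetical permissions policy attached to that role.
HOME_PREFIX_RESOURCE = "arn:aws:s3:::workshop-bucket/home/${saml:sub}/*"


def _match(op, expected, actual):
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":            # IAM wildcards * and ?, case-sensitive
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"operator not modelled: {op}")


def condition_allows(condition, context):
    """True when every clause of the Condition block matches the request context."""
    ctx = {k.lower(): v for k, v in context.items()}   # condition key names are case-insensitive
    for operator, clauses in condition.items():
        set_op, _, op = operator.rpartition(":")       # "ForAnyValue:StringEquals" -> ("ForAnyValue", "StringEquals")
        for key, expected in clauses.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key.lower(), [])
            if set_op == "ForAnyValue":                # at least one context value matches
                ok = any(_match(op, e, a) for a in actual for e in expected)
            elif set_op == "ForAllValues":             # every context value matches; vacuously true if the key is absent
                ok = all(any(_match(op, e, a) for e in expected) for a in actual)
            else:                                      # plain operator: modelled as needing a present, single-valued key
                ok = len(actual) == 1 and any(_match(op, e, actual[0]) for e in expected)
            if not ok:
                return False
    return True


def render_variables(template, context):
    """Substitute ${key} policy variables; a multi-valued key cannot serve as a variable."""
    out = template
    for key, values in context.items():
        if len(values) == 1:
            out = out.replace("${" + key + "}", values[0])
    return out


def resource_matches(pattern, arn):
    """ARN wildcard match as in a policy Resource element (* also spans '/')."""
    return fnmatch.fnmatchcase(arn, pattern)


def demo():
    can_assume = condition_allows(TRUST_CONDITION, SAML_CONTEXT)
    resource = render_variables(HOME_PREFIX_RESOURCE, SAML_CONTEXT)
    own = resource_matches(resource, "arn:aws:s3:::workshop-bucket/home/bob/report.csv")
    other = resource_matches(resource, "arn:aws:s3:::workshop-bucket/home/alice/report.csv")
    return can_assume, resource, own, other


if __name__ == "__main__":
    print(demo())
```

The ForAllValues branch shows the trap worth checking for in any attribute-driven trust policy: it is satisfied when the attribute is missing from the assertion altogether, so a gate meant to require an attribute must be written with ForAnyValue (or paired with a Null check). For the S3 case, ${saml:sub} alone is only as unique as the NameID the IdP issues; where more than one IdP federates into the account, qualifying the prefix with ${saml:namequalifier} keeps two IdPs' "bob" users apart.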
Page 7
Collaborative hands-on exercise & Ask the Experts
Page 8
Collaborative hands-on exercise
Choose your own SAML adventure!
Initial path: open source or Microsoft?
1st hour: build initial federation setup
2nd hour: your choice of advanced use cases
Page 9
Exercise architecture
Diagram labels: instance with EIP hosting the SAML IdP and user directory; many AWS accounts; advanced use cases: Amazon S3 permissions, custom durations, MFA for SAML.
Note: The IdP architecture represented here has been simplified to focus on the learning objectives. Not appropriate for production use.
Page 10
Time for teamwork!
• Pair up (strangers only)
• Open source → stage left; Microsoft → stage right
• Find a match: 8 ≤ total ≤ 12
Page 11
Ask the Experts
• Your opportunity to tap into the collective federation knowledge of the Amazonians in the room.
• Runs parallel to the hands-on exercise.
• Submissions via email (details on following slide):
  • Your name.
  • Your question/topic/feature request.
  • Your table number.
• We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked here as possible.
Page 12
Lab materials: let’s get started: http://bit.ly/2dBXMUq
Ask the Experts: federationworkshopreinvent2016@amazon.com (include: name, table, question)
Page 13
Review and recap
• This slide is a placeholder.
• We will take 2-3 of the “Ask the Experts” submissions:
• Build a slide in the room for each
• Summarize the question
• Provide our perspective on how best to tackle
• 2-3 minutes max per question
Page 14
Reference materials
• AWS Docs: About SAML 2.0-based Federation
• AWS Docs: Configuring SAML Assertions
• AWS Docs: Integrating 3rd Party SAML Providers
• AWS Security Blog: SAML API/CLI Solution
• AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough
• AWS Security Blog: ADFS How to
• AWS Security Blog: ADFS Multi-Account How to
• AWS Security Blog: AWS CloudTrail for Federated Users
Page 15
Thank you!
Page 16
Remember to complete your evaluations!