Flow models in federated identity management are of two types:

  • identity provider initiated model, or IdP-initiated
  • service provider initiated model, or SP-initiated

IdP-initiated

  1. The user accesses the intranet using the company’s authentication.
  2. The user goes to a web page and clicks a link to a Connections Cloud product, such as Connections Cloud S2.
  3. SSO is started and a SAML assertion is sent to the Connections Cloud endpoint via HTTP POST. If the assertion is valid, access is granted.
  4. The user interacts with Connections Cloud.

SP-initiated hybrid

  1. The user visits the Connections Cloud login page and clicks Use My Organization’s Login.
  2. The user provides the email address linked with his or her account.
  3. Connections Cloud redirects to the organization’s authentication mechanism.
  4. The rest of the flow is the same as the final steps of the IdP-initiated model.

AWS SAML

  • SAML 2.0, or Security Assertion Markup Language 2.0, is supported by AWS.
  • SAML is an open standard that many identity providers (IdPs) use.
  • Benefit: federated single sign-on (SSO).
  • SAML-authenticated users can sign in to the AWS Management Console or call AWS APIs without being IAM users.

Use cases supported by IAM federation

  • Federated access allows a user or application to call AWS APIs.
    • It uses the SAML assertion to obtain temporary credentials.
  • Web-based single sign-on (SSO) to the AWS Management Console.

Using SAML-based federation for API access to AWS. Example: letting employees copy data from their computers to a backup folder.

  1. The user requests authentication by the IdP through a client app.
  2. The IdP authenticates the user.
  3. The IdP generates a SAML assertion and sends it to the client app.
  4. The client app supplies the ARN of the SAML provider and the role to assume by calling the AWS STS AssumeRoleWithSAML API.
  5. If the assertion is valid, the API responds with temporary credentials.
  6. The client app uses the temporary credentials to call S3 API operations.
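Steps 3 to 4 from the client side, as an added example that is not part of the original notes: parse the IdP's SAML response, check its validity window and that it is addressed to AWS, read the AWS Role attribute (role ARN and SAML-provider ARN pairs), and build the AssumeRoleWithSAML request. The response XML, account ID, role and provider names are constructed; only the standard library is used, and the resulting dictionary is what would be passed to the STS client.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # IdP -> AWS role mapping attribute
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"            # Audience an AWS assertion must carry

# Constructed sample response (not from a real IdP); the IdP's XML signature is
# omitted because STS, not the client, verifies it against the registered provider.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T01:00:00Z">
  <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
  <saml:AttributeValue>arn:aws:iam::123456789012:role/BackupWriter,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>""").decode()
SAMPLE_NOW = datetime(2020, 1, 1, 0, 30, tzinfo=timezone.utc)  # constructed "current time"

def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def allowed_roles(encoded_response: str, now: datetime) -> list:
    """(role_arn, principal_arn) pairs the assertion permits, after checking the
    validity window and that the assertion is addressed to AWS."""
    root = ET.fromstring(base64.b64decode(encoded_response))
    cond = root.find(".//saml:Conditions", NS)
    if not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if AWS_AUDIENCE not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to the AWS sign-in endpoint")
    pairs = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") == AWS_ROLE_ATTR:
            for value in attr.findall("saml:AttributeValue", NS):
                a, b = (s.strip() for s in value.text.split(","))
                pairs.append((a, b) if ":role/" in a else (b, a))  # AWS allows either order
    return pairs

def assume_role_params(encoded_response: str, role_arn: str, now: datetime) -> dict:
    """Request parameters for step 4 (AssumeRoleWithSAML) for one chosen role, to be
    passed as boto3.client("sts").assume_role_with_saml(**params)."""
    for role, provider in allowed_roles(encoded_response, now):
        if role == role_arn:
            return {"RoleArn": role, "PrincipalArn": provider,
                    "SAMLAssertion": encoded_response, "DurationSeconds": 3600}
    raise ValueError("requested role is not granted by the assertion")
```

The client-side checks are defensive only: STS independently verifies the signature, audience and validity window before issuing the temporary credentials of step 5.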

SAML – Console – AssumeRoleWithSAML

  • A corporate user accesses Active Directory Federation Services (AD FS).
  • AD FS authenticates the user against Microsoft Active Directory (AD).
  • A SAML token containing the user’s group membership is generated.
  • As with any IdP, the user signs in with the SAML token at the AWS Sign-in endpoint.
  • AssumeRoleWithSAML is sent to STS.
  • STS returns credentials.
  • The AWS Sign-in endpoint returns a console URL.
  • The corporate user is redirected to the AWS Console.
  • Benefits include
    • No federation proxy is needed.
    • No IAM permissions for a federation proxy are needed.