Amazon AWS IAM Identity Federation

AWS IAM Identify Federation enables you to use third-party identity providers to authenticate to your AWS Account.  This topic is known to be featured on the AWS Certified Solutions Architect Associate Exam and it is a good idea to know how this works.  AWS supports SAML, an open standard used by many identity providers which enable federated single sign-on (SSO). This feature is used to enable users to sign into the AWS Management Console or make programmatic calls to AWS APIs by using assertions from a SAML-compliant identity provider (IdP) like Microsoft Active Directory Federation Services (ADFS).  Once you setup ADFS in your environment, you publish a website which would have URL similar to (https://Fully.Qualified.Domain.Name/adfs/ls/IdpInitiatedSignOn.aspx).

You can use Identity Federation to login onto your AWS Management Console.  Key stages involved in accessing the  AWS Management Console using ADFS federation are:

  • You start the sign in process when a user visits the ADFS constructed website (https://Fully.Qualified.Domain.Name/adfs/ls/IdpInitiatedSignOn.aspx) inside your domain
  • This sign in page authenticates the user to the local Corporate Active Directory when the user types in his/her AD username and password.
  • The browser will then receive a SAML assertion in the form of an authenticated response from ADFS
  • The browser will then post the SAML assertion to the AWS sign-in endpoint. The sign-in process uses the AssumeRoleWithSAML API to request temporary security credentials and then constructs a sign-in URL for the AWS Management Console.
  • The browser then receives the sign-in URL and is redirected to the console.

 

saml-identity-federation

Key Points

  • The AWS implementation of SAML 2.0 federation does not support encrypted SAML assertions between the identity provider and AWS. However, the traffic between the identity provider and AWS is transmitted over an encrypted (TLS) channel.
  • You can also configure your IdP to include a SAML assertion attribute called SessionDuration that specifies how long the console session is valid.
  • You can set a session limit between 15 minutes and 36 hours (for GetFederationToken and GetSessionToken) and between 15 minutes and 12 hours (for AssumeRole* APIs), during which time the federated user can access the console. Once expired, the federated user must request a new session by returning to your identity provider, to be granted access permissions again.
  • Enabling SAML 2.0 Federated Users to Access the AWS Management Console. The important steps to enable federation using Active Directory and SAML are
    • to grant Web Single Sign-On (WebSSO) access to SAML providers
    • to use AssumeRoleWithSAML API to request temporary security credentials and then construct a sign-in URL for the AWS Management Console

 

Setting up Web Identity Federation

You can setup web identity federation to connect you to authenticate to your web applications using your accounts on Facebook or LinkedIn. Key steps involved:

  • Authenticate first with your identity providers
  • You will then be assigned an access token that expires after a short while
  • You will then be able to obtain temporary security credentials using the access token.
  • A Trust policy will then be created
  • A Role Amazon Resource Name (ARN) is specified
  • You need to then call the AssumeRoleWithWebIdentity

You are then able to access your AWS resources having authenticated with your Facebook account.

 

740 Practice Exam Questions – Get Prepared for your Exam Day!

Our Exam Simulator with 180 practice exam questions comes with comprehensive explanations that will help you prepare for one of the most sought-after IT Certifications of the year.  Register Today and start preparing for your AWS Certified Solutions Architect – Associate Exam