Overview

A Self-Directed Journey to AWS Identity Federation Mastery

The techniques demonstrated in these workshops relate to traditional SAML federation for AWS. These techniques are still valid and useful. However, AWS Single Sign-On (AWS SSO) provides analogous capabilities by way of a managed service. If you are just getting started with federating access to your AWS accounts, we recommend that you evaluate AWS SSO for this purpose.

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. SAML allows you to configure your AWS accounts to integrate with your identity provider (IdP). Once configured, your federated users are authenticated and authorized by your organization's IdP, and then can use single sign-on (SSO) to access AWS.

In these workshops, we start by guiding you through deploying an IdP and configuring SAML federation for AWS, including federated CLI access. We then continue to walk you through how to implement some advanced SAML use cases. These include writing Amazon S3 bucket policies for specific federated users, using SAML attributes to enforce additional authorization requirements, and automating federation configurations across a large number of AWS accounts, among others. To top if off, we've assembled this workshop in such a way that you'll be able to choose your own path through the exercises, guiding your journey toward the technology and use cases that best fit your interests.

• Level: 300
• Duration: Each foundational workshop takes 2 hours and can be done separately. (The advanced use cases have varying time lengths):
  • Open Source (2 hours)
  • Microsoft (2 hours)
• CSF Functions: Protect
• CAF Components: Preventive
• Prerequisites: AWS Account, IAM User (with admin permissions)

Workshops

Foundational workshops

1. - Shibboleth 3.x IdP with an OpenLDAP backing identity store on Amazon Linux
2. - ADFS with an AD domain on Windows Server 2012 R2

Advanced use cases

After you complete the initial workshops, you are ready to take your journey into the more advanced use cases:

1. Open Source Advanced Use Cases
2. Microsoft Advanced Use Cases

Introductory presentation

Review the introductory presentation on SlideShare .

Reference materials

For your convenience, here is the list of reference materials from the introductory presentation:

• AWS Docs: About SAML 2.0-based Federation
• AWS Docs: Configuring SAML Assertions
• AWS Docs: Integrating 3rd Party SAML Providers
• AWS Security Blog: SAML API/CLI Solution
• AWS Whitepaper: Shibboleth + OpenLDAP Walkthrough
• AWS Security Blog: ADFS How to
• AWS Security Blog: ADFS Multi-account How to
• AWS Security Blog: AWS CloudTrail for Federated Users pf