EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Transcription

1 EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS

2 03 EXECUTIVE OVERVIEW 05 INTRODUCTION 07 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS 09 IDENTITY FEDERATION IN AWS TABLE OF CONTENTS WHAT IS A CLOUD-BASED FEDERATION IDENTITY PROVIDER HOW WE GOT HERE USE CASES USE CASE ONE IDENTITY FEDERATION USE CASE TWO USE CASE THREE USE CASE FOUR 19 SUPERHERO STATUS 21 CONCLUSION

3 EXECUTIVE OVERVIEW

4 EXECUTIVE OVERVIEW Security in the public cloud presents a unique set of challenges for enterprises today. It s imperative that users have the correct access to do what they need to do without compromising security. This ebook outlines how your organization can leverage security assertion markup language (SAML) and OpenID Connect federation capabilities to streamline user access to Amazon Web Services (AWS) resources while providing the same level of security that your on-premises environments have. We ll also share examples of incorporating the Ping Identity solution using PingFederate to provide single sign-on (SSO) into AWS from directory servers such as Microsoft Active Directory. This approach gives you the ability to re-use existing internal identity management processes, such as onboarding and offboarding, as well as policies like password length, age and complexity. With this approach, you ll also be able to provide a seamless, federated SSO experience that will get your admins, developers and users authenticated, signed on and doing what they do best, quickly. This is sure to bump you up to superhero status within your organization! AMAZON WEB SERVICES 4

5 INTRODUCTION

6 IDENTITY AND ACCESS MANAGEMENT IN AMAZON WEB SERVICES Amazon Web Services provides a rich set of identity and access management (IAM) capabilities, including the ability to create and manage users and groups and apply specific access controls based on the user s role or group membership. Individual security credentials can be set per user, and the architecture provides security by default rather than as an afterthought. Additionally, IAM in AWS provides centralized user access control through fine-grained permissions for both APIs and the AWS console. Controlling users access to APIs and the AWS console is an ongoing consideration for today s enterprise organizations and not just from the administrator s perspective. The developers that are writing applications within AWS also need seamless access to APIs, and they don t have the time or patience to remember multiple, always-rotating AWS passwords. Identity and access management within AWS provides the answer to two critical questions: 1. WHO CAN SIGN ON? Authentication is used to confirm the identity of a given user. AWS users can be authenticated internally or they can be federated from an external identity provider which handles authentication. The existence of a user account defines who can authenticate into the system. 2. WHAT CAN THEY DO? Authorization and access control policies provide the answer to what users can do after they are authenticated. AMAZON WEB SERVICES 6

7 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS

8 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS AWS provides not only classic SaaS functionality, but also Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). The explosion of public cloud usage, and AWS in particular, is being driven by two primary realities: First, SaaS application usage is increasing because employers have more confidence that they can securely deploy scalable apps in the cloud. Second, more services are being offered via IaaS and PaaS that organizations want to adopt. MORE CLOUD DEPLOYMENTS = MORE ADMINS AND MORE USERS! With increased deployments in the cloud comes the need for administrators and users with varying access rights. Managing these users and groups in multiple places quickly becomes tedious for administrators, leading to a loss of productivity as well as risky security practices. ENTER FEDERATION TECHNOLOGY Identity federation: Uses interoperable technology. Provides SSO across security domains. Uses SAML or OpenID Connect. With a federated architecture, you can: Eliminate managing duplicate user identities. Avoid multiple passwords and insecure password practices. Leverage existing investment in identity management solutions & policies. AMAZON WEB SERVICES 8

9 IDENTITY FEDERATION IN AWS: FOUR SCENARIOS

10 INDENTITY FEDERATION IN AWS: FOUR SCENARIOS AWS AS A SAML SERVICE PROVIDER (SP): Organizations canleverage a third-party IAM system for a turnkey solution that manages identities and delivers SSO for AWS. The IAM system authenticates users and they are federated into the AWS console with the correct permissions and entitlements. FEDERATED IDENTITY PROVIDER INSIDE EC2: Identity provider (IdP) and authentication functionality can be provided through a federation server or identity bridge running in EC2. Users are authenticated and given a SAML assertion or token for transparent, standards-based SSO AWS AS AN OPENID CONNECT RELYING PARTY (RP): Organizations can also use a third-party OpenID Connect authorization server (AS) to access AWS APIs. The AS authenticates users and they are given an ID token that can be traded for AWS credentials that are used to call AWS APIs. FEDERATED SERVICE PROVIDER INSIDE EC2: Service provider functionality can be enabled through a federation server deployed in EC2 that can consume SAML or other SSO tokens and provide a local token or session that is used to access applications. AMAZON WEB SERVICES 10

11 WHAT IS A CLOUDBASED FEDERATION IDENTITY PROVIDER?

12 WHAT IS A CLOUD-BASED FEDERATION IDENTITY PROVIDER? CONSOLE SSO (SAML) EC2 instance LDAP Authentication THE RULES OF THE GAME HAVE CHANGED In November 2013, Amazon announced support for a standard federation protocol that enables SSO to the AWS management console and application interfaces. AWS built-in federation capabilities give enterprises the ability to use their own directories as the control point for user SSO. The graphic above shows a federated service provider environment that can accept user credentials and sign users transparently into the application. WHAT IS A CLOUD-BASED FEDERATION IDP? An IdP is used to authenticate the user (or validate their existing session) and provide a trusted assertion to the SP describing who the user is along with personal attributes and the method of authentication. The most common format for assertions to the service provider is SAML, which is a proven, secure standard based on XML. OpenID Connect aims to provide similar functionality using more modern protocols like REST and JSON. The SP simply accepts the assertion or token in lieu of a username and password, validates that it was provided by a trusted issuer and creates a local session for the user. AMAZON WEB SERVICES 12

13 HOW WE GOT HERE: THE GOOD OL DAYS Prior to native federation support in AWS, organizations typically had to write custom code to authenticate users and obtain keys. These proprietary, one-off solutions required storing multiple user keys, often insecurely, and provided limited functionality through the AWS APIs and command line interfaces. AMAZON API Authentication Identity Bridge LDAP ACTIVE DIRECTORY AMAZON WEB SERVICES 13

14 USE CASES

15 USE CASE ONE FEDERATE TO AWS FOR SECURITY AND PRODUCTIVITY Security token service resides in AWS SAML federation in AWS allows organizations to leverage a commercial federation server as an identity bridge, providing secure single sign-on into the AWS console without storing user keys and without additional passwords or sign-ons. SSO (SAML) (Mostly) web interaction The IdP will typically support multiple methods of authentication, allowing users to leverage Kerberos if they are on the corporate domain, and providing other types of strong authentication to users off of the network, such as X.509 certificates or one-time passwords. HOSTED ON-PREMISES TOP THREE RECOMMENDATIONS FOR INCORPORATING FEDERATION WITH AWS: 1. Understand your AWS access requirements. Non-web access requires 2. a slightly different approach. 3. Don t use the AWS superuser account for the IdP user privilege catastrophe awaits. 4. Carefully scope the access rights for your user roles. Authentication (Kerberos) Identity Bridge LDAP ACTIVE DIRECTORY AMAZON WEB SERVICES 15

16 IDENTITY FEDERATION: FULFILLING THE CONTRACT The IdP fulfills the contract by either dynamically retrieving the appropriate attributes from a data source or by using hard-coded values during SSO. The IdP inserts these attributes into the contract, which is then delivered to AWS. AWS wants to know two things, the role entitlement and session name attributes. The role entitlement attribute describes who is authorized to issue SAML assertions to a user and what AWS role they should be given (concatenated into a single attribute). The role session name tells AWS which user has assumed the described role (typically the username). In the AWS console, the IdP must be defined to establish trust with AWS. The SAML assertion then references the IdP s Amazon resource name (ARN). Additionally, the role that the user should assume is also defined along with specific permissions for the role. The role is then included in the assertion so that the IdP can dynamically define which privileges the user should have for a given session. These privileges, for example, may be different depending on how the user was authenticated or from where the user signed on. AMAZON WEB SERVICES 16

17 USE CASE TWO LEVERAGE OPENID CONNECT FOR AWS APIS Amazon recently announced support for identity federation using OpenID Connect. This functionality can be used to easily access AWS resources from non-web clients, although the mechanism can be used for web applications as well. This new feature allows developers to leverage an OpenID Connect authorization server like PingFederate to provide SSO capabilities similar to those available from cloud identity providers such as Google and Facebook. For service providers who publish apps that rely on AWS APIs, this enables simple, secure access using a standards-based framework that supports both web and mobile clients. EC2 instance IDP SSO (SAML) Authentication AMAZON WEB SERVICES 17

18 USE CASE THREE & FOUR 03 USER AWS EC2 PROVIDES A SUPPORTED PLATFORM FOR FEDERATING YOUR IDENTITIES. Mobile or Web App SECURITY TOKEN SERVICE Regardless of whether your users are employees, contractors, partners or affiliates, a federation server deployed in EC2 allows you to authenticate users and provide OpenID Connect-compliant Identity Provider COGNITO DYNAMODB assertions or tokens for AWS, your own applications or third-party SaaS providers. DEVELOPER S AWS ACCOUNT HOSTED ON-PREMISES SSO (SAML) SP (WITH APP) EC2 instance 04 EC2 CAN HOST A FEDERATION SERVER TO ACCEPT INBOUND ASSERTIONS AND TOKENS. If your users are being authenticated by their own IdP, EC2 also provides a supported platform for a federation server to consume identity assertions FEDERATION IDP and tokens and then provide a local session or token that can be used by your applications. Deploying a federation server in EC2 offers instant scalability and Authentication Identity Bridge availability for your environment. AMAZON WEB SERVICES 18

19 SUPERHERO STATUS

20 SUPERHERO STATUS: AWS FOR ENTERPRISE IDENTITY Leveraging AWS for identity federation allows scalable, highly-available SSO and token services for the AWS console and APIs, as well as for your own applications. By leveraging other AWS components such as S3, RDS, Route 53 and ELBs, you can provide a scalable, highly-available IAM infrastructure that provides a true SSO solution while leveraging your current identities, directories and policies. CONSOLE AMAZON RDS AMAZON RDS AMAZON WEB SERVICES 20

21 CONCLUSION

22 CONCLUSION Amazon Web Services is a platform that provides many different capabilities that are enabled by built-in identity and access management systems. Controlling user access to the AWS console and APIs is an ongoing consideration for today s enterprise organizations. SAML and OpenID Connect identity federation is extraordinary technology that integrates with third-party identity management solutions to give you the power to let users sign into the AWS console and APIs without requiring additional passwords or tokens. PingFederate integrates with AWS out-of-the-box so that your users can federate from your identity management systems into your AWS environments easily and quickly. This mechanism gives you a true single sign-on solution: authenticate once, access many things including AWS. By implementing this identity federation approach, you can manage users and maintain identities within your existing directory, re-use internal identity management processes and eliminate password fatigue giving your authorized users and developers seamless access to the resources they need to get work done. AWS also provides a perfect platform for enterprise identity federation and SSO regardless of where your users are, what applications they need to access or what devices they re using. Whether you are an identity provider requiring single sign-on for your users or a service provider with applications and APIs that your customers want to access, AWS provides a scalable, highly-available platform that delivers the security your organization requires and the ease-of-use that your users have come to expect. AMAZON WEB SERVICES 22 Ping Identity is the leader in Identity Defined Security for the borderless enterprise, allowing employees, customers and partners access to the applications they need. Protecting over one billion identities worldwide, the company ensures the right people access the right things, securely and seamlessly. More than half of the Fortune 100, including Boeing, Cisco, Disney, GE, Kraft Foods, TIAA-CREF and Walgreens, trust Ping Identity to solve modern enterprise security challenges created by their use of cloud, mobile, APIs and IoT. Visit pingidentity.com. Copyright 2016 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingAccess, PingID, their respective product marks, the Ping Identity trademark logo, and IDENTIFY are trademarks, or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies v001