Amazon Web Services (AWS) and Identity Management: What’s New?

From IIW

Session Topic: Amazon Web Services (AWS) and Identity Management: What’s New?

Wednesday 4H

Convener: Shon Sham

Notes-taker: Matt Berry

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Recap of yesterday’s AWS session, with more detail into non-OIDC federation technologies. AWS supports SAML, OIDC, and also has a hosted wire-compatible Active Directory service.

Question: When a federated session credential expires, what is the customer experience

Answer: In the event of an expired session credential a 403 error is returned. From the Application point of view, it can attempt to refresh the credential and try the request again. If that is successful then the process is transparent to the end-user. If the IDP requires re-authentication, then the user will have to comply.

Question: In AWS Identity and Access Management (IAM), do you specify which IDPs your application wants to support?

Answer: This is correct. Create an IAM Provider for each IDP you wish to support in your application. IAM Providers hold metadata about Identity Providers that allow AWS to properly authenticate claims from the IDPs. In the SAML case, it is the IDPs public keys. In the OIDC case, it is the information needed to perform Key Discovery.

Question: Is AWS Directory Service a regional service?

Answer: Yes, each region is a separate directory, which you can join into a forest if you wish.

Question: When using the “AD Connect” option in Directory Service (where AWS maintains a VPN connection to an on-premise AD Domain Controller) is the VPN mandatory?

Answer: Yes, AWS acts as a transparent proxy for the Domain Controller in your network, thus for security reasons a VPN connection is required.

Question: What is AWS Virtual Private Cloud (VPC)

Answer: VPC is an AWS service that interoperates with EC2 that allows EC2 instances to live in your network IP space via a VPN connection.

Question: Is the “AD Connect” proxy truly transparent

Answer: Yes

Question: Can each AWS account have multiple domains

Answer: Yes

Question: Does AWS support the use of SAML Enhanced Client Profile (ECP) protocol?

Answer: Yes and no. AWS accepts SAML Authentication Response objects that are Base64 encoded. This is directly compatible with the WebSSO Profile of SAML. However, the result of the ECP protocol is an Authentication Response wrapped in a SOAP/POAS envelope. So if your SAML IDP supports ECP, then you can extract and Base64 encode the response.

Question: Does AWS support SP-initiated login to the Management Console? Answer: SAML: Not at this time, OIDC: In good time

Question: Does AWS support SAML Discovery?

Answer: No

Question: Can I stand up an ADFS server in EC2 and use the Directory Service Domain Controller?

Answer: Yes.