Identity Providers and Federation
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed how to secure your root account.
In this blog post, we are going to discuss Identity Providers and Federation in AWS. We will also create our first IdP (identity provider) using SAML, with Azure AD as the provider.
Identity Providers and Federation:
With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.
When you use an IAM identity provider, you don’t have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through a well-known IdP, such as Login with Amazon, Facebook, or Google. You can give those external identities permissions to use AWS resources in your account. IAM identity providers help keep your AWS account secure because you don’t have to distribute or embed long-term security credentials, such as access keys, in your application.
To use an IdP, you create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
Next, we are going to create an identity provider using SAML.
You need to set up Azure AD with a user and download the federation XML metadata. You can use the link below as a reference; it is the procedure followed in this post.
We have already created the Azure AD directory and the user (firstname.lastname@example.org) and downloaded the XML metadata.
Step 1: Log in to the AWS console and navigate to IAM.
Step 2: Navigate to ‘Identity providers’ and click ‘Create Provider’.
Step 3: Select the provider type (SAML), upload your XML metadata document and give the identity provider a name. Click ‘Next Step’ and then ‘Create’.
Our identity provider has been created successfully.
Step 1: Login to AWS console and navigate to IAM
Step 2: Navigate to ‘identity providers’ and click ‘Create Provider’.
Step 3: Select Provider Type and your XML metadata and provide a Name to your identity provider. Click ‘Next Step’ and then ‘Create’
Our identity provider successfully created.
Next, we are going to create a role that will be consumed by our Azure AD user.
Step 4: Navigate to ‘Roles’ and click ‘Create role’.
Select ‘SAML 2.0 federation’ as the type of trusted entity, choose the SAML provider you just created, and click ‘Next: Permissions’.
Select the policy to attach to this role and click ‘Next: Tags’.
Note: In this demo, we are providing admin access to the role. Hence the Azure AD user ‘email@example.com’ will have full access to AWS resources under this account.
Provide a tag and click ‘Next: Review’.
Provide a name and description for the role and click ‘Create role’.
And we are done.
You can now test the federation by signing in with your Azure AD user through the AWS app.
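What the role wizard in Step 4 produces behind the scenes is a trust policy that only your SAML provider may use. The following is an added example, not code from the original post: it builds that trust policy in Python and audits an existing one for the settings that widen who can assume the role. The account ID and provider name are placeholders.

```python
"""Build and audit the trust policy of an IAM 'SAML 2.0 federation' role.
Added example, not from the original post; ARN values are placeholders."""
import json

# Audience AWS expects in SAML assertions used for console sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
FINDING_PRINCIPAL = "federated principal is not the expected SAML provider"
FINDING_AUD = "SAML:aud condition missing or not the AWS sign-in endpoint"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy equivalent to what the role wizard generates: only the named
    provider may call AssumeRoleWithSAML, and only with assertions addressed
    to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def audit_saml_trust(policy: dict, expected_provider_arn: str) -> list:
    """Return findings for every Allow statement granting AssumeRoleWithSAML.
    An empty list means the role trusts only the expected provider."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithSAML" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != expected_provider_arn:
            findings.append(FINDING_PRINCIPAL)
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(FINDING_AUD)
    return findings


if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:saml-provider/AzureAD"  # placeholder ARN
    policy = saml_trust_policy(arn)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_saml_trust(policy, arn))  # prints: findings: []
```

Run the audit against the trust policy shown on the role's ‘Trust relationships’ tab to confirm it matches what the wizard created.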
Hope you have enjoyed this article. In the next blog post, we will discuss cross-account ownership.
To get more details on IAM, please refer to the AWS documentation below.