Identity Providers And Federation


Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

In the last blog post, we discussed how to secure your root account.

https://cloudaffaire.com/secure-aws-root-account/

In this blog post, we are going to discuss Identity Providers and Federation in AWS. We will also create our first IdP (identity provider) using SAML, with Azure AD as the identity provider.

Identity Providers and Federation:

With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.

When you use an IAM identity provider, you don’t have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through a well-known IdP, such as Login with Amazon, Facebook, or Google. You can give those external identities permissions to use AWS resources in your account. IAM identity providers help keep your AWS account secure because you don’t have to distribute or embed long-term security credentials, such as access keys, in your application.

To use an IdP, you create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).

Next, we are going to create an identity provider with SAML.

Prerequisite:

You need to create an Azure AD tenant with a user and download the federation XML metadata. The Microsoft tutorial linked below is the one followed in this blog and can be used as a reference.

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial

We have already created the Azure AD tenant and the user (debjeet@cloudaffaire.com) and downloaded the XML metadata.

Step 1: Log in to the AWS console and navigate to IAM.

Step 2: Navigate to ‘Identity providers’ and click ‘Create Provider’.

Step 3: Select the provider type (SAML), upload your XML metadata document and provide a name for your identity provider. Click ‘Next Step’ and then ‘Create’.

Our identity provider has been created successfully.

Next, we are going to create a role that will be consumed by our Azure AD user.

Step 4: Navigate to ‘Roles’ and click ‘Create role’.

Select SAML 2.0 federation as the type of trusted entity, choose your SAML provider and click ‘Next: Permissions’.

Select the policy to attach to this role and click ‘Next: Tags’.

Note: In this demo, we are granting admin access to the role. Hence the Azure AD user ‘debjeet@cloudaffaire.com’ will have full access to the AWS resources in this account; in a real deployment, attach only the permissions the federated users actually need.

Provide a tag and click ‘Next: Review’.

Provide a name and description for the role and click ‘Create role’.
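The console writes a trust policy for the role in step 4 that only the selected SAML provider can assume. The following is an added example, not code from the post: it builds that same trust document in Python and adds a small check that flags the two weakenings a reviewer looks for (a non-specific principal and a missing SAML:aud condition). The account id and provider name are constructed placeholders.

```python
"""Build and check the trust policy of an IAM role used for SAML 2.0 federation.

Added example, not code from the CloudAffaire post. The account id and the
provider name passed in below are constructed placeholders.
"""
import json

# Audience AWS expects in the SAML assertion for console/STS federation.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy equivalent to the one the console writes for
    'SAML 2.0 federation': only this IdP may call sts:AssumeRoleWithSAML,
    and only with an assertion addressed to the AWS sign-in audience."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return the problems found in a SAML role trust policy (empty list = ok)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue  # not a statement that grants SAML role assumption
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else principal
        feds = [federated] if isinstance(federated, str) else list(federated)
        # Every federated principal must be one specific IAM SAML provider ARN.
        if any(f == "*" or ":saml-provider/" not in f for f in feds):
            findings.append("principal is not a specific IAM SAML provider")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("SAML:aud") != SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings


if __name__ == "__main__":
    policy = saml_trust_policy("123456789012", "AzureAD")  # constructed values
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

The generated document can be passed to `aws iam create-role --assume-role-policy-document` in place of the console wizard; the check is meant to run against trust policies pulled back from existing roles.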

And we are done.

You can now test the federated sign-in by logging in as your Azure AD user and launching the AWS application from Azure.

Hope you have enjoyed this article. In the next blog post, we will discuss cross-account ownership.

To get more details on IAM, please refer to the AWS documentation below.

https://docs.aws.amazon.com/iam/index.html
