You're reading from Implementing Identity Management on AWS

Product type: Book
Published in: Oct 2021
Publisher: Packt
ISBN-13: 9781800562288
Edition: 1st Edition

Author: Jon Lehtinen
Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta. Jon is dedicated to the growth and maturity of IAM as a profession and serves on the Board of Directors for IDPro org. He is also a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity. Jon has presented his work at several conferences, including RSA, Identiverse, and KuppingerCole's European Identity and Cloud Conference. Currently, he owns Okta's workforce and customer IAM implementations as their Director of Okta on Okta.

Chapter 12: AWS-Hosted Application Single Sign-On Using an Existing Identity Provider

In the previous chapter, we looked at several solution architectures for non-administrative identity use cases. We defined our non-administrative use case as wanting to expose our organization's identity information to applications hosted on Amazon Web Services (AWS), regardless of whether the account owner had access to the AWS backplane. Most organizations make a distinction between their administrative accounts and their standard user accounts, and often have distinct architectures for each of these use cases. Typically, standard application identity needs are satisfied through the use of standard user accounts. This chapter will focus on addressing the identity needs of AWS-hosted applications.

Whereas we can use native AWS services such as Amazon Cognito to solve application identity challenges on AWS, organizations often have policy or regulatory requirements that require them to demonstrate...

Technical requirements

To get the most out of this chapter, you will need the following:

  • An AWS account
  • A SAML2- and System for Cross-domain Identity Management (SCIM)-compliant IdP such as Okta Identity Cloud, PingOne, or Azure Active Directory (Azure AD)
  • A populated user directory to act as the user store for that IdP

Defining the use case and solution architecture

Before we begin connecting applications, user pools, and external IdPs, let's take a moment and visualize the solution we intend to build for the use case we want to solve. Once again, we have some familiar components in play for the Redbeard Identity organization, as shown in the following diagram:

Figure 12.1 – Application references Cognito, which looks to the external IdP

In this design, the application will look to an Amazon Cognito user pool for its user information. The user pool will act as the application's user store, and detailed attributes will be provided at authentication time through the Amazon Cognito identity token. Since Amazon Cognito user pools provide a standards-compliant OIDC IdP, additional attributes can be accessed through the /userinfo endpoint as needed, if the application is sufficiently entitled and scoped to have that access. In order to ensure that the Redbeard...

Creating a user pool

We will begin by creating a user pool that we intend to use for all of our users. This will be a repeat of the process we went through in Chapter 5, Introducing Amazon Cognito, so we will not be as fastidious in documenting the process, aside from the specifics of the configuration we require to fulfill our use case. Proceed as follows:

  1. From the AWS Management Console, go to Amazon Cognito and select the Manage User Pools option.
  2. Select Create a user pool. This takes us through to the wizard. We name our pool and select the option to step through the settings, to make the changes we will need to configure this user pool instance as we want. The process is illustrated in the following screenshot:

    Figure 12.2 – Creating a new user pool

  3. We will make several adjustments to the Attributes section. If we want our external IdP to be the authoritative source of user information for this user pool, we will need to ensure we include all of the attributes...

Connecting Amazon Cognito to an external IdP – SAML

Now that we have a user pool configured with attributes that match those found in our external IdP, we need to put some users inside it. We do not want users created directly inside the user pool as that would bypass the external IdP as the authoritative source of identity information for our users. To connect the external IdP with the user pool, we will need to configure our external IdP as an IdP for the user pool, as follows:

  1. From the user pool, we can select the type of federated provider we want to add under the Federation menu. We will select the SAML option, as illustrated in the following screenshot:

    Figure 12.7 – Selecting a new IdP for the user pool

  2. The configuration options are very sparse since it wants to import a metadata file. We will come back to the form shown in the following screenshot since we will need to build this connection on the external IdP side in order to create that metadata file...

Connecting Amazon Cognito to an external IdP – OIDC

Amazon Cognito user pools support the use of multiple external IdPs. It would be unusual, though not necessarily ill-advised, to connect the same external IdP to an Amazon Cognito user pool using both SAML and OIDC. We will connect our external IdP using OIDC as well, in the interest of demonstrating how both protocols operate when used to connect an external IdP to a user pool. We'll proceed as follows:

  1. From the user pool, we can select the type of federated provider we want to add under the Federations menu. We will select the OpenID Connect option. We can see a marker on the SAML option indicating an existing connection, as illustrated in the following screenshot:

    Figure 12.21 – Selecting a new IdP for the user pool

  2. In the following screenshot, we see the required fields for configuring the new OIDC IdP. As we do not have all of these values yet, this means that we will need to create a client that the Amazon Cognito...

Assuming roles with identity pools

We have addressed our need for AWS-hosted apps to have baseline user authentication services available using Amazon Cognito user pools. This model allows us to continue to use our existing identity systems as the ultimate authoritative source for the users in those applications, even when those applications take advantage of services such as Amazon Cognito for their identity use cases. For applications with architectures that have deep integration into AWS services, Amazon Cognito identity pools can provide authorization to AWS resources such as Amazon Simple Storage Service (S3) buckets and Amazon Relational Database Service (RDS) databases. This allows the application users to indirectly interact with these services when using the application that is built to leverage them.

Let's consider a use case where the Redbeard Identity Sales team manages its sales reports through an application that is hosted on AWS. The reports are published to...

Summary

In this chapter, we explored the authentication and authorization options available to applications hosted in AWS. We were able to provide identity information to those applications leveraging AWS identity services, particularly Amazon Cognito, while continuing to respect our organization's existing IAM infrastructure as the authoritative source for access control. We showed how to delegate authentication to an external provider using both SAML and OIDC when using an Amazon Cognito identity pool, and then explored how we could apply authorization controls to an AWS-hosted application by assigning distinct AWS IAM roles to Amazon Cognito identities based upon claims from that external IdP.

And with that, we have reached the end of the book. Congratulations on making it through! You now have a solid foundation of AWS identity knowledge that will make you better prepared to address your cloud identity challenges moving forward.

Questions

  1. Why would an organization choose to federate their managed identities into an Amazon Cognito user pool for application identity?

    a. Allows the app team to use native AWS services for identity.

    b. Allows the organization to continue to enforce their compliance controls centrally, even though applications may not look directly to their identity systems for user information.

    c. They shouldn't; they should only connect apps directly to their organization's official IdP.

    d. A and B.

  2. Why would we apply a trust policy that validates a principal was authenticated by the identity pool that is requesting temporary credentials for an Amazon Cognito user?

    Otherwise, non-authenticated users could be granted access to AWS resources within the account.
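The trust-policy check that this question and the Assuming roles with identity pools section refer to, as an added example that is not from the book: a small Python linter that compares a role trust policy lacking conditions with one scoped to a single identity pool and to authenticated identities. The policy documents and the pool ID are constructed placeholders; the condition keys are the standard `cognito-identity.amazonaws.com:aud` and `cognito-identity.amazonaws.com:amr` keys AWS evaluates for `sts:AssumeRoleWithWebIdentity`.

```python
import json
# Constructed placeholder; a real identity pool ID looks like "<region>:<uuid>".
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
# Weak trust policy (constructed): any identity pool, authenticated or guest, may assume the role.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity"
    }]
})

# Hardened trust policy (constructed): scoped to one pool and to authenticated identities only.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }]
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy_json, expected_pool_id):
    """Return the problems found in a role trust policy meant for one Cognito identity pool."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if stmt.get("Effect") != "Allow" or federated != "cognito-identity.amazonaws.com":
            continue  # not a Cognito identity pool statement
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if aud is None:
            findings.append("missing aud condition: any identity pool may assume this role")
        elif expected_pool_id not in _as_list(aud):
            findings.append("aud condition does not name the expected identity pool")
        if amr is None:
            findings.append("missing amr condition: unauthenticated identities may assume this role")
        elif "authenticated" not in _as_list(amr):
            findings.append("amr condition does not require 'authenticated'")
    return findings
```

Run `trust_policy_findings` over the trust policy of each role attached to an identity pool; an empty list means the role can only be assumed by authenticated identities from the pool you expect.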

Further reading

Here are some resources for making applications SAML2- and OIDC-compliant through relying parties:
