[AWS] IDF, Cognito, and SSO

IDF (Identity Federation) is an architecture where the identities of an external identity provider (IDP) are recognized.


Types of IDF

  • Cross-account roles: A remote account is allowed to assume a role and access your account’s resources.
  • SAML 2.0 IDF: Allows users of a SAML-compatible system such as Active Directory (AD) to log in to AWS services.
  • Web Identity Federation: External web-based IDPs (Google, Facebook) are allowed to assume roles.

When to use IDF

  • Enterprise Access to AWS
    • Enterprise users with existing identities such as Active Directory.
    • Users can access AWS using SSO (Single Sign-On).
    • Suits a large number of potential users that IAM users alone cannot easily handle.
  • Web & Mobile Users
    • Users can use existing web identities.
    • You do not need to store user credentials within the application.
    • There might be a lot of users (millions or more).

Cognito and STS

Cognito and STS (Security Token Service) are used for IDF in AWS.

  • When a federated identity is verified by an external IDP, it is exchanged for temporary AWS credentials by assuming an appropriate role.
  • AWS Cognito is a superset of the functionality of web identity federation (sign-in directly or through 3rd parties).
    • Sign-up and sign-in, Guest access, and Synchronize user data
    • Recommended for mobile applications

User Pool

  • acts as an Identity Provider (IdP) and authenticates a user (user id, password)
    • It supports IdP standards such as OAuth 2.0, SAML 2.0, and OpenID Connect.
    • You can use social media IdPs such as Google or Amazon.
  • issues three JWTs (JSON Web Tokens) that can be used for authorization
    • Identity Token
      • authorizes API calls
      • contains claims of the user (name or email)
      • signed but not encrypted
    • Access Token
      • specifies the protected resources the caller may access
      • signed but not encrypted
      • 5 minutes ~ 24 hours
    • Refresh Token
      • contains the information necessary to obtain a new ID or Access token
      • encrypted
      • 1 hour ~ 10 years
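Because the ID and access tokens are signed but not encrypted, a resource server can read their claims without any key, but it must still verify the RS256 signature against the pool's JWKS and then check the claims that a JWT library does not check for it (issuer, token_use, app client, expiry). The following is an added example, not code from the original notes or from AWS: the pool ID, client ID, key ID and timestamps are constructed, the signature segment is a placeholder, and signature verification is assumed to have been done by a JWT library before validate_claims is called.

```python
import base64
import json
import time

# Issuer URL format for a Cognito User Pool (from the AWS Cognito documentation).
ISSUER_FMT = "https://cognito-idp.{region}.amazonaws.com/{pool_id}"

# Constructed sample values for the demo; not a real pool or app client.
REGION = "us-east-1"
POOL_ID = "us-east-1_EXAMPLEPOOL"
CLIENT_ID = "example-app-client-id"
NOW = 1_700_000_000  # fixed "current time" so the demo is deterministic


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Return (header, payload) of a JWT without checking its signature.

    Cognito ID and access tokens are signed but not encrypted, so anyone holding
    a token can read these claims; nothing here proves they are genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must be header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_claims(token, region, pool_id, client_id, expected_use, now=None):
    """Apply the claim checks that a JWT library does not do for you.

    Run this only after the RS256 signature has been verified against the pool's
    JWKS (<issuer>/.well-known/jwks.json) with a JWT library. Returns the claims
    on success and raises ValueError otherwise.
    """
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    # Cognito signs with RS256 and names the signing key in `kid`; anything else
    # (e.g. alg "none" or HS256) must be rejected before the signature is checked.
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("unexpected JWT header: Cognito tokens are RS256 with a kid")
    if claims.get("iss") != ISSUER_FMT.format(region=region, pool_id=pool_id):
        raise ValueError("issuer does not match the expected user pool")
    if claims.get("token_use") != expected_use:
        raise ValueError("token_use is %r, expected %r" % (claims.get("token_use"), expected_use))
    # The app client appears as `aud` in ID tokens and as `client_id` in access tokens.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("token was issued to a different app client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims


def make_sample_token(claims):
    """Build a JWT-shaped string with a placeholder signature (constructed test data)."""
    header = {"alg": "RS256", "kid": "example-key-id", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(header).encode()),
                _b64url_encode(json.dumps(claims).encode()),
                _b64url_encode(b"placeholder-signature")]
    return ".".join(segments)


ISSUER = ISSUER_FMT.format(region=REGION, pool_id=POOL_ID)
SAMPLE_ID_TOKEN = make_sample_token({
    "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "sub": "1111-2222",
    "email": "alice@example.com", "iat": NOW - 60, "exp": NOW + 3600})
SAMPLE_ACCESS_TOKEN = make_sample_token({
    "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
    "scope": "openid email", "iat": NOW - 60, "exp": NOW + 3600})
EXPIRED_TOKEN = make_sample_token({
    "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "iat": NOW - 7200, "exp": NOW - 3600})


def check(token, expected_use):
    """Return 'ok' or the reason a token was rejected."""
    try:
        validate_claims(token, REGION, POOL_ID, CLIENT_ID, expected_use, now=NOW)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("id token as id:", check(SAMPLE_ID_TOKEN, "id"))
    print("access token as id:", check(SAMPLE_ACCESS_TOKEN, "id"))
    print("expired token:", check(EXPIRED_TOKEN, "id"))
```

The token_use check matters in practice: an access token and an ID token from the same pool are both valid signed JWTs, so an API that only verifies the signature would accept either one wherever it expects the other.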

Identity Pool

https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html

  • creates a unique identity for each authenticated user (authentication)
  • issues temporary AWS credentials and grants permissions to AWS resources (authorization)

Scenarios

You can use the User Pool and the Identity Pool for common authentication/authorization scenarios; see the following documentation.

Common Amazon Cognito scenarios – Amazon Cognito


User Pool with Lambda Triggers

You can customize user pool workflows with Lambda triggers.

  • Pre sign-up
  • Post confirmation
  • Pre authentication
  • Post authentication
  • Migrate user
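A Pre sign-up trigger is the usual place to enforce who may register at all, before a user record exists. The handler below is an added example (not code from the original notes or from AWS): it restricts self-service and federated sign-ups to an allow-list of e-mail domains, and the event shape it reads (triggerSource, request.userAttributes, response.autoConfirmUser) follows the Cognito Pre sign-up event format. The allow-list, pool ID and sample addresses are constructed, and auto-confirming federated users is a policy choice made here, not an AWS default.

```python
# Constructed allow-list for the demo. In a deployment read it from an environment
# variable or an SSM parameter so the function need not be redeployed to change it.
ALLOWED_EMAIL_DOMAINS = {"example.com", "corp.example.com"}


def email_domain(email):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.strip().lower()


def signup_decision(event):
    """Return (allowed, reason) for a Cognito Pre sign-up event."""
    attrs = event.get("request", {}).get("userAttributes", {})
    domain = email_domain(attrs.get("email"))
    if domain is None:
        return False, "a valid email address is required"
    if domain not in ALLOWED_EMAIL_DOMAINS:
        return False, "sign-up is restricted to approved email domains"
    return True, "domain %s is approved" % domain


def lambda_handler(event, context=None):
    """Cognito Pre sign-up trigger entry point.

    Raising rejects the sign-up (Cognito returns the exception message to the
    client); returning the event lets it proceed. The same rule is applied to
    self-service sign-ups (PreSignUp_SignUp), federated sign-ups
    (PreSignUp_ExternalProvider) and PreSignUp_AdminCreateUser, so the allow-list
    cannot be bypassed by changing how the account is created.
    """
    allowed, reason = signup_decision(event)
    if not allowed:
        raise Exception(reason)
    # Self-service sign-ups still go through Cognito's confirmation-code flow
    # (autoConfirmUser stays False). For federated sign-ups this demo assumes the
    # external IdP has already verified the address and confirms the account directly.
    if event.get("triggerSource") == "PreSignUp_ExternalProvider":
        event["response"]["autoConfirmUser"] = True
        event["response"]["autoVerifyEmail"] = True
    return event


def make_event(trigger_source, email):
    """Constructed Pre sign-up event carrying the fields this handler reads."""
    return {
        "version": "1",
        "triggerSource": trigger_source,
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLEPOOL",
        "userName": email,
        "request": {"userAttributes": {"email": email}, "validationData": {}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False, "autoVerifyPhone": False},
    }


if __name__ == "__main__":
    for address in ["alice@example.com", "bob@other.example", "not-an-email"]:
        print(address, signup_decision(make_event("PreSignUp_SignUp", address)))
```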

Amazon Cognito Sync

Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data.

  • You can use it to synchronize user profile data across mobile devices and web applications.

Use Case: Allow temporary access to S3 for AD users

You can use STS to issue temporary credentials that let users access resources through IAM roles.

  1. A user makes a request to the IDP (Identity Provider)
  2. The IDP authenticates the user
  3. The IDP sends the user a SAML assertion
  4. The user calls AssumeRole with the SAML assertion (the STS AssumeRoleWithSAML API)
  5. STS returns temporary security tokens
  6. The user uses the tokens to access AWS resources such as S3

Tracking Devices

You can track and remember user devices using Cognito.

  • You can see the remembered devices and associated metadata through the console.
  • You can build custom functionality such as limiting the number of devices from a single end-user.

AWS IAM Identity Center

AWS IAM Identity Center is where the credentials of an external identity are used to allow access to a local system (e.g., AWS).

  • formerly known as AWS Single Sign-On (SSO)
  • Offers pre-configured SAML 2.0 (Security Assertion Markup Language) integration
  • One login for
    • AWS services of all your accounts in AWS Organization
    • Business cloud applications (Office 365, Salesforce …)
    • SAML enabled applications
    • EC2 Windows instances
    • On-premises Microsoft Active Directory through an AD trust
  • Identity Providers
    • Built-in identity store in the IAM Identity Center
    • Active Directory (AD)
    • Other 3rd Party Providers: Okta, OneLogin …

Using SAML Identity Providers (IDPs)

  • Users sign into AWS access portal using their corporate identities
  • In IAM Identity Center, you need to create users and groups that match those in the external IDP.
  • Sync
    • You can automatically sync external IDP users to Identity Center via SCIM (System for Cross-domain Identity Management).

Permission Sets

  • A permission set is a template that defines a collection of one or more IAM policies.
  • When a permission set is created, Identity Center creates corresponding Identity Center-controlled IAM roles in each account.
    • The policies specified in the permission set are attached to those roles.

Attribute-Based Access Control (ABAC)

  • Fine-grained permissions based on user’s attributes in the IAM Identity Center’s identity store.
  • User attributes are used in
    • IAM Identity Center Permission Sets
    • Resource-based policies
  • You need to enable the setting “Attributes for access control” and then add attributes as key/value pairs.
    • You are mapping the attribute coming from your identity source to an attribute that IAM Identity Center passes as a session tag.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    }
  ]
}
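What the policy variable buys you is one permission set for every cost centre: the CostCenter session tag that IAM Identity Center passes from the identity source is compared at request time with the tag on the instance. The evaluator below is an added example (not code from the original notes or from IAM itself) that models just enough of IAM's evaluation logic (Action and Resource wildcards, StringEquals with ${...} variable substitution, explicit Deny over Allow over implicit deny) to show how the same statement allows one request and denies another. The instance ARN and the request contexts are constructed.

```python
import json
import re

# The ABAC policy from the notes above, embedded so the demo is self-contained.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    }
  ]
}
""")

POLICY_VAR = re.compile(r"\$\{([A-Za-z0-9:/_.-]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text):
    """IAM-style match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text) is not None


def substitute_variables(value, context):
    """Expand ${key} policy variables from the request context.

    Returns None when a referenced key is absent: in IAM a condition that
    references a variable missing from the request does not match (unless the
    ...IfExists operator form is used), so the caller treats None as no match.
    """
    missing = []

    def repl(match):
        key = match.group(1)
        if key not in context:
            missing.append(key)
            return ""
        return context[key]

    expanded = POLICY_VAR.sub(repl, value)
    return None if missing else expanded


def condition_matches(condition, context):
    """Evaluate a Condition block; every operator/key pair must be satisfied."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("only StringEquals is modelled here: %s" % operator)
        for ctx_key, expected in pairs.items():
            if ctx_key not in context:
                return False  # e.g. an untagged instance: key absent, no match
            wanted = [substitute_variables(v, context) for v in _as_list(expected)]
            if context[ctx_key] not in [w for w in wanted if w is not None]:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Follows IAM's order: an explicit Deny wins, then any Allow, else implicit deny.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts: the CostCenter principal tag is the session tag
# IAM Identity Center passes from the identity source; the resource tag is on the instance.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"
SAME_COST_CENTER = {"aws:PrincipalTag/CostCenter": "1234", "ec2:ResourceTag/CostCenter": "1234"}
OTHER_COST_CENTER = {"aws:PrincipalTag/CostCenter": "1234", "ec2:ResourceTag/CostCenter": "5678"}
NO_SESSION_TAG = {"ec2:ResourceTag/CostCenter": "1234"}
UNTAGGED_INSTANCE = {"aws:PrincipalTag/CostCenter": "1234"}

if __name__ == "__main__":
    cases = [("same", SAME_COST_CENTER), ("other", OTHER_COST_CENTER),
             ("no session tag", NO_SESSION_TAG), ("untagged", UNTAGGED_INSTANCE)]
    for name, ctx in cases:
        print(name, evaluate(POLICY, "ec2:StopInstances", INSTANCE, ctx))
```

The two deny cases without a tag are the ones to watch operationally: if the attribute mapping in "Attributes for access control" is not configured, no session tag is passed and every user is implicitly denied, and an instance that was created without a CostCenter tag is unreachable to everyone under this policy.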

Multi-Factor Authentication (MFA)

  • Always-on: every time users sign in
  • Context-aware: only when user’s sign-in context changes
