Category: Federation


Enable Single Sign-On to the AWS Management Console via Shibboleth

<Repost from AWS Blog, here in its entirety>

One of the most powerful features of AWS Identity and Access Management (IAM) is its ability to issue temporary security credentials and grant controlled access to people in a network without having to define individual identities for each user (i.e., identity federation). This enables customers to extend their existing authentication systems and allow users to Single Sign-On (SSO) to the AWS Management Console.

Last November, we released sample code that will allow customers to create a federation proxy server that uses IAM roles to create temporary security credentials which can be used by Windows Active Directory users to Single Sign-On (SSO) to the AWS Management Console. Thousands of universities and government institutions currently use Shibboleth as their SSO authentication system across many disparate systems. We’ve received feedback from these customers who want a sample demonstrating how to leverage existing Shibboleth systems to easily enable SSO to the AWS Management Console.

Today, we are excited to release additional sample code that extends the functionality of the federation proxy to support Shibboleth using the Security Assertion Markup Language (SAML). The sample code empowers system architects and admins to configure Shibboleth and IAM so users can leverage AWS services while still managing the user’s credentials in their local directory. The sample allows federated users to log into the AWS Management Console without having to create individual IAM users. This approach of federating the use of AWS is a great way to expand and extend your organization’s ability to securely access AWS resources.  (more…)

Jeff Barr Talks with Symplified About Identity Federation and SSO

Jeff Barr, AWS’s chief evangelist, recently did an AWS Report interview with Symplified’s CTO and co-founder Darren Plat covering identity federation and single sign-on to cloud-based apps.  The interview goes into depth about the need for identity federation services in the cloud and how Symplified implemented their offering for AWS services. You can watch the interview.

– Ben

New Playground App to Explore Web Identity Federation with Amazon, Facebook, and Google

In May 2013, we announced support for federation using identities from Amazon, Facebook, and Google (a.k.a. web identity federation), which allows your apps to authenticate users via Amazon, Facebook, or Google and then access AWS resources managed under your account.

To help you understand how web identity federation works, today we’re releasing the Web Identity Federation Playground. This is an interactive web page that lets you explore the three key steps of web identity federation.  First, you sign in with Amazon, Facebook, or Google.  Next, you make an AWS request to obtain temporary security credentials.  Lastly, you use those temporary security credentials to access an AWS resource (AWS S3 in this case). In addition, the Playground is entirely self-contained (no need to use the AWS CLI, SDKs, or Management Console) so you can try it out without writing any code!

In this blog post, we’ll walk through the steps of using the Web Identity Federation Playground. (more…)

New AWS Web Identity Federation Supports Amazon.com, Facebook, and Google identities

Log into Facebook or Google, then access AWS resources? Impossible (well, perhaps difficult…) you say – until now. On 5/28 the AWS Identity and Access Management (IAM) team launched web identity federation. This new feature expands existing AWS identity federation capabilities to include support for public identity providers such as Facebook, Google, or the newly launched Login with Amazon service.  Wait, you’ve never heard of Login with Amazon?  It’s a new service you can use to securely connect your websites and apps with millions of Amazon.com customers!

A number of folks have already written about our web identity federation functionality so I won’t repeat everything here.  If you want to learn the basics head over and read this post in the AWS blog.  If you’re looking for some sample code, the AWS mobile team has you covered – see what Bob Kinney said here.  Want more you say?  Get started by digging into the web identity federation documentation.

Jeff Wierer
Principal Product Manager, AWS Identity and Access Management

Understanding the API Options for Securely Delegating Access to Your AWS Account

Thinking about building a secure delegation solution to grant temporary access to your AWS account?  This week’s guest blogger Kai Zhao, Product Manager on our AWS Identity and Access Management (IAM) team, will discuss some considerations when deciding on an approach:


Introduction

Using temporary security credentials (“sessions”) enables you to securely delegate access to your AWS environment to one or more users or applications, without having to share your long-term credentials (i.e. password or secret access key).  Use cases include cross-account access (enabling users from one AWS account to access resources in another) and single sign-on to AWS (enabling users authenticated within your enterprise to access AWS without re-authentication).

Many customers have asked for guidance on how to build delegation solutions that grant temporary access to their AWS environment.  This blog post will cover two AWS APIs that you can use for this purpose (sts:GetFederationToken and sts:AssumeRole), how to call each API, and the benefits of using one versus the other.

Please be aware that this blog post will dive deep into some technical details.  It’s helpful to first have a basic understanding of IAM and how to make programmatic AWS API calls with IAM users.  You may want to brush up first by reviewing the Using IAM and Temporary Security Credentials documentation. (more…)