Identities and Federation

Question 1

What critera exists (5 things) to point you to use SAML 2.0 Federation?

Answer 1

You have an enterprise identity provider

That provider is SAML 2.0 compatible

You have an enterprise IAM team

You want a single source of truth

You have 5000 or more identities

Question 2

What AWS security constructs does SAML use?

Answer 2

IAM roles

Temporary Credentials (STS), usually 12 hour validity

Question 3

What two types of use cases uses SAML assertion?

Answer 3

in house developed app access AWS resources

Console access

Question 4

What is the key API call used in conjunction with SAML 2.0 assertion?

Answer 4

STS:AssumeRoleWithSAML

Question 5

What must be done before an in house developed application can use SAML Identity federation?

Answer 5

A two way trust must be establisd between the IDP and AWS IAM:

1. The internal IDP must trust AWS IAM
2. you must confgiure/register the SAML IDP in IAM

Question 6

SAML IN house app Diagram

Answer 6

Question 7

What must be configured before you can use SAML to grant access to the console?

Answer 7

Trust established between IDP and AWS using SAML/SSO Endpoint

Question 8

What is the main difference between the SAML process for an in house developed app and console access?

Answer 8

For console acces, the AWS SAML/SSO endpoint is generating a console URL in addition to the STS creds for the user to use to access AWS

Question 9

SAML Console Diagram

Answer 9

Question 10

Does AWS prefer AWS SSO or the traditional SAML based federation for workloads going forward?

Answer 10

AWS SSO

Question 11

Name the four options for identity stores in AWS SSO

Answer 11

Built In

AWS Managed Microsoft AD

On premsis AD (two trust or AD connector)

External Idendity Provider (SAML 2.0)

Question 12

Three main benefits of AWS SSO

Answer 12

Single sign on to all accounts in an organization

Centralized permissions config and management across AWS accounts in an org

SSO to busines apps (o365, slack, salesforce) and custom SAML apps