Identity Federation

Question 1

Federated Access Roles

Types of federated accesses?

Answer 1

SAML 2.0,

Question 2

Federated Access Roles

Special names for the two acting systems in federation?

Answer 2

Identity Provider (like AD), Service Provider (controls access to resources)

Question 3

Federated Access Roles

Examples of Identity Provicders

Answer 3

Facebook, Google, Amazon.com

Question 4

Federated Access Roles

Two steps to use federated login?

Answer 4

Go to IdP, get a Token. Give token to AssumeRoleWithWebIdentity, get AWS keys

Question 5

Federated Access Roles

AWS system that manages this federation for mobile apps?

Answer 5

Amazon Cognito

Question 6

Federated Access Roles

Federated method for large scale, unknown users?

Answer 6

Web identity federation (Facebook, etc.)

Question 7

Federated Access Roles

Federated method for enterprise use case with employees?

Answer 7

SAML (uses an existing directory of users)

Question 8

SAML

What is SAML Federation?

Answer 8

Legacy! Use SSO instead. Use on-prem system to auth, swap for aws creds

Question 9

SAML

What version of SAML does AWS support?

Answer 9

2.0

Question 10

SAML

What Microsoft product uses SAML?

Answer 10

Microsoft Active Directory Federated Services (ADFS)

Question 11

SAML

Use SAML with Google or Facebook?

Answer 11

Nope, there’s other federation for that. SAML is only about your ON-PREM auth system.

Question 12

SAML

When do you switch from using AWS to manage identities and using SAML?

Answer 12

One example is when you hit the 5,000 IAM User limit per account.

Question 13

SAML

How long (in general) are creds good for when you use SAML 2.0?

Answer 13

<= 12 hours

Question 14

SAML

Setting up trust between on-prem and AWS for SAML. One-way or two-way trust?

Answer 14

Set up two way trust

Question 15

SAML

What does a SAML enterprise system give you?

Answer 15

SAML Assertion (bearer token), exchange this with AWS for temp creds.

Question 16

SAML

Two-step process to use SAML federation?

Answer 16

Go to SAML provider, login, get token. Give token to AssumeRoleWithSAML, get AWS creds

Question 17

SSO

What are you required to have in place before using SSO?

Answer 17

AWS Organizations

Question 18

SSO

New workload. Should you use SAML or SSO?

Answer 18

SSO. SAML is legacy.

Question 19

SSO

Why SSO instead of SAML federation?

Answer 19

Other things can use SSO like DropBox and Slack.

Question 20

SSO

What does SSO look like for a user?

Answer 20

Login, get a custom screen with all the apps they can login to with this portal. One is “AWS Account”.

Question 21

SSO

What internal AWS thing is SSO most like?

Answer 21

Kinda like Midway and/or Isengard: login once to the thing, can use this to login to a bunch of AWS accounts.

Question 22

SSO

What Identitiy Stores are available in SSO?

Answer 22

SSO’s internal Id Store, Microsoft AD (managed or on-prem), or SAML 2.0

Question 23

SSO

When do you choose between Cognito and SSO?

Answer 23

Cognito when users have their own web identities, SSO when users have enterprise/corporate identities.

Question 24

SSO

What are Permission Sets?

Answer 24

User-friendly names that show up for humans in the SSO portal. These become IAM Roles in all accounts you choose.

Question 25

SSO

OK, can use SSO Portal to get to the AWS conosle, how do you use the CLI?

Answer 25

Just like Isengard. Use SSO Portal, login, select account & role, btn to get temp creds for cli.

Question 26

SSO

How to SSO Group and IAM Groups relate?

Answer 26

Not at all. SSO Groups are only for the built-in identity provider just to group users.

Question 27

SSO

What is “Assign” all about for the built-in SSO IdP?

Answer 27

Have groups, users, PermSets. Assign combines them on specific AWS accounts to actually login to the AWS accounts.

Question 28

SSO

How do you do MFA with SSO users?

Answer 28

Easy, same as normal IAM Users: U2F devices like Yubikey, apps like Google Authenticator, etc.