Identity Federation Flashcards

1
Q

Federated Access Roles

Types of federated access?

A

SAML 2.0,

2
Q

Federated Access Roles

Special names for the two acting systems in federation?

A

Identity Provider (like AD), Service Provider (controls access to resources)

3
Q

Federated Access Roles

Examples of Identity Providers?

A

Facebook, Google, Amazon.com

4
Q

Federated Access Roles

Two steps to use federated login?

A

Go to IdP, get a Token. Give token to AssumeRoleWithWebIdentity, get AWS keys

5
Q

Federated Access Roles

AWS system that manages this federation for mobile apps?

A

Amazon Cognito

6
Q

Federated Access Roles

Federated method for large scale, unknown users?

A

Web identity federation (Facebook, etc.)

7
Q

Federated Access Roles

Federated method for enterprise use case with employees?

A

SAML (uses an existing directory of users)

8
Q

SAML

What is SAML Federation?

A

Legacy! Use SSO instead. Use on-prem system to auth, swap for aws creds

9
Q

SAML

What version of SAML does AWS support?

A

2.0

10
Q

SAML

What Microsoft product uses SAML?

A

Microsoft Active Directory Federated Services (ADFS)

11
Q

SAML

Use SAML with Google or Facebook?

A

Nope, there’s other federation for that. SAML is only about your ON-PREM auth system.

12
Q

SAML

When do you switch from using AWS to manage identities to using SAML?

A

One example is when you hit the 5,000 IAM User limit per account.

13
Q

SAML

How long (in general) are creds good for when you use SAML 2.0?

A

<= 12 hours

14
Q

SAML

Setting up trust between on-prem and AWS for SAML. One-way or two-way trust?

A

Set up two way trust

15
Q

SAML

What does a SAML enterprise system give you?

A

SAML Assertion (bearer token), exchange this with AWS for temp creds.

16
Q

SAML

Two-step process to use SAML federation?

A

Go to SAML provider, login, get token. Give token to AssumeRoleWithSAML, get AWS creds

17
Q

SSO

What are you required to have in place before using SSO?

A

AWS Organizations

18
Q

SSO

New workload. Should you use SAML or SSO?

A

SSO. SAML is legacy.

19
Q

SSO

Why SSO instead of SAML federation?

A

Other things can use SSO like DropBox and Slack.

20
Q

SSO

What does SSO look like for a user?

A

Login, get a custom screen with all the apps they can login to with this portal. One is “AWS Account”.

21
Q

SSO

What internal AWS thing is SSO most like?

A

Kinda like Midway and/or Isengard: login once to the thing, can use this to login to a bunch of AWS accounts.

22
Q

SSO

What Identity Stores are available in SSO?

A

SSO’s internal Id Store, Microsoft AD (managed or on-prem), or SAML 2.0

23
Q

SSO

When do you choose between Cognito and SSO?

A

Cognito when users have their own web identities, SSO when users have enterprise/corporate identities.

24
Q

SSO

What are Permission Sets?

A

User-friendly names that show up for humans in the SSO portal. These become IAM Roles in all accounts you choose.

25
Q

SSO

OK, you can use the SSO Portal to get to the AWS console; how do you use the CLI?

A

Just like Isengard. Use SSO Portal, login, select account & role, btn to get temp creds for cli.

26
Q

SSO

How do SSO Groups and IAM Groups relate?

A

Not at all. SSO Groups are only for the built-in identity provider just to group users.

27
Q

SSO

What is “Assign” all about for the built-in SSO IdP?

A

Have groups, users, PermSets. Assign combines them on specific AWS accounts to actually login to the AWS accounts.

28
Q

SSO

How do you do MFA with SSO users?

A

Easy, same as normal IAM Users: U2F devices like Yubikey, apps like Google Authenticator, etc.