Amazon cloud’s Identity fabric–interworking with AAD


We started reading a book on Amazon's cloud, in the course of which we started playing with the cloud console (and some of its identity management features). By chance, our eye was drawn to the security credentials menu option, off of which hangs the ability to specify identity providers.

image

https://login.windows.net/bcbf53cf-af9a-4584-b4c9-6d8b01b3781d/federationmetadata/2007-06/federationmetadata.xml

Amazon's help system describes how to use identity providers, thus:

image

http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html

 

We first configured the SAML provider, learning along the way that some special edits were needed – as noted below.

Since our SAML IDP is AAD, whose metadata is published at https://login.windows.net/bcbf53cf-af9a-4584-b4c9-6d8b01b3781d/federationmetadata/2007-06/federationmetadata.xml, we saved the stream to a file and edited away the XML header before uploading it.
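The post makes that edit by hand. The following Python script is an added example (not code from the post, from AWS or from Microsoft) that does the same edit programmatically and, before the document is pasted into the IAM SAML provider form, pulls out the two things the relying party will depend on: the entityID that AWS compares against the assertion's Issuer, and the IdP signing certificate that AWS uses to verify assertion signatures. The metadata document embedded below is a constructed stand-in with the same element layout as federationmetadata.xml; its tenant id and certificate body are placeholders.

```python
"""Added example: pre-flight an AAD federation metadata document before
uploading it as an IAM SAML provider. Strips the XML declaration (the edit
the post made by hand) and extracts issuer, signing certs and SSO URL."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for federationmetadata.xml: same element layout, but
# the tenant id and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIC-PLACEHOLDER-BASE64-CERT</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.windows.net/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>\s*")


def strip_xml_declaration(text: str) -> str:
    """Drop the leading <?xml ...?> header; this is the edit the post made by hand."""
    return _XML_DECL.sub("", text, count=1)


def summarize_idp_metadata(text: str) -> Dict[str, object]:
    """Extract what the relying party depends on: issuer, signing certs, SSO URL.

    Raises ValueError if the document is not an IdP entity descriptor or
    carries no signing certificate, since AWS could not verify assertions
    from such a provider.
    """
    root = ET.fromstring(strip_xml_declaration(text))
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this SP metadata?")

    certs: List[str] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT_BINDING}']", NS)
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso_redirect_url": sso.get("Location") if sso is not None else None,
    }


if __name__ == "__main__":
    # Sample run over the constructed document above.
    import json
    print(json.dumps(summarize_idp_metadata(SAMPLE_METADATA), indent=2))
```

Run it against the real file saved from the tenant instead of SAMPLE_METADATA; if it raises, the document is not something AWS could use as an IdP, and if it succeeds the printed entityID is the value to expect in the Issuer of every assertion that later arrives at the SP.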

image

which got us some way towards success:

image

image

Since AAD, as IDP, requires an SP record, we note the Amazon console's audience name: https://signin.aws.amazon.com/saml.

The resulting "trust policy" is a set of conditions on what claims the IDP must assert for it to be "trusted" as a source of identity. These are not access control rules!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {
        "Federated": "arn:aws:iam::385727861301:saml-provider/faa"
      },
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

Back on the IDP (our netmagic.onmicrosoft.com tenant, of course), we configure the SP record:

image

image

image

Back on the SP, we set the access control policy for this now-trusted source of identities:

image

image

where we note our final review information:

Role Name: saml

Role ARN: arn:aws:iam::385727861301:role/saml

Trusted Entities: The identity provider arn:aws:iam::385727861301:saml-provider/faa

Permissions: Administrator Access

To test, we guess a little and learn from https://console.aws.amazon.com/iam/#home

image

that our LOCAL sign-in URL is https://385727861301.signin.aws.amazon.com/console

image

which we customize (via an account alias) to https://rapmlsqa.signin.aws.amazon.com/console.

We then add a user (similarly to how one adds pseudo-users to AAD):

image

image

It seems that the Amazon flow only supports IDP-initiated web SSO, which stumps us.

Turning our attention to the OpenID Connect integration alternative, we see that

image

image

image

the console seems to read the OpenID Connect metadata published by the provider.

To configure the SP side's "roles", we do as follows:

image

 

image

image

 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": {
        "Federated": "arn:aws:iam::385727861301:oidc-provider/login.windows.net/bcbf53cf-af9a-4584-b4c9-6d8b01b3781d/"
      },
      "Condition": {
        "StringEquals": {
          "login.windows.net/bcbf53cf-af9a-4584-b4c9-6d8b01b3781d/:aud": "3865f1d6-4e21-4468-a300-6093f8256c80"
        }
      }
    }
  ]
}

For the now-federated user's permissions on the SP, we configure:

image

 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1414516823000",
      "Effect": "Allow",
      "Action": [
        "aws-portal:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Giving:

image

 

With this we end our exploration – unable so far to invoke the process of landing on the Amazon console using a federated user!

 

But we learned a lot – about Amazon's policy-based RP-STS service for hosted web apps and mobile apps.


About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in openid connect.