Navigating the Identity Landscape: IAM Identity Center, AWS SSO and SAML2.0


In today's cloud-centric world, organizations face an ever-increasing challenge in managing and securing user identities across multiple applications; the solution needs to be secure while still connecting the enterprise's global workforce seamlessly. This is where IAM Identity Center, SSO and SAML 2.0 come in: they are powerful tools that help organizations address these challenges and build a secure, centralized identity management system.

In the last section of the blog, we will walk through the process flow of how IAM Identity Center works together with AWS Organizations to set up multi-account access with ease.

Let's start with the service AWS now calls legacy, AWS SSO, and then move on to IAM Identity Center and SAML 2.0.

AWS Single Sign-On (SSO)

AWS Single Sign-On (SSO) is a legacy service that primarily focuses on providing a single sign-on experience for users accessing AWS applications and resources. It allows users to authenticate once and then access multiple resources without having to enter their credentials repeatedly.

In a typical SSO scenario, the user authenticates at the IdP (Identity Provider), which then issues a SAML assertion containing information about the user. The user is then redirected to the Service Provider (SP) with the SAML assertion, and the SP uses this information to grant access.

AWS Identity Center (Successor to AWS SSO)

AWS IAM Identity Center provides administrators with a unified experience for defining and customizing fine-grained access, assigning it to users, managing cross-account access, integrating applications and providing SSO. In short, it is built on top of IAM to simplify access management to multiple AWS accounts, AWS applications, and other SAML-enabled cloud applications.

Here are the key features for administrators:

  • Connect specific workforce users to AWS resources.

  • Manage access to your AWS accounts, cloud applications, or both.

  • Create users in the IAM Identity Center or bring users from an existing workforce directory.

Two services are closely related to IAM Identity Center:

  1. AWS IAM - securely manage access to AWS services and resources per AWS account.

  2. AWS Organizations - centrally manage and govern your environment as you scale your AWS resources.

To begin using IAM Identity Center, you also need to be using AWS Organizations and tie IAM Identity Center to your AWS Organizations management account; this is what enables a multi-account access strategy. For those unfamiliar with AWS Organizations, it provides a means of centrally managing and categorizing the multiple AWS accounts you own, bringing them together into a single organization and helping you maintain your AWS environment from a security, compliance, and account management perspective.

It is recommended to use a centralized user repository such as AWS Directory Service (Active Directory/Simple AD), Okta, Auth0, PingIdentity, OneLogin, Azure Active Directory, etc., ideally integrated with AWS IAM Identity Center (successor to AWS Single Sign-On), so that users accessing AWS receive temporary credentials instead of long-lived IAM user keys.

IAM Identity Center Features

Let's now look at some of the core features that this service provides.

Workforce Identities: Workforce identities are essentially your employees. They are identities that relate to specific individuals and are sometimes referred to as workforce users. As I explained previously, these can be created within IAM Identity Center itself or synchronized into IAM Identity Center from an existing identity source.

AWS access portal: This provides a customizable entry portal into your AWS environment for all of your accounts and cloud-enabled applications that are available for your Workforce identities. This front end makes it easy for your workforce users to quickly gain access to their most used applications or accounts by using the associated app icons, or by selecting the required AWS account.

Application assignments used for SAML Apps: It enables you to grant workforce users single sign-on (SSO) access to various SAML 2.0 applications, such as Microsoft 365 and Salesforce. You can also leverage Identity Center-enabled applications to allow supported applications to automatically receive sign-in and user directory services to provide a consistent SSO experience.

Multi-account permissions: With multi-account permissions, you can control permissions centrally across more than one account without having to create the same permissions within each account using IAM. These permissions can then be associated with your users from your identity source allowing you to control access across your entire AWS Organization and all the associated accounts.

So to quickly summarize, we now understand that the IAM Identity Center is a centralized hub access management system, allowing workforce identities to be able to seamlessly authenticate to multiple AWS accounts and cloud-based applications using an identity store, creating a single sign-on approach to access.

SAML2.0

SAML 2.0 is an XML-based open standard for exchanging authentication and authorization data between entities, specifically between identity providers (IdPs) and service providers (SPs). It enables secure federated authentication, allowing users to sign in to service providers using their credentials from an IdP.

Integral parts of SAML2.0-based systems

  • Identity Provider (IdP) - A trusted provider that is responsible for authenticating the user and maintaining user and group information. E.g. Okta, PingIdentity, OneLogin, Auth0.

  • Service Provider (SP) - A website that hosts apps or services and relies on the IdP's assertions. E.g. AWS, custom applications.

  • SAML Assertion - An XML document, issued by the IdP, that contains statements about a subject (typically a user), such as who authenticated, when, and which attributes apply to them.

To summarize, these 3 components work together in a SAML 2.0-based system. The IdP authenticates users, generates SAML assertions, and provides identity-related information. The SP consumes these assertions to make access decisions, and the SAML assertion itself is the vehicle for securely conveying user information between the IdP and SP. These components collectively form the basis of SAML-based authentication and authorization systems, facilitating secure and interoperable identity federation between different systems and services.
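As an added example (not code from the original post), here is the SP-side consumption of an assertion described above: a constructed, unsigned SAML 2.0 assertion is parsed, the issuer, audience (urn:amazon:webservices is the audience AWS expects for SAML federation) and validity window are checked, and the AWS role attribute is extracted. The issuer URL, account ID and role names are placeholders; real SPs also verify the XML signature, which this example deliberately does not implement.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion for illustration only (unsigned; not from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111122223333:role/ReadOnly,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps SAML uses into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """SP-side checks on one assertion: issuer, validity window and audience.
    Signature verification against the IdP certificate is NOT done here; a real SP
    must verify the signature before trusting any value returned below."""
    root = ET.fromstring(xml_text)
    errors = []
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        errors.append("unexpected issuer")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if now < parse_saml_time(cond.get("NotBefore")):
            errors.append("not yet valid")
        if now >= parse_saml_time(cond.get("NotOnOrAfter")):
            errors.append("expired")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if expected_audience not in audiences:  # assertion minted for a different SP
            errors.append("audience mismatch")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    # Each value is "role-arn,saml-provider-arn"; AWS uses it to pick the role to assume.
    roles = [v.text for a in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS)
             if a.get("Name") == AWS_ROLE_ATTR
             for v in a.iterfind("saml:AttributeValue", SAML_NS)]
    return {"ok": not errors, "errors": errors, "subject": subject, "roles": roles}
```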

In the context of AWS IAM Identity Center and AWS SSO, SAML 2.0 plays a crucial role in enabling federated authentication. AWS IAM Identity Center supports SAML 2.0 integration with external IdPs, allowing users to authenticate with their IdP credentials and access AWS resources without separate AWS credentials being created for them. This simplifies user management and improves security by reusing the identity and access control mechanisms (MFA, lifecycle, group membership) the organization already has.

Here's a summary of how SAML 2.0 relates to AWS IAM Identity Center and AWS Single Sign-On:

  • SAML 2.0 enables federated authentication: Users authenticate with their IdP credentials and access AWS resources or applications without managing separate AWS credentials.

  • AWS IAM Identity Center supports SAML 2.0 integration: Integrate with external IdPs to reuse existing user identities and authentication mechanisms.

  • AWS Single Sign-On (SSO) supports SAML 2.0 integration: Provide SSO for AWS applications and resources using SAML 2.0-based IdPs.

The following is the complete architecture of AWS IAM Identity Center and its related services; let's understand the process flow.

There are many components involved, so let's discuss the architecture part by part.

Architecture Overview: Okta SAML Authentication to AWS and IAM Identity Center to manage the users centrally within the Management account

  1. Okta SAML Authentication to AWS:

    • Okta (Identity Provider - IdP): Okta is configured as the identity provider using SAML 2.0.

    • AWS Service Integration: Okta is integrated with AWS through SAML, acting as the trusted IDP for user authentication.

  2. IAM Identity Center:

    • Purpose: AWS IAM Identity Center acts as a central hub for managing identities and permissions within the AWS environment.

    • Users and Groups: Within AWS IAM Identity Center, you create and manage users and groups. Users and groups are logical entities representing individuals and collections of users, respectively.

  3. Permission Sets and Entitlements:

    • Permission Sets: AWS IAM Identity Center allows you to define permissions known as permission sets. These sets encapsulate a group of permissions that users or groups can be granted.

    • Entitlements: Users and groups are assigned entitlements, which represent specific permissions or access rights within the AWS environment.

  4. Connection to AWS Management Account:

    • Organizational Structure: AWS IAM Identity Center is connected to the AWS Management Account, which serves as the root of your AWS Organization.

    • Organizational Units (OUs): The Management Account contains organizational units (OUs), allowing you to structure and organize your AWS accounts hierarchically.

  5. Account Hierarchy in the AWS Organization:

    • Multiple AWS Accounts: Within the AWS Organization, there are multiple AWS accounts, each serving a specific purpose or function.

    • Account Organization: These accounts are organized within OUs, providing a hierarchical structure for better management.

  6. Flow of Permissions:

    • IAM Identity Center to AWS Resources: The permissions assigned in AWS IAM Identity Center flow down to the AWS accounts and resources based on the defined organizational structure. This hierarchical approach provides granular control, allowing you to tailor access rights at different levels within the organization.

This architecture provides a seamless and secure integration between Okta for user authentication, AWS IAM Identity Center for centralized identity management, and AWS Organizations for structuring multiple AWS accounts in a hierarchy. The flow of permissions down the organizational hierarchy allows for effective access control and security management.

It is important to note that AWS is gradually migrating existing AWS SSO customers to the AWS IAM Identity Center. If you're currently using AWS SSO, it's recommended to start planning your migration to AWS IAM Identity Center to take advantage of its enhanced features and capabilities.

Conclusion

On a closing note, AWS IAM serves as the central hub for managing user identities and access to AWS resources. Through IAM, organizations can enforce security policies, control access to AWS services, and streamline user management. Single Sign-On (SSO) enhances user experience by providing seamless access to multiple applications with a single set of credentials. Integration with SAML2.0 further extends IAM capabilities, enabling federated identity management and secure access to AWS services. By adopting these IAM features, organizations can achieve a robust and scalable security framework in their AWS environments.

Reference Links:

Getting started with IAM Identity Center - https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html

Understanding Federation, AWS Identity Center and AWS Organizations - https://blog.awsfundamentals.com/aws-iam-users

Okta AWS IAM Identity Center Integration Workshop - https://okta.awsworkshop.io/introduction/why-okta.html

AWS Organizations cheatsheet - https://digitalcloud.training/aws-organizations/

About SAML2.0 Federation - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

Thank you so much for reading my blog! 😊 I hope you found it helpful and informative. If you did, please 👍 give it a like and 💌 subscribe to my newsletter for more of this type of content. 💌

I'm always looking for ways to improve my blog, so please feel free to leave me a comment or suggestion. 💬

Thanks again for your support!

Connect with me -

LinkedIn - https://www.linkedin.com/in/rachitmishra1997/

Twitter - https://twitter.com/racs1997

#aws #awscommunity #cloudcomputing #cloud
