SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) such as a web application. Applications and service providers that support SAML let users sign in with the corporate directory credentials they already have, for example a username and password held in Microsoft Active Directory, instead of a separate account for each application.
Because one set of credentials unlocks every SAML-enabled application, SAML is the usual basis for single sign-on (SSO). With SAML federation, corporate credentials can be used to sign in to the AWS Management Console and, through temporary credentials issued by AWS STS, to call the AWS APIs and use the AWS CLI (Command Line Interface). Access across multiple AWS accounts and business applications can be managed centrally with the AWS Single Sign-On service (since renamed IAM Identity Center).
When SAML authentication is enabled, users get one central place from which to reach their applications, and administrators get one central place to manage that access. Because a SAML-enabled application delegates authentication to the corporate directory rather than storing its own password for the user, disabling a user's directory account immediately revokes their access to every federated application.
SAML authentication for an AWS account is enabled through AWS IAM (Identity and Access Management), where the organization's Identity Provider (IdP) is registered. SAML support can also be added to web and mobile applications running on AWS with Amazon Cognito, which can authenticate users through social identity providers such as Facebook, Twitter and Amazon, through a SAML IdP, or through the organization's own identity system.
An identity store inside the organization's network is configured to work with a SAML-based IdP such as Active Directory Federation Services (AD FS) or Shibboleth. Using the IdP software, a metadata document is generated that describes the organization as an IdP; it includes the IdP's entity ID, its endpoints and the public signing certificate that AWS will use to verify the signature on each assertion. The organization's portal routes a user's request for the AWS Management Console to the AWS SAML endpoint (https://signin.aws.amazon.com/saml), which signs the user in on the strength of the signed SAML assertion.
Sign in to the AWS Management Console and open the IAM console. Create a new SAML provider, which is the IAM entity that holds the information about the organization's IdP, and upload the metadata document generated in the previous step. IAM uses the certificate in that document to verify every assertion the IdP sends.
Create an IAM role that establishes the trust relationship between IAM and the organization's IdP. The role's trust policy names the SAML provider created above as the trusted federated principal, which is what allows identities authenticated by the IdP to assume the role, and the role's permission policies determine what those users may do in AWS. The trust policy should also carry a condition on the SAML:aud key so that only assertions whose audience is the AWS sign-in endpoint are accepted, and it can add conditions on other SAML attributes so that only users whose attributes match are allowed to assume the role.
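The steps above produce three artifacts that have to agree with each other: the trust policy on the role, the Role and RoleSessionName attributes the IdP emits, and the audience in the assertion. The following added example (written for this post, not code from the original article or from AWS) builds the trust policy and the IdP attribute value for a placeholder account, provider and role, then parses a constructed AD FS style assertion and applies the same audience, role-pairing and session-name checks the trust relation expresses. The signature check AWS performs with the provider's certificate is assumed to have already passed and is not modelled.

```python
import json
import xml.etree.ElementTree as ET

# Audience AWS expects in assertions sent to its sign-in endpoint.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder identifiers (assumed for this example, not from the original post).
ACCOUNT = "123456789012"
PROVIDER = "CorpADFS"
ROLE = "FederatedReadOnly"


def provider_arn(account, provider):
    return f"arn:aws:iam::{account}:saml-provider/{provider}"


def role_arn(account, role):
    return f"arn:aws:iam::{account}:role/{role}"


def trust_policy(account, provider):
    """Trust policy for a role that may only be assumed through the named SAML provider.
    The SAML:aud condition rejects assertions the IdP issued for some other service provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account, provider)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def role_attribute_value(account, role, provider):
    """Value the IdP must emit in the Role attribute: role ARN and provider ARN, comma separated."""
    return f"{role_arn(account, role)},{provider_arn(account, provider)}"


def parse_assertion(xml_text):
    """Extract the audience and the AWS attributes from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"audience": audience, "attributes": attrs}


def evaluate(policy, assertion, target_role_arn):
    """Simplified model of the trust-policy check applied to a (signature-verified) assertion."""
    stmt = policy["Statement"][0]
    trusted_provider = stmt["Principal"]["Federated"]
    if assertion["audience"] != stmt["Condition"]["StringEquals"]["SAML:aud"]:
        return "deny: audience mismatch"
    pairs = assertion["attributes"].get(ROLE_ATTR, [])
    # Accept the pair written as role,provider or provider,role; the pairing is what matters.
    if (f"{target_role_arn},{trusted_provider}" not in pairs
            and f"{trusted_provider},{target_role_arn}" not in pairs):
        return "deny: Role attribute does not pair this role with the trusted provider"
    if not assertion["attributes"].get(SESSION_ATTR):
        return "deny: RoleSessionName attribute missing"
    return "allow"


# Constructed assertion, shaped like one AD FS would issue after the user authenticates.
GOOD_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{AWS_SAML_AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>{role_attribute_value(ACCOUNT, ROLE, PROVIDER)}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SESSION_ATTR}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def run_cases():
    """Evaluate the good assertion and two tampered variants against the trust policy."""
    policy = trust_policy(ACCOUNT, PROVIDER)
    target = role_arn(ACCOUNT, ROLE)
    wrong_audience = GOOD_ASSERTION.replace(AWS_SAML_AUDIENCE, "https://sp.other.example/saml")
    other_role = GOOD_ASSERTION.replace(f"role/{ROLE}", "role/Admin")
    return {
        "valid": evaluate(policy, parse_assertion(GOOD_ASSERTION), target),
        "wrong_audience": evaluate(policy, parse_assertion(wrong_audience), target),
        "role_not_granted": evaluate(policy, parse_assertion(other_role), target),
    }


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT, PROVIDER), indent=2))
    for name, decision in run_cases().items():
        print(f"{name}: {decision}")
```

The printed trust policy is the document you would pass to `aws iam create-role --role-name FederatedReadOnly --assume-role-policy-document file://trust.json` after registering the IdP with `aws iam create-saml-provider --name CorpADFS --saml-metadata-document file://metadata.xml`; permissions are then attached with `aws iam attach-role-policy`. A user outside the console can exchange a real assertion for temporary credentials with `aws sts assume-role-with-saml --role-arn ... --principal-arn ... --saml-assertion <base64 assertion>`. The two tampered cases show why the SAML:aud condition and the exact role/provider pairing matter: an assertion minted for another service provider, or one that names a different role, is refused even though it came from the trusted IdP.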
In this post, we looked at how SAML federation maps corporate identities to IAM roles so that different users can perform only the operations their assigned roles allow.