
'Federated' identity and access management tools

Federated identity management has clear security advantages. Learn ways to use Microsoft's AD FS and AWS AD Connector as identity and access management tools in the cloud.

Given that the advantages of federated identity management are well established, cloud security professionals can expect to address the need to integrate Active Directory (AD) services with their cloud provider's identity management service. Microsoft's Active Directory Federation Services (ADFS) can be used to make on-premises identities and roles available in cloud environments. In addition, Amazon Web Services (AWS) provides AD Connector, a proxy that provides single sign-on without federation. Here are some points to keep in mind when getting started with identity federation in the AWS and Microsoft Azure clouds as an identity and access management tool.

ADFS as an Identity and Access Management tool

Federated AD identities and security groups enable Active Directory users to work with AWS resources without creating separate identities in AWS Identity and Access Management (IAM). This is implemented with a combination of Active Directory, ADFS, the Security Assertion Markup Language (SAML 2.0), and AWS resource-level permissions.

ADFS provides SAML assertions about an identity to the AWS authentication and authorization system. This allows users with identities in Active Directory to log into the AWS console or invoke AWS API calls using the identities managed in Active Directory. Instead of creating an AWS IAM account for each user, one creates roles in AWS IAM that map to corresponding security groups in AD. For example, roles may be created for infrastructure administrators, application administrators, developers, and application testers. When a user is added to one of the federated security groups associated with an IAM role, that user has the same access privileges as an IAM user assigned to the corresponding IAM role.

An IAM policy is associated with each role. The policy specifies the actions that a user with that role can perform on particular resources. It is important to note that the IAM roles control access to AWS resources, such as Amazon Elastic Compute Cloud (EC2) instances, Amazon Simple Storage Service (S3) buckets, and Elastic MapReduce (EMR) clusters. AD federation with AWS roles does not change how users interact with applications; application-level access controls are outside the scope of AD-IAM federation.
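As an added example (not code from the article or from AWS), the following Python sketch parses the kind of SAML assertion ADFS issues for AWS, reads the RoleSessionName and the role/provider ARN pairs that STS consumes in AssumeRoleWithSAML, and keeps only roles whose provider ARN is the organization's own registered ADFS provider, so a group mapping that points at a foreign account grants nothing. The account ID, provider name, timestamps and the assertion itself are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
# Constructed: the account id and the IAM SAML provider under which ADFS was registered.
TRUSTED_PROVIDER = "arn:aws:iam::123456789012:saml-provider/ADFS"
SAMPLE_NOW = datetime(2016, 3, 1, 10, 30, tzinfo=timezone.utc)

# Constructed assertion shaped like ADFS output after the AWS claim rules have run.
# The second Role value names another account's provider and must be ignored.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2016-03-01T10:00:00Z" NotOnOrAfter="2016-03-01T11:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-Developers,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::999999999999:saml-provider/Other,arn:aws:iam::999999999999:role/Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML UTC timestamp

def assertion_in_window(xml_text, now):
    """True when `now` lies inside the assertion's NotBefore/NotOnOrAfter window."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    return _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))

def mapped_roles(xml_text, now, trusted_provider=TRUSTED_PROVIDER):
    """Return (RoleSessionName, [role ARNs]) this assertion allows the user to assume."""
    if not assertion_in_window(xml_text, now):
        raise ValueError("assertion outside its validity window")
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    session_name = attrs[SESSION_ATTR][0]
    roles = []
    for pair in attrs.get(ROLE_ATTR, []):
        # AWS accepts "role-arn,provider-arn" in either order; identify each half by type.
        parts = [p.strip() for p in pair.split(",")]
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if role and provider == trusted_provider:
            roles.append(role)
    return session_name, roles
```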

Alternative Identity and Access Management tools

An alternative method of single sign-on in AWS is AD Connector, a proxy service that forwards sign-on requests to on-premises Active Directory domain controllers. With this configuration, users can access AWS end-user services such as WorkSpaces, WorkDocs and WorkMail. AD Connector can also be configured to allow access to the AWS console and AWS APIs for those working directly with AWS IaaS and PaaS services.

Microsoft Azure, of course, supports AD identity federation as well. Azure Active Directory supports a number of use cases, including connecting an on-premises Active Directory with Azure Active Directory. This is especially useful when using software as a service (SaaS) applications, such as Office 365 or SharePoint Online. A user accessing a SaaS service logs in using an on-premises AD identity. When the user needs to access a SaaS application, Azure Active Directory issues a signed token with information about the user. The token is sent to the application, which validates the token before granting access.

ADFS is the foundation for identity federation based on Active Directory and works across clouds. But providers such as Amazon are also delivering identity and access management tools, such as AD Connector, that offer single sign-on without federation.

This was last published in March 2016
