'Federated' identity and access management tools
Federated identity management has clear security advantages. Learn ways to use Microsoft's AD FS and AWS AD Connector as identity and access management tools in the cloud.
Given that the advantages of federated identity management are well established, cloud security professionals can expect to address the need to integrate Active Directory (AD) services with their cloud provider's identity management service. Microsoft's Active Directory Federation Services (ADFS) can be used to make on-premises identities and roles available in cloud environments. In addition, Amazon Web Services (AWS) provides AD Connector, a proxy that provides single sign-on without federation. Here are some points to keep in mind when getting started with using identity federation in Amazon AWS and Microsoft Azure clouds as identity and access management tools.
ADFS as an Identity and Access Management tool
Federated AD identities and security groups enable Active Directory users to work with AWS resources without creating separate identities using AWS' Identity and Access Management (IAM) tool. This is implemented with a combination of Active Directory, ADFS, the Security Assertion Markup Language (SAML 2.0), and AWS resource-level permissions.
ADFS provides SAML assertions about an identity to the AWS authentication and authorization system. This allows users with identities in an Active Directory to log in to the AWS console or invoke AWS API calls using the identities managed in Active Directory. Instead of creating an AWS IAM account for each user, one creates roles in AWS IAM that map to corresponding security groups in AD. For example, roles may be created for infrastructure administrators, application administrators, developers, and application testers. When a user is added to one of the federated security groups associated with an IAM role, that user will have the same access privileges as an IAM user assigned to the corresponding IAM role.
An IAM policy is associated with each role. The policy specifies the actions that a user with that role can perform on particular resources. It is important to note that the IAM roles control access to AWS resources, such as Amazon Elastic Compute Cloud (EC2) instances, Amazon Simple Storage Service (S3) buckets, and Elastic MapReduce (EMR) clusters. AD federation with AWS roles does not change how users interact with applications. Application-level access controls are outside the scope of AD-IAM federation.
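The group-to-role mapping described above, as an added example (not code from the article, AWS or Microsoft): it builds the trust policy a federated IAM role needs and derives the SAML Role attribute values that ADFS would assert from a user's AD group memberships. The account ID, the provider name ADFS and the AWS-<RoleName> group naming convention are assumptions made for illustration.

```python
import json
import re

# Assumptions (not from the article): placeholder account ID, SAML provider
# name, and an "AWS-<RoleName>" naming convention for federated AD groups.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER = "ADFS"
GROUP_PATTERN = re.compile(r"^AWS-([A-Za-z0-9+=.@_-]{1,64})$")
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"


def trust_policy(account_id=ACCOUNT_ID, provider=SAML_PROVIDER):
    """Trust policy for an IAM role that can only be assumed via the SAML provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            # Only accept assertions addressed to the AWS sign-in endpoint.
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def role_claims(ad_groups, account_id=ACCOUNT_ID, provider=SAML_PROVIDER):
    """Map AD security groups to SAML Role attribute values (role ARN, provider ARN).

    Groups outside the naming convention produce no claim, so they grant nothing in AWS.
    """
    claims = []
    for group in sorted(set(ad_groups)):
        match = GROUP_PATTERN.match(group)
        if match:
            claims.append(
                f"arn:aws:iam::{account_id}:role/{match.group(1)},"
                f"arn:aws:iam::{account_id}:saml-provider/{provider}"
            )
    return claims


if __name__ == "__main__":
    groups = ["Domain Users", "AWS-Developers", "AWS-AppTesters"]  # constructed sample
    print(json.dumps(trust_policy(), indent=2))
    for value in role_claims(groups):
        print(ROLE_ATTRIBUTE, "=", value)
```

Because access follows group membership, reviewing who belongs to the federated AD groups is equivalent to reviewing who can assume each IAM role.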
Alternative Identity and Access Management tools
An alternative method of single sign-on in AWS is the AD Connector. This is a proxy service that forwards sign-on requests to on-premises Active Directory domain controllers. With this configuration, users can access AWS end-user services, such as WorkSpaces, WorkDocs and WorkMail. AD Connector can also be configured to allow access to the AWS console and AWS API for those working directly with the AWS IaaS and PaaS services.
Microsoft Azure, of course, supports AD identity federation as well. Azure Active Directory supports a number of use cases, including connecting an on-premises Active Directory with Azure Active Directory. This is especially useful when using software as a service (SaaS) applications, such as Office 365 or SharePoint Online. A user accessing a SaaS service would log in using an on-premises AD. When the user needs to access a SaaS application, Azure Active Directory issues a signed token with information about the user. The token is sent to the application, which validates the token before granting access.
ADFS is the foundation for identity federation based on Active Directory and works across clouds. But providers such as Amazon are also delivering identity and access management tools, such as AD Connector, that provide single sign-on as an alternative to federation.