Lessons Learned – SAML & OIDC @AWS
From IIW
Lesson Learned: SAML and OIDC at AWS
Tuesday 2H
Convener: Shon
Notes-taker(s): Nick S.
Tags for the session - technology discussed/ideas considered: AWS, OIDC, SAML
Background
- At AWS, Shon worked on IAM, Cognito, Directory Service
- The user of IAM is the AWS admin.
- Cognito targets mobile app developers.
- Manages data storage and sync as well as the identity layer.
- Built-in support for features like guest sign-in.
- Supports social IdPs like Facebook and Google.
- Directory service targets AD admins, OS and app admins.
- Directory service supports both cloud and connected (on-prem, VPN-based) installation modes.
- Directory service is not AD on the backend (actually Samba 4).
- Requests coming in for directory service to offer SAML/OIDC endpoints (not currently available).
AWS IAM
- Early on, AWS IAM offered federation through custom code (to allow a customer's AD users to access AWS services).
- Limited adoption.
- Nov 2013, added SAML support.
- Can associate a trusted SAML IdP with your AWS account.
- Good adoption with addition of SAML support.
Cognito
- Started with a custom solution that supported Google, FB, and IWA.
- In Oct 2014, added OIDC support.
- As of now, customers are using 42 unique IdPs. Big win for adding standards support.
Lessons Learned
- Standards matter.
- Self-certification for OIDC compliance is a big win; it is not scalable for an implementer to verify compatibility with each provider themselves.
- Problem: long-lived tokens on the SP side in AWS IAM (e.g. what if a user is fired?).
- As a result, the lifetime on the SP side was set to 1 hour.
- Usability problem: hard to make this work in a way that is transparent to the user.
- Need a revocation mechanism (currently under development at AWS).
- Spec work underway to offer this in OIDC.
- Granularity of revocation is important: at the role level or the principal level?
- Can start small, iterate only if needed.
- IAM supports IdP-initiated SSO only.
- What about CLI access to AWS IAM?
- Looked at the SAML Enhanced Client or Proxy (ECP) profile.
- Few IdPs support it.
- API and CLI access almost as important as console access.
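The SP-side lessons above (trusting one SAML IdP per role, capping credential lifetime at 1 hour, and revoking at principal or role granularity) are illustrated by the following added example. It is not AWS's code and not from the session; it models what an SP does with a SAML assertion in the style of AssumeRoleWithSAML using only the Python standard library. The Role attribute name and the signin.aws.amazon.com audience follow AWS's documented convention, but the account, ARNs, hostnames, the assertion itself, and the trust policy are constructed, the assertion is unsigned (signature checking is out of scope), and the revocation list is a plain set rather than any real AWS mechanism.

```python
"""Added example (not AWS code): SP-side handling of a SAML assertion in the
style of AssumeRoleWithSAML -- audience check against the role trust policy,
validity window, a 1-hour SP-side credential cap, and a revocation list that
may hold either principals or roles. All ARNs, hosts and the assertion are
constructed for illustration."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # AWS's documented attribute name
SP_MAX_LIFETIME = timedelta(hours=1)                       # the SP-side cap from the session
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical IAM role trust policy; the account ID and saml-provider ARN are made up.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Constructed, unsigned assertion: an 8-hour IdP session for alice.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-10-28T09:00:00Z" NotOnOrAfter="2014-10-28T17:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-10-28T09:05:00Z" SessionNotOnOrAfter="2014-10-28T17:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Developers,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in SAML assertions."""
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def assume_role_with_saml(assertion_xml, trust_policy, now, requested_hours=12, revoked=()):
    """Validate the assertion and return the credential the SP would mint.
    `now` is an ISO-8601 UTC string; `revoked` may contain NameIDs or role ARNs."""
    stmt = trust_policy["Statement"][0]
    root = ET.fromstring(assertion_xml)
    at = _ts(now)

    # 1. The audience must match the trust policy's SAML:aud condition, otherwise an
    #    assertion the IdP minted for some other SP could be replayed against this one.
    aud = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != stmt["Condition"]["StringEquals"]["SAML:aud"]:
        return {"error": "audience mismatch"}

    # 2. The assertion's own validity window.
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= at < _ts(cond.get("NotOnOrAfter"))):
        return {"error": "assertion outside validity window"}

    # 3. The Role attribute is "role-arn,provider-arn"; the provider must be the one
    #    the role's trust policy names.
    role_value = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == ROLE_ATTR:
            role_value = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not role_value:
        return {"error": "no Role attribute"}
    role_arn, provider_arn = (v.strip() for v in role_value.split(",", 1))
    if provider_arn != stmt["Principal"]["Federated"]:
        return {"error": "provider not trusted by this role"}

    # 4. Revocation at either granularity the session asked about: a fired user
    #    (principal) or a decommissioned role. This example simply checks both.
    principal = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if principal in revoked:
        return {"error": f"principal revoked: {principal}"}
    if role_arn in revoked:
        return {"error": f"role revoked: {role_arn}"}

    # 5. Lifetime: the SP caps credentials at 1 hour no matter what the client asks
    #    for or how long the IdP session lasts, bounding the "fired user" window.
    expires = at + min(timedelta(hours=requested_hours), SP_MAX_LIFETIME)
    return {"principal": principal, "role": role_arn, "expires": expires.strftime(TIME_FMT)}


def demo():
    """Three scenarios: a normal login, the same login after alice is fired, and
    the same assertion replayed against a different audience."""
    now = "2014-10-28T09:10:00Z"
    ok = assume_role_with_saml(ASSERTION, TRUST_POLICY, now)
    fired = assume_role_with_saml(ASSERTION, TRUST_POLICY, now, revoked={"alice@example.com"})
    other_sp = assume_role_with_saml(
        ASSERTION.replace("signin.aws.amazon.com/saml", "sp.other.example"), TRUST_POLICY, now)
    return ok, fired, other_sp


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Even with the 1-hour cap, a fired user keeps access for up to an hour unless the revocation check fires; that is the gap the in-progress revocation mechanism and the OIDC spec work mentioned above are meant to close, and keying the list by principal catches the fired user while keying it by role cuts off everyone who maps to that role.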
Comments
- OIDC in production at MIT, to allow access to apps built by students.