Lessons Learned – SAML & OIDC @AWS

From IIW

Lesson Learned: SAML and OIDC at AWS

Tuesday 2H

Convener: Shon
Notes-taker(s): Nick S.

Tags for the session - technology discussed/ideas considered: AWS, OIDC, SAML


Background

  • At AWS, Shon worked on IAM, Cognito, Directory Service
  • The user of IAM is the AWS admin.
  • Cognito targets mobile app developers.
    • Manages data storage, sync, as well as identity layer.
    • Built-in support for features like guest sign-in.
    • Supports social IdPs like Facebook, Google.
  • Directory service targets AD admins, OS and app admins.
    • Directory service supports both cloud and connected (on-prem, VPN-based) installation modes.
    • Directory service is not AD on the backend (actually Samba 4).
    • Requests coming in for directory service to offer SAML/OIDC endpoints (not currently available).


AWS IAM

  • Early on, AWS IAM offered federation through custom code (to allow customer’s AD users to access AWS services).
    • Limited adoption.
  • Nov 2013, added SAML support.
    • Can associate a trusted SAML IdP with your AWS account.
  • Good adoption with addition of SAML support.


Cognito

  • Started with custom solution that supported Google, FB, IWA
  • In Oct 2014, added OIDC support
    • As of now, customers are using 42 unique IdPs. Big win for adding standards support.


Lessons Learned

  • Standards matter.
  • Self-certification for OIDC compliance is a big win -- it is not scalable for the implementer to verify compatibility with each provider themselves.
  • Problem -- long-lived tokens on SP side in AWS IAM (e.g. what if user is fired).
    • As a result, set the lifetime on the SP side to 1 hour.
      • Usability problem -- hard to make this work in a way that is very transparent to the user.
    • Need a revocation mechanism (currently under development at AWS).
    • Spec work underway to offer this in OIDC.
    • Granularity of revocation is important -- at role level or principal level?
  • Can start small, iterate only if needed.
    • IAM supports IdP-initiated SSO only.
  • What about CLI access to AWS IAM?
    • Looked at the SAML Enhanced Client or Proxy (ECP) profile.
      • Few IdPs support it.
  • API and CLI access almost as important as console access.
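The token-lifetime and revocation lessons above, as an added illustration (this is example code, not from the session or from AWS): an SP-side policy that caps a federated session at 1 hour from the IdP's issue time no matter how long the IdP assertion is valid, and checks a revocation list at either principal or role granularity. The claim names and the revocation-list structure are assumptions.

```python
"""SP-side session policy illustrating the AWS IAM lesson: never trust the IdP's
validity window alone; cap it locally and honour a revocation list."""
from dataclasses import dataclass, field
import time

MAX_SP_LIFETIME = 3600  # 1 hour, the SP-side cap described in the notes


@dataclass
class FederatedAssertion:
    """Minimal view of an IdP assertion (assumed field names, mapped from
    SAML NameID/IssueInstant/NotOnOrAfter or OIDC sub/iat/exp)."""
    subject: str     # principal asserted by the IdP
    role: str        # role the SP maps this assertion onto
    issued_at: int   # epoch seconds
    expires_at: int  # epoch seconds, as asserted by the IdP


@dataclass
class RevocationList:
    """Two granularities, matching the question raised in the notes:
    revoke one principal, or revoke everyone holding a role."""
    principals: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def sp_session_expiry(assertion, now=None):
    """Return the SP session expiry: the earlier of the IdP's expiry and
    issued_at + MAX_SP_LIFETIME. None if no valid session remains."""
    now = int(time.time()) if now is None else now
    if assertion.expires_at <= now:
        return None
    expiry = min(assertion.expires_at, assertion.issued_at + MAX_SP_LIFETIME)
    return expiry if expiry > now else None


def session_is_valid(assertion, revocations, now=None):
    """A session is usable only if it is within the capped lifetime and
    neither its principal nor its role has been revoked (e.g. user fired)."""
    now = int(time.time()) if now is None else now
    if assertion.subject in revocations.principals:
        return False
    if assertion.role in revocations.roles:
        return False
    return sp_session_expiry(assertion, now) is not None


if __name__ == "__main__":
    # Constructed sample: IdP asserts an 8-hour window; the SP caps it to 1 hour.
    a = FederatedAssertion("alice@example.test", "Admin", 1000, 1000 + 8 * 3600)
    print(sp_session_expiry(a, now=1000))  # 4600
    print(session_is_valid(a, RevocationList(principals={"alice@example.test"}), now=1000))
```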


Comments

  • OIDC in production at MIT, to allow access to apps built by students.