With a tip of the hat toward existing enterprise identity management deployments, Amazon.com announced it would finally support a standard federation protocol that will enable single sign-on to the AWS management console and application interfaces.
Support for version 2.0 of the Security Assertion Markup Language (SAML) satisfies demands from customers who have been asking for the federation protocol so they could leverage their existing investment in SAML-based identity management software.
One aspect of identity federation gives enterprises the ability to use their own directories as the control point for user single sign-on (SSO) to cloud services. In this case, users authenticated in corporate directories can move right into AWS without signing in again.
AWS customers now can use SAML to obtain temporary security credentials for SSO access to the AWS Management Console or for programmatic calls to AWS APIs.
The SAML 2.0 support builds on AWS's May update to its Security Token Service (STS), which introduced new identity federation capabilities.
"This further reinforces that SAML is the basis of the fabric of trust between enterprises and their service providers — regardless of the kind of service provider," said Ian Glazer, research vice president for Gartner's Identity and Privacy Strategies team.
He said enterprise customers have been pushing on Amazon for this support for some time. "This is another announcement that shows me that the real challenge isn’t the plumbing and the protocols in the identity world – the looming challenge is how do we orchestrate our identity services and use those services to enable the business to achieve its mission," he said.
But Glazer noted Amazon is only going so far. SSO is not getting enterprise users into resources hosted on top of the AWS platform.
"The question I have is will the STS be available for use to people hosting things within AWS. It’s all fine, well and good to SAML [authenticate] to APIs, but it is of more use to provide a massively scalable STS for the customers to use."
Monday's announcement included a new SAML-based sign-in endpoint that uses a new AWS API — AssumeRoleWithSAML — to request temporary security credentials. The endpoint then uses those credentials to redirect the user to AWS resources, namely the management console.
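The client side of that flow, as an added illustration that is not code from AWS or from the article: the IdP's SAMLResponse carries the role/provider ARN pairs the user may assume, and the client picks one and hands it to AssumeRoleWithSAML. The attribute name `https://aws.amazon.com/SAML/Attributes/Role` is the one AWS documents; the SAMLResponse below is a constructed, unsigned sample, and the final `boto3` call is shown in the usage note rather than executed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned sample for parsing only. A real response is signed by the
# IdP and must be signature-verified (and its audience/conditions checked) before
# anything parsed from it is trusted; AWS performs that check on its side too.
SAMPLE_SAML_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>""").decode()


def parse_aws_roles(saml_response_b64):
    """Return the (role_arn, principal_arn) pairs the IdP asserted for this user."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            a, b = [s.strip() for s in value.text.split(",", 1)]
            # Tolerate either ordering: the provider ARN is the one with ":saml-provider/".
            role, principal = (b, a) if ":saml-provider/" in a else (a, b)
            pairs.append((role, principal))
    return pairs


def build_assume_role_with_saml_params(saml_response_b64, wanted_role, duration=3600):
    """Build the keyword arguments for sts.assume_role_with_saml().

    Refuses any role the assertion does not grant, so a client cannot request a
    role the IdP never mapped to this user.
    """
    granted = dict(parse_aws_roles(saml_response_b64))
    if wanted_role not in granted:
        raise PermissionError(f"assertion does not grant {wanted_role}")
    return {"RoleArn": wanted_role, "PrincipalArn": granted[wanted_role],
            "SAMLAssertion": saml_response_b64, "DurationSeconds": duration}
```

With a real, signed SAMLResponse, `boto3.client("sts").assume_role_with_saml(**params)` returns the temporary AccessKeyId, SecretAccessKey and SessionToken; the call itself needs no AWS credentials, since the assertion is the proof of identity.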
"Using federation, if a user leaves your company, you can simply delete the user's corporate identity in one place, which then also revokes access to AWS. Your users also benefit because they only need to remember one username and password. Have I got your attention yet?" Ben Brauer, senior product manager on the AWS Identity and Access Management (IAM) team, wrote on the AWS blog.