Workforce Identity Integration (Single Sign-On)
Manage AWS account and role access easily - AWS IAM Identity Center is the AWS service for signing in through the identity source of your choice and managing permissions centrally across all the accounts in your AWS Organization. With IAM Identity Center you define role-based permissions (permission sets) in one place and then assign them to users and groups in the accounts they need to access; Identity Center provisions the corresponding IAM role into each account for you. This sharply reduces the number of roles you would otherwise have to create and maintain by hand in every account.
Use the identities you already have, or create them cloud-natively - AWS IAM Identity Center lets you choose the built-in Identity Center directory, Windows Active Directory, Azure AD, or any other SAML 2.0 identity provider (IdP) as the identity source for sign-in. If you are just getting started, you can create users and groups directly in Identity Center. If you already use AWS Directory Service to support Windows workloads in the AWS cloud, Identity Center lets users sign in with their Active Directory credentials without setting up additional infrastructure. If you use Azure AD, Identity Center can take over your users and groups automatically (SAML for authentication, SCIM for provisioning) and use them both for AWS account access and for Identity Center integrated applications. Most importantly, you connect the identity source to Identity Center once, and those users and groups are then available across every account in your AWS Organization.
Access Identity Center from the Command Line Interface (CLI) - Developers can sign in to the CLI directly and get automatic short-term credential management: `aws configure sso` records the Identity Center start URL and the account and role for a profile, and `aws sso login` performs the browser sign-in and caches the resulting short-term credentials. Sessions can be configured for 1 to 12 hours (the permission set's session duration), so developers sign in once and stay in the CLI, switching between accounts by profile without generating, copying or pasting tokens. This improves developer productivity and removes interruptions from long working sessions.
A single sign-on experience for integrated applications - Because AWS IAM Identity Center provides authentication for a wide range of use cases, your users get seamless access with a familiar sign-in experience, using the credentials they already have.
References
1# Connecting an on-premises data center (IDC) with the AWS cloud environment
The on-premises environment accesses AWS resources by assuming an IAM role. With IAM Roles Anywhere, a workload presents an X.509 certificate issued by a CA you have registered as a trust anchor, and Roles Anywhere exchanges it for temporary credentials for a role whose trust policy trusts the service; no long-lived access keys have to be deployed on premises.
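The security-relevant piece of a Roles Anywhere setup is the role's trust policy: it must trust the `rolesanywhere.amazonaws.com` service principal for `sts:AssumeRole`, `sts:TagSession` and `sts:SetSourceIdentity`, and it should be pinned to your own trust anchor with an `aws:SourceArn` condition, otherwise a certificate from any other trust anchor in the account can assume the role. The following is an added example, not code from the page or the linked workshop; it shows a weak and a hardened trust policy side by side and a small check that flags the weak one. The account ID, region, trust anchor ID and certificate CN are placeholders.

```python
# Added example (not from the page or the linked workshop): lint the trust
# policy of an IAM role that on-premises workloads assume through
# IAM Roles Anywhere. Account ID, region, trust anchor ID and CN are placeholders.

ROLES_ANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"
# The three STS actions Roles Anywhere performs when it vends credentials.
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}

# Placeholder trust anchor (the CA certificate registered with Roles Anywhere).
TRUST_ANCHOR_ARN = ("arn:aws:rolesanywhere:us-east-1:123456789012:"
                    "trust-anchor/11111111-2222-3333-4444-555555555555")

# Weak: no aws:SourceArn condition, so a certificate chained to ANY trust
# anchor in this account (not just our CA) can assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLES_ANYWHERE_PRINCIPAL},
        "Action": sorted(REQUIRED_ACTIONS),
    }],
}

# Hardened: pinned to one trust anchor and to one certificate subject CN
# (Roles Anywhere exposes certificate fields as principal tags).
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLES_ANYWHERE_PRINCIPAL},
        "Action": sorted(REQUIRED_ACTIONS),
        "Condition": {
            "ArnEquals": {"aws:SourceArn": TRUST_ANCHOR_ARN},
            "StringEquals": {"aws:PrincipalTag/x509Subject/CN": "build-agent-01.corp.example"},
        },
    }],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_roles_anywhere_trust(policy, expected_trust_anchor_arn):
    """Return findings for the Roles Anywhere statements; an empty list means OK."""
    findings = []
    seen_roles_anywhere = False
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ROLES_ANYWHERE_PRINCIPAL not in services:
            continue
        seen_roles_anywhere = True

        actions = set(_as_list(stmt.get("Action")))
        missing = REQUIRED_ACTIONS - actions
        if missing and not actions & {"*", "sts:*"}:
            findings.append("missing actions: " + ", ".join(sorted(missing)))

        # aws:SourceArn is what ties the statement to one trust anchor. A wildcard
        # pattern (ArnLike trust-anchor/*) is not an exact match and is flagged too.
        condition = stmt.get("Condition", {})
        source_arns = []
        for operator in ("ArnEquals", "ArnLike", "StringEquals", "StringLike"):
            source_arns += _as_list(condition.get(operator, {}).get("aws:SourceArn"))
        if not source_arns:
            findings.append("no aws:SourceArn condition: any trust anchor in the account can use this role")
        elif expected_trust_anchor_arn not in source_arns:
            findings.append(f"aws:SourceArn {source_arns} is not the expected trust anchor")
    if not seen_roles_anywhere:
        findings.append(f"no Allow statement for {ROLES_ANYWHERE_PRINCIPAL}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, check_roles_anywhere_trust(policy, TRUST_ANCHOR_ARN) or ["OK"])
```

On the client side the workload then runs the `aws_signing_helper credential-process` command (with its certificate, private key, trust anchor, profile and role ARNs) from a `credential_process` entry in `~/.aws/config`, so the CLI and SDKs obtain temporary credentials without any stored access keys.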
[workshop]Deep dive on AWS IAM Roles Anywhere
[youtube] AWS re:Inforce 2023 - Managing hybrid workloads with IAM Roles Anywhere, featuring Hertz (IAM306)
2# Integrating third-party SAML solution providers with AWS
If you already use a third-party single sign-on solution, the AWS Management Console can be added to it as one more service provider (SP): the IdP issues a SAML 2.0 assertion that names the IAM roles the user may assume, and AWS exchanges it for a console session or, through `sts:AssumeRoleWithSAML`, for temporary credentials.
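What all the vendor guides below have in common is the shape of the assertion they send to AWS: a `Role` attribute whose values are `role ARN,provider ARN` pairs (AWS accepts either order), a `RoleSessionName`, an optional `SessionDuration`, and optional `PrincipalTag:` attributes for session tags. The following is an added example, not code from the page or from any of the vendors listed; it decodes a SAML response the way a CLI federation helper does, validates that the assertion is addressed to AWS, extracts those attributes, and builds the arguments for boto3's `sts.assume_role_with_saml()`. The assertion is constructed for the example: the IdP, account ID and role names are placeholders, and the XML signature is omitted because this code only maps attributes and does not verify signatures (AWS does that on its side).

```python
# Added example (not from the page or the linked vendor guides): parse the SAML
# Response an IdP posts to https://signin.aws.amazon.com/saml and pull out the
# attributes AWS acts on. The assertion is constructed; IdP, account ID and
# role names are placeholders.
import base64
import xml.etree.ElementTree as ET  # for untrusted XML in production, use defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR_PREFIX = "https://aws.amazon.com/SAML/Attributes/"
# Audience values AWS accepts for console / STS federation.
AWS_AUDIENCES = {"urn:amazon:webservices", "https://signin.aws.amazon.com/saml"}

SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://signin.aws.amazon.com/saml">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Developer,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ExampleIdP,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter">
        <saml:AttributeValue>1234</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text):
    """IdPs POST the Response base64-encoded in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()


SAMPLE_SAML_RESPONSE_B64 = encode_response(SAMPLE_XML)


def _q(local):
    return f"{{{SAML_NS}}}{local}"


def parse_aws_saml(saml_response_b64):
    """Decode a SAMLResponse and return the AWS-specific attributes it carries."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    audiences = {a.text.strip() for a in root.iter(_q("Audience")) if a.text}
    if not audiences & AWS_AUDIENCES:
        raise ValueError(f"assertion is not addressed to AWS: {sorted(audiences)}")
    attrs = {}
    for attr in root.iter(_q("Attribute")):
        name = attr.get("Name", "")
        if name.startswith(AWS_ATTR_PREFIX):
            attrs[name[len(AWS_ATTR_PREFIX):]] = [
                v.text.strip() for v in attr.findall(_q("AttributeValue")) if v.text]
    roles = []
    for pair in attrs.get("Role", []):
        # "role,provider" or "provider,role": AWS accepts both orders.
        parts = [p.strip() for p in pair.split(",")]
        role = [p for p in parts if ":role/" in p]
        provider = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role attribute value: {pair!r}")
        roles.append({"role_arn": role[0], "principal_arn": provider[0]})
    if not roles:
        raise ValueError("no Role attribute: AWS has nothing to assume")
    duration = attrs.get("SessionDuration")
    return {
        "roles": roles,
        "session_name": (attrs.get("RoleSessionName") or [None])[0],
        "session_duration": int(duration[0]) if duration else None,
        "tags": {k.split(":", 1)[1]: v[0]
                 for k, v in attrs.items() if k.startswith("PrincipalTag:") and v},
    }


def assume_role_args(parsed, role_name, saml_response_b64):
    """Keyword arguments for boto3 sts.assume_role_with_saml() for one offered role."""
    matches = [r for r in parsed["roles"] if r["role_arn"].endswith("/" + role_name)]
    if len(matches) != 1:
        raise ValueError(f"role {role_name!r} is not offered by the assertion")
    args = {"RoleArn": matches[0]["role_arn"],
            "PrincipalArn": matches[0]["principal_arn"],
            "SAMLAssertion": saml_response_b64}
    if parsed["session_duration"]:
        args["DurationSeconds"] = parsed["session_duration"]
    return args


if __name__ == "__main__":
    info = parse_aws_saml(SAMPLE_SAML_RESPONSE_B64)
    print(info)
    print(assume_role_args(info, "ReadOnly", SAMPLE_SAML_RESPONSE_B64))
```

The role's trust policy has to match what the assertion carries: its principal is the `saml-provider` ARN, its action is `sts:AssumeRoleWithSAML` (plus `sts:TagSession` when `PrincipalTag:` attributes are sent), and a `SAML:aud` condition of `https://signin.aws.amazon.com/saml` keeps assertions minted for other SPs from being replayed against AWS.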
[blog] AWS Federated Authentication with Active Directory Federation Services (AD FS)
[blog] Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0
[docs] Integrating third-party SAML solution providers with AWS
[Auth0]Auth0 Announces Partnership with AWS for IAM Session Tags.
[Azure AD]Tutorial: Azure AD SSO integration with AWS Single-Account Access
[Centrify]Configure Centrify and Use SAML for SSO to AWS
[CyberArk]Configure CyberArk to provide Amazon Web Services (AWS) access to users logging in through SAML single sign-on (SSO) from the CyberArk User Portal.
[ForgeRock]The ForgeRock Identity Platform integrates with AWS. You can configure ForgeRock to pass session tags. For more information, see Attribute Based Access Control for Amazon Web Services.
[Google Workspace] Amazon Web Services cloud application – This article on the Google Workspace Admin Help site describes how to configure Google Workspace as a SAML 2.0 IdP with AWS as the service provider.
[IBM] You can configure IBM to pass session tags. For more information, see IBM Cloud Identity IDaaS one of first to support AWS session tags.
[JumpCloud] Granting Access via IAM Roles for Single Sign On (SSO) with Amazon AWS – This article on the JumpCloud website describes how to set up and enable SSO based on IAM roles for AWS.
[Matrix42] MyWorkspace Getting Started Guide – This guide describes how to integrate AWS identity services with Matrix42 MyWorkspace.
[Microsoft Active Directory Federation Services (AD FS)] Field Notes: Integrating Active Directory Federation Service with AWS IAM Identity Center – You can also configure AD FS to pass session tags. For more information, see Use attribute-based access control with AD FS to simplify IAM permissions management.
[Microsoft AD FS] PowerShell Automation to Give AWS Console Access – This post on Sivaprasad Padisetty's blog describes how to use Windows PowerShell to automate the process of setting up Active Directory and AD FS. It also covers enabling SAML federation with AWS.
[miniOrange] SSO for AWS – This page on the miniOrange website describes how to establish secure access to AWS for enterprises and full control over access of AWS applications.
[Okta] Integrating the Amazon Web Services Command Line Interface Using Okta – From this page on the Okta support site you can learn how to configure Okta for use with AWS. You can configure Okta to pass session tags. For more information, see Okta and AWS Partner to Simplify Access Via Session Tags.
[Okta] AWS Account Federation – This section on the Okta website describes how to set up and enable IAM Identity Center for AWS.
[OneLogin] From the OneLogin Knowledgebase, search for SAML AWS for a list of articles that explain how to set up IAM Identity Center functionality between OneLogin and AWS for single-role and multi-role scenarios. You can configure OneLogin to pass session tags. For more information, see OneLogin and Session Tags: Attribute-Based Access Control for AWS Resources.
[Ping] PingFederate AWS Connector – View details about the PingFederate AWS Connector, a quick connection template to easily set up a single sign-on (SSO) and provisioning connection. Read documentation and download the latest PingFederate AWS Connector for integrations with AWS. You can configure Ping Identity to pass session tags. For more information, see Announcing Ping Identity Support for Attribute-Based Access Control in AWS.
[Radiant] Radiant Logic Technology Partners – Radiant Logic's RadiantOne Federated Identity Service integrates with AWS to provide an identity hub for SAML-based SSO.
[RSA] RSA Link is an online community that facilitates information sharing and discussion. You can configure RSA to pass session tags. For more information, see Simplify Identity Access and Assurance Decisions on AWS with RSA SecurID and Session Tags.
[Salesforce] How to configure SSO from Salesforce to AWS – This how-to article on the Salesforce.com developer site describes how to set up an identity provider (IdP) in Salesforce and configure AWS as a service provider.
[SecureAuth] AWS - SecureAuth SAML SSO – This article on the SecureAuth website describes how to set up SAML integration with AWS for a SecureAuth appliance.
[Shibboleth] How to Use Shibboleth for SSO to the AWS Management Console – This entry on the AWS Security Blog provides a step-by-step tutorial on how to set up Shibboleth and configure it as an identity provider for AWS. You can configure Shibboleth to pass session tags.
3# Cross-account single sign-on in AWS
Use AWS IAM Identity Center as the single sign-on IdP to manage identities and permissions centrally and achieve cross-account single sign-on: one permission set assigned to a user or group in several accounts gives that user one login and a role in each of those accounts.
[workshop] Using IAM Identity Center (successor to AWS Single Sign-On) to achieve strong identity management