What Is SAML In AWS?

Are you looking to enhance the security of your AWS environment? If so, SAML federation is a good choice. This article covers how SAML works in AWS and what it offers. By the end of this blog, you will have a clear understanding of SAML in your cloud environment.

When an organization provides many services, its users struggle to manage a separate credential for each one. What if they could access every service or application with a single set of credentials? That would be both more convenient and easier to secure. This approach is called Single Sign-On (SSO), and SAML is one of the most widely used standards for implementing it. In this article, we will learn how SAML provides authentication in the cloud environment.

Table of Contents

  • Overview of SAML in AWS
  • Types of SAML Providers
  • What is SAML Assertion?
  • How does SAML Work?
  • Conclusion
  • Frequently Asked Questions

Overview Of SAML In AWS

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) such as AWS. The IdP, for example Active Directory Federation Services (AD FS), Okta, or OneLogin, verifies the user and generates a digitally signed SAML assertion that carries the user's identity and attributes (for AWS, the IAM roles the user is allowed to assume). In short:

  • SAML is an XML-based standard used to exchange authentication and authorization data between an identity provider (IdP) and a service provider (SP).
  • Its main purpose is SSO: users do not need to remember a separate set of credentials for every service. Because there is a single, well-protected login at the IdP, it improves security without hurting the user experience.

Now let us look at these two parties, the identity provider and the service provider, in more detail.

Types Of SAML Providers

Identity Providers (IdP)

  • They are responsible for authenticating users and asserting their identities to service providers (SPs) such as AWS. In simple words, the IdP verifies the user's credentials and generates a SAML assertion containing the user's identity and attributes.
  • It then digitally signs the assertion so that the SP can verify its integrity and origin. Because every application trusts the same IdP, identity management is centralized: credentials, MFA and account lifecycle are handled in one place, which improves security. Examples of IdPs include Active Directory Federation Services (AD FS), Okta, and OneLogin.

Service Providers (SP)

  • Service Providers (SPs) are the SAML entities that host the resource or service being accessed. AWS itself is a service provider: it relies on SAML assertions received from an identity provider (IdP) to grant users the appropriate access.
  • The SP verifies the assertion's signature against the IdP certificate it was configured to trust (in AWS, the IAM SAML provider resource), extracts the user information, and uses it to authorize access to the requested resources. In AWS the SP role is played by the sign-in endpoint and AWS STS; services such as Amazon S3 or EC2 are then accessed with the temporary credentials that result from the sign-in.

What Is SAML Assertion?

A SAML assertion is a digital statement that the identity provider sends to the service provider after successful authentication. It contains information about the user and the attributes (for AWS, the roles) granted to the user. The assertion is an XML document carrying the user identifier, timestamps, and a set of attributes, and it is digitally signed by the IdP; that signature is what gives it integrity and authenticity.

  • Simply put, the SAML assertion is digital proof that the user was authenticated, and its signature lets the service provider detect any tampering on the way from the identity provider.
  • It is the core part of a SAML SSO system: it is the message through which the identity provider and the service provider exchange information.

The main components of a SAML assertion are as follows.

  • Conditions: This element states the restrictions under which the assertion is valid. The most important are the time window (NotBefore and NotOnOrAfter) and the audience restriction, which names the service provider the assertion was issued for (for AWS, https://signin.aws.amazon.com/saml). A service provider must reject an assertion outside its time window or addressed to a different audience; otherwise a captured assertion could be replayed or presented to another SP.
  • Attribute Statement: This element carries user attributes such as roles, group memberships, or custom details, and access-control decisions are made on them. AWS reads its own attributes here: https://aws.amazon.com/SAML/Attributes/Role (pairs of IAM role ARN and SAML provider ARN the user may assume), RoleSessionName, and optionally SessionDuration and PrincipalTag attributes.
  • Authentication Statement: This element records how and when the user was authenticated: the time (AuthnInstant), the method (AuthnContextClassRef, for example password over TLS or an MFA class), and a session index. It lets the service provider judge the strength of the authentication behind the assertion.
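To make the three components concrete, here is an added example (not code from the original article or from any IdP or AWS product) that parses a constructed assertion and applies the Conditions checks a service provider must perform. The issuer, NameID, account ID and timestamps in the sample are made up, and the ds:Signature element is a placeholder; signature verification is deliberately out of scope (use an XML-DSig library such as xmlsec or python3-saml for that), so this code only checks the Conditions, AuthnStatement and AttributeStatement described above.

```python
"""Parse one SAML assertion and check its Conditions the way an SP must.

Added example, not the article's or AWS's code. SAMPLE_ASSERTION is
constructed: every identifier in it is fictional and the Signature element
is a placeholder (XML-DSig verification is left to a dedicated library).
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"   # audience AWS expects
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T11:59:30Z" SessionIndex="_s1">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Extract subject, Conditions, AuthnStatement and attributes from an assertion
    (or from a whole <samlp:Response> that wraps one)."""
    root = ET.fromstring(xml_text)
    if not root.tag.endswith("}Assertion"):
        root = root.find("saml:Assertion", NS)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    attrs = {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "signed": root.find("ds:Signature", NS) is not None,
        "not_before": _ts(cond.get("NotBefore")) if cond is not None and cond.get("NotBefore") else None,
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")) if cond is not None and cond.get("NotOnOrAfter") else None,
        "audiences": [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)] if cond is not None else [],
        "authn_instant": authn.get("AuthnInstant") if authn is not None else None,
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS) if authn is not None else None,
        "attributes": attrs,
    }


def check_conditions(parsed, now, audience=AWS_AUDIENCE, skew_seconds=60):
    """Return the reasons an SP should reject the assertion (empty list = accept).
    `now` is an aware datetime or ISO-8601 string; skew tolerates IdP/SP clock drift."""
    if isinstance(now, str):
        now = _ts(now)
    skew = timedelta(seconds=skew_seconds)
    problems = []
    if not parsed["signed"]:
        problems.append("assertion is not signed")
    if parsed["not_before"] and now + skew < parsed["not_before"]:
        problems.append("assertion not yet valid (NotBefore)")
    if parsed["not_on_or_after"] and now - skew >= parsed["not_on_or_after"]:
        problems.append("assertion expired (NotOnOrAfter)")
    if audience not in parsed["audiences"]:
        problems.append("audience mismatch")          # issued for a different SP: replay risk
    if parsed["authn_instant"] is None:
        problems.append("no AuthnStatement")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["name_id"], parsed["authn_context"])
    print(check_conditions(parsed, "2024-05-01T12:00:00Z"))      # [] : accept
    print(check_conditions(parsed, "2024-05-01T12:10:00Z"))      # expired
    print(parsed["attributes"][AWS_ROLE_ATTR])
```

The audience check matters as much as the time window: an assertion minted for another service provider must not be accepted by AWS, and vice versa, even if it is signed by a trusted IdP. The skew allowance is a common SP setting; keep it small (a minute or so), since it directly extends the replay window.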

How Does SAML Work?

The SAML console sign-in flow is straightforward. The following sequence of steps shows how SAML works in AWS.

Step 1: User Visits The Portal

  • The user visits the organization's portal and chooses to access the AWS Management Console.
  • The portal is part of the Identity Provider (IdP). The trust between the organization and AWS is set up in advance: the IdP's metadata (including its signing certificate) is registered in IAM as a SAML provider, and IAM roles are created whose trust policy allows that provider to assume them.

Step 2: The Portal Performs Verification

  • The portal verifies the user's identity within the organization (username and password, plus MFA if it is configured) and authenticates the user.
  • The flow continues only upon successful authentication.

Step 3: Portal Generates SAML Assertion

  • After authentication, the portal generates a SAML authentication response containing an assertion that identifies the user and carries user attributes, including the Role attribute that lists the IAM roles the user may assume.
  • Optionally, the IdP can set a SessionDuration attribute that controls how long the console session stays valid.
  • Additionally, the IdP can be configured to pass attributes as session tags (PrincipalTag attributes). The portal then sends the response to the client's browser in an HTML form that the browser submits automatically (the HTTP POST binding).

Step 4: Portal Redirects Client For SSO

  • After the SAML assertion is generated, the portal redirects the client browser, which posts the SAML response to the AWS SSO endpoint, https://signin.aws.amazon.com/saml.

Step 5: Request for Temporary Security Credentials

  • The AWS SSO endpoint verifies the assertion's signature and conditions, then requests temporary security credentials for the selected role on behalf of the user (the STS AssumeRoleWithSAML operation).
  • These credentials are used to create a console sign-in URL that is unique to the user.

Step 6: AWS Sign-in URL Sent to Client

  • AWS responds by sending the generated sign-in URL back to the client's browser.
  • This is done with an HTTP redirect, so the hand-off from the IdP to AWS is seamless for the user.

Step 7: Client’s redirection to AWS Management Console

  • Finally, the browser follows the sign-in URL, which takes the user to the AWS Management Console.
  • If the assertion lists more than one role (for example, for different job responsibilities), the user is asked to choose one before entering the console.
  • The session then carries only the permissions of the chosen role, so users have access only to what they should.
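Steps 4 to 7 happen inside the AWS sign-in endpoint, but a CLI login tool or a custom identity broker performs the same sequence itself. The following is an added example (not code from the original article or from AWS) of that programmatic version: picking the role from the assertion's Role attribute, bounding the session duration, exchanging the assertion for temporary credentials with STS, and building the console sign-in URL through the AWS federation endpoint. It assumes the base64 SAMLResponse and the Role and SessionDuration attribute values have already been extracted by a SAML library; the ARNs and credential strings are placeholders. Only assume_role_with_saml() talks to AWS (via boto3); everything else is pure and runs offline.

```python
"""Programmatic equivalent of steps 4-7 of the SAML console sign-in flow.

Added example, not the article's or AWS's code. Inputs (Role attribute
values, SessionDuration, SAMLResponse) are assumed to come from a SAML
library; ARNs below are placeholders for a fictional account.
"""
import json
import urllib.parse

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
# AWS limits for the SAML SessionDuration attribute: 15 minutes to 12 hours, default 1 hour
MIN_SESSION, MAX_SESSION, DEFAULT_SESSION = 900, 43_200, 3_600


def choose_role(role_values, wanted=None):
    """Step 7: pick one (role_arn, provider_arn) pair from the Role attribute values.
    With several roles and no choice given, raise so the caller can prompt the user."""
    pairs = []
    for value in role_values:
        a, b = (p.strip() for p in value.split(","))
        pairs.append((a, b) if ":role/" in a else (b, a))   # AWS accepts either order
    if wanted is not None:
        match = [p for p in pairs if p[0] == wanted or p[0].endswith("/" + wanted)]
        if not match:
            raise ValueError("role %r is not offered by the assertion" % wanted)
        return match[0]
    if len(pairs) != 1:
        raise ValueError("assertion offers %d roles; the user must choose one: %s"
                         % (len(pairs), [p[0] for p in pairs]))
    return pairs[0]


def session_duration(session_duration_values, role_max_session=3_600):
    """Step 3's SessionDuration attribute, clamped to the AWS limits and to the role's
    MaxSessionDuration (STS rejects a DurationSeconds above the role maximum)."""
    requested = int(session_duration_values[0]) if session_duration_values else DEFAULT_SESSION
    requested = max(MIN_SESSION, min(requested, MAX_SESSION))
    return min(requested, role_max_session)


def assume_role_with_saml(saml_response_b64, role_arn, provider_arn, duration):
    """Step 5: exchange the signed assertion for temporary credentials. No AWS
    credentials are needed to call this STS action; the assertion is the credential."""
    import boto3   # imported lazily so the rest of the module runs offline
    resp = boto3.client("sts").assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=saml_response_b64, DurationSeconds=duration)
    return resp["Credentials"]


def signin_token_params(creds):
    """Steps 5-6: query parameters a broker sends to the federation endpoint
    (GET FEDERATION_ENDPOINT?...) to turn temporary credentials into a sign-in token."""
    session = {"sessionId": creds["AccessKeyId"],
               "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    return {"Action": "getSigninToken", "Session": json.dumps(session)}


def console_login_url(signin_token, destination="https://console.aws.amazon.com/",
                      issuer="https://portal.example.com"):
    """Steps 6-7: the one-time URL the browser is redirected to."""
    query = urllib.parse.urlencode({"Action": "login", "Issuer": issuer,
                                    "Destination": destination, "SigninToken": signin_token})
    return FEDERATION_ENDPOINT + "?" + query


if __name__ == "__main__":
    # Constructed attribute values, as a SAML library would hand them over.
    roles = ["arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/ExampleIdP",
             "arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/ExampleIdP"]
    role_arn, provider_arn = choose_role(roles, wanted="ReadOnly")
    duration = session_duration(["43200"], role_max_session=7_200)   # role caps it at 2 h
    print(role_arn, provider_arn, duration)
    # Live part (needs network and a real base64 SAMLResponse):
    # creds = assume_role_with_saml(saml_response_b64, role_arn, provider_arn, duration)
    # then GET FEDERATION_ENDPOINT with signin_token_params(creds), read "SigninToken"
    # from the JSON reply, and redirect the browser to console_login_url(token).
```

Two design points carry over from the hosted flow: the role is chosen from what the assertion offers, never from user input alone, and the session length is bounded by the role's maximum, which is the control the AWS account owner keeps regardless of what the IdP requests.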

Conclusion

SAML in AWS lets users access cloud resources securely by exchanging authentication and authorization data between an identity provider and AWS. After verifying the user, the IdP generates a signed SAML assertion containing the user's information, and AWS exchanges it for temporary credentials scoped to a role. This improves both the security posture and the user experience of an AWS environment. Understanding SAML in AWS clarifies how identity verification and access control work in cloud services.

AWS SAML – FAQs

Can SAML Be Used For Multi-Factor Authentication In AWS?

SAML itself does not perform MFA, but it works with it: MFA is enforced by the identity provider during authentication (step 2), before the assertion is issued, so the end user faces an additional verification beyond the username and password. The IdP can record the method used in the assertion's authentication statement. Note that AWS never sees the second factor, so the aws:MultiFactorAuthPresent condition key is not present for SAML-federated sessions; MFA for federated users must be enforced at the IdP.

What Happens If A SAML Assertion Expires During An AWS Session?

The assertion's validity window only matters at the moment it is presented at sign-in. If NotOnOrAfter has already passed, AWS rejects the assertion and the user must authenticate at the identity provider again to obtain a new one. An established console session is not tied to the assertion: it lasts for the SessionDuration requested by the IdP (by default one hour, and never longer than the role allows), after which AWS sends the user back to sign in.

What Is The Difference Between IAM And Identity Provider?

Identity and access management (IAM) in the general sense is the broad discipline that covers identity providers (IdPs), Identity-as-a-Service (IDaaS), privileged identity/access management (PIM/PAM), multi-factor/two-factor authentication (MFA/2FA), and so on. An IdP is the component within it that authenticates users and manages their core identities. In AWS specifically, IAM is the service in which the external IdP is registered as a SAML provider resource and in which the roles that trust it are defined; the IdP is the outside system that does the authenticating.

What Is The Difference Between The SAML And SSO?

SAML is the XML-based standard through which service providers and identity providers exchange authentication and authorization information. SSO is the user-facing outcome: the user authenticates once and can access multiple services with that single login. SAML is one way of implementing SSO, not SSO itself.