Today, we’re pleased to announce support for attribute-based access control (ABAC) a new integration with AWS Single Sign-On. ABAC builds upon our existing collaboration and IDaaS solutions for AWS. The new integration enables enterprises to achieve ABAC for secure authentication and authorization to multiple AWS accounts when using AWS SSO.
Every day, thousands of customers leverage OneLogin as an identity provider (IdP) to federate users from a directory source to AWS, using industry standards like SAML and OIDC. OneLogin customers already benefit from multi-role single sign-on (SSO) automation within AWS environments. Now, additional user permissions can be added and asserted with tags, expanding the number and type of directory attributes that gate access to AWS resources. This OneLogin and AWS SSO integration will:
- Help mutual customers enable fine-grained authorization
- Scale more efficiently
- Reduce administrative costs to manage their AWS SSO deployments
Customers can now configure OneLogin to share user attributes in AWS and pass them as session tags during user federation and use these attributes in policies to determine access to AWS resources
What are Session Tags?
Session Tags are a granular access control solution based on user attributes, or commonly, attribute-based access control (ABAC). The integration supports administrators who want to achieve security at scale by streamlining identity management for AWS resources. Combining OneLogin’s rich access management capabilities with granular tags improves security by extending OneLogin’s policy and access permissions across an organization’s entire AWS infrastructure.
How does the Integration Work?
Now with session tags supported in AWS SSO, customers can use attributes from their corporate directories to build permissions and simplify fine-grained access to AWS resources. OneLogin customers with AWS environments can assert tags based on directory attributes to determine a user’s permissions as they access AWS resources using AWS SSO. Session Tags extend AWS SSO permission sets by enabling admins to assign specific access and tags that dictate permissions in AWS. For instance, a user may authenticate with a permission set that gives access to EC2, but can also assert a tag that also gives access to S3. Learn more about how it all works with our AWS SSO connector and see for yourself!