OneLogin/AWS - ABAC Integration via AWS SSO

Today, we’re pleased to announce support for attribute-based access control (ABAC), a new integration with AWS Identity and Access Management (IAM). ABAC builds upon our existing collaboration and IDaaS solutions for AWS. The new integration enables enterprises to achieve ABAC for secure authentication and authorization to multiple AWS accounts when using AWS IAM.

Every day, thousands of customers leverage OneLogin as an identity provider (IdP) to federate users from a directory source to AWS, using industry standards like SAML and OIDC. OneLogin customers already benefit from multi-role single sign-on (SSO) automation within AWS environments. Now, additional user permissions can be added and asserted with tags, expanding the number and type of directory attributes that gate access to AWS resources. This OneLogin and AWS IAM integration will:

  • Help mutual customers enable fine-grained authorization
  • Help them scale more efficiently
  • Reduce the administrative cost of managing their AWS IAM deployments

Customers can now configure OneLogin to share user attributes with AWS, pass them as session tags during user federation, and use these attributes in policies to determine access to AWS resources.

What are Session Tags?

Session tags are a granular access control mechanism based on user attributes, commonly known as attribute-based access control (ABAC). The integration supports administrators who want to achieve security at scale by streamlining identity management for AWS resources. Combining OneLogin’s rich access management capabilities with granular tags improves security by extending OneLogin’s policy and access permissions across an organization’s entire AWS infrastructure.

How does the Integration Work?

Now that session tags are supported in AWS IAM, customers can use attributes from their corporate directories to build permissions and simplify fine-grained access to AWS resources. OneLogin customers with AWS environments can assert tags based on directory attributes to determine a user’s permissions as they access AWS resources through AWS IAM. Session tags extend AWS IAM permission sets by enabling admins to assign specific access and tags that dictate permissions in AWS. For instance, a user may authenticate with a permission set that gives access to EC2, but can also assert a tag that additionally grants access to S3. Learn more about how it all works with our AWS IAM connector and see for yourself!
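The three pieces the paragraph above describes, as an added example that is not OneLogin's or AWS's code: the SAML attribute statement the IdP emits so that directory attributes become session tags, the role trust policy that must permit tagging the session, and a permissions policy in which an EC2 action is gated by a tag match and an S3 bucket by a tag value. The SAML attribute names (`PrincipalTag:`, `TransitiveTagKeys`), the `sts:TagSession` action and the `aws:PrincipalTag` / `aws:ResourceTag` condition keys are AWS's documented ones; the tag key `Department`, the provider ARN and the bucket ARN are constructed placeholders. The `evaluate` function is a deliberately simplified local check of `StringEquals` semantics, not AWS's policy engine, included so the effect of a present, matching, mismatching or missing tag can be seen offline.

```python
import json
from xml.sax.saxutils import escape

# AWS-documented SAML attribute names for session tags (the tag keys are assumed).
PRINCIPAL_TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"
TRANSITIVE_KEYS_ATTR = "https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys"
_ATTR_ENTITIES = {'"': "&quot;"}


def saml_attribute_statement(tags: dict, transitive: list) -> str:
    """Render the <AttributeStatement> an IdP adds so each directory attribute
    becomes a session tag; transitive keys survive further role chaining."""
    parts = []
    for key, value in tags.items():
        parts.append(
            f'<Attribute Name="{PRINCIPAL_TAG_PREFIX}{escape(key, _ATTR_ENTITIES)}">'
            f"<AttributeValue>{escape(value)}</AttributeValue></Attribute>"
        )
    if transitive:
        values = "".join(f"<AttributeValue>{escape(k)}</AttributeValue>" for k in transitive)
        parts.append(f'<Attribute Name="{TRANSITIVE_KEYS_ATTR}">{values}</Attribute>')
    return "<AttributeStatement>" + "".join(parts) + "</AttributeStatement>"


def trust_policy(saml_provider_arn: str) -> dict:
    """Role trust policy. Without sts:TagSession, AssumeRoleWithSAML is denied
    whenever the assertion carries PrincipalTag attributes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn},
            "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


def abac_permissions_policy(tag_key: str, bucket_arn: str, required_value: str) -> dict:
    """EC2 actions require the resource tag to equal the session tag; listing
    the bucket requires the session tag to carry one specific value."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EC2WhereTagsMatch",
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": "*",
                "Condition": {"StringEquals": {
                    f"aws:ResourceTag/{tag_key}": f"${{aws:PrincipalTag/{tag_key}}}"}},
            },
            {
                "Sid": "S3ForOneDepartment",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {f"aws:PrincipalTag/{tag_key}": required_value}},
            },
        ],
    }


def _resolve(value: str, principal_tags: dict):
    """Expand a ${aws:PrincipalTag/key} policy variable; literals pass through."""
    prefix = "${aws:PrincipalTag/"
    if value.startswith(prefix) and value.endswith("}"):
        return principal_tags.get(value[len(prefix):-1])
    return value


def _lookup(cond_key: str, principal_tags: dict, resource_tags: dict):
    """Value of a condition key for this request, or None when absent."""
    if cond_key.startswith("aws:PrincipalTag/"):
        return principal_tags.get(cond_key.split("/", 1)[1])
    if cond_key.startswith("aws:ResourceTag/"):
        return resource_tags.get(cond_key.split("/", 1)[1])
    return None


def evaluate(policy: dict, action: str, principal_tags: dict, resource_tags: dict) -> bool:
    """Simplified check (not AWS's evaluator): an Allow statement applies when
    the action is listed and every StringEquals condition holds. A missing
    tag on either side makes the condition fail, as StringEquals does in IAM."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(
            _lookup(k, principal_tags, resource_tags) is not None
            and _lookup(k, principal_tags, resource_tags) == _resolve(v, principal_tags)
            for k, v in conds.items()
        ):
            return True
    return False


if __name__ == "__main__":
    policy = abac_permissions_policy("Department", "arn:aws:s3:::example-finance-bucket", "finance")
    print(json.dumps(policy, indent=2))
    print(saml_attribute_statement({"Department": "finance"}, ["Department"]))
    print(evaluate(policy, "s3:ListBucket", {"Department": "finance"}, {}))  # True
```

Two practical points the check makes visible: a session with no `Department` tag at all is denied even where the resource is tagged, so the assertion must actually carry the attribute, and `StringEquals` is case-sensitive, so directory values and resource tags need a consistent casing convention before ABAC is rolled out.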

About the Author

Michael Tsai

Michael is passionate about connecting people and ideas, while creating value-add solutions and delightful experiences for all users. As a seasoned product manager at OneLogin, he primarily focuses on securing access and authentication across mobile and desktop devices, and application provisioning. Prior to joining OneLogin, he held multiple roles in automotive and medical device companies, working on both hardware and software products.
