OneLogin and Session Tags: Attribute-Based Access Control for AWS Resources

Today, we’re pleased to announce support for Session Tags, a new integration with Amazon Web Services (AWS). Session Tags builds upon our existing partnership and IDaaS solutions for AWS. The new integration enables enterprises to achieve Attribute-Based Access Control (ABAC) for secure authentication and authorization to multiple AWS accounts.

Every day, thousands of customers leverage OneLogin as an identity provider (IdP) to federate users from a directory source to AWS, using industry standards like SAML and OpenID Connect. OneLogin customers already benefit from multi-role single sign-on (SSO) automation within AWS environments. Now, additional user permissions can be added and asserted with tags, expanding the number and type of directory attributes that gate access to AWS resources.

The OneLogin and Session Tags integration will help joint customers enable fine-grained authorization, scale more efficiently and reduce administrative costs to manage AWS IAM. Customers can now configure OneLogin to share user attributes in AWS sessions during user federation and use these attributes in IAM policies to determine access to AWS resources.

What are Session Tags?

Session Tags are a granular access control solution. The integration supports administrators who want to achieve security at scale by streamlining identity management for AWS resources. Combining OneLogin’s rich access management capabilities with granular tags improves security by extending OneLogin’s policy and access permissions across an organization’s entire AWS infrastructure.

How does the Integration Work?

Session Tags enables customers to use attributes from their corporate directories to build permissions and simplify fine-grained access to AWS resources. OneLogin customers with AWS environments can assert tags based on directory attributes to determine a user’s permissions as they access AWS resources. Session Tags extend AWS IAM roles by enabling admins to assign specific access and tags that dictate permissions in AWS. For instance, a user may authenticate with a role that grants access to EC2 and, in the same session, assert a tag that additionally grants access to S3.
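To make the mechanism concrete, the following added example (not OneLogin or AWS code) models how tag-based authorization is evaluated: a constructed SAML AttributeStatement carries `PrincipalTag:` attributes that become session tags, and an IAM-style policy condition compares a resource tag with `${aws:PrincipalTag/Project}`. The account ID, role name and tag values are made up; the condition logic is a simplified offline model of the real IAM evaluator.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed AttributeStatement fragment; account, role and values are made up.
ASSERTION = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::111122223333:role/ExampleDev,arn:aws:iam::111122223333:saml-provider/ExampleIdP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{TAG_PREFIX}Project">
    <saml:AttributeValue>payments</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{TAG_PREFIX}CostCenter">
    <saml:AttributeValue>4711</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Permission policy in the shape AWS documents for ABAC: access is allowed only
# when the resource's Project tag equals the Project tag of the federated session.
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}},
}


def session_tags(assertion_xml: str) -> dict:
    """Extract PrincipalTag:* attributes, i.e. the tags AWS attaches to the session."""
    root = ET.fromstring(assertion_xml)
    tags = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if name.startswith(TAG_PREFIX):
            tags[name[len(TAG_PREFIX):]] = attr.find(f"{{{SAML_NS}}}AttributeValue").text
    return tags


def allowed(statement: dict, principal_tags: dict, resource_tags: dict) -> bool:
    """Model StringEquals with ${aws:PrincipalTag/...} substitution.
    A tag missing on either side makes the condition false, so the result is deny."""
    for key, expected in statement["Condition"]["StringEquals"].items():
        if expected.startswith("${aws:PrincipalTag/"):
            expected = principal_tags.get(expected[len("${aws:PrincipalTag/"):-1])
        actual = resource_tags.get(key.removeprefix("aws:ResourceTag/"))
        if expected is None or actual is None or actual != expected:
            return False
    return statement["Effect"] == "Allow"
```

Because a missing tag on either side yields deny, an untagged bucket or a session without the `Project` tag gets no access even though the role itself is assumable.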

See for yourself!

OneLogin is pleased to announce support for Session Tags, the newly launched granular access control from Amazon, enhancing its existing capabilities so customers can achieve access security at scale and streamline identity management for AWS resources.

Want more information on how you can scale identity management to your AWS users? Review our documentation, or contact your account manager to discuss enabling it in your OneLogin environment.

About the Author

Ehud Amiri

Ehud Amiri is a Senior Director for Product Management at OneLogin. Ehud is passionate about making the world safer by embracing new ways to trust people, devices & applications so that security becomes both effective and frictionless. Prior to joining OneLogin, Ehud served in various product management and engineering roles at CA Technologies, Netegrity, and Business Layers.