OneLogin Streamlines AWS User Management

April 18th, 2016 / product and technology

OneLogin’s enhanced AWS integration ensures optimized workflow for infrastructure administrators

For the last few years, anyone working in the cloud (pretty much everyone) would have to have been living under a rock not to have come across Amazon Web Services (AWS). Even teams that choose other ways to host their cloud-based offerings often find themselves relying on the convenience of AWS for everything from file hosting to development systems.

Company growth = migration to cloud-hosted IaaS and IDaaS solutions

As a company expands and broadens its need for a global infrastructure, it quickly runs into the challenge of scaling the development and management of a growing environment of users and sites. More applications are required for multiple lines of business to help them be productive and efficient, and these teams need those new apps and related features yesterday. Not only must companies build out the tools, they must also roll them out quickly, seamlessly, and with security best practices in place. Attempting to manage this process in-house is not only time consuming and inefficient, but also error prone, opening up security vulnerabilities. After all, one of the most common threats is a single malicious user who can potentially take down a company’s entire environment! This is why organizations are turning to IaaS (Infrastructure as a Service) and IDaaS (Identity as a Service): battle tested and proven.

Streamlining user management with SAML helps

Migration to the cloud is a given, but how does a business efficiently manage users across its environment during the migration and beyond? SAML is one of the best ways to automate user management once a company’s infrastructure has migrated. With SAML federation, users sign in at the identity provider and assume roles in AWS, so there is no need for a separate IAM user and password in each AWS account.

In most cases, SAML is a pretty straightforward conversation between an identity provider (IdP) and an application (“Hi. I’m your identity provider, I say this is Bob and I’ve got a signed assertion to prove it’s Bob.”).

When AWS gets a SAML assertion, it looks for two attributes in the signed assertion: a RoleSessionName (the user’s name, which shows up in CloudTrail for audit purposes) and a Role attribute stating which IAM Role (or Roles) the user is allowed to assume (“Here’s what Bob’s doing”). Each Role value is a pair of ARNs: the IAM role and the SAML provider it is trusted through.

Any old SAML provider can create an AWS authenticator that says “assert the user’s name and the one Role in AWS they can use.”

But what if the AWS users need access rights to dozens (or more!) Roles across many accounts? Traditionally, this means adding a new application in the IdP for each new Role that gets added to AWS and then assigning access rights to users over that new Role/Authenticator combo.

The end result is tons of applications for each user in their Identity Provider portal, each letting the user sign in with different permissions to their environment.

We’ve seen companies get creative, attempting to address this by manually coding a bunch of mapping rules to construct a custom, per-user attribute in their directories that represented the assertion of all the Roles AWS needed to give users appropriate access.

This partially solved the problem, but one challenge remained unaddressed: there was no simple way to keep track of what any given user was actually getting in terms of role assignments and access, because these attributes were made up of raw Amazon Resource Names (ARNs), e.g.


OneLogin Multi-Role for AWS – with Entitlements! - gives you the power

At OneLogin we’d already enabled a powerful tool to manage permissions in other applications: Entitlements (a catch-all term we use for “something the user can access, like a group, a role, or a license”).

We’d also already built a really nice rules engine that could let folks define easy-to-understand rules for Entitlements like “Anyone named Bob can access the Bob group” or “Anyone in the Active Directory group Admins should be an Admin.”

We leveraged these same capabilities with AWS to offer a clean, elegant end-user and admin experience that offers the same back-end security we’ve delivered to other applications.

In a nutshell, we set up our AWS connector to retrieve all the possible Roles a user can have in AWS.

OneLogin then feeds those Roles into our rules engine, with the friendly names shown in the UI and the ARNs hidden in the back-end.

With all this in place, the OneLogin admin only needs to make a single AWS application.

They can then use the OneLogin rules engine to create simple, easy to understand rules like “Anyone in the Development Team should have the Edit AWS S3 Buckets Role” that gets tied to the corresponding SAML ARN assertion.

More importantly, these Rules and Roles can be layered on top of each other so an AWS user will be presented with all the Roles the admin has granted them when logging in.
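To make the mechanics concrete, here is an added example (not OneLogin’s code, and not the connector described above) that mirrors both halves of the story: the rules engine that turns “Anyone in the Development Team should have the Edit AWS S3 Buckets Role” into the ARN pairs AWS needs, and the relying-party side that reads the RoleSessionName and Role attributes back out of the assertion. The two AWS attribute names are the real ones; the account IDs, role names, group names, rules and provider ARNs are constructed for illustration, and the assertion signature is left out entirely, so this is the attribute statement only, not a complete signed assertion.

```python
"""Multi-role SAML attributes for AWS: rules engine on the IdP side,
attribute parsing on the relying-party side.

Added, constructed example. Account IDs, role and group names and the
OneLogin provider ARNs below are made up. No signing is performed.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Friendly names shown to admins; the ARNs stay behind them (constructed values).
ROLE_CATALOG = {
    "Edit AWS S3 Buckets": "arn:aws:iam::111122223333:role/S3Editor",
    "Read-Only Auditor": "arn:aws:iam::111122223333:role/Auditor",
    "Prod Admin": "arn:aws:iam::444455556666:role/Admin",
}
# A Role value pairs a role ARN with the SAML provider ARN of the same account.
PROVIDER_BY_ACCOUNT = {
    "111122223333": "arn:aws:iam::111122223333:saml-provider/OneLogin",
    "444455556666": "arn:aws:iam::444455556666:saml-provider/OneLogin",
}
# Rules of the form "anyone in group X gets role Y". Rules layer: a user in
# several groups receives the union of the roles those rules grant.
RULES = [
    ("Development Team", "Edit AWS S3 Buckets"),
    ("Security", "Read-Only Auditor"),
    ("Ops", "Prod Admin"),
]

# Commas are excluded from the name part so the "role,provider" split stays unambiguous.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/[\w+=.@/-]+$")


def account_of(arn):
    """Return the 12-digit account ID of an IAM role or saml-provider ARN."""
    m = ARN_RE.match(arn or "")
    if not m:
        raise ValueError(f"not an IAM role/provider ARN: {arn!r}")
    return m.group(1)


def roles_for(groups):
    """Evaluate RULES for a user's groups; return sorted 'role-arn,provider-arn' strings."""
    names = {role for group, role in RULES if group in groups}
    pairs = []
    for name in sorted(names):
        role_arn = ROLE_CATALOG[name]
        provider_arn = PROVIDER_BY_ACCOUNT[account_of(role_arn)]
        pairs.append(f"{role_arn},{provider_arn}")
    return pairs


def build_attribute_statement(session_name, groups):
    """IdP side: the (unsigned) AttributeStatement XML for this user."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    sess = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=SESSION_ATTR)
    ET.SubElement(sess, f"{{{SAML_NS}}}AttributeValue").text = session_name
    role = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=ROLE_ATTR)
    for pair in roles_for(groups):
        ET.SubElement(role, f"{{{SAML_NS}}}AttributeValue").text = pair
    return ET.tostring(stmt, encoding="unicode")


def parse_attribute_statement(xml_text):
    """Relying-party side: return (session_name, [(role_arn, provider_arn), ...]).

    Rejects a missing session name, an empty role list, malformed ARNs, and a
    pair whose role and provider live in different accounts.
    """
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    values = {}
    for attr in root.findall("saml:Attribute", ns):
        values[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", ns)]
    session = values.get(SESSION_ATTR, [])
    if len(session) != 1 or not session[0]:
        raise ValueError("exactly one non-empty RoleSessionName is required")
    pairs = []
    for value in values.get(ROLE_ATTR, []):
        role_arn, _, provider_arn = (value or "").partition(",")
        if account_of(role_arn) != account_of(provider_arn):
            raise ValueError(f"role and provider are in different accounts: {value!r}")
        pairs.append((role_arn, provider_arn))
    if not pairs:
        raise ValueError("at least one Role value is required")
    return session[0], pairs


if __name__ == "__main__":
    xml_out = build_attribute_statement("bob@example.com", {"Development Team", "Ops"})
    print(xml_out)
    print(parse_attribute_statement(xml_out))
```

Running the block prints one attribute statement carrying two Role values, one per account, which is exactly the layering the rules engine produces when Bob is in both the Development Team and Ops groups; the parser is deliberately strict about the account check because a role/provider pair that spans accounts is never something AWS should be asked to honor.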

The end result is a powerful administrative engine providing a seamless experience for end users.

We’re very excited to introduce this feature and can’t wait to see how you use it in your organization!

If you’re an existing OneLogin customer, please check out our new documentation on AWS configuration.

If you’re not a customer, you can get a free OneLogin account for AWS here!

About the Author

Nathan is a Solution Architect at OneLogin focusing on partnerships with global systems integrators and software vendors. A Berkeley graduate and a New Yorker, he is also an avid fan of the New York Yankees.
