Using Oracle STS to connect to Amazon Web Services

Introduction 

Enterprises that need to connect securely to cloud-hosted applications or services more often reach for browser-based identity federation (SAML SSO) or, more recently, OAuth than for a WS-Trust security token service, so Oracle STS sees fewer opportunities than those do. It still offers a compelling differentiation for several customers. In this post, I'll share a key use case from one of our marquee customers that is an ideal fit for Oracle STS.

Overview

The customer's application needs to access resources hosted by Amazon Web Services securely, as outlined in the diagram in the AWS documentation at http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html

With AWS, a client application that needs to access AWS-hosted resources on behalf of a user must first obtain a SAML assertion describing that user from the enterprise identity store; users never hold AWS credentials directly. The application then exchanges that SAML assertion with AWS STS (the AssumeRoleWithSAML operation) for temporary security credentials that carry the authorization of an IAM role the user is allowed to assume, and uses those credentials to reach the user's resources. The temporary credentials expire, so the application repeats the exchange rather than holding long-lived AWS keys.

How to accomplish this with OSTS

- The client application sends a WS-Trust RequestSecurityToken (RST) to OSTS with

  o the user's username/password in a WS-Security UsernameToken in the SOAP header (post it over TLS only; the password is in clear text inside the SOAP message)

  o AppliesTo set to https://signin.aws.amazon.com/saml

- OSTS is configured to

  o validate the credentials against the LDAP user store

  o have a Relying Party partner representing AWS STS, with its mapping URL set to https://signin.aws.amazon.com/saml, so that the AppliesTo value in the RST selects this partner and its issuance template

- OSTS validates the credentials and creates a signed SAML 2.0 assertion from the user's LDAP record, as specified in the OSTS SAML issuance template:

  o NameID format is persistent

  o NameID value is an LDAP user ID (it cannot be a random string; that is supported only in Federation SSO, not in STS use cases)

  o SAML attributes include https://aws.amazon.com/SAML/Attributes/Role (each value is a comma-separated pair of the IAM role ARN and the IAM SAML provider ARN the user may assume) and https://aws.amazon.com/SAML/Attributes/RoleSessionName (the session identifier that ends up in the assumed-role ARN and in CloudTrail)

- AWS STS is configured to trust OSTS by registering it as a SAML identity provider in IAM, based on:

  o the OSTS issuerID/providerID (specified in the OSTS SAML issuance template)

  o the OSTS signing key (see http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/osts_key.htm#BGBCDGBC, section 33.3.3.1); AWS verifies the assertion signature against this certificate, and an assertion that is unsigned or signed with another key is rejected

  o each IAM role named in the Role attribute having a trust policy that allows sts:AssumeRoleWithSAML from that SAML provider; conditioning it on SAML:aud equal to https://signin.aws.amazon.com/saml ties the role to assertions issued for this AppliesTo


About

Kanishk Mahajan is a Principal Product Manager in Oracle Identity Management with product responsibility within the Oracle Access Management suite
