Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 11

27. Choosing a right IdP

Hey everyone and welcome to the KP Labs again. Now, in today we’ll look into how we can select a right identity provider for our environment. Now, we have already seen that for a SSO to happen, we need two things we need the IDP and we need a service provider. Service Provider we are already logged in as AWS, so this is something that we cannot change. However, when we talk about IDP, there are a lot of IDPs that we can choose from. Although it looks one in a practice. There are two applications which are generally used as far as Windows is concerned. The first application would be the ad or active directory. So this is where the username and passwords will be stored. That is one thing. And the second thing would be the IDP or an identity provider and that would be ADFS, which is Active Directory Federation service.

So you have to install both Ad and ADFS for the complete identity provider to happen. So that is one way. Now, second ways online there are various providers which will help you achieve this. Like Okta is one of the very famous one. However, we have been using JumpCloud. So if you will see, JumpCloud is offering Directory as a service, so it has an Active Directory and LDAP. So JumpCloud also has Active Directory where the users and password will be stored and it also consists of the identity provider. Now, the reason why we selected JumpCloud for our demo is because of the pricing section. So if you will see there are multiple plans over here. The first plan which is free forever is free up to ten users. And the best part is you don’t really have to pay. Like for Okta there is a trial for one month and after one month you will have to pay.

In Jump Club you don’t really have to pay till the time you are within this specific limit. So we can use this for our personal testing for any amount of time that we need. So this is the reason why I selected Jump Club. Now, in order to go with Jump Club, what you have to do, you have to put in the email address. Now, one caveat here is that you cannot put the Gmail address. You have to put some personal email address. Like for me, I had put instructors at the ratelabs in, okay? So something similar to this, it will not accept generic email address like Gmail or Yahoo. And this is the reason why I always encourage every one of you that you should have some kind of a domain through which you can generate a private email address.

Because for many of the corporate applications, they will only and they’ll only accept the company email address and they will not accept the Gmail based address. Okay? This is one important thing to remember. So if you do not have, I would really encourage you go ahead and create the domain name. This cost around two to $3 if you go through a coupon. So quite inexpensive and I will really encourage you to get your own domain so that you can sign up for JumpCloud. Now, once you sign up for JumpCloud, what you have to do is you have to log in. So there are two types of logins which are available. You see one is the admin login and second is the user login. So admin login is where we can configure the applications like AWS or other applications through which the users will be able to do a single sign on.

So in our case I have two users one is instructors at the rate Kblabs in and second is test at the rate Kblabs in. So instructors is the admin login and test is the user login. So if I show you the interface, this is the administrator login over here. So if you go to the applications this is where you can configure your own application. So if I just click on the plus sign you see there are list of applications around 138 applications that we can configure as a part of single sign on so quite a lot of them. So depending on what applications that your organization is using you can go ahead and add them in this specific list.

So this is one aspect. The second aspect is that if you want to implement the SSO you have to go ahead and create a user. Creating user is quite simple, you just have to give the username the first name, last name, username and the email and just click on save user. So this is a very simple way of doing this. So this is the basic about JumpCloud. So as we already discussed, Jump club provides both the identity store as well as the identity provider. So both of them are part of the single JumpCloud based console. So this is it about this lecture, go ahead and sign up for JumpCloud, something that I would really encourage so that you can do the practical session related to the federation. Thanks for watching.

28. AWS Cognito

Hey everyone and welcome back. In today’s video we will be discussing about AWS Cognitive. Now, although Cognitive is a service which is specifically used by developers, one of the features of Cognitive is federation and this is one of the reasons why understanding the cognitive service is important as far as the exams are concerned. So let’s go ahead and understand the need of a cognitive service post which will understand various features. Now on the definitive terms, AWS Cognitive basically provides authentication authorization and user management service for the mobile as well as web application. So let’s understand this with a use case. So let’s assume Andrew is a mobile developer in a startup organization.

Now they have begun with a mobile wallet system and there are specific requirements which are listed as follows. Now the first requirement is users should be able to sign in with the social network platforms like Facebook, Twitter, Google Plus and others. The second requirement is there should be a post sign up verification process with the help of one time password for the verification. Third requirement is account recovery feature should be present. So if someone loses the email address, or I would say someone loses the password with certain kind of hints, users should be able to fetch those details. And there is one more requirement that a gift access must be allowed for the user to see the application.

So now implementing these things actually takes a lot of time and Andrew must be wondering whether he should spend his time developing this authentication authorization system or should he spend time in making sure that a wallet system that he’s building is top notch and it is stable. So this actually is a use case. However, hundreds of developers across lots of organization are facing this kind of issue. So you take any web application. Now one of the common things that you will find across most of the web application is the sign up sign in. There is a forgot password page, you might have an MFA and you might also have sign in through Facebook, Twitter and various social networking platforms.

So instead of developer building the same code again and again, copy pasting from various websites, instead of that, what AWS gave is AWS actually gave a feature which will implement all of these things with the help of Cognitive. So if you’ll see AWS, Cognitive provides authentication authorization as well as user management service for your mobile and web application. So now instead of Andrew developing all of these features, what he can do is he can simply reference to the Cognito SDK within his mobile application and Cognito will in turn take care of all of these requirements as well as many more. Now, at a very high level, Cognitive provides two major features. One is the cognitive user pools and second is the cognitive identity pools.

Now the cognitive user pools take care of the entire authentication authorization process and the cognitive identity pool provides the functionality of federation for the users which are part of the user pool. So let’s not confuse ourselves with the theory. Let’s go to the Cognitive page and look into both of these categories. So I’m in the AWS Cognitive page and if you’ll see over here I have two options. One is manage user pools and second is manage identity pools. So if I click on manage user pools so currently there are no user pools which are created. Let’s go ahead and look into what are the options when we create a user pool. Now first is you need to give the user pool name. Second is the username.

Now within the username attributes you have various options like allow a sign in with verified email address, allow sign in with verified phone numbers, ETCA. So this is username. You also can select an email address or phone number. Now within the attribute there are certain attributes which you can select which user will typically have to put during the sign up process. Now within the policies you have the password strength policy. So what would be the password policy that would require? So if it is a wallet system you might need a minimum of maybe twelve character password where you have required numbers, special character, upper cases, lower cases and others.

Now along with that you also have a facility where you can have a password expiry related details. Now on the third column, this is a pretty interesting one where you can enable the multifactor authentication now the verification. So if a user puts in phone number you might want to verify whether the phone number actually belongs to him. So you can select email as well as phone number for the verification. So Cognitive will take care of sending SMS as well as verifying whether the email address or the phone number actually belongs to the user. Now along with that there are a lot of other features like message customization. You have devices list where you want to remember a user’s list or not and various others.

So if you will see these are a lot of important attributes which are generally required during the authentication, the authorization and also during the sign up process. So coming back to the PowerPoint presentation, I hope in a high level overview you understood what the Cognitive user pools are all about. Now think about a developer building those entire functionality by himself. It is actually a pain taking task. So now what developer has to do, he just has to use the AWS SDK and reference to the cognitive and whatever policy associated with the user pool like MFA, the password policies, the expiration policies, all of those things will be taken by Cognitive. Now, the second feature of Cognitive is the identity pool and this is something that we must remember for the certification exams also.

So the cognitive identity pool which are also referred as the cognitive federated identities, allows developer to authorize the users of the application to access various AWS services. So we’ll understand this with a use case. So let’s assume that you have a quizzing based application in Android. Now, at the end of the quiz, when the user clicks on finish, what you want is that the result of those quiz should be stored within the DynamoDB table. Now, in order for the application to store the data in AWS service, there would be a need of certain access and secret keys. Now, very first question that comes is you can hard code the access and secret keys within the application. Now, the problem with that is if someone reverse engineer, reverse engineers the application, he’ll be able to get the access and secret key.

Now, the solution to this is the identity pool where AWS cognitive will give a federated access to the application, which is basically a temporary access secret keys which the application can then use to do various kind of operation, which for this example, it can be putting certain data in the DynamoDB table. So let’s quickly look the identity pool within the cognitive as well. So I’ll just click on cancel if you see over here, one is the user pool and second is the Federated identity. So this is what the identity pool is all about. So if we’ll click on Federated identity, you have to give the identity pool name. You also have the option for various authentication providers. One is the cognito. So if you are using cognitive, you can specify the cognitive ID. You can let me quickly just because you can also specify Amazon, Facebook, Google Plus, Twitter, Open, ID, Salmon and even custom types.

So let’s look into how identity pool really works. So, the overall working of identity pool is very similar to the web identity federation that we were discussing. So this is a user, the user signs into the mobile application. So this is a mobile application. Now he signs it with a provider like Facebook or Google. So now the mobile application will coordinate with the IDP of that authentication provider. The IDP will send an authentication response. Now this authenticated response will be sent to the Cognato federated identities. Now cognitive Federated identities will verify this and it will coordinate with the AWS STF service to generate temporary access, secret key and the token. Now this access key, secret key and token will be sent back to the mobile web application and then mobile application will use that access key, secret key and the session token to perform various operations.

 It may be on DynamoDB, it may be on S Three and various others. So all of those things can be configured. Now, one last point that we should remember is the difference between a user pool and the identity pool. So I do remember is that the cognitive identity pool can take the identities from custom sources, it can take identity from cognitive user pool and it can even take identity from Facebook, Twitter, Google and various other platforms. Now it takes the identities and it will contact the Sts service. It will give back the access key, secret key and token. Through them, the various identity can access the AWS resources depending upon the permissions.

29. Introduction to AWS Directory Service

Everyone and welcome back to the Knowledge Pull video series. Now, in the earlier lecture we were discussing the basics about the Active Directory and its use case. So continuing our journey today we will be speaking about the AWS Directory service. Now there are certain challenges when it comes to Active Directory. So for those who have been setting up Active Directory in their on premise organizations, I’m sure you know that there are a lot of challenges that you might have to face. And some of the challenges which includes and it starts with first is the provisioning, the infrastructure, then it comes to installing the directory software. So you have to install the Microsoft Windows Server and then go ahead and install and configure the Active Directory there.

Once you have configured all the settings and configuration parameters, then you also have to make sure that you have a proper replication setup between the domain controllers for high availability. So if the server goes down and you don’t really have a backup, then everything will stop there. So you have to make sure that you have a proper replication set up for High Availability. After that you have to make sure that you monitor and in case of new updates, you have to do patching and many more. So this is actually quite a big challenge. And specifically in the organization who uses Active Directory a lot, they have like a dedicated Windows admin guys who does the Active Directory only. So this is quite a challenging part and this is the reason why AWS actually decided to have a directory service in the cloud.

So AWS Directory service is a managed service based on the cloud that allows users to create directories. So now, as this is a managed service, lot of things related to high Availability monitoring, backups, recovery patching is managed by the AWS experts. And as the users I just have to go ahead and create a directory and whatever policies, users groups that I need and let AWS do the entire nifty grifty technical aspect. So this is what AWS Directory service is all about. Now, there are three important components of the Directory service. One is the active Directory service with Microsoft ad. So this is basically the Windows Server which has the Microsoft ad installed. Then you have the simple ad which is the Samba four compatible server. And third is the active directory connector.

So these are the three important components that we need to remember as far as the exams are concerned. So before we go ahead and understand about each of them, let me just show you on how exactly it might look. So, when you go to the Directory service in AWS, when you do a set up a directory, you see there are three important components that we have to remember. One is the Microsoft ad. So Microsoft ad is basically the AWS managed Microsoft Active Directory, which is powered by the Windows Server 2012 so this is the complete Microsoft Ad server. Second is the simple ad. So simple ad is the AWS hosted samba four directory. So samba four. So basically Samba Four is a great software which is the ad compatible and it can act as an Active Directory domain controller.

So you can consider this as the open source version, which does a lot of things which are Active Directory does. And third thing is the ad connector which allows us to basically connect the on premise ad with the applications which are there in the AWS. So these are the three important components that we need to remember. So let’s start with the first one where you have a directory service with Microsoft ad. So this is basically powered by an actual Microsoft Windows server which is Windows Server 2012 which has the Active Directory installed. Now again, this entire server is you can say managed, so you don’t have to worry about replication, about high availability. It is managed by the AWS.

Now within this there are two types. One is the standard edition, and second is the Enterprise addition. So Standard Edition is basically for small and mid size where you have up to 5000 users. So for small startups or for mid size organization this can be used. Now if you have a lot of more users then you have to go with Enterprise Edition which goes with the larger deployments. So this is the first one. Now let’s look into the Ad connector. So Ad connector is basically a proxy service that basically provides us an easy way to connect applications in cloud to your existing on premise ad. So this is the ad connector. So this acts as a proxy for the applications which are present in the cloud and it allows to connect to the on premise ad server.

So this ad server can be in your data center or even in your organization as well. So when the user logs into the application, ad connector forwards, basically it signs the request to the on premise Active Directory domain controller for authentication. So whatever request that application receives, ed connector will forward that request to the on premise Active Directory for authentication and for authorization. So this is what the ad connector does. And this is quite important because many of the organization they have already the Active Directory set up in their data center or even in on premise. And now if they want to have applications in the AWS cloud, which is Adaware, then you need a connectivity and Ad connector is one of the easiest way to achieve this.

Now one important thing to remember is that in order for the application in AWS to connect to the ad, you need to have a VPN tunnel in place. Like without VPN tunnel you cannot really do that in an idle scenario. So this is one important point to remember. And third is the simple ad. So simple ad is a Microsoft active Directory compatible directory from the AWS Directory service that is powered by the Samba Four. So this is not an actual Microsoft Active Directory, but it is a compatible Directory service. So again, this is like a free or free version which supports certain features of Active Directory. So Simple Ad supports basic Active Directory features like users, user accounts, group membership, joining a Linux domain or Windows like Carboros, SSO, group policies, et cetera.

So, as part of Simple Ad, AWS provides monitoring, daily snapshots and recovery as part of this service. Now, since this is not an Active Directory, there are certain features which are not yet available for Simple Ad. So Simple Ad does not support trust relationships, it does not support DNS, dynamic updates, schema extensions, multifactor authentication, communication over Ltapas and many more. So these are the things which are not supported by Simple Ad. So if you need these features, then you have to go with the first option that we have selected widget Directory service with Microsoft Ad. So let me just give you one of the simple example. You can actually connect or you see joining a Linux domain with Simple Ad. So I’ll show you one of the examples.

Over here I have a simple Ad which is already created and along with that I have an EC two instance. So what I have done is I have connected this EC two instance to my Simple Ad. So now if I want to log into the EC two instance, I can log in with the users which are present in this directory service and not the users which are present over here. So, let me just show you. So I’ll do a login. You see I am logging with the administrator at the rate the directory service followed by the IP address. Now I have to provide a password and now you see I am logged in over here. So if I do ID, it will basically give me the UID which is the administrator at the rate ad munu. com, followed by the GID, the group within the g ID.

You see it is part of the domain which is usereaderate admu. com. So if I create more users within this directory service, these users can log in to the EC to instance like I don’t have to manually create the user within this EC. To instance I can log in from the users which are part of this Simple Ad. So, if I have 100 Linux servers which are connected to the directory service, I can easily create the users within that directory and that user will be able to log into all the 100 servers. Same goes with the deletion as well. If I delete the user from the directory service, the user will not be able it to log in to all the 100 user.