Choose Your Own SAML Adventure: A Self-Directed Journey to AWS Identity Federation Mastery

Update from January 17, 2018: The techniques demonstrated in this blog post relate to traditional SAML federation for AWS. These techniques are still valid and useful. However, AWS Single Sign-On (AWS SSO) provides analogous capabilities by way of a managed service. If you are just getting started with federating access to your AWS accounts, we recommend that you evaluate AWS SSO for this purpose.

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. Using SAML, you can configure your AWS accounts to integrate with your identity provider (IdP). Once configured, your federated users are authenticated and authorized by your organization's IdP, and then can use single sign-on (SSO) to access AWS.

In this workshop, we start by guiding you through deploying an IdP and configuring SAML federation for AWS, including federated CLI access. We then continue to walk you through how to implement some advanced SAML use cases. These include writing Amazon S3 bucket policies for specific federated users, using SAML attributes to enforce additional authorization requirements, and automating federation configurations across a large number of AWS accounts, among others. To top if off, we've assembled this workshop in such a way that you'll be able to choose your own path through the exercises, guiding your journey toward the technology and use cases that best fit your interests.

To get started, choose your desired technology stack

Open Source: Implements a Shibboleth 3.x IdP with an OpenLDAP backing identity store, hosted on Amazon Linux. Microsoft: Implements Active Directory Federation Services with an Active Directory domain identity store, hosted on Windows Server 2012R2.

Ask the experts

Ask the experts is your opportunity to tap into the collective federation knowledge of the Amazonians supporting the exercise.

To ask your question, send an email to Be sure to include your name, table number, and cc other workshop participants who are interested in receiving the answer. We will answer what we can in the room. We will follow up with an AWS Security Blog post before the end of December in which we address as many questions asked during the workshop as possible.

Update: Read the follow up blog post.

Continue your journey

After you complete the initial exercise, you are ready to advance your journey into the more advanced use cases. Complete these advanced use cases in the order and combination that you choose. To continue, choose the appropriate link from the following list to see a brief summary of each use case and continue with your own SAML adventure.

Clean up

After you have completed all of your desired use cases, complete the following clean up steps.

Introductory presentation

Review the introductory presentation on Slideshare.

Reference materials

For your convinience, the list of referenece materials from the introductory presentation follows.