Identity Providers & Federation (Part 1)

By Ashwin Venugopal -

 





To read part 2, please click here




About Web Identity Federation

If you want to create a mobile app that can access AWS resources, then, you have to make requests to their services that must be signed with an AWS access key, which is not recommended. Instead you can ask for temporary AWS security credentials dynamically when needed vie Web Identity Federation.

Web Identity Federation allows the users of your app to sign-in with the help of a well-known identity provider (IdP) like Amazon, Google, Facebook, etc. In this process, an authentication token is given, which can be exchanged for temporary security credentials in AWS that can map to an IAM role with permissions to use the resources in your account. Hence, IdP will help you keep your AWS account safe as you don't have to embed and distribute long-term security credentials with your application.

It's recommended to use Amazon Cognito, because it acts as an identity broker and does much of the federation work for you. Otherwise, you have to write a code that can easily interact with a web IdP, and then calls the AssumeRoleWithWebIdentity API to trade with the received identity token.

Using Amazon Cognito for Mobile Apps

As stated above, using Amazon Cognito is the most preferred way to use identity federation and the following figure simplifies the process, using Login with Amazon as the IdP. However, Facebook, Google, etc. can also be used instead:


  • Firstly, a customer starts your app on a mobile device, and it asks to sign-in.

  • The app uses Login with Amazon resources to accept the user's credentials.

  • Now, the app will use Amazon Cognito API operations GetID and GetCredentialsForIdentity to exchange the Login with Amazon ID token for an Amazon Cognito Token.

  • After that, the app will get temporary security credentials from Amazon Cognito.

  • The temporary security credentials can be used by the app to access any AWS resources required by the app to operate.

Now, in order to configure your app using Amazon Cognito, use the following process:

  • Firstly, you have to sign-up as a developer with login with Amazon, Google, Facebook, or any other OpenID Connect (OIDC) and configure one or more apps with the provider. However, this step is optional as Amazon Cognito also supports unauthenticated access for your users.

  • Now use the Amazon Cognito wizard (in the AWS Management Console) to create an identity pool that can keep your end user identities organized for your apps.

  • Integrate AWS Amplify with your app, and import the files required to use Amazon Cognito.

  • After that, you have to create an instance of the Amazon Cognito credentials provider, passing the identity pool ID, your AWS account number, and the Amazon Resource Name (ARN) of the roles that you associate with the identity pool.

  • After your apps' successful access of an AWS resource, you can pass the credential provider instance to the client object, that can pass temporary security credentials to the client whose permissions are based on the roles or role defined earlier.








To read part 2, please click here








Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more

Threat Hunting in Microsoft Sentinel (part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Introducing the Microsoft Sentinel Hunting Page Threat hunting is a series activities performed while investigating and as there are no guidelines to perform it, the available tools on the Microsoft Sentinel can be introduced to perform better in your investigations. Firstly, you have to choose the Hunting link in the Microsoft Sentinel navigation menu to get to the Hunting page which is divided into the following sections: The header bar- It is located at the top of the page as usual and contains Refresh as well as timespan drop down menu. The New Query button can help you with creating a new query and the Run all queries button can run all the hunting queries in the background while also updating the hunting query list section with the number of results found.  The summary bar- Here, you can view the total number of queries available to run, the total number of bookmarks, the number of results from running live
Read more