Use G Suite as an External ID Provider for AWS SSO

One of the most pressing challenges of implementing Identity and Access Management (IAM) is to ensure ease of use while providing robust security. It entails balancing competing priorities: reducing cost, enhancing user experience, efficiency and effectiveness, and minimizing risk through secure practices.

For organizations with multiple AWS accounts, IAM enables administrators to grant granular access to resources based on roles and projects, and to accomplish specific tasks. But it is an administrative challenge to keep track of employees who no longer need access to those resources, and to disable access when employees leave the organization.

On the user side, people are hassled by having to remember multiple passwords to access different AWS accounts for multiple applications and environments, and they often face account lockouts, forced password resets and regular password rotations, all of which get in the way of employee efficiency. And it is not just employee efficiency: IT personnel waste significant time managing password-related issues. According to one research study, IT teams spend an average of four hours per week on password management issues alone. Worse, it promotes poor practices such as password reuse, documenting passwords in a spreadsheet or a note on a phone, and emailing or sharing passwords.

In the AWS Cloud, these challenges can be effectively addressed by configuring G Suite as the external identity provider for AWS SSO. Understanding how federated identity works is essential to appreciating the benefits of this approach.

Federated Identity Comes to the Rescue

Given the imperatives of a modern enterprise, in which a mobile workforce uses numerous devices to work in a collaborative environment and users require access to corporate, partner and third-party networks, identity management technologies must be flexible enough to facilitate access across security domains.

Identity federation is a process whereby user authentication is delegated to an external third party, the identity provider (IdP), which then enables access to different domains with a single identity. Using SAML authentication (an open standard for authentication and authorization that does not expose users' credentials to the relying service), the IdP links identities across multiple security domains, each supporting its own identity management system. When two domains are federated, a user authenticated in one domain can access resources in the other without performing a separate login.

Federated identity has several advantages, chief amongst which are:

  • Ease of use for employees, as a single set of credentials enables access to multiple domains.
  • Increased security, as there is a single database of user credentials.
  • Higher compliance, as only the information required for authentication is shared, and a reduced burden on employees to manage passwords.
  • A reduced burden on IT to facilitate employee access across domains and to handle the administrative challenges of password management.

Federated identity and Single Sign-On (SSO) are closely related but not the same. SSO allows access to multiple services and applications with a single login within the same organization, while federated identity management allows much broader access to applications and systems across organizations. As a result, federated identity can provide SSO, but not necessarily the other way round.

G Suite facilitates easy access to resources within an AWS organization

Customers keep separate AWS accounts for administrative reasons (budgeting needs, financial discipline and better hygiene), but users within the organization need to access all or some of these accounts.

Instead of signing in separately to each account, customers can use AWS Organizations and subscribe to AWS SSO to centrally manage user access across the multiple AWS accounts in the organization. Customers can integrate AWS SSO with their G Suite so that users access AWS accounts with their G Suite credentials.

As the identity provider, G Suite is responsible for the creation, authentication and management of user identities for the AWS organization, and AWS SSO grants access to AWS resources based on each user's role(s) in the organization.

In addition to simplifying access for users, using G Suite as the external identity provider means that deactivating a user's G Suite email account when they leave the organization automatically revokes their AWS access.

G Suite Authentication Flow with AWS SSO

The following diagram depicts how G Suite federation works with AWS SSO:

  1. A G Suite account holder opens the link to the AWS SSO user portal of AWS Organizations.
  2. The user is redirected to the G Suite login page for authentication and logs in with their G Suite credentials.
  3. If the login is successful, G Suite creates a SAML response and sends it to AWS SSO. The response contains three different types of SAML assertion: authentication, authorization, and user attributes.
  4. Only once AWS SSO receives the response is the user allowed access to the AWS SSO user portal, where the accessible AWS accounts are made available.
  5. The user then selects one of the permitted accounts and is redirected to the AWS Management Console.
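As an added example (not code from the original post), the following Python validator models the service-provider side of steps 3 and 4: it parses a constructed SAML response and applies the checks a relying party such as AWS SSO must make before granting portal access (success status, expected issuer, signed assertion, validity window and audience restriction). The issuer, audience and user e-mail are placeholder values, and signature verification is reduced to a presence check.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response; issuer, audience and e-mail are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example.com/placeholder</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/placeholder</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):
    # SAML Conditions carry UTC timestamps in this fixed format.
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_response(xml_text, expected_issuer, expected_audience, now):
    """Return (accepted, reason, attributes). The signature is checked for presence only;
    cryptographic XML-DSig verification needs a dedicated library and is outside this example."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        return False, "status not Success", {}
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", {}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        return False, "assertion missing or unsigned", {}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", {}
    if expected_audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience mismatch", {}
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", attrs
```

A replayed or expired assertion fails the validity-window check, and an assertion minted for a different service provider fails the audience check, which is why both must be enforced before any account is listed in the portal.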