1
00:00:00,290 --> 00:00:03,730
Let's talk about AWS Single Sign-On or SSO.

2
00:00:03,730 --> 00:00:05,780
It lets you centrally manage Single Sign-On

3
00:00:05,780 --> 00:00:07,300
to access multiple accounts

4
00:00:07,300 --> 00:00:09,380
and third-party business applications.

5
00:00:09,380 --> 00:00:11,130
So you're going to go to your portal

6
00:00:11,130 --> 00:00:13,550
and once you're logged in to that Single Sign-On portal,

7
00:00:13,550 --> 00:00:16,480
you can log in to any of your AWS accounts,

8
00:00:16,480 --> 00:00:21,010
Dropbox, Office 365, Slack, without reentering your login.

9
00:00:21,010 --> 00:00:22,610
That's why it's called Single Sign-On.

10
00:00:22,610 --> 00:00:25,400
So you can log in once and you have access to all the things

11
00:00:25,400 --> 00:00:28,740
that Single Sign-On is configured to access.

12
00:00:28,740 --> 00:00:30,670
So the really cool thing is that it is integrated

13
00:00:30,670 --> 00:00:33,290
with AWS Organizations, so if you have tons

14
00:00:33,290 --> 00:00:35,270
of accounts within your organization,

15
00:00:35,270 --> 00:00:38,940
you just set up AWS Single Sign-On and you will have access

16
00:00:38,940 --> 00:00:42,760
to log in to all the accounts within that organization.

17
00:00:42,760 --> 00:00:45,210
So, one login for all the accounts.

18
00:00:45,210 --> 00:00:47,330
It supports SAML 2.0 markup,

19
00:00:47,330 --> 00:00:48,910
so it has integration with SAML,

20
00:00:48,910 --> 00:00:52,140
and deep integration with on-premises Active Directory.

21
00:00:52,140 --> 00:00:53,610
It's centralized permission management,

22
00:00:53,610 --> 00:00:55,530
so you can manage all the permissions of users

23
00:00:55,530 --> 00:00:58,690
within Single Sign-On and you get centralized auditing

24
00:00:58,690 --> 00:01:00,540
with CloudTrail for the logins.

25
00:01:00,540 --> 00:01:01,790
So it's awesome.
26
00:01:01,790 --> 00:01:05,430
So anytime you see a use case talking about doing a sign-on

27
00:01:05,430 --> 00:01:08,230
to multiple AWS accounts or to business applications

28
00:01:08,230 --> 00:01:12,160
that require SAML 2.0, think Single Sign-On.

29
00:01:12,160 --> 00:01:13,570
Okay, so here's another graph.

30
00:01:13,570 --> 00:01:16,220
So, in the center we have Single Sign-On,

31
00:01:16,220 --> 00:01:19,090
so SSO, and we set up a connection

32
00:01:19,090 --> 00:01:21,030
to maybe our on-premises Active Directory,

33
00:01:21,030 --> 00:01:23,230
so we'll have an Active Directory on-premises,

34
00:01:23,230 --> 00:01:25,060
but we could also use Managed Services by AWS

35
00:01:25,060 --> 00:01:29,010
or we can use Microsoft Managed AD by AWS

36
00:01:29,010 --> 00:01:31,410
to also manage our users from there.

37
00:01:31,410 --> 00:01:33,460
So we set up that trust and then

38
00:01:33,460 --> 00:01:36,760
Single Sign-On knows how to get the users from there.

39
00:01:36,760 --> 00:01:39,340
Then the users can connect to Single Sign-On

40
00:01:39,340 --> 00:01:41,180
and from Single Sign-On, we can integrate it

41
00:01:41,180 --> 00:01:44,050
with different OUs and accounts within our organization.

42
00:01:44,050 --> 00:01:45,557
So, once we log in to Single Sign-On,

43
00:01:45,557 --> 00:01:49,030
we can access any organization accounts in here,

44
00:01:49,030 --> 00:01:50,990
but also we can access business cloud applications

45
00:01:50,990 --> 00:01:52,710
that have deep integration with SSO

46
00:01:52,710 --> 00:01:55,540
such as Office 365, Dropbox and Slack,

47
00:01:55,540 --> 00:01:57,300
or we can even configure our own

48
00:01:57,300 --> 00:02:00,620
custom SAML 2.0-compliant application, okay?

49
00:02:00,620 --> 00:02:02,590
And with these SAML applications,

50
00:02:02,590 --> 00:02:05,510
we can enable them to work with SSO.
51
00:02:05,510 --> 00:02:07,760
So the idea is that we log in once with SSO,

52
00:02:07,760 --> 00:02:11,220
it checks our login with our on-premises AD or our managed AD

53
00:02:11,220 --> 00:02:12,890
and then we have access to AWS,

54
00:02:12,890 --> 00:02:16,220
business cloud applications and custom SAML applications.

55
00:02:16,220 --> 00:02:17,340
So it's really cool, but I want you

56
00:02:17,340 --> 00:02:20,550
to notice exactly the difference between using SSO

57
00:02:20,550 --> 00:02:23,140
and using the AssumeRoleWithSAML API

58
00:02:23,140 --> 00:02:24,700
that I told you about before.

59
00:02:24,700 --> 00:02:26,760
So if you use AssumeRoleWithSAML,

60
00:02:26,760 --> 00:02:30,090
we have to set up our third-party IdP login portal

61
00:02:30,090 --> 00:02:32,850
that will check our identity with the identity store,

62
00:02:32,850 --> 00:02:35,770
that will return to us a SAML 2.0 assertion,

63
00:02:35,770 --> 00:02:38,020
and then we have to send that SAML assertion

64
00:02:38,020 --> 00:02:40,920
to STS to use the right AssumeRoleWithSAML,

65
00:02:40,920 --> 00:02:43,040
and we get back security credentials

66
00:02:43,040 --> 00:02:45,370
and we are connected to AWS.

67
00:02:45,370 --> 00:02:47,660
But so, if you have multiple accounts on AWS,

68
00:02:47,660 --> 00:02:49,960
we need to set up this process

69
00:02:49,960 --> 00:02:52,280
for each and every single account.

70
00:02:52,280 --> 00:02:55,070
On top of it, we have to manage this login portal and it's

71
00:02:55,070 --> 00:02:58,650
not a thing that may be available in your company just yet.
72
00:02:58,650 --> 00:03:02,160
But with SSO, a browser interface will log in

73
00:03:02,160 --> 00:03:05,030
through the login portal of SSO so we don't have to set up

74
00:03:05,030 --> 00:03:07,620
that login portal ourselves; this is the SSO service,

75
00:03:07,620 --> 00:03:11,700
and SSO is already integrated with your identity store

76
00:03:11,700 --> 00:03:13,520
so we don't have to run anything here.

77
00:03:13,520 --> 00:03:14,810
They just talk to each other,

78
00:03:14,810 --> 00:03:16,350
they generate credentials for you,

79
00:03:16,350 --> 00:03:18,110
and you get credentials back right away,

80
00:03:18,110 --> 00:03:20,320
so it's one less piece of integration to do.

81
00:03:20,320 --> 00:03:22,660
The really cool thing is that this SSO portal

82
00:03:22,660 --> 00:03:25,210
can give us credentials for one AWS account,

83
00:03:25,210 --> 00:03:26,620
but also many others.

84
00:03:26,620 --> 00:03:28,040
So, as soon as you wanna scale

85
00:03:28,040 --> 00:03:30,870
with a number of multiple accounts you wanna connect to,

86
00:03:30,870 --> 00:03:33,380
then SSO becomes an obvious choice.

87
00:03:33,380 --> 00:03:34,400
So that's it for this lecture,

88
00:03:34,400 --> 00:03:35,700
and then let's go quickly into the hands-on

89
00:03:35,700 --> 00:03:37,030
to see how that works, but hopefully

90
00:03:37,030 --> 00:03:38,600
you get a better idea of what SSO is

91
00:03:38,600 --> 00:03:40,300
and how it's used in your company.