Paula Wong
asked on
AWS and SAML
Has anyone implemented AWS and SAML with the goal of hiding hash keys?
Yes, for example Bitium SSO
ASKER
ok, do you have examples?
ASKER
Is there anything within AWS that can be done without using a third party tool?
If the key is encrypted there is no real need to go to the extent of hiding it; security via obscurity is lower par compared to security by default. Instead, HMAC-SHA256 the key (making up the ID and other params), then encrypt it with the recipient's public key and do the SAML token exchange... this is a simpler, basic approach. It is like:
- Users "log in" by any means you cater for as the challenge (or fitting your environment's common access means).
- Upon such login, the server sends a cookie value, to be sent back with each subsequent request.
- The cookie contains the user ID, the date issued, and a value "KEY" = HMAC(K, userID || date || IP).
- When the server receives a request, it validates the cookie: the userID and date are from the cookie itself, the source IP is obtained from the web server, and the server recomputes "KEY" to check and match it against what is stored and what is in the cookie.
We can further encrypt the "KEY" for the exchange of secure cookies... Pardon me for not mapping this to AWS or SAML, but the principle stands in today's use cases for exchanges, even for SSO to reuse or "replay" the same token across a federated identity environment (a kind of Kerberos scheme).
Unless the "hiding" is via a scheme of going out of band, i.e. via another channel outside the session, to receive a common synced secret key (or authorisation code or PIN). The key threat that I foresee for "hiding" a plain key is to deter and detect MitM; not sure if I understand it correctly: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#condition-keys-saml
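The cookie scheme sketched in the answer above, as an added example that is not part of the original thread or any product mentioned in it: the server issues userID | date | KEY with KEY = HMAC-SHA256(K, userID || date || IP), and on each request recomputes KEY from the cookie fields plus the source IP seen by the web server. The server key K, the cookie layout, the 8-hour lifetime and the length-prefixed field encoding (so that adjacent fields cannot be re-split into a different userID/date pair) are assumptions of this example, not something the answer specifies.

```python
# Added example (not from the original thread): HMAC-keyed session cookie
# KEY = HMAC(K, userID || date || IP), issued at login and recomputed on
# every request so a tampered, replayed-from-another-IP or expired cookie fails.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical server-side secret K. A real deployment loads it from a secret
# store and rotates it; it is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_TTL = timedelta(hours=8)          # assumed lifetime, not from the post
_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _mac(key: bytes, user_id: str, issued: str, ip: str) -> str:
    """HMAC-SHA256 over the three fields, each length-prefixed (assumption:
    plain concatenation as written in the post would let 'ab'+'c' == 'a'+'bc')."""
    msg = b"".join(
        len(f).to_bytes(2, "big") + f
        for f in (user_id.encode(), issued.encode(), ip.encode())
    )
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def issue_cookie(user_id: str, client_ip: str,
                 now: Optional[datetime] = None, key: bytes = SERVER_KEY) -> str:
    """Server side of login: return the cookie value to hand to the client."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    now = now or datetime.now(timezone.utc)
    issued = now.strftime(_TS_FMT)
    return f"{user_id}|{issued}|{_mac(key, user_id, issued, client_ip)}"


def validate_cookie(cookie: str, client_ip: str,
                    now: Optional[datetime] = None,
                    key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user ID if the cookie is authentic, unexpired and presented
    from the same source IP it was issued to; otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_id, issued, tag = parts
    # Recompute KEY from the cookie fields plus the IP the web server saw.
    expected = _mac(key, user_id, issued, client_ip)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        issued_at = datetime.strptime(issued, _TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    now = now or datetime.now(timezone.utc)
    if not (issued_at <= now <= issued_at + COOKIE_TTL):
        return None
    return user_id


def demo() -> dict:
    """Exercise the four cases a server must get right."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed time
    cookie = issue_cookie("alice", "203.0.113.5", now=t0)
    forged = "admin|" + cookie.split("|", 1)[1]                 # userID swapped, MAC kept
    return {
        "valid":     validate_cookie(cookie, "203.0.113.5", now=t0 + timedelta(minutes=5)) == "alice",
        "other_ip":  validate_cookie(cookie, "198.51.100.9", now=t0 + timedelta(minutes=5)) is None,
        "tampered":  validate_cookie(forged, "203.0.113.5", now=t0 + timedelta(minutes=5)) is None,
        "expired":   validate_cookie(cookie, "203.0.113.5", now=t0 + timedelta(days=1)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Binding the MAC to the client IP is what makes the "replay" the answer mentions fail from elsewhere, at the cost of breaking sessions for users behind rotating NAT or mobile carriers; a real deployment also puts the cookie behind Secure/HttpOnly flags and TLS, since the MAC only proves integrity and origin, not confidentiality.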
The question is a YES/NO question: has somebody implemented it?
The answer is YES, because Bitium has.
Their examples are mostly vendor-neutral, so I don't see any need for more.
ASKER
I think Enhanced Identity Privacy is what I am looking for; see the URL here:
https://technet.microsoft.com/pt-pt/library/cc773244(v=ws.10).aspx
As a follow-up question:
Just wondering if anyone has some URLs or posts that can help me assess the AWS environment? Say I have to document the current setup that AWS has for high-level executives, as the person who deployed it is no longer there and I am pretty new to AWS. How would I start this assessment to get more familiar with how AWS is set up for their corporate environment?