AWS and SAML

Has anyone implemented AWS and SAML with the goal of hiding hash keys?
LateNaite (CEO and Founder) asked:
gheist commented:
Yes, for example Bitium SSO
LateNaite (CEO and Founder, Author) commented:
OK, do you have examples?
LateNaite (CEO and Founder, Author) commented:
Is there anything within AWS that can be done without using a third-party tool?
btan (Exec Consultant) commented:
If the key is encrypted there is no real need to go to the extent of hiding it - security via obscurity is lower par compared to security by default. Instead, HMAC-SHA256 the key (making up the ID and other params), then encrypt it with the recipient's public key and do the SAML token exchange... this is a simpler basic approach. It is like:

- Users "log in" in any way which you cater for it to be a challenge (or fitting your environment's common access means).
- Upon such login, the server sends a cookie value, to be sent back with each subsequent request.
- The cookie contains the user ID, the date issued, and a value "KEY" = HMAC(K, userID || date || IP).
- When the server receives a request, it validates the cookie: the userID and date are from the cookie itself, the source IP is obtained from the Web server, and the server recomputes "KEY" to check and match it against what is stored and what is in the cookie.

We can further encrypt the "KEY" for the exchange of secure cookies... Pardon me for not mapping to AWS or SAML, but the principle stands in today's use cases for exchanges. Even for SSO to reuse or "replay" the same token across a federated identity environment (kind of a Kerberos scheme).

Unless the "hiding" is via the scheme of going out of band, i.e. via another channel outside the session, to receive a common synced secret key (or authorisation code or PIN). The key threat that I foresee for "hiding" a plain key is to deter and detect MitM - not sure if I understand it correctly. http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#condition-keys-saml
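The cookie scheme sketched in the comment above, as an added Python example (not code from this thread, from AWS or from Bitium): the server key, user id and IP addresses are constructed placeholders, the "date" is an epoch timestamp, and validation recomputes the HMAC from the source IP the web server observed and compares it in constant time.

```python
import hmac
import hashlib

# Constructed placeholder for the server secret K; in practice load it from a secret store.
SERVER_KEY = b"constructed-placeholder-server-key"
MAX_AGE_SECONDS = 8 * 3600   # reject cookies issued longer ago than this
SEP = "|"                    # field separator inside the cookie


def _tag(key: bytes, user_id: str, issued: int, ip: str) -> str:
    # KEY = HMAC(K, userID || date || IP), with an explicit separator so the
    # three fields cannot be shifted into one another.
    msg = SEP.join((user_id, str(issued), ip)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(key: bytes, user_id: str, ip: str, now: int) -> str:
    """Build the cookie sent after login: userID|issued|KEY (issued = epoch seconds)."""
    if SEP in user_id:
        raise ValueError("user id must not contain the separator")
    return SEP.join((user_id, str(now), _tag(key, user_id, now, ip)))


def validate_cookie(key: bytes, cookie: str, source_ip: str, now: int,
                    max_age: int = MAX_AGE_SECONDS):
    """Return the user id if the cookie is authentic and fresh, else None.

    userID and issued come from the cookie; source_ip is what the web server
    observed for this request, so a cookie replayed from another address
    fails the HMAC check.
    """
    parts = cookie.split(SEP)
    if len(parts) != 3 or not parts[1].isdigit():
        return None                      # malformed cookie
    user_id, issued_str, tag = parts
    issued = int(issued_str)
    if issued > now or now - issued > max_age:
        return None                      # clock skew or expired
    expected = _tag(key, user_id, issued, source_ip)
    if not hmac.compare_digest(expected, tag):
        return None                      # tampered fields, wrong IP, or wrong key
    return user_id
```

Binding the tag to the client IP means users behind changing NAT or mobile addresses will be logged out, which is the trade-off the comment's design implies.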
gheist commented:
The question is a YES/NO question of whether somebody implemented it.
The answer is YES, because Bitium has.
Their examples are mostly vendor-neutral, so I don't see any need for more.
LateNaite (CEO and Founder, Author) commented:
I think Enhanced identity privacy is what I am looking for, see the URL here:

https://technet.microsoft.com/pt-pt/library/cc773244(v=ws.10).aspx

As a follow up question -

Just wondering if anyone has some URL posts that can help me to assess the AWS environment? Say I have to document the current setup that AWS has for high-level executives, as the person who deployed it is no longer there and I am pretty new to AWS; how would I start this assessment to get more familiar with how AWS is set up for their corporate environment?
btan (Exec Consultant) commented:
Indeed, and I am thinking of Cognito from AWS, which may help in linking identity with the backend:
Http://mobile.awsblog.com/post/Tx1YVAQ4NZKBWF5/Amazon-Cognito-Announcing-Developer-Authenticated-Identities

Also, for AWS discovery, AWS Config may be a useful area to explore further:
https://aws.amazon.com/blogs/aws/track-aws-with-config/