Identity federation and single sign-on - AWS Prescriptive Guidance

Identity federation and single sign-on

Ensuring consistent identity management across core systems is key to successfully and securely adopting any technology. Educational institutions are increasingly adopting cloud-based identity and single sign-on solutions such as AWS IAM Identity Center, Microsoft Entra ID (formerly Azure Active Directory), Okta, JumpCloud, OneLogin, Ping Identity, and CyberArk to simplify identity management, lower operational burden, and centrally enforce best practices such as multi-factor authentication and least privilege access.

Many of these institutions still maintain identity management and directory services such as Active Directory and Shibboleth for their on-premises environments. These can be integrated with cloud-based solutions to enable centralized identity management and single sign-on for your students, faculty, and staff. Cloud solution providers should have robust, easy-to-integrate identity management platforms that allow you to federate identities through cloud identity providers to your existing applications, your SaaS solutions, and cloud services. The following diagram shows an example architecture.

Identity management flow from on-premises systems to AWS services via cloud identity providers.

This architecture follows these recommendations:

  • Select a primary, strategic cloud provider. This architecture uses AWS as the primary cloud provider. By integrating with a cloud identity provider and with the existing identity management and directory services on premises, this architecture supports automated provisioning and management of access both to the primary cloud provider's services and to other applications and SaaS solutions. This helps ensure that security and governance requirements are met in a consistent, easy-to-manage way as more applications and services are added to the institution's technology portfolio.

  • Differentiate between SaaS applications and foundational cloud services. This architecture integrates multiple types of cloud-based, SaaS, and on-premises identity systems to provide access to AWS Cloud services and other applications. Many cloud-based identity provider and single sign-on solutions are themselves SaaS applications, and they can use native integrations and standard protocols, such as SAML 2.0 for authentication and SCIM for user and group provisioning, to work across environments.

  • Establish security and governance requirements for each cloud service provider. This architecture adheres to guidance on identity and access management issued by numerous security frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST SP 800-171, and NIST SP 800-53. Integrations with AWS Organizations, AWS Identity and Access Management (IAM), and other AWS security, identity, and compliance services help provide secure, granular access controls based on group membership in the identity provider.

  • Adopt cloud-native, managed services wherever possible and practical. This architecture uses cloud-based, managed services for identity management and single sign-on. This decreases the time and energy spent on infrastructure management and makes it easier to maintain these critical systems.

  • Implement hybrid architectures when existing, on-premises investments incentivize continued use. This architecture integrates existing, on-premises investments in infrastructure for hosting Active Directory, Lightweight Directory Access Protocol (LDAP), and Shibboleth workloads, and provides a path to eventually move core identity services into cloud-based infrastructure. Additionally, if your on-premises workloads need certificate-based access to AWS resources, you can use AWS Identity and Access Management Roles Anywhere, which exchanges an X.509 certificate issued by your own certificate authority for temporary AWS credentials.
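The recommendations above rely on SAML federation from the institution's identity provider into IAM roles, with access granted by group. The role's trust policy is where that federation is actually pinned down, and it is a common place for drift (an extra provider left trusted, the audience condition dropped, a second non-SAML assumption path added). The following is an added example, not code from the AWS guidance page: a small linter that checks a role trust policy against what the IAM console generates for a SAML provider. The account ID, provider names, and both sample policies are constructed placeholders; in practice you would feed it the AssumeRolePolicyDocument returned by `aws iam get-role`.

```python
"""Lint IAM role trust policies used for SAML federation into AWS.

Added example, not part of the AWS Prescriptive Guidance page. The account
ID, provider names and the two sample policies are constructed placeholders.
"""

# Audience that AWS expects in a SAML assertion presented to its sign-in endpoint.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
SAML_ASSUME = "sts:assumerolewithsaml"

# Constructed: the SAML provider the institution actually federates from.
EXPECTED_PROVIDERS = {"arn:aws:iam::123456789012:saml-provider/CampusIdP"}

# Constructed sample: the shape the IAM console generates for a SAML-federated
# role, trusting one provider and pinning the assertion audience.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/CampusIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

# Constructed sample: drift you would want flagged. A decommissioned vendor
# provider is still trusted, the audience condition is gone, and a second
# statement lets any principal in the account assume the role without SAML.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": [
                "arn:aws:iam::123456789012:saml-provider/CampusIdP",
                "arn:aws:iam::123456789012:saml-provider/OldVendorIdP",
            ]},
            "Action": "sts:AssumeRoleWithSAML",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
        },
    ],
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_saml_trust_policy(policy, allowed_providers):
    """Return a list of findings for a role trust policy (empty means clean).

    For every Allow statement:
      * a wildcard principal is reported outright;
      * a sts:AssumeRoleWithSAML statement must trust only providers in
        allowed_providers and must pin SAML:aud to the AWS sign-in endpoint;
      * any other assumption action (for example sts:AssumeRole) is reported,
        because a federated role should not be quietly assumable another way.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {idx}: wildcard principal")
            continue
        if SAML_ASSUME in actions:
            federated = set(_as_list(principal.get("Federated"))) if isinstance(principal, dict) else set()
            if not federated:
                findings.append(f"statement {idx}: SAML assumption without a Federated principal")
            unexpected = federated - set(allowed_providers)
            if unexpected:
                findings.append(f"statement {idx}: trusts unexpected SAML provider(s) {sorted(unexpected)}")
            # Condition keys are case-insensitive in IAM, so compare lower-cased.
            string_equals = stmt.get("Condition", {}).get("StringEquals", {})
            aud = {k.lower(): v for k, v in string_equals.items()}.get("saml:aud")
            if _as_list(aud) != [AWS_SAML_AUDIENCE]:
                findings.append(f"statement {idx}: SAML:aud not pinned to {AWS_SAML_AUDIENCE}")
        other = actions - {SAML_ASSUME}
        if other:
            findings.append(f"statement {idx}: allows non-SAML assumption via {sorted(other)}")
    return findings


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, lint_saml_trust_policy(policy, EXPECTED_PROVIDERS) or ["clean"])
```

The linter checks only the trust side of the role. Group-to-role mapping still happens in the identity provider (the SAML Role attribute it emits) and the permissions a role grants live in its attached policies, so a clean trust policy is necessary but not sufficient for least privilege.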