Profile picture
, 10 tweets, 2 min read
My Authors
Read all threads
AWS SSO has a naming problem. It’s going to quickly be the best way to enable access into AWS *using your own Single sign on identity provider for authentication.* Its capability to be an IdP or single sign on provider to other apps is not where its value lies for most people 1/
Today, you need your IdP to understand everything about access into AWS—the mapping of people to accounts and roles, because that information needs to get packaged up in a SAML assertion. Size limits on the SAML assertion make sensible multi-account setups hard. 2/
AWS SSO moves those mappings into AWS. Authentication uses your IdP—you sign into your own single sign on system, but the SAML that gets sent over is just your identity; the access you’re granted is maintained in AWS SSO. 3/
All the things related to you, attributes and groups, are separately sync’d via SCIM from your IdP. And that process is scalable, so we’ve left SAML size limit problems behind. 4/
Inside AWS SSO, with all the identity and membership pushed over from your IdP, you maintain assignments of users and groups to particular permissions on particular accounts. This is AWS-specific information, and it makes sense to me to maintain it here rather than in the IdP 5/
This *isn’t* about changing how you users authenticate with your IdP, nor about changing applications already using your IdP for single sign on. It’s about changing the system that your users use to gain AWS credentials for a better, more easily maintained and integrated one 6/
Besides the management advantages, AWS SSO has an API to authenticate against it (using your IdP) using the OAuth Device Flow. This is how the CLI v2 is able to have `aws sso login` 7/
The same logic, using the AWS SDKs, will enable AWS access, authenticated with your IdP, in any application you want to build. I’m looking forward to enabling access to data in S3 for robotics GUI tools we’ve got written in C++ 8/
People hear “AWS SSO” and understandably think it means changing their whole internal SSO setup, when it’s really not changing much from a user perspective and doesn’t impact the admin side outside of the IdP-AWS connection. 9/
Replacing sts:AssumeRoleWithSAML with AWS SSO has a narrow scope for your org, and is going to enable significantly better management and governance, *and user experience,* without changing your IdP or how you do single sign on in your org 10/10
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Ben Kehoe

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ben11kehoe see all

Profile picture
Ben Kehoe
@ben11kehoe
AWS has been adding a lot of features to use OAuth directly with API Gateway, skipping Cognito Identity Pools and AWS IAM. I think this is regressive. A lot of useful functionality is coming out of it, but we should hope to get that IAM-side instead.
For example, using OAuth, you can define allowed scopes on a given route (resource+method). Now you've got attribute-based access control in your app. Great! Except all the excellent tooling around AWS IAM is no longer available to you.
Or, you can use a Lambda authorizer to create a policy based on the token contents. It's super flexible, you can accomplish complicated authorization scenarios. But now you own the authorization system, including all the security monitoring and operations associated with that.
Read 8 tweets
Profile picture
Ben Kehoe
@ben11kehoe
Extra excited about this now. sso:GetRoleCredentials takes account and role name parameters (weird that it's not a role ARN but whatever). This looks to me like the client is in control of what IAM principal the user will become. This is a good thing! ⏬1/9
A great enabling capability for an org is creating single page apps w/ serverless backends, and now with these APIs in JS those apps can use SSO. One of the difficulties with these apps is that there may be many copies of a given app, for dev or just in many different accts 2/9
You should be able to stand up a copy of an app, go to its front page, and log in with SSO. But most SSO flows assume well-known URLs that you give to the SSO system. But with these AWS SSO APIs/Device Flow, that's no longer a problem. 3/9
Read 10 tweets
Profile picture
Ben Kehoe
@ben11kehoe
The future of #serverless is not stateful compute. It's computeful state.
Instead of trying to shoehorn statefulness into our current stateless compute models, we should be thinking about how to bring our code closer to our data. Lambda with EBS attached is bad. Paradigms more like handing code directly to S3 to run on all your objects.
People saying “this is just stored procedures” are like the people saying “Lambda is just cgi-bin”. Sure, superficially they’ve got the same model, but the details result in very different characteristics.
Read 3 tweets

Related threads

Profile picture
Colby Serpa💡
@ColbySerpa
My complicated writings that require extensive decoding might mean I don’t understand those ideas well enough to communicate them in a simple way yet.

“Writing is the fastest way to understand you didn’t understand.” ~@orangebook_
Unconscious competence = Muscle memory for ideas ImageImage
Image
Read 18 tweets
Profile picture
anton
@atroyn
in state estimation problems you get to pick from one of two approaches, filtering or optimization. if x is your state and z are your measurements,

filtering states the problem as :

find p(x | z_{1:t}) i.e. a distribution over states given all observations so far
optimization states it as;

argmin_x (E(x, z_{1:t}) i.e. a state such that some energy E is minimized
filtering has the advantage that the distribution you get also encodes uncertainty about your estimate, which is useful

you can do something analogous by perturbing your argmin_x (gonna call it x* now) which tells you how sensitive your minima is in various dimensions
Read 12 tweets
Profile picture
Hilary Times. Best for GB+NI. Not the ERG
@atatimelikethis
Remainers, #FBPE, Bregretters. WE NEED HELP. PLEASE RT

I'm going to tell a story that is disturbing to YOUR world view

It is sufficiently annoying that some may prefer to block than read. I beg you to hear me out

We do not have very long.
YOU are being used to enable Brexit
3 years ago, even if you disagree, the EURef was won by 17.4m people. Some say it was unclear.

BULL SHIT
The promise was UNAMBIGUOUS

Take back control of our laws, money and borders. Same trade.

Now, deal or no deal, gives us all FAR LESS control of all 3 and trade Hell.
I'll take a risk. Understand this is a METAPHOR not a Recommendation, I don't wish you to unfollow. If you get it, please help those who don't
🙏OMM🙏

Today is #StopTheCoup but in a different world REMAINERS are on the streets demanding LEAVE VOTERS get what they were promised
Read 31 tweets
Profile picture
taylor kenkel
@TreeGeeKay
hi! digitization/IR librarian/archivist types! how have you dealt with arbitrary take down "request" (more like order) that go against best practice from uni admin? as in something like "all existence must be erased from the IR because we say so" & the reason is... not copyright.
i am keeping this extremely vague in public b/c i don't want to be identified publicly for raising a fuss b/c i don't want to be out of a job but this is really messing with me because the decision is... it's not even a best practice thing, it's... morally and ethically wrong.
this is really messing with me. i'm not the only one here mad/upset but we have no recourse here or room to protest, it's coming directly from the uni's president.
Read 92 tweets
Profile picture
blmohr
@blmohr
1/ [Thread]
Russian investors, Facebook Connect and Groupon’s sprint to a $1 billion valuation
2/ Two years ago, Russian oligarch Leonid Boguslavsky and Michael Angelakis invested $250 million in Groupon. Angelakis is the Chairman of the Board at the Federal Reserve Bank of Philadelphia and the former CFO of Comcast.
bit.ly/2M2qY6d
3/ That same month, Groupon sold its Groupon Russian subsidiary to Boguslavsky “without receiving any proceeds” from the sale.
bit.ly/2wz7K3c
Read 82 tweets
Profile picture
Linda Tirado
@KillerMartinis
OK today feels like a good day to reboot a thread I do sometimes called Let's Decide If We Can Say Fascism Yet

Today's version comes to you courtesy of Dr. Lawrence Britt's work!
So a fun thing about the last couple years is that there's been folk looking around kind of nervously saying "um, guys, this is kind of worrisome, that's a lot of pre-fascism happening" and other people have swooped in like Olympic runners to say "THE F WORD IS IRRESPONSIBLE!"
So let's check in on Democracy and Freedom now and see if it's time to say fascism yet!
Read 38 tweets

Trending hashtags

#regulation #MeToo #allLeaversnow #IDP #CloudComputing #devops #AWS #Nigeria #WAF #ML #ebs #Identity #Coding #aws #docker #Softcom #WorldBreastfeedingWeek #EMR #cloudcomputing #aspnet #security #Rails #enable #Education #Serverless

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!