
Valid IAM Identity Providers

Security

Risk level: Medium (should be achieved)

Ensure that the IAM Identity Providers (IdPs) used within your AWS account are valid, so that you can securely manage user identities outside of AWS and grant those external identities permissions to use the AWS resources in your account. This is useful if your organization has its own identity system, or if you develop mobile applications that require access to your AWS resources, because you do not have to distribute or embed long-term security credentials such as IAM access keys. Before this conformity rule is run by the Cloud Conformity engine, you need to specify the approved Identity Provider endpoint(s) within the rule configuration settings so that the URLs can be used for validation.

This rule resolution is part of the Cloud Conformity Security Package

Using valid Identity Providers (IdPs) helps keep your AWS account secure: you do not have to embed and distribute security credentials such as IAM access keys with your application; instead, your application users sign in through a well-known Identity Provider that securely manages the user identities for you.

Audit

To determine if the Identity Providers (IdPs) used within your AWS account are valid, perform the following actions:
For SAML Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Identity Providers.

04 Click on the IAM Identity Provider that you want to examine.

05 On the IAM user Summary page, click Download metadata button to download the XML metadata document that includes information about the selected Identity Provider.

06 Open the document downloaded at the previous step in your preferred XML editor and locate the IdP endpoint URL listed as value for the Location attribute within the <SingleSignOnService /> XML element (e.g. Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185").

07 Sign in to your Cloud Conformity console, access the conformity rule settings and compare the IdP endpoint returned at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Cloud Conformity console, the selected AWS IAM Identity Provider is not valid.

08 Repeat steps no. 4 – 7 to verify the other IAM Identity Providers available within your AWS account.

Using AWS CLI

01 Run list-saml-providers command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of all SAML Identity Providers currently available in your AWS account:

aws iam list-saml-providers \
	--query 'SAMLProviderList[*].Arn'

02 The command output should return an array with the requested ARN(s):

[
   "arn:aws:iam::123456789012:saml-provider/one-login-identity-provider"
]

03 Run get-saml-provider command (OSX/Linux/UNIX) using the IdP ARN returned at the previous step to retrieve the Identity Provider metadata document that was uploaded when the IAM SAML IdP resource was created or last updated:

aws iam get-saml-provider \
	--saml-provider-arn arn:aws:iam::123456789012:saml-provider/one-login-identity-provider \
	--query 'SAMLMetadataDocument'

04 The command output should return the requested XML metadata document:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/994185">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> ... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/slo/994185"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompany.onelogin.com/trust/saml2/http-post/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycompany.onelogin.com/trust/saml2/soap/sso/994185"/>
  </IDPSSODescriptor>
</EntityDescriptor>


05 Analyze the XML document returned at the previous step and find the Identity Provider endpoint URL listed as value for the Location attribute within the <SingleSignOnService /> XML element (e.g. Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185").

06 Sign in to your Cloud Conformity console, access the conformity rule settings and compare the IdP endpoint returned at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Cloud Conformity console, the selected AWS IAM Identity Provider is not valid.

07 Repeat steps no. 3 – 6 to verify the other IAM Identity Providers (IdPs) available within your AWS account.

For OpenID Connect (OIDC) Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Identity Providers.

04 Click on the IAM Identity Provider that you want to examine.

05 On the IAM user Summary page, locate the IdP endpoint URL listed as value for the Provider URL attribute (e.g. mycompany-ebb5e.firebaseapp.com).

06 Sign in to your Cloud Conformity console, access the conformity rule settings and compare the IdP endpoint returned at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Cloud Conformity console, the selected AWS IAM Identity Provider is not valid.

07 Repeat steps no. 4 – 6 to verify the other IAM Identity Providers available within your AWS account.

Using AWS CLI

01 Run list-open-id-connect-providers command (OSX/Linux/UNIX) using custom query filters to list the Amazon Resource Names (ARNs) of all OIDC Identity Providers currently available in your AWS account:

aws iam list-open-id-connect-providers \
	--query 'OpenIDConnectProviderList[*].Arn'

02 The command output should return an array with the requested ARN(s):

[
 "arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com"
]

03 Run get-open-id-connect-provider command (OSX/Linux/UNIX) using the IdP ARN returned at the previous step as identifier to expose the OIDC Identity Provider endpoint URL:

aws iam get-open-id-connect-provider \
	--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com \
	--query 'Url'

04 The command output should return the requested provider endpoint URL:

"mycompany-ebb5e.firebaseapp.com"

05 Sign in to your Cloud Conformity console, access the conformity rule settings and compare the IdP endpoint URL returned at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Cloud Conformity console, the selected AWS IAM Identity Provider is not valid.

06 Repeat steps no. 3 – 5 to verify the other IAM Identity Providers (IdPs) available within your AWS account.
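The comparison performed in the SAML and OIDC audit steps above, as an added example that is not part of the Cloud Conformity page or engine: it extracts every SingleSignOnService Location from a get-saml-provider metadata document, takes the get-open-id-connect-provider URL as-is, and reports any endpoint missing from an allowlist. The allowlist, the sample metadata and the unapproved endpoint are constructed here; note that the OIDC CLI output omits the scheme while the approved URL carries https://, so hosts are normalized before comparing.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Hypothetical allowlist standing in for the endpoints configured in the rule settings.
APPROVED_ENDPOINTS = {
    "https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185",
    "https://mycompany.onelogin.com/trust/saml2/http-post/sso/994185",
    "https://mycompany-ebb5e.firebaseapp.com",
}


def normalize(url: str) -> str:
    """Lower-case scheme and host and drop a trailing slash; a bare host (as returned
    by `aws iam get-open-id-connect-provider --query Url`) is treated as https."""
    if "://" not in url:
        url = "https://" + url
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def saml_sso_endpoints(metadata_xml: str) -> list[str]:
    """Return every SingleSignOnService Location in an IdP SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location", "") for el in root.iter(f"{{{MD_NS}}}SingleSignOnService")]


def invalid_endpoints(endpoints, approved=APPROVED_ENDPOINTS) -> list[str]:
    """Endpoints absent from the allowlist; an empty result means the IdP is valid."""
    ok = {normalize(u) for u in approved}
    return [u for u in endpoints if normalize(u) not in ok]


# Constructed metadata: one approved endpoint and one endpoint that is not configured.
SAMPLE_SAML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="x">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://old-idp.example/trust/saml2/soap/sso/994185"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("SAML endpoints not approved:", invalid_endpoints(saml_sso_endpoints(SAMPLE_SAML)))
    print("OIDC endpoints not approved:", invalid_endpoints(["mycompany-ebb5e.firebaseapp.com"]))
```

Any non-empty result marks the corresponding IdP as not valid under this rule; feed the script the real `SAMLMetadataDocument` and `Url` values from the CLI steps above to check a live account.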

Remediation / Resolution

To replace an invalid Identity Provider (IdP) available within your AWS account, perform the following:
For SAML Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Identity Providers.

04 Click on the Identity Provider that you want to replace (see Audit section part I to identify the right IAM resource).

05 On the IAM user Summary page, click Upload metadata button to upload the new (valid) XML metadata document taken from your third-party Identity Provider (e.g. OneLogin, SecureAuth, Shibboleth, etc.). Uploading a valid SAML metadata document creates a new SAML Identity Provider configuration, replacing the invalid IdP with a valid one.

06 On the Upload Provider Metadata page, click Choose file and select the XML metadata document downloaded from your third-party provider.

07 Click Upload to replace the existing IdP metadata document. Once uploaded, the invalid Identity Provider is replaced.

08 Repeat steps no. 4 – 7 to replace any other invalid Identity Providers (IdPs) currently available in your AWS account.

Using AWS CLI

01 Run update-saml-provider command (OSX/Linux/UNIX) using the ARN of the Identity Provider that you want to replace as identifier (see Audit section part II to identify the right resource) and the XML metadata document taken from your third-party Identity Provider (e.g. OneLogin, SecureAuth, Shibboleth, etc.) to update the selected Identity Provider configuration, i.e. to replace it with a valid one. The following command example updates the configuration of the IdP identified by the ARN "arn:aws:iam::123456789012:saml-provider/one-login-identity-provider" using the metadata document "3rdparty_idp_metadata.xml" downloaded from the third-party SAML provider:

aws iam update-saml-provider \
	--saml-provider-arn arn:aws:iam::123456789012:saml-provider/one-login-identity-provider \
	--saml-metadata-document file://3rdparty_idp_metadata.xml

02 The command output should return the ARN of the replaced Identity Provider (IdP).

[
   "arn:aws:iam::123456789012:saml-provider/one-login-identity-provider"
]

03 Repeat step no. 1 and 2 to replace any other invalid Identity Providers currently available in your AWS account.

For OpenID Connect (OIDC) Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Identity Providers.

04 Click on the Identity Provider that you want to replace (see Audit section part I to identify the right resource).

05 Click Delete Providers button from the dashboard top menu to remove the selected invalid Identity Provider.

06 In the Delete Provider dialog box, click Delete to confirm your action.

07 Before you create an OIDC Identity Provider in AWS IAM, you must register your application with your third-party IdP to receive a client ID (also known as audience), which is a unique identifier for your application and issued to you when you register your application with the IdP.

08 Now click Create Provider button from the dashboard top menu to create a new valid IdP.

09 On the Configure Provider page, select OpenID Connect from the Provider type dropdown list.

10 In the Provider URL box, enter the endpoint URL of your OpenID Connect (OIDC) Identity Provider. The URL is case-sensitive and must begin with https://.

11 In the Audience box, enter the client ID of the application that you registered with your IdP.

12 Click Next Step to continue the setup process.

13 On the Verify page, use the Thumbprint to verify the server certificate of your OIDC Identity Provider. To obtain the Thumbprint for an OpenID Connect Identity Provider use this AWS guide.

14 Within the confirmation message box, click Do this now to go to the Roles tab in order to create a role for the newly created Identity Provider. To skip this step and create the role later, click Close.

15 Repeat steps no. 4 – 14 to replace any other invalid OpenID Connect (OIDC) Identity Providers currently available in your AWS account.

Using AWS CLI

01 First, run delete-open-id-connect-provider command (OSX/Linux/UNIX) using the ARN of the invalid OIDC Identity Provider as identifier (see Audit section part II to identify the right resource), to remove it from your AWS account (the command does not return an output):

aws iam delete-open-id-connect-provider \
	--open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/makewebfast-ebb5e.firebaseapp.com

02 Before you create an OIDC Identity Provider in IAM using AWS CLI, you must register your application with your IdP. Registration gives you a Client ID (also known as audience), a unique identifier for your application, and a Provider URL, where authentication requests are sent. Once you have the Client ID and the Provider URL, you must obtain the Thumbprint for your OIDC Identity Provider by following the procedure described here.

03 Run create-open-id-connect-provider command (OSX/Linux/UNIX) using the OIDC IdP configuration information compiled at the previous step to create a new and valid OIDC Identity Provider. The following command example creates an OpenID Connect IdP with the Client ID set to "mycompany-ebb5e", the Provider URL set to https://mycompany-ebb5e.firebaseapp.com and the Thumbprint set to "6DF29A3B788E0C9A33F43974EB5CBCGD1841B42DMUS1":

aws iam create-open-id-connect-provider \
	--url "https://mycompany-ebb5e.firebaseapp.com" \
	--client-id-list "mycompany-ebb5e" \
	--thumbprint-list "6DF29A3B788E0C9A33F43974EB5CBCGD1841B42DMUS1"

04 The command output should return the ARN of the valid Identity Provider (IdP).

{
  "OpenIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com"
}

05 Repeat steps no. 1 – 4 to replace any other invalid OIDC Identity Providers currently available in your AWS account.


Publication date Jul 12, 2017