Move over, Alien vs. Predator: Signing into AWS with an Office 365 login is a real crossover
AWS SSO? AWS IAM? AWS Cognito? All is explained
re:Invent Just ahead of its big Las Vegas re:Invent knees-up, Amazon Web Services (AWS) has extended its Single Sign-on service to support Azure Active Directory – as used by Microsoft's Office 365.
"Today we announced the next evolution of AWS Single Sign-On, enabling enterprises that use Azure AD to leverage their existing identity store with AWS Single Sign-On," said the cloud giant. "Additionally, automatic synchronization of user identities, and groups, from Azure AD is also supported."
AWS Single Sign-on (SSO) was launched in December 2017 and mainly aimed at organisations using Microsoft Active Directory (AD) on-premises. You can manage users and groups in AD and via AWS SSO to assign them permissions to AWS resources. Using SAML (Security Assertion Markup Language) 2.0, you can also use that same login to access other cloud applications, including Atlassian, Box, Dropbox, GitHub, G Suite, Office 365 and Salesforce.
So if AWS SSO supported Office 365 at launch, what is new? The difference is that you can now use Azure AD as the directory that syncs with AWS SSO. This opens up AWS SSO to many small businesses who use Office 365 but do not have an on-premises AD – though there has always been an option to use the AWS Managed AD service at extra cost, or to use AWS SSO as a standalone directory.
The role of Azure AD for Microsoft customers has gradually increased. At one time it was just a directory behind the scenes of Office 365 that many users were hardly aware of. Windows 10 added the ability to join a PC to Azure AD, so that you sign in with the same credentials. Larger businesses that need to retain on-premises AD use Azure AD Connect to synchronise AD with Azure AD.
Azure AD is also at the heart of Microsoft's drive towards multi-factor authentication and advanced security. There are now three Azure AD editions: Free, Premium P1 and Premium P2, with the premium versions adding features like conditional access (based on group, location and device status) and identity protection.
Organisations currently using Microsoft AD as the directory for AWS SSO who now want to move to Azure AD may find the switch painful. "Whether you switch from Azure AD to Microsoft AD, or from Microsoft AD to Azure AD, the conversion deletes all users, groups, and assignments (entitlements) in AWS SSO. No user or group information is affected in either Azure AD or Microsoft AD," state the docs.
Identity management is a confusing topic. One of the odd things about AWS SSO is that you cannot use it with AWS IAM (Identity and Access Management) as the identity provider, though you can assign AWS SSO users IAM roles.
"I am on the Amazon Cognito team. Amazon Cognito is our identity management solution for customers/developers building B2C or B2B apps for their customers — so a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory. We plan to integrate Cognito User Pools and AWS SSO as part of our roadmap."
AWS is in competition with Microsoft's cloud, though unlike Google, which has G Suite, AWS lacks a comprehensive cloud-based productivity platform. This means it has many customers using Office 365 for email and productivity, and AWS for infrastructure and application services. The ability to make Azure AD the primary identity provider will be helpful for these customers as it removes the dependence on old-style AD. ®