Identity federation sample application for an Active Directory use case

Identity federation sample application for an Active Directory use case

This sample is intended for developers who want to learn how to use the identity federation capabilities of AWS Identity and Access Management (IAM). It illustrates how to issue temporary security credentials for accessing Amazon S3 files/buckets, using permissions that are tied to an Active Directory user.

(Please refer to the Readme.html file included within the documentation of this package for detailed setup instructions.)

Prerequisites

To be able to run the sample code you need the following:

• Administrative access to an IIS server that is joined to an Active Directory domain. We have tested the application using Microsoft IIS version 7.5.
• A computer which is joined to the same Active Directory domain.
• A domain user account which can be used to run the command line interface (CLI) part of this sample application.
• A copy of the latest version of AWS SDK for .NET
• You must be signed up for Amazon S3 and have access to an Amazon S3 bucket with at least one file in it.
• Windows Communication Foundation should be registered on the running the IIS server. You can refer to MSDN to ensure this.

What does this sample do?

The sample package includes the following components:

SampleFederationProxy

This is a Microsoft Internet Information Services (IIS) hosted server-side application that issues temporary security credentials for accessing AWS APIs. The application administrator can configure permissions to control which Amazon S3 resources an Active Directory user can access, using fine-grained rules. The web service implements a GetToken interface that is called from the SampleConsoleApp/CLI. The sample implementation performs the following illustrative steps:

1. It determines the Windows user name from the web request.
2. It retrieves the AWS credentials (AWSAccesskey, AWSSecretkey) from the Web.config to authenticate itself.
3. It retrieves the Access Policy for the authenticated user from the user-to-policy mappings stored in the Web.config file.
   
4. It requests temporary security credentials by calling the AWS API GetFederationTokenRequest with a valid name (in our example of the form user@domain), an expiration time set to 8 hours and the policy retrieved in step 3.
   
   

   
   # Code snippet
       GetFederationTokenRequest request = new GetFederationTokenRequest
                   {
                   DurationSeconds = 3600 * 8,
                   Name = awsUsername
                   Policy = policy
                   };
   
   

5. The temporary security credential is returned as a JSON-serialized response which contains:
• AccessKeyID - the access key identifier for the temporary credentials.
• SecretAccessKey - the key used to sign requests.
• SessionToken - the security token.

# Code snippet
    GetFederationTokenResponse startSessionResponse = null;
    startSessionResponse.client.GetFederationToken(request);
    
    // Check the result returned i.e. Valid security credentials or null?
    if(startSessionResponse!= null)
    {
        GetFederationTokenResult startSessionResult = startSessionResponse.GetFederationTokenResult;
        sessionCredentials = startSessionResult.Credentials
        
        // Store all the returned keys and token to TemporarySecurityCreds
        temporaryCreds.AccessKeyId = sessionCredentials.AccessKeyId
        temporaryCreds.SecretAccessKey = sessionCredentials.SecretAccessKey
        temporaryCreds.Expiration = sessionCredentials.Expiration 
        temporaryCreds.Token = sessionCredentials.SessionToken
    }

This response is then returned to the SampleConsoleApp/CLI.

SampleConsoleApp

This is a CLI to be run by an Active Directory user. It interacts with the SampleFederationProxy to obtain temporary security credentials and uses them to access an Amazon S3 bucket. The sample implementation performs the following illustrative steps:

1. It posts a web request to the GetToken service provided by the SampleFederationProxy.
2. It uses Integrated Windows Authentication to enable the web proxy to authenticate and authorize the caller.
3. The SampleFederationProxy responds with a valid temporary security credential.
4. These credentials are used to access Amazon S3 files/buckets.
   
   

   
   # Code Snippet
   # Listing Amazon S3 bucket content using the returned temporary redentials
   
       // Add credentials to create a S3 client 
       SessionAWSCredentials sessionCredentials = new SessionAWSCredentials(
                                                   temporaryCreds.AccessKeyId,
                                                   temporaryCreds.SecretAccessKey,
                                                   temporaryCreds.Token);
   
       s3Client = new AmazonS3Client(sessionCredentials);
       ListObjectsRequest request = new ListObjectsRequest();
       request.BucketName = bucketName;
       ListObjectsResponse s3Response = s3Client.ListObjects(request);
   
   

Seeing the application in action

Login as the domain user to the computer that is joined to your Active Directory domain and run the SampleConsoleApp CLI.

Once the security credentials are successfully received, you can use the simple menu provided by the SampleConsoleApp to access Amazon S3 files/buckets.