The identity and access management (IAM) space is complicated. There are conventional on-prem directory services, cloud-based directory services, open source solutions like OpenLDAP™, and a cadre of SSO platforms. The number of combinations and approaches to IAM explodes still further when you add in the complexity of Infrastructure-as-a-Service (IaaS) platforms such as AWS®. In this article, we’ll try to simplify the landscape and break down what you should know about AWS, LDAP, and SSO.
The Questions Facing Admins & Engineers
As more IT shops move their infrastructure to AWS and other cloud service providers, it is clear that there are some significant challenges related to identity and access management:
- Should IT admins and DevOps engineers use LDAP?
- How will they help their users achieve SSO (single sign-on) into their AWS cloud infrastructure and servers?
- How can one identity be connected to a variety of different login approaches such as username and password, SSH keys, 2FA/MFA, and more?
All of these are critical questions when considering how to integrate off-prem infrastructure with on-prem and your various users.
A Two-Part Model for Understanding AWS, LDAP, & SSO
To understand this problem, it’s best to break it into two significant pieces. The first is the back-end IAM infrastructure that connects users to their IT resources; the second is how to make it easy for end users to securely log in to what they need.
The first step, finding the right IAM infrastructure for both AWS and your IT resources, is a significant challenge. Historically, IT admins have leveraged Active Directory® on-prem, but extending that to AWS can be cumbersome. It is possible to use AWS Directory Services or stand up your own LDAP server, but both of those create other problems, notably that there are now two identity providers, which are challenging to manage and control. Ideally, there would be one IAM solution that cuts across on-prem, remote, and cloud-based resources regardless of platform, provider, and protocol.
The second facet of the problem is making it easy for end users. That means creating a seamless way for end users to log in to whatever they need, a True Single Sign-On™ of sorts. Whether that is logging in to AWS Linux servers via SSH key, the AWS IAM console via SAML, database servers via LDAP, Windows® or macOS® desktops and laptops, web and on-prem applications, file servers, WiFi, and more, end users would leverage the same identity to connect. This approach reduces friction and frustration on the part of the user, while giving IT and DevOps increased control and security.
What Else You Should Know
The good news is that there is a comprehensive approach to both issues: providing centralized back-end IAM infrastructure while enabling easy, frictionless access for end users. The solution is our own Directory-as-a-Service®. It tightly connects to AWS and other cloud services, leverages protocols such as LDAP, RADIUS, SAML, and more, and provides True Single Sign-On for users.
To learn more about how JumpCloud can consolidate management of your apps and infrastructure via LDAP, SAML-based SSO, and integration with AWS, watch the video above or request a demo of our offering. We also have a robust Knowledge Base where you can read more about how to configure AWS SSO and how to use JumpCloud’s LDAP-as-a-Service.
If you’re a hands-on learner, consider signing up for a JumpCloud account. It’s free for the first ten users, and you can have your hands on the full product in minutes.