The identity and access management (IAM) space is complicated. There are conventional on-prem directory services, cloud-based directory services, open source solutions such as OpenLDAP™, and a range of SSO platforms. The number of combinations and approaches to IAM grows further still when you add Infrastructure-as-a-Service (IaaS) platforms such as AWS®. In this article, we’ll try to simplify the landscape and break down what you should know about AWS, LDAP, and SSO.
The Questions Facing Admins & Engineers
As more IT shops move their infrastructure to AWS and other cloud service providers, some significant identity and access management challenges become clear:
- Should IT admins and DevOps engineers use LDAP?
- How will they help their users achieve SSO (single sign-on) into their AWS cloud infrastructure and servers?
- How can one identity be connected to a variety of different login approaches such as username and password, SSH keys, 2FA/MFA, and more?
All of these are critical questions when considering how to integrate off-prem infrastructure with on-prem infrastructure and with your various users.
A Two-Part Model for Understanding AWS, LDAP, & SSO
In order to understand this problem, it’s probably best to break it up into two significant pieces. One is the back-end IAM infrastructure that connects users to their IT resources; the second is how to make it easy for end users to securely log in to what they need.
The first step – finding the right IAM infrastructure for both AWS and your other IT resources – is a significant challenge. Historically, IT admins have leveraged Active Directory® on-prem, but extending it to AWS can be cumbersome. It is possible to use AWS Directory Service or stand up your own LDAP server, but both of those create other problems, notably that there are now two identity providers, which are challenging to manage and control. Ideally, there would be one IAM solution that cuts across on-prem, remote, and cloud-based resources regardless of platform, provider, and protocol.
The second facet of the problem is