学习目标
- 理解联合身份的概念和架构
- 配置SAML 2.0身份联合
- 实施OpenID Connect (OIDC) 集成
- 掌握AWS IAM Identity Center(原AWS SSO)配置
- 建立企业级单点登录解决方案
联合身份架构图
9.1 联合身份基础
9.1.1 联合身份概念和架构
import boto3
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
import base64
import urllib.parse
def understand_identity_federation():
    """Print and return a catalogue of identity-federation concepts.

    Returns:
        A ``(federation_concepts, trust_model)`` tuple of plain dicts: the first
        describes what federation is and the three federation flavours (SAML,
        OIDC, web identity), the second lists the trust-establishment steps and
        security considerations. Every string is user-facing reference text
        and is emitted verbatim to stdout.
    """

    def flavour(description, use_cases, workflow):
        # Shape shared by all three federation types.
        return {
            "description": description,
            "use_cases": use_cases,
            "workflow": workflow,
        }

    core = {
        "definition": "联合身份允许外部身份提供商的用户访问AWS资源,无需在AWS中创建IAM用户",
        "benefits": [
            "单点登录体验",
            "集中的身份管理",
            "减少密码管理复杂性",
            "支持企业级身份提供商",
            "临时凭证提高安全性",
        ],
        "key_components": [
            "身份提供商 (IdP)",
            "服务提供商 (SP) - AWS",
            "身份断言",
            "信任关系",
            "角色映射",
        ],
    }

    saml = flavour(
        "基于SAML 2.0协议的企业级联合",
        ["企业Active Directory", "ADFS", "第三方IdP"],
        [
            "用户在企业IdP认证",
            "IdP生成SAML断言",
            "用户重定向到AWS SAML端点",
            "AWS验证断言并提供临时凭证",
            "用户使用临时凭证访问AWS资源",
        ],
    )
    oidc = flavour(
        "基于OpenID Connect的Web身份联合",
        ["移动应用", "Web应用", "第三方登录"],
        [
            "用户通过OIDC提供商认证",
            "获取身份令牌",
            "使用令牌调用AWS STS",
            "获取临时AWS凭证",
            "访问AWS资源",
        ],
    )
    # Web identity is the same STS path as OIDC (AssumeRoleWithWebIdentity);
    # the split here is by audience (consumer/mobile IdPs), not by protocol.
    web_identity = flavour(
        "直接与Web身份提供商集成",
        ["Amazon Cognito", "Google", "Facebook登录"],
        [
            "用户通过Web IdP登录",
            "获取身份令牌",
            "直接使用AssumeRoleWithWebIdentity",
            "获取AWS临时凭证",
        ],
    )

    federation_concepts = {
        "identity_federation": core,
        "federation_types": {
            "saml_federation": saml,
            "oidc_federation": oidc,
            "web_identity_federation": web_identity,
        },
    }

    # Trust model: what has to exist on the AWS side before a federated
    # principal can assume a role, plus the controls that keep it safe.
    trust_model = {
        "trust_establishment": {
            "identity_provider_setup": "在AWS中配置身份提供商",
            "trust_policy_creation": "创建信任策略允许IdP代入角色",
            "attribute_mapping": "映射IdP属性到AWS角色",
            "condition_validation": "验证联合条件和约束",
        },
        # NOTE(review): "rotate encryption keys" in practice means the IdP
        # signing certificate AWS verifies assertions/tokens against; the IAM
        # provider must be updated when the IdP rotates it. Text kept as-is.
        "security_considerations": [
            "验证SAML断言的完整性和真实性",
            "使用适当的条件限制角色访问",
            "定期轮换加密密钥",
            "监控和审计联合访问",
            "实施最小权限原则",
        ],
    }

    def bullets(items):
        for item in items:
            print(f" • {item}")

    print("📋 联合身份概念:")
    print(f"定义: {core['definition']}")
    print("\n优势:")
    bullets(core["benefits"])
    print("\n关键组件:")
    bullets(core["key_components"])

    print("\n📋 联合类型:")
    for key, info in federation_concepts["federation_types"].items():
        heading = key.replace("_", " ").title()
        print(f"\n{heading}:")
        print(f" 描述: {info['description']}")
        print(f" 用例: {', '.join(info['use_cases'])}")

    return federation_concepts, trust_model
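class IdentityFederationManager:
    """Register external identity providers (SAML 2.0 / OIDC) in IAM.

    Both ``create_*`` methods print a status line and return the new provider
    ARN, or ``None`` when the call fails — the error is printed, not raised —
    so callers must check for ``None`` before wiring the ARN into a role trust
    policy. Registering a provider only establishes *who* AWS will trust; the
    role trust policy (audience / ``sub`` / SAML attribute conditions) is what
    limits *which* federated identities can assume a role.
    """

    def __init__(self, session=None):
        """Create the IAM and STS clients.

        Args:
            session: optional ``boto3.Session``-like object exposing
                ``client(name)``. Defaults to the process-wide boto3 default
                session (ambient credentials and region). Passing a session
                lets the manager run under an assumed-role session or a stub.
        """
        make_client = session.client if session is not None else boto3.client
        self.iam = make_client('iam')
        self.sts = make_client('sts')

    def create_saml_identity_provider(self, provider_name, metadata_document):
        """Register a SAML 2.0 IdP in IAM from its metadata XML.

        Args:
            provider_name: IAM SAML provider name (becomes the ARN suffix).
            metadata_document: the IdP's SAML metadata XML, as a string. It
                carries the IdP's assertion-signing certificate, which is what
                AWS later verifies SAML assertions against — fetch it over TLS
                or out of band from the IdP, and re-upload it
                (``update_saml_provider``) when the IdP rotates that
                certificate, or federation silently breaks.

        Returns:
            The SAML provider ARN, or ``None`` if validation or the IAM call
            failed (the reason is printed).
        """
        try:
            # Fail fast with a clear message instead of an opaque IAM error.
            if not isinstance(metadata_document, str) or not metadata_document.strip():
                raise ValueError("metadata_document must be a non-empty SAML metadata XML string")
            response = self.iam.create_saml_provider(
                SAMLMetadataDocument=metadata_document,
                Name=provider_name,
                Tags=[
                    {'Key': 'Type', 'Value': 'SAML'},
                    {'Key': 'Purpose', 'Value': 'Federation'},
                    # Local date, not UTC — kept for tag-value compatibility.
                    {'Key': 'CreatedDate', 'Value': datetime.now().strftime('%Y-%m-%d')},
                ],
            )
            provider_arn = response['SAMLProviderArn']
            print(f"✅ SAML身份提供商创建成功: {provider_arn}")
            return provider_arn
        except Exception as e:  # best-effort boundary: report and return None, as callers expect
            print(f"❌ 创建SAML身份提供商失败: {str(e)}")
            return None

    def create_oidc_identity_provider(self, provider_url, client_ids, thumbprints):
        """Register an OpenID Connect IdP in IAM.

        Args:
            provider_url: the IdP issuer URL; must start with ``https://``
                (IAM rejects anything else, and the discovery document is
                fetched from it).
            client_ids: the audience (``aud``) values AWS will accept in ID
                tokens from this IdP. Keep this list tight — an over-broad or
                wildcard audience lets tokens minted for other relying parties
                be exchanged for AWS credentials. Role trust policies should
                additionally pin ``<issuer>:aud`` and ``<issuer>:sub``.
            thumbprints: SHA-1 thumbprints (40 hex chars each) of the IdP's
                TLS certificate chain, up to five. May be empty, in which case
                IAM derives one itself. IAM now also keeps its own trust store
                for common IdPs, but a stored thumbprint is still pinned and
                must be refreshed if the IdP's CA changes.

        Returns:
            The OIDC provider ARN, or ``None`` if validation or the IAM call
            failed (the reason is printed).
        """
        try:
            if not isinstance(provider_url, str) or not provider_url.startswith("https://"):
                raise ValueError("provider_url must be an https:// issuer URL")
            for thumbprint in thumbprints:
                # bytes.fromhex rejects non-hex input; the length check pins
                # the SHA-1 size IAM expects.
                if len(thumbprint) != 40 or len(bytes.fromhex(thumbprint)) != 20:
                    raise ValueError(f"invalid certificate thumbprint: {thumbprint!r}")
            response = self.iam.create_open_id_connect_provider(
                Url=provider_url,
                ClientIDList=client_ids,
                ThumbprintList=thumbprints,
                Tags=[
                    {'Key': 'Type', 'Value': 'OIDC'},
                    {'Key': 'Purpose', 'Value': 'WebIdentityFederation'},
                ],
            )
            provider_arn = response['OpenIDConnectProviderArn']
            print(f"✅ OIDC身份提供商创建成功: {provider_arn}")
            return provider_arn
        except Exception as e:  # best-effort boundary: report and return None, as callers expect
            print(f"❌ 创建OIDC身份提供商失败: {str(e)}")
            return None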
# Demo: dump the concept catalogue, instantiate the manager (this creates real
# boto3 clients, so ambient AWS credentials/region must be configured), then
# list the steps needed to establish trust with an IdP.
federation_concepts, trust_model = understand_identity_federation()
federation_manager = IdentityFederationManager()

print("\n📋 信任模型组件:")
for step_key, step_text in trust_model['trust_establishment'].items():
    step_label = step_key.replace('_', ' ').title()
    print(f" {step_label}: {step_text}")
