Member, February 10, 2024 at 12:31 am
“Category: CSAP – Design Solutions for Organizational Complexity
A large software company has an on-premises LDAP server and a web application hosted on its VPC in AWS. The solutions architect has established an IPSec VPN connection between the AWS VPC and the company’s on-premises network. The company wants to enable employees to access the web application and other AWS resources using the same corporate account used inside the company network.
Which of the following actions should the solutions architect implement to achieve the company requirements? (SELECT TWO.)”
There are two problems here as I see it.
1) The proper solution would require creation of a custom broker that would be deployed on-premises. The custom broker would authenticate the user logging into the on-premises portal against on-premises LDAP, call STS to get temporary credentials and then, supplying the temporary credentials, redirect the call to invoke the web application URL deployed in the VPC. Yet, both “correct” answers imply that the web application deployed in the VPC would call the custom broker, which seems to be wrong. Now, I could understand if insufficient conditions were listed, or none of the answers were applicable, requiring a user to open a communication session with an examiner to clarify it (as I understand is a possibility on this exam). But providing completely wrong answers on purpose – that doesn’t make it a trick question, it just would subvert the user by teaching him false knowledge.
2) The diagram for this question shows a SAML 2.0 compatible solution instead of a custom broker solution which is the case here. Was this done on purpose to make it a trick question?
I understand that showing the correct diagram would give away the answer, but if you didn’t supply the incorrect diagram, it would be easier to zero in on the correct solution.
If so, is such trickery representative of what one can expect on the actual exam?
Please clarify both points. Thank you.
- This discussion was modified 2 weeks, 6 days ago by VitalyKr.
Administrator, February 14, 2024 at 6:55 pm
Thank you for your feedback.
The options provided in the question are indeed based on different ways to implement identity federation between on-premises systems and AWS. The correct options describe scenarios where a broker service, either the web application itself or a separate identity broker, is used to authenticate against the on-premises LDAP server and then call AWS STS to get temporary credentials. These are valid scenarios, but I understand that the wording might have caused some confusion.
Regarding the diagram, it was not intended to be misleading or to make the question a trick one. The diagram provided is a broad representation of identity federation implementations, encompassing both SAML and non-SAML solutions. It’s designed to illustrate the general process rather than match every specific scenario.
We value your input and will make the necessary updates to improve the clarity of the question and its options. These changes should be reflected on the portal as soon as possible. Thank you again for helping us improve our service.
Member, February 20, 2024 at 3:09 am
I appreciate your answer, but I still find it hard to visualize the actual flow in the light of everything I’ve read on custom broker identity federation. Could you please help me to see where I am erring?
The web application is deployed in VPC rather than on-premises and you are suggesting that the web application will be calling on-premises custom identity broker, which seems like an architectural antipattern for multiple reasons.
First, you are basically allowing an on-premises user to directly access a VPC resource before figuring out whether the user has this entitlement.
Second, you make the application deployed in the VPC an authorization orchestrator in addition to providing its core business function, which violates the basis of the separation of concerns principle. Under your scenario the web application in the VPC would first have to call a custom broker on-prem and then also be responsible for calling STS to get temporary credentials that it would later possibly use to make any AWS API calls. By extension, if you later developed a second application in your VPC, you would also have to include the authorization orchestrator logic in that app. Yes, you could factor this logic out, but under your scenario, the factored-out logic would also reside inside your VPC. This is contrary to the AWS recommendation that if you use STS directly, rather than using it through Cognito, you would call STS from an on-premises-hosted authorization orchestrator (that would wrap an on-premises-hosted custom broker) and have the same orchestrator redirect to a VPC-hosted app with temporary credentials supplied from a previous call to STS.
Administrator, February 26, 2024 at 12:33 pm
The flow you described does not necessarily mean that an on-premises user is directly accessing a VPC resource. The web application in the VPC is the one making the call to the on-premises custom identity broker, not the user directly. The user’s request is being forwarded through the web application, which acts as a proxy. This doesn’t violate the principle of separation of concerns as the web application isn’t handling the authorization itself, but rather coordinating with the on-premises broker.
As for the STS calls, they are made by the on-premises broker, not the web application. The broker is responsible for authenticating the user against the LDAP server, calling STS to get temporary credentials, and then providing these credentials to the web application.
If you have multiple applications in your VPC, you wouldn’t need to include the authorization logic in each app. Instead, the custom identity broker would handle the authorization for all applications, ensuring a separation of concerns. AWS does recommend using STS directly if you’re not using Cognito, but this doesn’t mean that the call to STS has to originate from an on-premises-hosted authorization orchestrator. It’s possible to securely call STS from a VPC-hosted application as long as you’re following best practices for securing the credentials used to make the STS call.
I hope this helps! Let me know if you have any more questions.
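The flow both posts describe (authenticate against the corporate directory, map the user to a role, call STS for temporary credentials, hand them to the application) as an added example in Python. This is not code from the question bank, the forum, or AWS. It assumes a constructed in-memory table standing in for the on-premises LDAP server, a fake STS object that mirrors boto3's `assume_role` keyword signature so the code runs offline (a real `boto3.client("sts")` would drop in unchanged), a placeholder account id and role ARN, and a placeholder web application URL.

```python
import datetime
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional


# --- constructed stand-in for the on-premises LDAP directory -----------------
_SALT = b"example-salt"  # constructed; a real directory manages its own hashing


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


DIRECTORY = {  # constructed users and group memberships
    "alice": {"pw": _hash_pw("correct horse"),
              "groups": ["cn=webapp-users,ou=groups,dc=example,dc=com"]},
    "bob": {"pw": _hash_pw("battery staple"),
            "groups": ["cn=staff,ou=groups,dc=example,dc=com"]},
}


def ldap_bind(username: str, password: str) -> Optional[list]:
    """Simulates an LDAP simple bind: returns the user's groups, or None on failure."""
    entry = DIRECTORY.get(username)
    if entry is None:
        _hash_pw(password)  # same work for unknown users, so timing does not leak existence
        return None
    if not hmac.compare_digest(entry["pw"], _hash_pw(password)):
        return None
    return list(entry["groups"])


# Which directory group is entitled to which IAM role (placeholder account id / role).
GROUP_TO_ROLE = {
    "cn=webapp-users,ou=groups,dc=example,dc=com":
        "arn:aws:iam::111122223333:role/OnPremFederatedWebAppUser",
}


class FakeSTS:
    """Offline stand-in for the boto3 STS client; records every assume_role call."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        expires = (datetime.datetime.now(datetime.timezone.utc)
                   + datetime.timedelta(seconds=kwargs["DurationSeconds"]))
        return {"Credentials": {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(60),
            "Expiration": expires,
        }}


@dataclass
class FederatedSession:
    username: str
    role_arn: str
    credentials: dict   # short-lived keys returned by STS
    app_url: str        # where the authenticated user is sent next


_BAD_SESSION_CHARS = re.compile(r"[^\w+=,.@-]")  # RoleSessionName allowed character set


class IdentityBroker:
    """Custom identity broker: local authentication and entitlement check, then STS."""

    def __init__(self, sts, role_map, app_url, duration=3600):
        self.sts, self.role_map, self.app_url, self.duration = sts, role_map, app_url, duration

    def login(self, username: str, password: str) -> Optional[FederatedSession]:
        groups = ldap_bind(username, password)
        if groups is None:
            return None  # authentication failed: STS is never contacted
        roles = [self.role_map[g] for g in groups if g in self.role_map]
        if not roles:
            return None  # authenticated but not entitled: no role, no credentials
        role_arn = roles[0]
        session_name = _BAD_SESSION_CHARS.sub("_", username)[:64]
        resp = self.sts.assume_role(
            RoleArn=role_arn,
            RoleSessionName=session_name,
            DurationSeconds=self.duration,
            Tags=[{"Key": "ldap_user", "Value": username}],  # session tag, visible in CloudTrail
        )
        return FederatedSession(username, role_arn, resp["Credentials"], self.app_url)


if __name__ == "__main__":
    broker = IdentityBroker(FakeSTS(), GROUP_TO_ROLE, "https://webapp.vpc.example.internal/", 900)
    print(broker.login("alice", "correct horse"))
    print(broker.login("bob", "battery staple"))  # None: no group maps to a role
```

Two properties of this shape matter more than which side of the VPN the broker process lives on: the directory password is consumed only by the broker (the web application never sees it), and `assume_role` is reached only after both the bind and the group-to-role mapping succeed, so a wrong password or an unentitled account produces no STS call at all. The credentials are returned to the caller in the response object rather than placed in a redirect URL's query string, where they would be logged by proxies and browsers; the session tag gives CloudTrail a directory identity to attribute the temporary credentials to.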