简体繁体 English

如何将AWS服务限制为由Google Suite维护的组织用户？

[英]How to limit an AWS service to an organisation's users maintained by the Google Suite?

原文 2017-08-21 08:17:29 8 1 amazon-web-services/ authentication/ saml/ aws-cognito

I'm confused how to simply authenticate an @example.com employee, in order to allow access to an internal service https://stage.example.com . 我很困惑如何简单地认证@ example.com员工，以允许访问内部服务https://stage.example.com 。 The user experience I want; 我想要的用户体验； is for the employee to click a "Login with Google" button (preferably it would just automatically log the user in) and instantly have access based on his/her login email. 是为了让员工单击“使用Google登录”按钮（最好是它会自动将用户登录），并根据他/她的登录电子邮件立即获得访问权限。

What do I need to implement? 我需要执行什么？

Something with SAML? 有SAML吗？ https://admin.google.com/AdminHome#AppsList:serviceType=SAML_APPS https://admin.google.com/AdminHome#AppsList:serviceType=SAML_APPS
Something with API credentials? 有API凭证的东西吗？ https://console.developers.google.com/apis/credentials https://console.developers.google.com/apis/credentials
Something with AWS Cognito? AWS Cognito有什么用？ https://ap-southeast-1.console.aws.amazon.com/cognito https://ap-southeast-1.console.aws.amazon.com/cognito
Something to do with provider IDs? 与提供者ID有关？ https://github.com/laardee/serverless-authentication-boilerplate https://github.com/laardee/serverless-authentication-boilerplate
Something to do with https://apis.google.com/js/platform.js & GAPI.auth2's hosted_domain ? 与https://apis.google.com/js/platform.js和GAPI.auth2的hosted_domain有关 ？

Basically I want to get away from having duplicated users in AWS IAM. 基本上，我想避免在AWS IAM中拥有重复的用户。 We want the canonical source of users in the company as https://admin.google.com/AdminHome#UserList 我们希望公司中的规范用户来源为https://admin.google.com/AdminHome#UserList

The idea being, when the employee leaves the company, the ex-employee is removed and access to https://stage.spuul.com & such internal services are withdrawn. 想法是，当雇员离开公司时，前雇员被撤职，并撤回对https://stage.spuul.com的访问，并且此类内部服务也被撤回。