Working with custom identity providers - AWS Transfer Family

Working with custom identity providers

To authenticate your users, you can use your existing identity provider with AWS Transfer Family. You integrate your identity provider using an AWS Lambda function, which authenticates and authorizes your users for access to Amazon S3 or Amazon Elastic File System (Amazon EFS). For details, see Using AWS Lambda to integrate your identity provider. You can also access CloudWatch graphs for metrics such as number of files and bytes transferred in the AWS Transfer Family Management Console, giving you a single pane of glass to monitor file transfers using a centralized dashboard.

Alternatively, you can provide a RESTful interface with a single Amazon API Gateway method. Transfer Family calls this method to connect to your identity provider, which authenticates and authorizes your users for access to Amazon S3 or Amazon EFS. Use this option if you need a RESTful API to integrate your identity provider or if you want to use AWS WAF to leverage its capabilities for geo-blocking or rate-limiting requests. For details, see Using Amazon API Gateway to integrate your identity provider.

In either case, you can create a new server using the AWS Transfer Family console or the CreateServer API operation.

Note

We have a workshop that you can attend, in which you can build a file transfer solution. This solution leverages AWS Transfer Family for managed SFTP/FTPS endpoints and Amazon Cognito and DynamoDB for user management. You can view the details for this workshop here.

AWS Transfer Family provides the following options for working with custom identity providers.

  • Use AWS Lambda to connect your identity provider – You can use an existing identity provider, backed by a Lambda function. You provide the name of the Lambda function. For more information, see Using AWS Lambda to integrate your identity provider.

  • Use Amazon API Gateway to connect your identity provider – You can create an API Gateway method backed by a Lambda function for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more information, see Using Amazon API Gateway to integrate your identity provider.

For either option, you can also specify how to authenticate.

  • Password OR Key – users can authenticate with either their password or their key. This is the default value.

  • Password ONLY – users must provide their password to connect.

  • Key ONLY – users must provide their private key to connect.

  • Password AND Key – users must provide both their private key and their password to connect. The server checks the key first, and then if the key is valid, the system prompts for a password. If the private key provided does not match the public key that is stored, authentication fails.

Using multiple authentication methods to authenticate with your custom identity provider

The Transfer Family server controls the AND logic when you use multiple authentication methods. Transfer Family treats this as two separate requests to your custom identity provider; however, their effect is combined.

Both requests must return successfully with the correct response to allow the authentication to complete. Transfer Family requires the two responses to be complete, meaning they contain all of the required elements (role, home directory, policy, and the POSIX profile if you're using Amazon EFS for storage). Transfer Family also requires that the password response not include public keys.

The public key request must have a separate response from the identity provider. That behavior is unchanged when using Password OR Key or Password AND Key.

The SSH/SFTP protocol challenges the software client first with a public key authentication, then requests a password authentication. Both must succeed before the user is allowed to complete the authentication.
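As an added example (not code from the Transfer Family documentation), the following Python Lambda handler serves both halves of a Password AND Key flow described above: the public key request (no password in the event) returns the user's public keys for the server to verify, the password request returns a complete response that deliberately omits PublicKeys, and any failure returns an empty object, which denies access. The event and response field names (username, password, Role, HomeDirectory, Policy, PublicKeys, PosixProfile) follow the Transfer Family custom identity provider Lambda contract; the in-memory user store, role ARN, bucket path and key material are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo user store. A real handler would look users up in
# Secrets Manager, DynamoDB or a directory; never hard-code credentials.
_SALT = b"demo-salt-not-for-production"  # constructed; use a per-user random salt in practice


def _pbkdf2(password: str) -> bytes:
    """Salted PBKDF2-SHA256 digest used to store and check the demo password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {
        "password_hash": _pbkdf2("correct horse battery staple"),
        # Placeholder key string; Transfer Family expects real OpenSSH-format keys here.
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@example.com"],
        "role": "arn:aws:iam::123456789012:role/TransferAccessRole",  # assumed ARN
        "home_directory": "/amzn-s3-demo-bucket/alice",  # assumed bucket/prefix
        "posix_profile": {"Uid": 1001, "Gid": 1001},  # only required for Amazon EFS storage
    }
}

# Session policy restricting the user to their own prefix (assumed bucket name).
SCOPE_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/alice/*"}],
})


def _complete_response(user: dict) -> dict:
    """Every element Transfer Family requires: role, home directory, policy, POSIX profile."""
    resp = {"Role": user["role"], "HomeDirectory": user["home_directory"], "Policy": SCOPE_DOWN_POLICY}
    if "posix_profile" in user:
        resp["PosixProfile"] = user["posix_profile"]
    return resp


def lambda_handler(event: dict, context) -> dict:
    user = USERS.get(event.get("username", ""))
    if user is None:
        return {}  # empty object: authentication denied
    password = event.get("password")
    if password is None:
        # Public key request: hand back the keys; the server checks the signature itself.
        return {**_complete_response(user), "PublicKeys": user["public_keys"]}
    # Password request: constant-time compare, and the response must NOT carry PublicKeys.
    if not hmac.compare_digest(_pbkdf2(password), user["password_hash"]):
        return {}
    return _complete_response(user)
```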