Shib with Multiple AWS Accounts

Jason Rotunno jrotunno at
Wed Oct 4 11:51:43 EDT 2017


I've integrated our AWS account with our Shib 3.3.1 instance for SSO
access. The awsRoles attribute, which is required by AWS, is defined in
attribute-resolver.xml as follows (111111111111 is the AWS account number):

    <resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped">
        <resolver:Dependency ref="myLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="" friendlyName="Role" />
        <ad:ValueMap>
            <!-- the ad:ReturnValue (role ARN / SAML-provider ARN pair for 111111111111) was stripped from the archived message -->
            <ad:SourceValue ignoreCase="true">.*CN=Dept-1.*</ad:SourceValue>
        </ad:ValueMap>
    </resolver:AttributeDefinition>

If a user is in the Dept-1 AD group, browses to
and authenticates, the awsRole is populated with the value
It's pretty straightforward and works well.

We have some other AWS accounts that I'd like to integrate with Shib as
well, and I'm trying to figure out how to populate the awsRoles attribute
with different account numbers based on which AWS account is being accessed.

For example, if a user authenticates at
(and is in the Dept-1 AD group), the awsRole value would be

If the same user instead authenticates at
the awsRole value would be

Any suggestions on how I might do this? Or perhaps there's a better
approach? I did find,
but that sets the account number based on AD membership. That wouldn't work
for us since some users will need access to more than one AWS account.



Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081

Think BEFORE You Click!! Emails from Swarthmore College ITS won't be in your
Quarantine or Spam folder. We won't threaten you either! If you
receive any phishing emails, please forward them to phishing at
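As an added illustration (not the poster's configuration and not Shibboleth code), the Python below models what the Mapped definition does and shows one way the Role value can vary with the target account: emit one value per account the user may enter, or restrict to the account being accessed. The ARN layout, the SAML-provider name "Shib" and the account number 222222222222 are assumptions constructed for the example.

```python
import re

# Constructed sample data: 111111111111 is the account from the post,
# 222222222222 is a placeholder for a second account.
AWS_ACCOUNTS = {"dept1-prod": "111111111111", "dept1-dev": "222222222222"}
SAML_PROVIDER = "Shib"  # assumed name of the IAM SAML provider in each account

# Equivalent of the ad:Mapped SourceValue regexes: AD group DN pattern -> IAM role name
GROUP_TO_ROLE = [
    (re.compile(r".*CN=Dept-1.*", re.IGNORECASE), "Dept-1"),
]


def aws_role_values(member_of, accounts):
    """Return the AWS 'Role' attribute values for a user's memberOf DNs.

    AWS expects each value as 'role-arn,saml-provider-arn'. Emitting one
    value per account lets AWS offer a role chooser at sign-in instead of
    hard-wiring a single account number into the mapping.
    """
    values = set()
    for pattern, role in GROUP_TO_ROLE:
        if not any(pattern.match(dn) for dn in member_of):
            continue
        for acct in accounts:
            # Reject anything that is not a 12-digit account id before it
            # reaches the assertion.
            if not re.fullmatch(r"\d{12}", acct):
                raise ValueError(f"bad AWS account id: {acct!r}")
            values.add(
                f"arn:aws:iam::{acct}:role/{role},"
                f"arn:aws:iam::{acct}:saml-provider/{SAML_PROVIDER}"
            )
    return sorted(values)


def aws_role_values_for_account(member_of, account_key):
    """Variant matching the question: only the account being accessed."""
    return aws_role_values(member_of, [AWS_ACCOUNTS[account_key]])


if __name__ == "__main__":
    groups = ["CN=Dept-1,OU=Groups,DC=example,DC=edu", "CN=Staff,OU=Groups,DC=example,DC=edu"]
    for v in aws_role_values(groups, AWS_ACCOUNTS.values()):
        print(v)
```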
