Shib with Multiple AWS Accounts

Jason Rotunno jrotunno at swarthmore.edu
Wed Oct 4 11:51:43 EDT 2017


Hi,

I've integrated our AWS account with our Shib 3.3.1 instance for SSO
access. The awsRoles attribute, which is required by AWS, is defined in
attribute-resolver.xml as follows (111111111111 is the AWS account number):

    <resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="memberOf">
        <resolver:Dependency ref="myLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
        <ad:ValueMap>
            <ad:ReturnValue>arn:aws:iam::111111111111:role/Dept-1,arn:aws:iam::111111111111:saml-provider/shib.tld</ad:ReturnValue>
            <ad:SourceValue ignoreCase="true">.*CN=Dept-1.*</ad:SourceValue>
        </ad:ValueMap>
    </resolver:AttributeDefinition>

If a user is in the Dept-1 AD group, browses to
https://shib.tld/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
and authenticates, the awsRoles attribute is populated with the value
arn:aws:iam::111111111111:role/Dept-1,arn:aws:iam::111111111111:saml-provider/shib.tld.
It's pretty straightforward and works well.

We have some other AWS accounts that I'd like to integrate with Shib as
well, and I'm trying to figure out how to populate the awsRoles attribute
with different account numbers based on which AWS account is being accessed.

For example, if a user authenticates at
https://shib.tld/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
(and is in the Dept-1 AD group), the awsRoles value would be
arn:aws:iam::111111111111:role/Dept-1,arn:aws:iam::111111111111:saml-provider/shib.tld.

If the same user instead authenticates at
https://shib.tld/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices:test,
the awsRoles value would be
arn:aws:iam::222222222222:role/Dept-1,arn:aws:iam::222222222222:saml-provider/shib.tld.

Any suggestions on how I might do this? Or perhaps there's a better
approach? I did find https://gist.github.com/zircote/488b1d8096c9d888e5ea,
but that sets the account number based on AD membership. That wouldn't work
for us since some users will need access to more than one AWS account.

Thanks,
Jason

-- 

Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081
610.328.8505
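As an added illustration (not Shibboleth configuration, and not from the original post), a Python model of the mapping the question asks for: the account number is selected by the requesting SP's entityId (the providerId in the SSO URL) rather than by group membership, so the same Dept-1 membership yields a different Role value for each account. The entityId-to-account map, the rule list, the provider name and the sample DNs are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample mapping: SP entityId (providerId) -> AWS account number.
# The account numbers are the placeholder values used in the question.
ACCOUNT_BY_ENTITY_ID: Dict[str, str] = {
    "urn:amazon:webservices": "111111111111",
    "urn:amazon:webservices:test": "222222222222",
}
SAML_PROVIDER_NAME = "shib.tld"  # assumed name of the IAM SAML provider

# Hypothetical rule set: regex over a memberOf DN -> IAM role name,
# mirroring the <ad:SourceValue> pattern in the question.
ROLE_RULES = [(re.compile(r".*CN=Dept-1.*", re.IGNORECASE), "Dept-1")]

# One Role value is "role-arn,saml-provider-arn"; capture both account ids.
ROLE_VALUE_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+,"
    r"arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$"
)


def aws_role_values(member_of: Iterable[str], entity_id: str) -> List[str]:
    """Return the Role attribute values to release for one SSO request.

    The account comes from the requesting SP, so a user entitled to several
    accounts receives the value for whichever account they are logging into.
    """
    account = ACCOUNT_BY_ENTITY_ID.get(entity_id)
    if account is None:
        # Unknown SP: release nothing rather than a role in the wrong account.
        return []
    provider = f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER_NAME}"
    values = []
    for pattern, role in ROLE_RULES:
        if any(pattern.match(dn) for dn in member_of):
            values.append(f"arn:aws:iam::{account}:role/{role},{provider}")
    return values


def is_well_formed(value: str) -> bool:
    """Check the value shape and that role and provider are in the same account."""
    m = ROLE_VALUE_RE.match(value)
    return bool(m) and m.group(1) == m.group(2)
```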
