Shib with Multiple AWS Accounts
cantor.2 at osu.edu
Wed Oct 4 11:57:16 EDT 2017
On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno" <users-bounces at shibboleth.net on behalf of jrotunno at swarthmore.edu> wrote:
> We have some other AWS accounts that I'd like to integrate with Shib as well, and I'm trying to figure out how to populate the
> awsRoles attribute with different account numbers based on which AWS account is being accessed.
Amazon has one entityID for the entire platform and a standard request is not going to differentiate accounts. I suppose you could bake something proprietary into the system to signal this, but that's heavy work that would involve webflow customization if not even deeper manipulation of the system.
The Amazon design is that you send everything in all cases, all accounts, and all roles. It's their limitation. I haven't seen any compelling reason to waste my time on it. What exactly are you trying to avoid doing? Do you really expect a given user to be accessing hundreds of accounts?
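As an added illustration of the "send all accounts, all roles" design described above (example configuration written for this page, not Scott Cantor's or the Shibboleth project's own), the fragments below show how a Shibboleth IdP v3 attribute-resolver.xml and attribute-filter.xml might emit every role a user holds across several AWS accounts in a single policy keyed to AWS's one entityID. The data connector id `myLDAP`, the group DNs, the SAML provider name `Shibboleth` and the account numbers `111111111111` / `222222222222` are constructed placeholders, not values from the thread.

```xml
<!-- attribute-resolver.xml (IdP v3.4-style syntax assumed) -->

<!-- awsRoles: one value per AWS role the user may assume, across all accounts.
     Each value is "<role ARN>,<SAML provider ARN>", the pair AWS expects.
     Values are derived only from group membership, so a user never receives
     a role ARN for an account or role they are not a member of. -->
<AttributeDefinition id="awsRoles" xsi:type="Mapped">
    <InputDataConnector ref="myLDAP" attributeNames="memberOf"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role"/>

    <!-- Account 111111111111 (placeholder): admin and read-only roles -->
    <ValueMap>
        <ReturnValue>arn:aws:iam::111111111111:role/Admins,arn:aws:iam::111111111111:saml-provider/Shibboleth</ReturnValue>
        <SourceValue>cn=aws-111111111111-admins,ou=groups,dc=example,dc=edu</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/Shibboleth</ReturnValue>
        <SourceValue>cn=aws-111111111111-readonly,ou=groups,dc=example,dc=edu</SourceValue>
    </ValueMap>

    <!-- Account 222222222222 (placeholder): a second account, same pattern -->
    <ValueMap>
        <ReturnValue>arn:aws:iam::222222222222:role/Developers,arn:aws:iam::222222222222:saml-provider/Shibboleth</ReturnValue>
        <SourceValue>cn=aws-222222222222-developers,ou=groups,dc=example,dc=edu</SourceValue>
    </ValueMap>
</AttributeDefinition>

<!-- awsRoleSessionName: the identity AWS records in CloudTrail for the session. -->
<AttributeDefinition id="awsRoleSessionName" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="uid"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" friendlyName="RoleSessionName"/>
</AttributeDefinition>

<!-- attribute-filter.xml -->

<!-- A single policy: AWS has one entityID (urn:amazon:webservices) for every
     account, so the same release rule serves all of them. -->
<AttributeFilterPolicy id="aws-all-accounts">
    <PolicyRequirementRule xsi:type="Requester" value="urn:amazon:webservices"/>
    <AttributeRule attributeID="awsRoles">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="awsRoleSessionName">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
```

With this in place the IdP releases every role ARN the user is entitled to in one assertion and AWS presents the role chooser itself; adding another account means adding `ValueMap` entries (and the matching IAM roles and SAML provider in that account), not a new policy. The authorisation boundary lives entirely in the group-to-ARN mapping, so auditing who can reach which account reduces to auditing those groups.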