Shib with Multiple AWS Accounts

Cantor, Scott cantor.2 at
Wed Oct 4 12:00:16 EDT 2017

Actually there probably is a quick hack that would do it. If your trigger links include "target" as a parameter, that will end up buried in the inbound SAML context tree under RelayState and that could be accessed in the resolver. It will also be sent back to Amazon, but I doubt they'd notice or care.

The only big win I guess is that you'd limit the roles sent over which would limit the size of the page Amazon shows to the user to pick a role from. Apart from a small number of central staff here acting as general admins for the whole service, we don't see that as being a likely concern.

-- Scott

On 10/4/17, 11:57 AM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno" <users-bounces at on behalf of jrotunno at> wrote:

> We have some other AWS accounts that I'd like to integrate with Shib as well, and I'm trying to figure out how to populate the
> awsRoles attribute with different account numbers based on which AWS account is being accessed.

Amazon has one entityID for the entire platform and a standard request is not going to differentiate accounts. I suppose you could bake something proprietary into the system to signal this, but that's heavy work that would involve webflow customization if not even deeper manipulation of the system.

The Amazon design is that you send everything in all cases, all accounts, and all roles. It's their limitation. I haven't seen any compelling reason to waste my time on it. What exactly are you trying to avoid doing? Do you really expect a given user to be accessing hundreds of accounts?

-- Scott
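The "quick hack" sketched above (read a target account out of the RelayState that the trigger link's "target" parameter ends up in, then narrow the awsRoles values to that account) as an added example in plain JavaScript. This is not code from the thread or from the Shibboleth project. It assumes the attribute values use the AWS SAML Role format ("role ARN,saml-provider ARN"), that the trigger link's target parameter carries a 12-digit account id, and that the caller has already fetched the RelayState string from the inbound SAML context (in an IdP scripted attribute definition that would be through the profileContext variable, and the WHATWG URL parsing used here would need replacing under the IdP's script engine). The account ids, role names and provider name are constructed.

```javascript
'use strict';

// Added example, not from the list thread: narrow a user's AWS role values
// to the account named by a "target" parameter in the RelayState.
// Assumed role value format (AWS SAML Role attribute):
//   "arn:aws:iam::<account>:role/<RoleName>,arn:aws:iam::<account>:saml-provider/<Provider>"
// Assumed RelayState: the trigger link's target URL, e.g.
//   "https://console.aws.amazon.com/?target=111111111111"

// Extract the 12-digit account id from one Role attribute value, or null.
function accountOfRole(roleValue) {
  const m = /^arn:aws:iam::(\d{12}):role\//.exec(roleValue);
  return m ? m[1] : null;
}

// Pull a well-formed "target" account id out of the RelayState URL.
// Returns null for a missing, unparseable or malformed value so the caller
// falls back to Amazon's default behaviour of sending every role.
function targetAccountFromRelayState(relayState) {
  if (!relayState) return null;
  let url;
  try {
    url = new URL(relayState);
  } catch (e) {
    return null;
  }
  const t = url.searchParams.get('target');
  return t !== null && /^\d{12}$/.test(t) ? t : null;
}

// Core selection. If a valid target account is named and the user actually
// holds roles in it, return only those roles; otherwise return everything.
// The result is always a subset of allRoles, so the (user-controlled) link
// parameter can only narrow what is asserted, never widen it.
function selectAwsRoles(allRoles, relayState) {
  const target = targetAccountFromRelayState(relayState);
  if (target === null) return allRoles.slice();
  const narrowed = allRoles.filter((r) => accountOfRole(r) === target);
  return narrowed.length > 0 ? narrowed : allRoles.slice();
}

// Constructed sample data: two roles in one account, one in another.
const SAMPLE_ROLES = [
  'arn:aws:iam::111111111111:role/Admin,arn:aws:iam::111111111111:saml-provider/Shib',
  'arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/Shib',
  'arn:aws:iam::222222222222:role/Developer,arn:aws:iam::222222222222:saml-provider/Shib',
];

// Stand-alone demonstration.
console.log(selectAwsRoles(SAMPLE_ROLES, 'https://console.aws.amazon.com/?target=111111111111'));
console.log(selectAwsRoles(SAMPLE_ROLES, 'https://console.aws.amazon.com/?target=333333333333'));
console.log(selectAwsRoles(SAMPLE_ROLES, null));
```

The fallback to "send all roles" matters: a missing or unknown target reproduces the default behaviour the thread describes instead of handing the user an empty role list, and because the filter only ever removes values from the resolved set, a tampered target parameter cannot grant a role the user does not already hold.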
