Shib with Multiple AWS Accounts

Wessel, Keith kwessel at
Wed Oct 4 12:01:08 EDT 2017

We've just baked the account number into the group name in our directory. We can then map users to different, or in some cases, multiple accounts with our attribute definition. If the user is in multiple accounts and/or roles, AWS lets them choose upon login. I can't see a reason to have separate login links.


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, October 04, 2017 10:57 AM
To: Shib Users <users at>
Subject: Re: Shib with Multiple AWS Accounts

On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno" <users-bounces at on behalf of jrotunno at> wrote:

> We have some other AWS accounts that I'd like to integrate with Shib as well, and I'm trying to figure out how to populate the
> awsRoles attribute with different account numbers based on which AWS account is being accessed.

Amazon has one entityID for the entire platform and a standard request is not going to differentiate accounts. I suppose you could bake something proprietary into the system to signal this, but that's heavy work that would have to involve webflow customization if not even deeper manipulation of the system.

The Amazon design is that you send everything in all cases, all accounts, and all roles. It's their limitation. I haven't seen any compelling reason to waste my time on it. What exactly are you trying to avoid doing? Do you really expect a given user to be accessing hundreds of accounts?

-- Scott

To unsubscribe from this list send an email to users-unsubscribe at

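The approach described in the reply above (the AWS account number baked into the directory group name, one attribute definition mapping every such group to a role ARN, and all values released so AWS presents the role chooser) as a worked example of the mapping logic. This is an added illustration, not the poster's configuration or Shibboleth code: the `aws-<account>-<role>` group naming convention, the provider name `shibboleth`, the sample memberOf values and the user `jdoe` are all assumptions made here.

```python
import re

# Attribute names AWS expects in the SAML assertion (documented by AWS).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# ASSUMPTION: the IAM SAML provider in every account is named "shibboleth".
SAML_PROVIDER_NAME = "shibboleth"

# ASSUMPTION: group CNs follow "aws-<12-digit account>-<IAM role name>".
# Commas are deliberately excluded from the role name: AWS splits the
# attribute value on the comma between role ARN and provider ARN, so a
# comma in a role name would corrupt the value.
GROUP_RE = re.compile(r"^aws-(?P<account>\d{12})-(?P<role>[A-Za-z0-9+=.@_-]{1,64})$")

# Constructed sample memberOf values for one user (not real directory data).
SAMPLE_MEMBER_OF = [
    "cn=aws-123456789012-Admins,ou=groups,dc=example,dc=edu",
    "cn=aws-123456789012-ReadOnly,ou=groups,dc=example,dc=edu",
    "cn=aws-210987654321-Developers,ou=groups,dc=example,dc=edu",
    "cn=staff,ou=groups,dc=example,dc=edu",          # unrelated group, ignored
    "cn=aws-12345-Admins,ou=groups,dc=example,dc=edu",  # malformed account, ignored
    "cn=aws-123456789012-Admins,ou=groups,dc=example,dc=edu",  # duplicate, collapsed
]


def group_to_role_value(group_dn):
    """Map one group DN to an AWS Role attribute value, or None if the group
    does not follow the convention. Value format is '<role ARN>,<provider ARN>'."""
    rdn = group_dn.split(",", 1)[0]
    if not rdn.lower().startswith("cn="):
        return None
    m = GROUP_RE.match(rdn[3:])
    if not m:
        return None
    account, role = m.group("account"), m.group("role")
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER_NAME}")


def aws_role_values(member_of):
    """All Role values for a user, across every account: sorted and de-duplicated.
    Sending every role in one assertion is what lets AWS show its role chooser."""
    values = {v for v in (group_to_role_value(dn) for dn in member_of) if v}
    return sorted(values)


def saml_attributes(uid, member_of):
    """Build the AWS attribute set for the assertion. Returns {} when the user
    holds no AWS role at all, so nothing is released for that user."""
    roles = aws_role_values(member_of)
    if not roles:
        return {}
    return {ROLE_ATTR: roles, SESSION_ATTR: [uid]}


if __name__ == "__main__":
    for name, values in saml_attributes("jdoe", SAMPLE_MEMBER_OF).items():
        print(name)
        for v in values:
            print("   ", v)
```

In the IdP itself this regex-to-ARN step is the attribute definition in attribute-resolver.xml (a Mapped definition with a regex SourceValue and $1/$2 backreferences in the ReturnValue, or a ScriptedAttribute) fed by the memberOf data connector; the Python above is that mapping isolated so the grouping, validation and de-duplication behaviour can be checked on its own.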