Shib with Multiple AWS Accounts
Matt Brennan
brennanma at gmail.com
Wed Oct 4 12:02:58 EDT 2017
I ran into the same problem, as we have 10 distinct AWS accounts that users
have access to. I did this by creating multiple instances of the Role
attribute with the different account numbers, i.e.:
<!-- Account 1: every memberOf value of the form CN=AWS-<name>,... is mapped
     to one Role value pairing this account's SAML provider with role <name>.
     memberOf values that do not match produce nothing (no defaultValue). -->
<resolver:AttributeDefinition id="awsRolesAcct1" xsi:type="ad:Mapped"
                              sourceAttributeID="memberOf">
    <resolver:Dependency ref="myLDAP"/>
    <!-- Same encoder on every definition: AWS reads one attribute name,
         only the account in the ARNs differs. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role"/>
    <ad:ValueMap>
        <!-- $1 is the captured group name after the AWS- prefix. -->
        <ad:ReturnValue>arn:aws:iam::111111111111:saml-provider/Shibboleth,arn:aws:iam::111111111111:role/$1</ad:ReturnValue>
        <ad:SourceValue>CN=AWS-([^,]*),.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- Account 2: identical definition, only the id and the account number in
     both ARNs change. Repeat once per account. -->
<resolver:AttributeDefinition id="awsRolesAcct2" xsi:type="ad:Mapped"
                              sourceAttributeID="memberOf">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role"/>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::222222222222:saml-provider/Shibboleth,arn:aws:iam::222222222222:role/$1</ad:ReturnValue>
        <ad:SourceValue>CN=AWS-([^,]*),.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
I listed all the custom attributes in the attribute filter for AWS. I then
have users do an IdP-initiated sign-on, and AWS presents the user with a
list of roles/accounts they have access to.
HTH,
-Matt
On Wed, Oct 4, 2017 at 11:57 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno" <
> users-bounces at shibboleth.net on behalf of jrotunno at swarthmore.edu> wrote:
>
> > We have some other AWS accounts that I'd like to integrate with Shib as
> well, and I'm trying to figure out how to populate the
> > awsRoles attribute with different account numbers based on which AWS
> account is being accessed.
>
> Amazon has one entityID for the entire platform and a standard request is
> not going to differentiate accounts. I suppose you could bake something
> proprietary into the system to signal this, but that's heavy work that would
> involve webflow customization if not even deeper manipulation of the
> system.
>
> The Amazon design is that you send everything in all cases, all accounts,
> and all roles. It's their limitation. I haven't seen any compelling reason
> to waste my time on it. What exactly are you trying to avoid doing? Do you
> really expect a given user to be accessing hundreds of accounts?
>
> -- Scott
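To make the mapping in Matt's reply concrete, here is an added Python simulation of what the per-account Mapped definitions emit for a set of memberOf values. It is not Shibboleth code and not part of the post. It applies the post's own SourceValue regex to the whole value (Python fullmatch, consistent with the trailing .* in the pattern) once per configured account, exactly as N copies of the definition would, and then goes one step beyond the post with a variant in which the group name carries the 12-digit account ID, so a group grants a role in one account only and only for accounts the IdP knows about. The sample DNs are constructed, the two account IDs are the post's placeholders, the account list and the provider name Shibboleth are assumed, and check_role_value is an added sanity check that catches the cross-account copy-paste error that cloning definitions invites.

```python
"""Simulate how Mapped attribute definitions turn LDAP memberOf values into
AWS Role attribute values, for several accounts. Added example; not
Shibboleth code and not from the original post."""
import re
from typing import Iterable, List

# Constructed sample input: memberOf DNs as the IdP would read them from LDAP.
SAMPLE_MEMBER_OF = [
    "CN=AWS-Admin,OU=Groups,DC=example,DC=edu",
    "CN=AWS-ReadOnly,OU=Groups,DC=example,DC=edu",
    "CN=Staff,OU=Groups,DC=example,DC=edu",                     # not an AWS group
    "CN=AWS-222222222222-Billing,OU=Groups,DC=example,DC=edu",  # account-scoped group (variant)
    "CN=AWS-333333333333-Admin,OU=Groups,DC=example,DC=edu",    # account the IdP does not serve
]

# Assumed: the accounts the IdP has a definition for, and the IAM SAML provider name.
ACCOUNTS = ["111111111111", "222222222222"]
PROVIDER = "Shibboleth"

# Exactly the <ad:SourceValue> regex from the post, applied to the whole value.
POST_SOURCE_VALUE = re.compile(r"CN=AWS-([^,]*),.*")

# Variant (not in the post): the group name carries the 12-digit account ID.
PER_ACCOUNT_SOURCE_VALUE = re.compile(r"CN=AWS-(\d{12})-([^,]*),.*")


def role_value(account: str, role: str, provider: str = PROVIDER) -> str:
    """One AWS Role attribute value in the order the post uses:
    <provider ARN>,<role ARN>, both in the same account."""
    return (f"arn:aws:iam::{account}:saml-provider/{provider},"
            f"arn:aws:iam::{account}:role/{role}")


def role_values_every_account(member_of: Iterable[str], accounts: Iterable[str]) -> List[str]:
    """The post's approach: one definition per account, same regex in each,
    so every AWS-* group yields a Role value for every account."""
    dns = list(member_of)
    values = []
    for account in accounts:
        for dn in dns:
            m = POST_SOURCE_VALUE.fullmatch(dn)
            if m:
                values.append(role_value(account, m.group(1)))
    return values


def role_values_per_account(member_of: Iterable[str], accounts: Iterable[str]) -> List[str]:
    """Variant: a group grants a role only in the account named in the group,
    and only if that account is one the IdP is configured for."""
    allowed = set(accounts)
    values = []
    for dn in member_of:
        m = PER_ACCOUNT_SOURCE_VALUE.fullmatch(dn)
        if m and m.group(1) in allowed:
            values.append(role_value(m.group(1), m.group(2)))
    return values


# IAM ARN for a saml-provider or role; the name class deliberately excludes
# commas because the Role value itself is comma-separated.
_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(saml-provider|role)/[A-Za-z0-9+=.@_-]+$")


def check_role_value(value: str) -> bool:
    """Sanity check on an emitted value: exactly two IAM ARNs, one
    saml-provider and one role (either order), both in the same account."""
    parts = value.split(",")
    if len(parts) != 2:
        return False
    matches = [_ARN.match(p) for p in parts]
    if not all(matches):
        return False
    accounts = {m.group(1) for m in matches}
    kinds = {m.group(2) for m in matches}
    return len(accounts) == 1 and kinds == {"saml-provider", "role"}


if __name__ == "__main__":
    for v in role_values_every_account(SAMPLE_MEMBER_OF, ACCOUNTS):
        print("post   ", check_role_value(v), v)
    for v in role_values_per_account(SAMPLE_MEMBER_OF, ACCOUNTS):
        print("variant", check_role_value(v), v)
```

With the post's scheme the sample yields eight values (four matching groups times two accounts), including a role named 222222222222-Billing asserted for account 111111111111; whether any of those roles can actually be assumed is decided by the role existing in that account with a trust policy for the provider. The variant yields a single value, for Billing in account 222222222222, and drops the group naming an account the IdP does not serve. In the IdP the variant would be one Mapped definition whose SourceValue captures the account ID and role name and whose ReturnValue references $1 and $2, instead of one definition per account.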