Shib with Multiple AWS Accounts

Jim Fox fox at washington.edu
Wed Oct 4 12:09:45 EDT 2017


We do this as well.  We use groups named (grouper syntax) 
"u:weblogin:aws:<account-number>:<role-name>" 
Then we send all the accounts and roles where a user is a member of the corresponding group.

Jim


On Wed, 4 Oct 2017, Wessel, Keith wrote:

> Date: Wed, 4 Oct 2017 09:01:08
> From: "Wessel, Keith" <kwessel at illinois.edu>
> To: Shib Users <users at shibboleth.net>
> Reply-To: Shib Users <users at shibboleth.net>
> Subject: RE: Shib with Multiple AWS Accounts
> 
> We've just baked the account number into the group name in our directory. We can then map users to different, or in some cases, multiple accounts with our attribute definition. If the user is in multiple accounts and/or roles, AWS lets them choose upon login. I can't see a reason to have separate login links.
>
> Keith
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
> Sent: Wednesday, October 04, 2017 10:57 AM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Shib with Multiple AWS Accounts
>
> On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno" <users-bounces at shibboleth.net on behalf of jrotunno at swarthmore.edu> wrote:
>
>> We have some other AWS accounts that I'd like to integrate with Shib as well, and I'm trying to figure out how to populate the
>> awsRoles attribute with different account numbers based on which AWS account is being accessed.
>
> Amazon has one entityID for the entire platform and a standard request is not going to differentiate accounts. I suppose you could bake something proprietary into the system to signal this but that's heavy work that would have involved webflow customization if not even deeper manipulation of the system.
>
> The Amazon design is that you send everything in all cases, all accounts, and all roles. It's their limitation. I haven't seen any compelling reason to waste my time on it. What exactly are you trying to avoid doing? Do you really expect a given user to be accessing hundreds of accounts?
>
> -- Scott
>
>
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
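The mapping both Jim and Keith describe (account number and role baked into a directory group name, then one AWS role value emitted per group the user belongs to, so a user in several accounts or roles gets all of them and AWS shows a chooser at login) is shown below as an added stand-alone example. It is not code from the thread, from Grouper or from the Shibboleth IdP (which would normally do this in an attribute-resolver definition); the group prefix `u:weblogin:aws:` is taken from Jim's message, while the SAML provider name `campus-idp`, the membership list and the helper names are constructed for the illustration. The output values follow the documented format of the AWS `https://aws.amazon.com/SAML/Attributes/Role` attribute: the role ARN and the SAML provider ARN of the same account, separated by a comma.

```python
import re
from typing import Dict, Iterable, List

# Group naming convention from the thread: u:weblogin:aws:<account-number>:<role-name>.
# AWS account numbers are 12 digits; the role-name character class deliberately
# excludes the comma, because the comma separates the two ARNs in the Role value.
GROUP_PATTERN = re.compile(r"^u:weblogin:aws:(?P<account>\d{12}):(?P<role>[\w+=.@-]+)$")

# Assumption (constructed): the name of the SAML identity provider registered in
# every AWS account. It must be the same in each account for one IdP to serve them all.
SAML_PROVIDER_NAME = "campus-idp"


def aws_role_values(groups: Iterable[str], provider: str = SAML_PROVIDER_NAME) -> List[str]:
    """Return the values of the AWS 'Role' SAML attribute for a user's group list.

    One value per (account, role) pair; duplicates collapse to one value, and groups
    that do not follow the convention are ignored so unrelated memberships never leak
    into the assertion. Order follows first appearance, which is what AWS presents.
    """
    seen = set()
    values: List[str] = []
    for group in groups:
        match = GROUP_PATTERN.match(group)
        if not match:
            continue  # not an AWS mapping group (or malformed): skip it
        account, role = match.group("account"), match.group("role")
        if (account, role) in seen:
            continue
        seen.add((account, role))
        values.append(
            f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{provider}"
        )
    return values


def roles_by_account(groups: Iterable[str]) -> Dict[str, List[str]]:
    """Summarise which accounts and roles a user would be offered at the AWS chooser."""
    summary: Dict[str, List[str]] = {}
    for group in groups:
        match = GROUP_PATTERN.match(group)
        if not match:
            continue
        account, role = match.group("account"), match.group("role")
        roles = summary.setdefault(account, [])
        if role not in roles:
            roles.append(role)
    return summary


# Constructed sample membership for one user, mixing valid, duplicate and unrelated groups.
SAMPLE_MEMBERSHIPS = [
    "u:weblogin:aws:111111111111:Admin",
    "u:weblogin:aws:111111111111:ReadOnly",
    "u:weblogin:aws:222222222222:Developer",
    "u:weblogin:aws:111111111111:Admin",   # duplicate membership, emitted once
    "u:weblogin:aws:12345:Admin",          # malformed account number, ignored
    "u:weblogin:some-other-app:staff",     # unrelated group, ignored
]

if __name__ == "__main__":
    for value in aws_role_values(SAMPLE_MEMBERSHIPS):
        print(value)
    print(roles_by_account(SAMPLE_MEMBERSHIPS))
```

Because every matching group is emitted, a user with memberships in two accounts receives both accounts' roles in a single assertion, which is exactly the "send everything, let AWS offer the choice" behaviour Scott and Keith describe; restricting the output per AWS account would require signalling that the single Amazon entityID cannot carry.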

