Shib with Multiple AWS Accounts
Andrew Morgan
morgan at orst.edu
Wed Oct 4 13:17:23 EDT 2017
Our AWS roles configuration in attribute-resolver.xml:
<!-- aws attributes -->
<!-- $1 = role name taken from the group's cn, $2 = AWS account number taken from the ou below it -->
<AttributeDefinition xsi:type="Mapped" id="awsRoles" sourceAttributeID="ismemberof">
    <Dependency ref="ONIDLDAP" />
    <AttributeEncoder xsi:type="SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
    <ValueMap>
        <ReturnValue>arn:aws:iam::$2:saml-provider/Shibboleth,arn:aws:iam::$2:role/Shibboleth-$1</ReturnValue>
        <SourceValue ignoreCase="true">cn=([^,]+),ou=(\d+),ou=aws,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu</SourceValue>
    </ValueMap>
</AttributeDefinition>
Users will get a selection screen from AWS to decide which role to assume.
Andy
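To see what a ValueMap like the one above emits for a given set of group memberships before it goes into production, here is a small Python simulation of the mapping. This is an added example, not part of the original message and not Shibboleth IdP code: it reuses the SourceValue regex and ReturnValue from the configuration verbatim, the group DNs are constructed sample data, and re.fullmatch is used to mirror the whole-value match the ValueMap applies when partialMatch is left at its default.

```python
import re

# SourceValue regex copied from the attribute-resolver.xml above.
# Group 1 = role name (the group's cn), group 2 = AWS account number (the ou below it).
# ignoreCase="true" on the SourceValue corresponds to re.IGNORECASE here.
# Note: the "." in "orst.edu" is unescaped, so it also matches any single character;
# harmless here because the whole rest of the DN must match too. Tightening \d+ to
# \d{12} would additionally reject non-12-digit account numbers (AWS account IDs are 12 digits).
SOURCE_VALUE = re.compile(
    r"cn=([^,]+),ou=(\d+),ou=aws,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu",
    re.IGNORECASE,
)

# ReturnValue from the configuration, with $1/$2 written as Python format fields.
RETURN_VALUE = (
    "arn:aws:iam::{acct}:saml-provider/Shibboleth,"
    "arn:aws:iam::{acct}:role/Shibboleth-{role}"
)

# Constructed sample isMemberOf values (not real directory data).
SAMPLE_ISMEMBEROF = [
    # matches: account 123456789012, role Admin
    "cn=Admin,ou=123456789012,ou=aws,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu",
    # matches despite mixed case, because of ignoreCase
    "CN=ReadOnly,OU=210987654321,ou=aws,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu",
    # ignored: account ou is not numeric
    "cn=Admin,ou=notanumber,ou=aws,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu",
    # ignored: same shape but under a different application ou
    "cn=Admin,ou=123456789012,ou=other,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu",
    # ignored: extra trailing RDN; a partial/search match would wrongly accept this
    "cn=Admin,ou=123456789012,ou=aws,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu,dc=other",
    # ignored: unrelated group
    "cn=staff,ou=people,o=orst.edu",
]


def aws_roles(is_member_of):
    """Simulate the Mapped attribute definition.

    Every group DN that fully matches SourceValue yields one Role attribute value
    built from ReturnValue; everything else yields nothing, as in the resolver.
    All matching accounts and roles are returned together, which is what AWS expects
    (it shows the user a role-selection screen when there is more than one).
    """
    roles = []
    for dn in is_member_of:
        m = SOURCE_VALUE.fullmatch(dn)
        if m is None:
            continue
        role, acct = m.group(1), m.group(2)
        roles.append(RETURN_VALUE.format(acct=acct, role=role))
    return roles


def accounts_and_roles(role_values):
    """Split Role attribute values back into (account, IAM role name) pairs.

    Useful for eyeballing which accounts a test user would be offered; each value is
    '<saml-provider ARN>,<role ARN>' and the account number is the 5th ARN field.
    """
    pairs = []
    for value in role_values:
        _provider_arn, role_arn = value.split(",")
        acct = role_arn.split(":")[4]
        role_name = role_arn.rsplit("/", 1)[1]
        pairs.append((acct, role_name))
    return pairs


if __name__ == "__main__":
    for v in aws_roles(SAMPLE_ISMEMBEROF):
        print(v)
    print(accounts_and_roles(aws_roles(SAMPLE_ISMEMBEROF)))
```

Running it against the constructed memberships yields exactly two Role values, one for each account the user is actually in; the groups under the wrong ou, with a non-numeric account ou, or with a trailing RDN produce nothing. The last case is the one worth keeping an eye on when editing the SourceValue: if the regex is ever loosened (or partialMatch turned on), a group created elsewhere in the tree that happens to contain this DN shape would start granting AWS roles.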
On Wed, 4 Oct 2017, Jim Fox wrote:
>
> We do this as well. We use groups named (grouper syntax)
> "u:weblogin:aws:<account-number>:<role-name>" Then we send all the accounts
> and roles where a user is a member of the corresponding group.
>
> Jim
>
>
> On Wed, 4 Oct 2017, Wessel, Keith wrote:
>
>> Date: Wed, 4 Oct 2017 09:01:08
>> From: "Wessel, Keith" <kwessel at illinois.edu>
>> To: Shib Users <users at shibboleth.net>
>> Reply-To: Shib Users <users at shibboleth.net>
>> Subject: RE: Shib with Multiple AWS Accounts
>>
>> We've just baked the account number into the group name in our directory.
>> We can then map users to different, or in some cases, multiple accounts
>> with our attribute definition. If the user is in multiple accounts and/or
>> roles, AWS lets them choose upon login. I can't see a reason to have
>> separate login links.
>>
>> Keith
>>
>>
>> -----Original Message-----
>> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor,
>> Scott
>> Sent: Wednesday, October 04, 2017 10:57 AM
>> To: Shib Users <users at shibboleth.net>
>> Subject: Re: Shib with Multiple AWS Accounts
>>
>> On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno"
>> <users-bounces at shibboleth.net on behalf of jrotunno at swarthmore.edu> wrote:
>>
>>> We have some other AWS accounts that I'd like to integrate with Shib as
>>> well, and I'm trying to figure out how to populate the
>>> awsRoles attribute with different account numbers based on which AWS
>>> account is being accessed.
>>
>> Amazon has one entityID for the entire platform and a standard request is
>> not going to differentiate accounts. I suppose you could bake in something
>> proprietary into the system to signal this but that's heavy work that would
>> have to involve webflow customization if not even deeper manipulation of the
>> system.
>>
>> The Amazon design is that you send everything in all cases, all accounts,
>> and all roles. It's their limitation. I haven't seen any compelling reason
>> to waste my time on it. What exactly are you trying to avoid doing? Do you
>> really expect a given user to be accessing hundreds of accounts?
>>
>> -- Scott
>>
>>
>> --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net