Shib with Multiple AWS Accounts
Yavor Yanakiev
yavor at nyu.edu
Wed Oct 4 13:30:44 EDT 2017
In your isMemberOf you need to include the account number
cn=AWS-role,ou=accountid,ou=aws,ou=app,ou=nyu,ou=Groups,o= ....
and then
<AttributeDefinition id="awsRoles" xsi:type="Mapped" sourceAttributeID="isMemberOf">
    <Dependency ref="NYU_LDAP" />
    <AttributeEncoder xsi:type="SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
    <ValueMap>
        <ReturnValue>arn:aws:iam::$2:saml-provider/shibboleth.nyu.edu,arn:aws:iam::$2:role/SSO-$1</ReturnValue>
        <SourceValue>^cn=AWS-([^,]*),ou=(\d+),ou=aws,ou=app,ou=nyu,ou=Groups,.+</SourceValue>
    </ValueMap>
</AttributeDefinition>
On Wed, Oct 4, 2017 at 11:51 AM, Jason Rotunno <jrotunno at swarthmore.edu>
wrote:
> Hi,
>
> I've integrated our AWS account with our Shib 3.3.1 instance for SSO
> access. The awsRoles attribute, which is required by AWS, is defined in
> attribute-resolver.xml as follows (111111111111 is the AWS account number):
>
> <resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="memberOf">
>     <resolver:Dependency ref="myLDAP"/>
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>         name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
>     <ad:ValueMap>
>         <ad:ReturnValue>arn:aws:iam::111111111111:role/Dept-1,arn:aws:iam::111111111111:saml-provider/shib.tld</ad:ReturnValue>
>         <ad:SourceValue ignoreCase="true">.*CN=Dept-1.*</ad:SourceValue>
>     </ad:ValueMap>
> </resolver:AttributeDefinition>
>
> If a user is in the Dept-1 AD group, browses to
> https://shib.tld/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
> and authenticates, the awsRole is populated with the value
> arn:aws:iam::111111111111:role/Dept-1,arn:aws:iam::111111111111:saml-provider/shib.tld.
> It's pretty straightforward and works well.
>
> We have some other AWS accounts that I'd like to integrate with Shib as
> well, and I'm trying to figure out how to populate the awsRoles attribute
> with different account numbers based on which AWS account is being accessed.
>
> For example, if a user authenticates at
> https://shib.tld/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices
> (and is in the Dept-1 AD group), the awsRole value would be
> arn:aws:iam::111111111111:role/Dept-1,arn:aws:iam::111111111111:saml-provider/shib.tld.
>
> If the same user instead authenticates at
> https://shib.tld/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices:test,
> the awsRole value would be
> arn:aws:iam::222222222222:role/Dept-1,arn:aws:iam::222222222222:saml-provider/shib.tld.
>
> Any suggestions on how I might do this? Or perhaps there's a better
> approach? I did find https://gist.github.com/zircote/488b1d8096c9d888e5ea,
> but that sets the account number based on AD membership. That wouldn't work
> for us since some users will need access to more than one AWS account.
>
> Thanks,
> Jason
>
> --
>
> Jason Rotunno
> System & Security Administrator
> Swarthmore College
> 500 College Ave
> Swarthmore, PA 19081
> 610.328.8505
>
> Think BEFORE You Click!! Emails from Swarthmore College ITS won't be in your
> Quarantine or Spam folder. We won't threaten you either! If you
> receive any phishing emails, please forward them to phishing at swarthmore.edu.
>
>
--
Yavor Yanakiev
Systems Developer for Identity Services
212-992-7585
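The group-to-ARN mapping discussed in this thread, worked through in Python as an added example. This is not Shibboleth's code and not code from either poster: it only mimics the behaviour assumed here for the IdP's Mapped attribute definition (SourceValue must match the whole input value, and $1, $2 ... in ReturnValue are replaced by the capture groups). The sample isMemberOf values, the o=example DN suffix and all function names are constructed for this example. It shows the point of Yavor's layout: a user who is in AWS groups for two different accounts gets two Role values, one per account, from a single ValueMap, and it includes the check a practitioner would want on a regex like .*CN=Dept-1.*, which as written also accepts a group named Dept-10.

```python
import re

# Added example (not Shibboleth's own code): a small re-implementation of what
# one <ValueMap> inside a "Mapped" attribute definition does, so the two
# configurations on this page can be exercised offline.
#
# Assumed semantics of the IdP, stated as assumptions:
#   * SourceValue has to match the WHOLE input value (hence the .* / .+
#     padding seen in both posted regexes);
#   * $1, $2 ... in ReturnValue are replaced by the matching capture group.

# Yavor's ValueMap: the AWS account number is carried in the group DN.
NYU_SOURCE = r"^cn=AWS-([^,]*),ou=(\d+),ou=aws,ou=app,ou=nyu,ou=Groups,.+"
NYU_RETURN = ("arn:aws:iam::$2:saml-provider/shibboleth.nyu.edu,"
              "arn:aws:iam::$2:role/SSO-$1")

# Jason's ValueMap: one fixed account, group selected by name only.
SWAT_SOURCE = r".*CN=Dept-1.*"
SWAT_RETURN = ("arn:aws:iam::111111111111:role/Dept-1,"
               "arn:aws:iam::111111111111:saml-provider/shib.tld")


def value_map(values, source_value, return_value, ignore_case=False):
    """Return the AWS Role attribute values produced from `values`.

    Inputs that do not match SourceValue contribute nothing; a user whose
    groups all fail to match ends up with no Role attribute at all.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(source_value, flags)
    results = []
    for value in values:
        m = pattern.fullmatch(value)
        if m is None:
            continue
        # Replace $N with capture group N, as the IdP does in ReturnValue.
        results.append(re.sub(r"\$(\d+)",
                              lambda g: m.group(int(g.group(1))),
                              return_value))
    return results


def parse_role_value(role_value):
    """Split one Role attribute value into (role_arn, provider_arn).

    The page shows both orders (Yavor lists the provider ARN first, Jason
    the role ARN first); this accepts either and rejects anything that is
    not exactly one role ARN plus one saml-provider ARN of the same account.
    """
    parts = role_value.split(",")
    if len(parts) != 2:
        raise ValueError("expected 'arn,arn': %r" % role_value)
    role = next((p for p in parts if ":role/" in p), None)
    provider = next((p for p in parts if ":saml-provider/" in p), None)
    if role is None or provider is None:
        raise ValueError("need one role ARN and one saml-provider ARN")
    if role.split(":")[4] != provider.split(":")[4]:
        raise ValueError("role and provider ARNs name different accounts")
    return role, provider


# Constructed isMemberOf values for one user (not taken from the page): an
# Admin group in account 111111111111 and a ReadOnly group in 222222222222,
# plus two entries the regex must ignore (no AWS prefix; non-numeric ou).
SAMPLE_ISMEMBEROF = [
    "cn=AWS-Admin,ou=111111111111,ou=aws,ou=app,ou=nyu,ou=Groups,o=example",
    "cn=AWS-ReadOnly,ou=222222222222,ou=aws,ou=app,ou=nyu,ou=Groups,o=example",
    "cn=Staff,ou=nyu,ou=Groups,o=example",
    "cn=AWS-Admin,ou=not-an-account,ou=aws,ou=app,ou=nyu,ou=Groups,o=example",
]


def nyu_roles(values=SAMPLE_ISMEMBEROF):
    """Role values the user would be sent under Yavor's configuration."""
    return value_map(values, NYU_SOURCE, NYU_RETURN)


def accounts_for(values=SAMPLE_ISMEMBEROF):
    """AWS account numbers the user can sign in to: one per matching group."""
    return {parse_role_value(v)[0].split(":")[4] for v in nyu_roles(values)}


if __name__ == "__main__":
    for role_value in nyu_roles():
        print(role_value)
    print(sorted(accounts_for()))
    # Caveat: an unanchored name match also accepts a group named Dept-10.
    print(value_map(["CN=Dept-10,OU=Groups,DC=shib,DC=tld"],
                    SWAT_SOURCE, SWAT_RETURN, ignore_case=True))
```

Running it prints two Role values for the constructed user, one for each account, which is how one ValueMap serves users who need more than one AWS account. The last line shows why the role-name part of the pattern should be delimited (Yavor's [^,]* stops at the next DN component) rather than left open-ended.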