Shib with Multiple AWS Accounts
yavor at nyu.edu
Wed Oct 4 13:30:44 EDT 2017
In your isMemberOf you need to include the account number
<AttributeDefinition id="awsRoles" xsi:type="Mapped"
<Dependency ref="NYU_LDAP" />
On Wed, Oct 4, 2017 at 11:51 AM, Jason Rotunno <jrotunno at swarthmore.edu>
> I've integrated our AWS account with our Shib 3.3.1 instance for SSO
> access. The awsRoles attribute, which is required by AWS, is defined in
> attribute-resolver.xml as follows (111111111111 is the AWS account number):
> <resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped"
> <resolver:Dependency ref="myLDAP"/>
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
> <ad:SourceValue ignoreCase="true">.*CN=Dept-1.
> If a user is in the Dept-1 AD group, browses to
> webservices and authenticates, the awsRole is populated with the value
> 111111111111:saml-provider/shib.tld. It's pretty straightforward and
> works well.
> We have some other AWS accounts that I'd like to integrate with Shib as
> well, and I'm trying to figure out how to populate the awsRoles attribute
> with different account numbers based on which AWS account is being accessed.
> For example, if a user authenticates at https://shib.tld/idp/profile/
> SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices (and is in the
> Dept-1 AD group), the awsRole value would be arn:aws:iam::111111111111:
> If the same user instead authenticates at https://shib.tld/idp/profile/
> SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices:test, the awsRole
> value would be arn:aws:iam::222222222222:role/Dept-1,arn:aws:iam::
> Any suggestions on how I might do this? Or perhaps there's a better
> approach? I did find https://gist.github.com/zircote/488b1d8096c9d888e5ea,
> but that sets the account number based on AD membership. That wouldn't work
> for us since some users will need access to more than one AWS account.
> Jason Rotunno
> System & Security Administrator
> Swarthmore College
> 500 College Ave
> Swarthmore, PA 19081
> 610.328.8505
Systems Developer for Identity Services
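To make the suggestion above concrete, here is an added example (not config from either poster) of what "include the account number" can look like in IdP 3.3. It assumes the AD groups are named AWS-<12-digit-account>-<RoleName> (e.g. CN=AWS-111111111111-Dept-1,OU=Groups,DC=example,DC=edu), that the LDAP connector is called myLDAP, and that the SAML provider in each account is named shib.tld; all of those names are assumptions. The Mapped definition captures the account number and role name from the group DN, so a user in groups for two accounts gets two awsRoles values. The filter policy then releases only the matching account's values to each relying party, keyed on the providerId / entityID in the question.

```xml
<!-- attribute-resolver.xml (IdP 3.3 syntax). Added example, not the poster's config.
     Assumed group naming: AWS-<account>-<RoleName>; assumed connector id: myLDAP. -->
<AttributeDefinition id="awsRoles" xsi:type="Mapped">
    <!-- only memberOf values are fed into the map -->
    <InputDataConnector ref="myLDAP" attributeNames="memberOf"/>
    <AttributeEncoder xsi:type="SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role"/>
    <!-- $1 = account number, $2 = role name; groups that do not match yield no value -->
    <ValueMap>
        <ReturnValue>arn:aws:iam::$1:role/$2,arn:aws:iam::$1:saml-provider/shib.tld</ReturnValue>
        <SourceValue ignoreCase="true">^CN=AWS-(\d{12})-([^,]+),.*$</SourceValue>
    </ValueMap>
</AttributeDefinition>

<!-- attribute-filter.xml: release only each account's role ARNs to that account's SP.
     Entity IDs are the providerId values from the question; account numbers are
     the placeholders used there. -->
<AttributeFilterPolicy id="awsProdAccount">
    <PolicyRequirementRule xsi:type="Requester" value="urn:amazon:webservices"/>
    <AttributeRule attributeID="awsRoles">
        <PermitValueRule xsi:type="ValueRegex" regex="^arn:aws:iam::111111111111:.*"/>
    </AttributeRule>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="awsTestAccount">
    <PolicyRequirementRule xsi:type="Requester" value="urn:amazon:webservices:test"/>
    <AttributeRule attributeID="awsRoles">
        <PermitValueRule xsi:type="ValueRegex" regex="^arn:aws:iam::222222222222:.*"/>
    </AttributeRule>
</AttributeFilterPolicy>
```

The account number lives in the group name rather than in the resolver config, so adding a third account means creating groups and one more filter policy, with no change to the attribute definition. Keeping the per-account filter is what prevents a role ARN for account 111111111111 from being sent to the test account's SP, where AWS would reject it anyway; it also keeps the assertion from disclosing which other accounts a user can reach.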