Shib with Multiple AWS Accounts

Jason Rotunno jrotunno at swarthmore.edu
Wed Oct 4 13:44:27 EDT 2017 

Excellent. I didn't realize Amazon lets you choose which account/role to
use upon login. This works perfectly.

Thanks, all, for the responses.

Jason


On Wed, Oct 4, 2017 at 12:01 PM, Wessel, Keith <kwessel at illinois.edu> wrote:

> We've just baked the account number into the group name in our directory.
> We can then map users to different, or in some cases, multiple accounts
> with our attribute definition. If the user is in multiple accounts and/or
> roles, AWS lets them choose upon login. I can't see a reason to have
> separate login links.
>
> Keith
>
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor,
> Scott
> Sent: Wednesday, October 04, 2017 10:57 AM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Shib with Multiple AWS Accounts
>
> On 10/4/17, 11:52 AM, "users on behalf of Jason Rotunno" <
> users-bounces at shibboleth.net on behalf of jrotunno at swarthmore.edu> wrote:
>
> > We have some other AWS accounts that I'd like to integrate with Shib as
> well, and I'm trying to figure out how to populate the
> > awsRoles attribute with different account numbers based on which AWS
> account is being accessed.
>
> Amazon has one entityID for the entire platform and a standard request is
> not going to differentiate accounts. I suppose you could bake in something
> proprietary into the system to signal this but that's heavy work that would
> have involve webflow customization if not even deeper manipulation of the
> system.
>
> The Amazon design is that you send everything in all cases, all accounts,
> and all roles. It's their limitation. I haven't seen any compelling reason
> to waste my time on it. What exactly are you trying to avoid doing? Do you
> really expect a given user to be accessing hundreds of accounts?
>
> -- Scott
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>



-- 

Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081
610.328.8505

Think BEFORE You Click!! Emails from Swarthmore College ITS won't be in your
Quarantine or Spam folder. We won't threaten you either! If you
receive any phishing emails, please forward them to phishing at swarthmore.edu.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20171004/91ec7c4f/attachment-0001.html>

More information about the users mailing list