Help with NameID

Robert Bradley robert.bradley at it.ox.ac.uk
Fri Aug 7 08:40:51 UTC 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 07/08/2020 08:33, Peter Schober wrote:
> * Amit Dongaonkar <amitd at nitssolutions.com> [2020-08-07 02:36]:
>> I am using Shibboleth IdP 3.4 and am trying to provide an
>> assertion to AWS services. They need the nameID as email;
>> however, they do not want the email attribute coming in the
>> assertion.
>
> That's just silly, insisting that an attribute NOT be present, and
> I doubt that's a requirement for AWS -- otherwise I guess we'd
> have heard about it here? I.e., you can't be the first person to
> integrate your Shib IdP with AWS?
>

AWS doesn't care about standard attributes at all in my experience,
but uses its own instead:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html

The only essential attributes I saw were:

* https://aws.amazon.com/SAML/Attributes/RoleSessionName

Effectively the username for the session, but can be anything (we use
eppn for this).

* https://aws.amazon.com/SAML/Attributes/Role

A list of AWS IAM roles.  To generate these, you need the account
number, SAML provider name (as set in AWS) and the role name (again,
as set in AWS).

AWS doesn't do assertion encryption or signed responses, but does
require signed assertions.  I'm open to anyone trying to persuade them
to fix this.

It may be that you're talking about AWS SSO instead, in which case it
wouldn't surprise me if this didn't apply.

- -- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
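As an added illustration (not part of this thread, and not Oxford's or the Shibboleth project's code), the following Python helper builds the two AWS attribute values named above from constructed sample values and validates values the IdP is about to release. It follows the format the linked AWS page documents for the Role attribute: one value per role, consisting of the role ARN, a comma, and the ARN of the IAM SAML provider, both in the same account. The account id, provider name and role names below are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample values (placeholders, not a real account or configuration).
ACCOUNT_ID = "123456789012"        # 12-digit AWS account number
PROVIDER_NAME = "ExampleIdP"       # name of the IAM SAML identity provider as created in AWS
ROLE_NAMES = ["Developers", "ReadOnly"]

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# IAM role names allow letters, digits and + = , . @ _ -; the comma is excluded here because
# it is the separator between the two ARNs in the attribute value.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=.@_-]+)$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([A-Za-z0-9._-]+)$")


def build_role_values(account_id: str, provider_name: str, role_names: List[str]) -> List[str]:
    """Return one Role attribute value per role: '<role ARN>,<saml-provider ARN>'."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return [f"arn:aws:iam::{account_id}:role/{name},{provider_arn}" for name in role_names]


def parse_role_value(value: str) -> Tuple[str, str, str]:
    """Validate a single Role attribute value and return (account_id, role_name, provider_name).

    Raises ValueError when the value is not a well-formed role/provider pair or when the
    two ARNs name different accounts (a role in one account cannot be assumed through a
    SAML provider defined in another).
    """
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected 'role-arn,provider-arn', got {value!r}")
    role_match = ROLE_ARN_RE.match(parts[0].strip())
    provider_match = PROVIDER_ARN_RE.match(parts[1].strip())
    if role_match is None:
        raise ValueError(f"malformed role ARN: {parts[0]!r}")
    if provider_match is None:
        raise ValueError(f"malformed saml-provider ARN: {parts[1]!r}")
    if role_match.group(1) != provider_match.group(1):
        raise ValueError("role and saml-provider ARNs belong to different accounts")
    return role_match.group(1), role_match.group(2), provider_match.group(2)


def check_aws_attributes(attributes: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems with the attribute set an IdP is about to release to AWS.

    An empty list means both essential attributes are present and well-formed.
    """
    problems: List[str] = []
    session = attributes.get(SESSION_ATTR, [])
    if len(session) != 1 or not session[0].strip():
        problems.append("RoleSessionName must be present exactly once and non-empty")
    roles = attributes.get(ROLE_ATTR, [])
    if not roles:
        problems.append("Role attribute is missing or has no values")
    for value in roles:
        try:
            parse_role_value(value)
        except ValueError as exc:
            problems.append(f"Role value rejected: {exc}")
    return problems


if __name__ == "__main__":
    attrs = {
        SESSION_ATTR: ["alice@example.org"],   # constructed eppn-style session name
        ROLE_ATTR: build_role_values(ACCOUNT_ID, PROVIDER_NAME, ROLE_NAMES),
    }
    for v in attrs[ROLE_ATTR]:
        print(v)
    print("problems:", check_aws_attributes(attrs))
```

The checker is deliberately strict about the documented order (role ARN first, provider ARN second) and about both ARNs naming the same account, so a misconfigured attribute-resolver mapping is caught at the IdP rather than as an opaque failure at the AWS sign-in page.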

