Help with NameID
robert.bradley at it.ox.ac.uk
Fri Aug 7 08:40:51 UTC 2020
On 07/08/2020 08:33, Peter Schober wrote:
> * Amit Dongaonkar <amitd at nitssolutions.com> [2020-08-07 02:36]:
>> I am using Shibboleth IdP 3.4 and am trying to provide an
>> assertion to AWS services. They need the nameID as email ,
>> however they do not want the email attribute coming in the
> That's just silly, insisting that an attribute be NOT present, and
> I doubt that's a requirement for AWS -- otherwise I guess we'd have
> heard about it here? I.e., you can't be the first person to
> integrate your Shib IDP with AWS?
AWS doesn't care about standard attributes at all in my experience,
but uses its own instead:
The only essential attributes I saw were:
- Effectively the username for the session, but can be anything (we use
  eppn for this).
- A list of AWS IAM roles. To generate these, you need the account
  number, SAML provider name (as set in AWS) and the role name (again,
  as set in AWS).
AWS doesn't do assertion encryption or signed responses, but does
require signed assertions. I'm open to anyone trying to persuade them
to fix this.
It may be that you're talking about AWS SSO instead, in which case it
wouldn't surprise me if this didn't apply.
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
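The role attribute Robert describes is assembled from the account number, SAML provider name and role name; as an added example that is not part of this thread, the following Python builds and validates such values, assuming AWS's documented "role ARN,saml-provider ARN" layout (arn:aws:iam::ACCOUNT:role/NAME,arn:aws:iam::ACCOUNT:saml-provider/NAME), which the message itself does not spell out.

```python
import re
from typing import List, Tuple

# Assumed layout of one AWS Role attribute value (from AWS documentation,
# not stated in the thread): "<role ARN>,<saml-provider ARN>".
# IAM role names may contain commas and a path, SAML provider names may not,
# so the value is split on its LAST comma.
ROLE_ARN = re.compile(r"arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)")
PROVIDER_ARN = re.compile(r"arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)")


def build_role_value(account: str, provider: str, role: str) -> str:
    """Compose one Role attribute value from the three pieces the post lists."""
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account number must be 12 digits, got {account!r}")
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{provider}")


def build_role_values(account: str, provider: str, roles: List[str]) -> List[str]:
    """One attribute value per role a user is entitled to assume."""
    return [build_role_value(account, provider, r) for r in roles]


def parse_role_value(value: str) -> Tuple[str, str, str]:
    """Split a Role attribute value and check both ARNs name the same account.
    Returns (account, provider, role); raises ValueError on malformed input."""
    role_part, _, provider_part = value.rpartition(",")
    role_m = ROLE_ARN.fullmatch(role_part)
    prov_m = PROVIDER_ARN.fullmatch(provider_part)
    if not role_m or not prov_m:
        raise ValueError(f"malformed Role attribute value: {value!r}")
    if role_m.group(1) != prov_m.group(1):
        raise ValueError("role and saml-provider ARNs name different accounts")
    return role_m.group(1), prov_m.group(2), role_m.group(2)


def is_valid_role_value(value: str) -> bool:
    """Boolean form of parse_role_value, handy for an attribute-release check."""
    try:
        parse_role_value(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; account, provider and role names are made up.
    for v in build_role_values("123456789012", "ExampleIdP", ["Admin", "ReadOnly"]):
        print(v, parse_role_value(v))
```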