AWS ECP with awscli-login

Morgan, Andrew Jason morgan at oregonstate.edu
Thu Feb 20 14:00:56 EST 2020


Keith,

Okay, I suspected it might be something like that.  🙂

I have awscli-login working in my test environment after making that change.

Next question - Does anyone have this working with v2 of the aws cli?  I installed that first, but it uses an embedded Python interpreter.  When I ran "pip3 install awscli-login", it pulled v1.18.3 of the aws cli into pip (which is what I used for testing).

Thanks,
Andy

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Wessel, Keith <kwessel at illinois.edu>
Sent: Thursday, February 20, 2020 10:29 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: AWS ECP with awscli-login

Andy,

You've hit upon the dirty part of the implementation. I believe this is documented in the readme or the Github wiki for the project. If not, somebody please let me know so we can add it. The basic idea is:

Step 1: take Scott's advice and don't remotely consume Amazon's metadata. You can pull it down once, but then store it locally and don't refresh it.
Step 2: Add an ECP endpoint. The same ACS URL that you use to send web-based ACS responses to can be used. We added this:

    <AssertionConsumerService index="2" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://signin.aws.amazon.com/saml"/>

Note you'll need to make the same modification to the AWS Gov metadata if you're using that separate AWS instance.

Keith
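As an added example (not code from this thread, from awscli-login, or from AWS): a small Python script that applies step 2 to a locally stored copy of the AWS metadata, inserting the PAOS AssertionConsumerService and then running the same check the IdP performs when it resolves the ECP endpoint. The metadata below is a constructed stand-in for the real file, and unlike the snippet above it leaves isDefault on the existing HTTP-POST entry so browser SSO is unaffected.

```python
"""Add a PAOS (ECP) AssertionConsumerService to a locally stored copy of the
AWS SAML SP metadata so the IdP can resolve the endpoint awscli-login uses."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_URL = "https://signin.aws.amazon.com/saml"
ET.register_namespace("md", MD)

# Constructed stand-in for signin.aws.amazon.com/static/saml-metadata.xml:
# a single HTTP-POST ACS, which is exactly what the IdP log complained about.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="urn:amazon:webservices">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true" Binding="{HTTP_POST}" Location="{ACS_URL}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_entries(metadata_xml):
    """Return (binding, location, index) for every ACS in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"), int(e.get("index")))
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")]


def has_paos_endpoint(metadata_xml, location=ACS_URL):
    """The IdP's lookup: is there an ACS with the PAOS binding at `location`?"""
    return any(b == PAOS and loc == location for b, loc, _ in acs_entries(metadata_xml))


def add_paos_acs(metadata_xml, location=ACS_URL):
    """Return metadata with a PAOS ACS at `location`, adding one only if missing.

    The new entry reuses the existing ACS URL (AWS accepts ECP responses there)
    and takes the next free index; isDefault stays on the HTTP-POST entry."""
    if has_paos_endpoint(metadata_xml, location):
        return metadata_xml  # idempotent: already patched
    root = ET.fromstring(metadata_xml)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    next_index = max((i for _, _, i in acs_entries(metadata_xml)), default=0) + 1
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  index=str(next_index), Binding=PAOS, Location=location)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_paos_acs(SAMPLE_METADATA))
```

Run it against the file you pulled down once from Amazon and point the IdP's local metadata provider at the patched output.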



From: users <users-bounces at shibboleth.net> On Behalf Of Morgan, Andrew Jason
Sent: Thursday, February 20, 2020 11:55 AM
To: users at shibboleth.net
Subject: AWS ECP with awscli-login

I'm running into an issue with Illinois' awscli-login module.  When I run "aws login" to perform the ECP authentication, awscli-login sends a SAMLRequest to my IDP's ECP endpoint.  This generates the following error in my IDP logs:

WARN [net.shibboleth.idp.saml.profile.impl.PopulateBindingAndEndpointContexts:410] - Profile Action PopulateBindingAndEndpointContexts: Unable to resolve outbound message endpoint for relying party 'urn:amazon:webservices': EndpointCriterion [type={urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService, Binding=urn:oasis:names:tc:SAML:2.0:bindings:PAOS, Location=https://signin.aws.amazon.com/saml, trusted=false]
WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: EndpointResolutionFailed
WARN [net.shibboleth.idp.saml.profile.impl.SpringAwareMessageEncoderFactory:96] - Binding URI was not available, unable to lookup message encoder
ERROR [org.opensaml.profile.action.impl.EncodeMessage:122] - Profile Action EncodeMessage: Unable to locate an outbound message encoder

The metadata loaded dynamically from Amazon (https://signin.aws.amazon.com/static/saml-metadata.xml) has just 1 ACS entry:

<AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aws.amazon.com/saml"/>

So, Shibboleth is definitely correct that there is no PAOS binding for this SP.

Am I doing something wrong?  How have other awscli-login users solved this issue?

Thanks,
Andy Morgan
Identity & Access Management
Oregon State University