By: Alex Mayanov user 17 Mar 2017 at 7:01 a.m. CDT

7 Responses
Hello! I'm trying to set up Web SSO for AWS (Amazon Web Services) with Gluu IDP. AWS uses SAML for SSO. As described in the AWS IAM docs, the IDP should send at least one special attribute in the assertion response. This attribute is Role (if I'm correct, the official attribute name is 'https://aws.amazon.com/SAML/Attributes/Role'). I tried different ways and I still can't correctly configure Gluu to provide this attribute. I see SAML responses from the IDP and don't see the desired attribute. Can somebody give me some hints on how to do this correctly? Thanks!

By Aliaksandr Samuseu staff 17 Mar 2017 at 1:15 p.m. CDT

Hi, Alex. Please share all docs involved in your project so we could correctly evaluate and reproduce your issue.

By Michael Schwartz Account Admin 17 Mar 2017 at 3:57 p.m. CDT

Alex, you can add a custom attribute. We are currently updating the doc on how to do this, but in a nutshell:

1. Create digitFlakPerson in OpenLDAP with this custom attribute "role". See the OpenLDAP docs for instructions on how to do this.
2. Make sure digiFlakPerson is added to the JSON config for oxTrust (and maybe oxAuth too).
3. "Register" the role attribute in the oxTrust admin UI in the attributes section.

BTW, Amazon also supports OpenID Connect. But you still may need to create a custom attribute (and even a custom scope).

By Alex Mayanov user 17 Mar 2017 at 4:06 p.m. CDT

Hi, Aliaksandr! Thank you for your reply! First, for AWS the main doc is here: [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html). This is the source of the other related docs about configuring AWS. As described in these docs, I created a SAML provider and the role for SAML access in AWS IAM. Now I'm trying to configure Gluu. Because the SAML engine in Gluu is Shibboleth, I use docs about configuring Shibboleth with AWS. For example:

- [http://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf](http://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf)
- [https://community.jisc.ac.uk/system/files/222/experiences-aws-shibboleth.pdf](https://community.jisc.ac.uk/system/files/222/experiences-aws-shibboleth.pdf)
- [https://community.jisc.ac.uk/system/files/1654/AWS-Shib%20%28v1.0%29.pdf](https://community.jisc.ac.uk/system/files/1654/AWS-Shib%20%28v1.0%29.pdf)

Using these docs and the Gluu docs I created a Trust Relationship for AWS via the Gluu configuration GUI. I also created a custom attribute (named awsRoles) via the Gluu configuration GUI and configured it as a Released Attribute for the previously created relationship. I also tried to assign the value for this attribute by changing _/opt/apache-tomcat-7.0.65/conf/shibboleth2/idp/attribute-resolver.xml.vm_, where I added the following lines:

```
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('awsRoles')) )
...
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP"></resolver:Dependency>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role"></resolver:AttributeEncoder>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::XXXXXXXXXXXX:saml-provider/myGluu,arn:aws:iam::XXXXXXXXXXXX:role/RoleForMyGluuUsers</ad:ReturnValue>
        <ad:SourceValue>cn=AWS ([^,]*),.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
```

XXXXXXXXXXXX is replaced by my AWS ID. I used mail as the source of the value and I'm not sure that it is correct. But the value is hardcoded and I think that the source value is unnecessary. And I try to use a URL like this: _https://MyIdP/idp/profile/SAML2/Unsolicited/SSO?providerId=urn:amazon:webservices_, but I see an error message from AWS: _**Error: Your request included an invalid SAML response.**_ Error messages are described here: [http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html](http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml.html). Using the browser's SAML tools I captured SAML assertions from my Gluu and I don't see Subjects with awsRoles.

By Alex Mayanov user 17 Mar 2017 at 4:20 p.m. CDT

Michael, thank you! I will try to follow your advice with OpenLDAP attributes and oxTrust. I will also try to use OpenID Connect.

By Aliaksandr Samuseu staff 17 Mar 2017 at 4:47 p.m. CDT

Thanks. Please note that Michael's suggestions seem to be intended for Gluu CE 3.0.1, which is the latest package and uses OpenLDAP internally. In your first post you specified Gluu CE 2.4.3 as your current package (which is not even the most recent 2.4.x package, and using 2.4.x in new setups is not recommended in itself). 2.4.3 packages use OpenDJ as the internal LDAP directory by default. If possible, you should switch to 3.0.1 by reinstalling from scratch before you invest too much effort in configuring it.

By Alex Mayanov user 18 Mar 2017 at 8:54 a.m. CDT

I resolved my problems. I just want to clarify what I did; maybe it will help somebody in the future. The main problem was in Shibboleth attribute resolving. It was impossible to map _mail_ to _awsRoles_. I added a _DefaultValue_ tag with the desired value:

```
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="mail">
    <resolver:Dependency ref="siteLDAP"></resolver:Dependency>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role"></resolver:AttributeEncoder>
    <ad:DefaultValue>arn:aws:iam::XXXXXXXXXXXX:saml-provider/myGluu,arn:aws:iam::XXXXXXXXXXXX:role/RoleForMyGluuUsers</ad:DefaultValue>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::XXXXXXXXXXXX:saml-provider/myGluu,arn:aws:iam::XXXXXXXXXXXX:role/RoleForMyGluuUsers</ad:ReturnValue>
        <ad:SourceValue>cn=AWS ([^,]*),.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
```

I also added the attribute _awsRoleSessionName_ to identify the user in AWS:

```
#if( ! ($attribute.name.equals('transientId') or $attribute.name.equals('awsRoles') or $attribute.name.equals('awsRoleSessionName')) )
...
<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="mail"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" friendlyName="RoleSessionName"/>
</resolver:AttributeDefinition>
```

And I created the same attribute in the oxTrust console and linked it with the Trust Relationship for AWS. I also linked _TransientId_ with this Trust Relationship. The next steps will be concerned with making the role mapping more flexible. Thanks for the help anyway!

By Aliaksandr Samuseu staff 18 Mar 2017 at 9:12 a.m. CDT

Thanks for the heads-up, Alex. One question so far:

> It was impossible to map mail to awsRoles.

What was the problem? Why couldn't you use something simple like

```
<resolver:Dependency ref="mail"/>
```

...which you used for your second `awsRoleSessionName` attribute?
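Added example (not code from the thread, Gluu or Shibboleth): a Python model of the `ad:Mapped` definition from Alex's posts, showing why a regex `ValueMap` over `mail` yields nothing until `DefaultValue` is added, and how the same map over group DNs (assumed `memberOf` values and a constructed account id) yields one Role value per matching group, plus a check of the provider/role ARN pair format the IAM docs describe.

```python
import re

# Constructed sample data (not from the thread): a fake 12-digit AWS account
# id combined with the ARN names Alex used in his posts.
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/myGluu"
DEFAULT_VALUE = f"{PROVIDER_ARN},arn:aws:iam::{ACCOUNT}:role/RoleForMyGluuUsers"

# One ad:ValueMap, generalised from the thread's SourceValue regex so that a
# group DN such as cn=AWS-Admins,ou=groups,o=gluu yields the role "Admins".
VALUE_MAPS = [
    (re.compile(r"cn=AWS-([^,]*),.*"),
     f"{PROVIDER_ARN},arn:aws:iam::{ACCOUNT}:role/$1"),
]

def mapped_attribute(source_values, value_maps, default=None):
    """Simplified ad:Mapped semantics: each source value is tested against every
    ad:SourceValue regex (whole-value match) and a hit emits the ad:ReturnValue
    with $1 replaced; if nothing matched, ad:DefaultValue is the only result."""
    out = []
    for value in source_values:
        for regex, ret in value_maps:
            m = regex.fullmatch(value)
            if m:
                out.append(ret.replace("$1", m.group(1)))
    if not out and default is not None:
        out.append(default)
    return out

# An IAM ARN for a SAML provider or a role (name character set simplified).
_ARN = r"arn:aws:iam::(\d{12}):(saml-provider|role)/[\w+=.@/-]+"
PAIR_RE = re.compile(rf"^({_ARN}),({_ARN})$")

def valid_role_value(value):
    """A Role value pairs one saml-provider ARN with one role ARN from the same
    account; a malformed pair is one cause of AWS's "invalid SAML response"."""
    m = PAIR_RE.fullmatch(value)
    if not m:
        return False
    kinds = {m.group(3), m.group(6)}
    return m.group(2) == m.group(5) and kinds == {"saml-provider", "role"}

if __name__ == "__main__":
    # With sourceAttributeID="mail" the regex never matches an address, so
    # only the DefaultValue reaches the assertion (the thread's workaround).
    print(mapped_attribute(["alex@example.com"], VALUE_MAPS, DEFAULT_VALUE))
    # With sourceAttributeID="memberOf" each matching group yields one value.
    groups = ["cn=AWS-Admins,ou=groups,o=gluu", "cn=Staff,ou=groups,o=gluu"]
    for v in mapped_attribute(groups, VALUE_MAPS):
        print(v, valid_role_value(v))
```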