By: Mark Haskins user 08 Jul 2017 at 8:07 a.m. CDT

10 Responses
Hi, I'm attempting to set up SSO to AWS using the SAML functionality in Gluu. This ticket in some regards mirrors this ticket, https://support.gluu.org/single-sign-on/3887/sso-to-aws/, the only difference is that I don't want to hard code a Default value for the awsRole attribute, I want to return it dynamically. So in the attribute-resolver file I have this:

```xml
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="displayName">
    <resolver:Dependency ref="siteLDAP2"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::<>:role/SSO-admin,arn:aws:iam::<>:saml-provider/DevOpsSSO</ad:ReturnValue>
        <ad:SourceValue>awsdev-admin</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::<>:role/SSO-admin,arn:aws:iam::<>:saml-provider/DevOpsSSO</ad:ReturnValue>
        <ad:SourceValue>awsprd-admin</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::<>:role/SSO-admin,arn:aws:iam::<>:saml-provider/DevOpsSSO</ad:ReturnValue>
        <ad:SourceValue>awsops-admin</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
```

What I am trying to achieve here is to take the displayName from a group defined in Gluu, and return some information depending on whether the user is a member of the group. To do this I have created a new DataConnector that has a reference to the default one. The default one has been configured to return cn and inum. What I'm trying to do in this connector is return all the groups that the inum (the user) belongs to, so I can filter in the AttributeDefinition.

```xml
<!-- Second connector: the awsRoles definition depends on "siteLDAP2", and this
     connector depends on the default "siteLDAP" connector, so its id is siteLDAP2
     (the posted snippet had id="siteLDAP", which made it depend on itself). -->
<resolver:DataConnector id="siteLDAP2" xsi:type="dc:LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
    <dc:Dependency ref="siteLDAP" />
    <dc:FilterTemplate>
        <![CDATA[
            (&(objectClass=gluuGroup)(member=inum=${siteLDAP.get(2)}))
        ]]>
    </dc:FilterTemplate>
    <dc:StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
        <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
    </dc:StartTLSTrustCredential>
</resolver:DataConnector>
```

I have had something similar working before in a stand-alone instance of Shibboleth by creating a 2nd DataConnector and using this CDATA:

```
(&(objectClass=groupOfNames)(member=uid=${requestContext.principalName},ou=people,dc=a,dc=b,dc=c))
```

Am I going about this the correct way? Is there a better way of doing this? Regards, Mark

By Mohib Zico Account Admin 08 Jul 2017 at 8:43 a.m. CDT

AWS SSO is actually pretty easy, we are going to publish a doc soon. There you don't have to touch any configuration file for manual editing.

By Mark Haskins user 08 Jul 2017 at 10:09 a.m. CDT

Hi, thanks for the response. That sounds great. Any idea when that would be available? I'd be happy to 'beta test' the docs for you. Will this process allow me to provide multiple strings for different roles based on what groups a user is a member of? Thanks, Mark

By Mohib Zico Account Admin 08 Jul 2017 at 10:10 a.m. CDT

By next week; we will inform you here when the doc is ready publicly.

By Mark Haskins user 08 Jul 2017 at 10:10 a.m. CDT

thanks

By William Lowe user 10 Jul 2017 at 4:53 p.m. CDT

Hi Mark, You can view the [aws how to doc here](https://github.com/GluuFederation/docs-ce-prod/blob/3.0.2/3.0.2/source/integration/saas/aws.md). Will be live on our docs site later this afternoon or tomorrow. Let us know how it goes for you. Thanks, Will

By Mark Haskins user 11 Jul 2017 at 2:05 a.m. CDT

Hi William, thanks for the response. I've had a quick look over the document and it does look simple. I am however not sure that it meets my requirements. I have multiple AWS accounts which I want to allow a user to SSO into. Your instructions look to only provide access to a single account. In my original request I was trying to dynamically create the RoleEntitlement attribute based on the groups a user was a member of. Each group was for a different AWS account. Looking at the instructions, what would happen if I set Multivalued as an attribute option? Would I be able to define multiple Entitlements for a user? Do you think it would be accepted by AWS? Thanks, Mark

By Mohib Zico Account Admin 11 Jul 2017 at 2:10 a.m. CDT

Hi Mark,

> Your instructions look to only provide access to a single account.

Yes, the purpose of this public doc is to give a guideline and/or provide a starter key.

> Looking at the instructions, what would happen if I set Multivalued as an attribute option? Would I be able to define multiple Entitlements for a user? Do you think it would be accepted by AWS?

I think Amazon can answer that best; we haven't tried it.

By Mark Haskins user 11 Jul 2017 at 6:01 a.m. CDT

Hi Mohib, thanks for the response. I guess I need to return to my original idea. Using a DataConnector, how can I return the groups that a user is a member of? As I said above, I've managed to do this with Shibboleth but your schematic is different. Mark
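The two things Mark is wiring together in the attribute-resolver (the group lookup filter in the second DataConnector, and the ad:Mapped ValueMaps that turn a group name into an AWS `role-arn,provider-arn` value) can be checked outside the IdP. The following is an added example, not code from Gluu, Shibboleth or this thread: it reproduces both steps in Python over a constructed in-memory copy of the directory so the expected multivalued Role attribute can be seen before any SAML assertion is sent. Every inum, DN, group name and 12-digit account id in it is a placeholder. It assumes, as in the Shibboleth `groupOfNames` filter quoted above, that a gluuGroup's `member` attribute holds the user's full DN, so the filter value has to be the full DN rather than just `inum=<inum>`; and it assumes the AWS Role attribute may carry several values, which AWS resolves by showing the user a role picker. The validation step rejects values where the role and the SAML provider are in different accounts, and values that still contain the `<>` placeholder.

```python
import re

# Constructed stand-in for the Gluu LDAP tree: every inum, DN and AWS account
# id below is a placeholder, not a value from a real deployment.
PEOPLE_BASE = "ou=people,o=gluu"
DIRECTORY = [
    {"dn": "inum=@!0000.USER1,ou=people,o=gluu", "objectClass": ["gluuPerson"]},
    {"dn": "inum=@!0000.USER2,ou=people,o=gluu", "objectClass": ["gluuPerson"]},
    {"dn": "inum=@!0000.GRP1,ou=groups,o=gluu", "objectClass": ["gluuGroup"],
     "displayName": "awsdev-admin",
     "member": ["inum=@!0000.USER1,ou=people,o=gluu",
                "inum=@!0000.USER2,ou=people,o=gluu"]},
    {"dn": "inum=@!0000.GRP2,ou=groups,o=gluu", "objectClass": ["gluuGroup"],
     "displayName": "awsprd-admin",
     # DN case and spacing differ on purpose: LDAP DN matching ignores both.
     "member": ["INUM=@!0000.USER1, ou=people, o=gluu"]},
    {"dn": "inum=@!0000.GRP3,ou=groups,o=gluu", "objectClass": ["gluuGroup"],
     "displayName": "awsops-admin",
     "member": ["inum=@!0000.USER2,ou=people,o=gluu"]},
    {"dn": "inum=@!0000.GRP4,ou=groups,o=gluu", "objectClass": ["gluuGroup"],
     "displayName": "wiki-editors",          # deliberately has no AWS mapping
     "member": ["inum=@!0000.USER1,ou=people,o=gluu"]},
]

# Python form of the ad:Mapped ValueMaps: group displayName -> (account, role,
# provider). The placeholder account ids stand in for the "<>" in the post.
ROLE_MAP = {
    "awsdev-admin": ("111111111111", "SSO-admin", "DevOpsSSO"),
    "awsprd-admin": ("222222222222", "SSO-admin", "DevOpsSSO"),
    "awsops-admin": ("333333333333", "SSO-admin", "DevOpsSSO"),
}

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Role ARN and provider ARN must be in the same account (backreference \1).
# The comma is excluded from the role name because it is the separator AWS
# splits the value on.
ROLE_VALUE_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/[\w+=.@-]+,arn:aws:iam::\1:saml-provider/[\w._-]+$")


def normalize_dn(dn):
    """Approximate LDAP DN matching: case-insensitive, no space around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_for_user(user_inum, entries=DIRECTORY):
    """Equivalent of (&(objectClass=gluuGroup)(member=<full user DN>)).
    Because member holds the full DN, the filter must compare the full DN."""
    user_dn = normalize_dn(f"inum={user_inum},{PEOPLE_BASE}")
    names = []
    for entry in entries:
        if "gluuGroup" not in entry.get("objectClass", []):
            continue
        if any(normalize_dn(m) == user_dn for m in entry.get("member", [])):
            names.append(entry["displayName"])
    return sorted(names)


def role_values(group_names, role_map=ROLE_MAP):
    """One 'role-arn,provider-arn' value per mapped group. Unmapped groups are
    skipped (fail closed) and duplicates dropped so AWS sees each role once."""
    values = []
    for name in group_names:
        if name not in role_map:
            continue
        account, role, provider = role_map[name]
        value = (f"arn:aws:iam::{account}:role/{role},"
                 f"arn:aws:iam::{account}:saml-provider/{provider}")
        if value not in values:
            values.append(value)
    return values


def is_valid_role_value(value):
    """True only for a well-formed same-account role/provider pair."""
    return ROLE_VALUE_RE.match(value) is not None


def role_attribute(user_inum, entries=DIRECTORY, role_map=ROLE_MAP):
    """Multivalued Role attribute for a user; refuse to emit a malformed value."""
    values = role_values(groups_for_user(user_inum, entries), role_map)
    bad = [v for v in values if not is_valid_role_value(v)]
    if bad:
        raise ValueError(f"malformed Role value(s): {bad}")
    return {ROLE_ATTR: values}


if __name__ == "__main__":
    for inum in ("@!0000.USER1", "@!0000.USER2"):
        print(inum, role_attribute(inum))
```

USER1 is in two mapped groups and one unmapped group, so the attribute carries exactly two values, one per AWS account; a user in no mapped group gets an empty list, which should translate into the attribute being omitted rather than a value with an unfilled placeholder.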

By Mark Haskins user 12 Jul 2017 at 2:27 p.m. CDT

Closing

By William Lowe user 12 Jul 2017 at 2:29 p.m. CDT

Thanks, Mark. We would be interested to hear how it goes, and if you think it makes sense, we could potentially host a doc about your use case as well. Thanks, Will