Changes between Version 1 and Version 2 of AmazonWebServices


Ignore:
Timestamp:
08/06/14 11:22:43 (6 years ago)
Author:
dabantz@…
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • AmazonWebServices

    v1 v2  
    33 
    44http://blogs.aws.amazon.com/security/post/TxRTTT5PLUE6B5/How-to-use-Shibboleth-for-single-sign-on-to-the-AWS-Management-Console 
     5 
     6Following this documentation, the following has been done as of 2014-08-06: 
     7 
     81.  AWS metadata from  https://signin.aws.amazon.com/static/saml-metadata.xml added directly to sp-metadata.xml in the metadata directory of the IdP home (/opt/shibboleth-idp/metadata/). 
     9 
     10 Note that this metadata includes a certificate with indicated use of signing, but not encryption. 
     11{{{ 
     12<?xml version="1.0"?> 
     13<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:amazon:webservices" validUntil="2015-03-24T20:30:16Z"> 
     14  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAssertionsSigned="true"> 
     15    <KeyDescriptor use="signing"> 
     16      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
     17        <ds:X509Data> 
     18          <ds:X509Certificate>MIIEHjCCAwagAwIBAgIJAIjJINkOERkDMA0GCSqGSIb3DQEBBQUAMGcxCzAJBgNV 
     19BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMSIwIAYDVQQKExlBbWF6b24gV2Vi 
     20IFNlcnZpY2VzLCBJbmMuMR8wHQYDVQQDExZ1cm46YW1hem9uOndlYnNlcnZpY2Vz 
     21MB4XDTE0MDMyNDIwMzAxNloXDTI0MDMyMTIwMzAxNlowZzELMAkGA1UEBhMCVVMx 
     22EzARBgNVBAgTCldhc2hpbmd0b24xIjAgBgNVBAoTGUFtYXpvbiBXZWIgU2Vydmlj 
     23ZXMsIEluYy4xHzAdBgNVBAMTFnVybjphbWF6b246d2Vic2VydmljZXMwggEiMA0G 
     24CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCwIwOsH62akokz5AM/RU4GtjHCYiDV 
     25QY5KVGk7E3zhiYzOcZ/7T71eSqwzrqwDBg2W+N5TFpFPKcEj5ADmoSlJX2y+nCcP 
     26SpnFWycn57fnw3kv4oAQZ9iH+BhxGmcs2fsnNgX7RNXm+b1P6ZQTVF0MMR/N1VBm 
     27gUD1fixTFFQ5JxXfd9mSmG+CvwVmi2RE8Y4Jn4c2X8IBa436iHqtpRknEcWM6rhB 
     28zh6/qKXoyhHe8ffbRHM2GHkhCXKobckFIIxpWzJV2WxlhZLAp0j9tmsGbdbnV1j+ 
     29ZU3Eu0JAm1hJLGJRj+v7CM2W0oHalhVDlMjH6twxi9uQuVlRHUwAk2cXAgMBAAGj 
     30gcwwgckwHQYDVR0OBBYEFNhl+SOtTnyOnX+HifYhgheCi9CcMIGZBgNVHSMEgZEw 
     31gY6AFNhl+SOtTnyOnX+HifYhgheCi9CcoWukaTBnMQswCQYDVQQGEwJVUzETMBEG 
     32A1UECBMKV2FzaGluZ3RvbjEiMCAGA1UEChMZQW1hem9uIFdlYiBTZXJ2aWNlcywg 
     33SW5jLjEfMB0GA1UEAxMWdXJuOmFtYXpvbjp3ZWJzZXJ2aWNlc4IJAIjJINkOERkD 
     34MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADvw37bqUJKZWp5mG+sA 
     35MHWj4tJHlTOyj4WZN5osNq06pTFupRPZ/Rsq/p2VEiemcawNXsKc1uIqECFEQacB 
     36w9eySLjBbhYYSB3YMwKdCBlztcgqtftbXCuD8X1uCigf19BdE+Pe2bWDKdCfRs8B 
     37CSRd1dS6HNGOVWE7k2F7ji91qQFS24MUxsjowGUAiqmF77TpmWCEVki9oZ7yVQya 
     38Z0BeLBnb2cplXake+tD/Vi1drc8E4rgJZjNAbTkoKEw0puVe5bq9Zm9SZrfzk6d3 
     39k7oa2zm4ccDLF3KR0WM9slt/aaHNce/rCtGhGkdCRlpmoceE1sBsYDFQEAIlrBnH 
     40TmE=</ds:X509Certificate> 
     41        </ds:X509Data> 
     42      </ds:KeyInfo> 
     43    </KeyDescriptor> 
     44    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> 
     45    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> 
     46    <AssertionConsumerService index="1" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://signin.aws.amazon.com/saml"/> 
     47    <AttributeConsumingService index="1"> 
     48      <ServiceName xml:lang="en">AWS Management Console Single Sign-On</ServiceName> 
     49      <RequestedAttribute isRequired="true" Name="https://aws.amazon.com/SAML/Attributes/Role" FriendlyName="RoleEntitlement"/> 
     50      <RequestedAttribute isRequired="true" Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" FriendlyName="RoleSessionName"/> 
     51      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation"/> 
     52      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" FriendlyName="eduPersonNickname"/> 
     53      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" FriendlyName="eduPersonOrgDN"/> 
     54      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" FriendlyName="eduPersonOrgUnitDN"/> 
     55      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" FriendlyName="eduPersonPrimaryAffiliation"/> 
     56      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/> 
     57      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement"/> 
     58      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" FriendlyName="eduPersonPrimaryOrgUnitDN"/> 
     59      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation"/> 
     60      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID"/> 
     61      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance"/> 
     62      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.2" FriendlyName="eduOrgHomePageURI"/> 
     63      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.3" FriendlyName="eduOrgIdentityAuthNPolicyURI"/> 
     64      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.4" FriendlyName="eduOrgLegalName"/> 
     65      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.5" FriendlyName="eduOrgSuperiorURI"/> 
     66      <RequestedAttribute isRequired="false" Name="urn:oid:1.3.6.1.4.1.5923.1.2.1.6" FriendlyName="eduOrgWhitePagesURI"/> 
     67      <RequestedAttribute isRequired="false" Name="urn:oid:2.5.4.3" FriendlyName="cn"/> 
     68    </AttributeConsumingService> 
     69  </SPSSODescriptor> 
     70  <Organization> 
     71    <OrganizationName xml:lang="en">Amazon Web Services, Inc.</OrganizationName> 
     72    <OrganizationDisplayName xml:lang="en">AWS</OrganizationDisplayName> 
     73    <OrganizationURL xml:lang="en">https://aws.amazon.com</OrganizationURL> 
     74  </Organization> 
     75</EntityDescriptor> 
     76 
     77}}} 
     78 
     792.  Custom relying party configuration was added to relying-party.xml to enable unencrypted SAML responses. 
     80{{{ 
     81<!-- Amazon Web Services (AWS) provides no encryption cert, so diable encryption --> 
     82   <RelyingParty id="urn:amazon:webservices" 
     83       provider="urn:mace:incommon:alaska.edu" 
     84       defaultSigningCredentialRef="IdPCredential" 
     85       defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"> 
     86      <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" /> 
     87   </RelyingParty> 
     88 
     89}}} 
     90 
     913. New attributes created in attribute-resolver.xml with names required by AWS.   
     92 
     93  The AWSrole is mapped from group membership in LDAP; initially only a single mapping is included, so additional roles will have to be mapped and added to this attribute definition as they are deployed.  Of course the assignment of roles requires adding the group corresponding to the role and adding individual people to those groups. 
     94 
     95{{{ 
     96 <!-- AWS requires each authorized user to have one or more roles matching a role names created in AWS. 
     97     We use of group memberships reflected as values in the "eduIsMemberOf" LDAP attribute 
     98      
     99     This attribute will remain with a null value if the user hasn't been explicitly put into any such applicable group,  
     100     meaning they will not be authorized in AWS and may receive an error from AWS  
     101     --> 
     102    <resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" 
     103                           id="AWSrole" 
     104                           sourceAttributeID="isMemberOf"> 
     105        <resolver:Dependency ref="myLDAP" /> 
     106        <resolver:Dependency ref="isMemberOf" /> 
     107 
     108        <!-- SAML 2 (only) encoder for the attribute --> 
     109         <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" 
     110                       name="https://aws.amazon.com/SAML/Attributes/Role" 
     111                               friendlyName="AWSrole" /> 
     112 
     113        <!-- Note we don't want to have any default value for this mapping, as there 
     114          will be many group memberships that don't have any applicability to AWS. 
     115        --> 
     116 
     117        <!-- map group 'cn=aws:role:role-name' to defined AWSrole attribute format --> 
     118        <ValueMap> 
     119          <ReturnValue>arn:aws:iam::688521806680:role/oit-admin,arn:aws:iam::688521806680:saml-provider/urn:mace:incommon:alaska.edu</ReturnValue> 
     120          <SourceValue ignoreCase="true">cn=aws:688521806680:role:oit-admin,ou=group,dc=alaska,dc=edu</SourceValue> 
     121        </ValueMap> 
     122 
     123    </resolver:AttributeDefinition> 
     124}}} 
     125 The AWSsessionID appears to be intended to link activity to a user; we agreed to use the scoped version of the user's BannerID as it is unchanging. 
     126 
     127{{{ 
     128<!-- AWS "Role Session Name" is an identifier for the session; AWS docs suggest individual identifier like username or email --> 
     129<!-- We'll use the persistent uakPersonID or eduPersonUniqueID to facilitate persistence of name for audit --> 
     130<resolver:AttributeDefinition id="AWSsessionID" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="eduPersonUniqueId"> 
     131<resolver:Dependency ref="eduPersonUniqueId" /> 
     132<resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" friendlyName="AWSsessionID" /> 
     133</resolver:AttributeDefinition> 
     134 
     135    <resolver:AttributeDefinition id="ADmemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="memberOf"> 
     136        <resolver:Dependency ref="uaADLDAP" /> 
     137        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.2.840.113556.1.2.102" friendlyName="ADmemberOf" /> 
     138    </resolver:AttributeDefinition> 
     139 
     140}}} 
     141 
     1424. An attribute release policy currently releases ONLY these required custom attributes. 
     143 
     1445. AWS apparently cannot initiate a request to the IdP, so we use "unsolicited" SSO.  The following URL initiates such a request and relays the SAML to the appropriate end point specified in the AWS metadata. 
     145 
     146{{{ 
     147https://idp.alaska.edu/idp/profile/SAML2/Unsolicited/SSO?providerId=urn%3Aamazon%3Awebservices 
     148}}} 
     149 
     150As of 2014-08-06, this URL and IdP configuration generate a SAML assertion to the AWS signin page.  The AWS responds with a "500" internal server error.  DJD is working with AWS to diagnose.