Changes between Version 2 and Version 3 of AmazonWebServices

Timestamp:

08/12/14 09:13:19 (10 years ago)

Author:

dabantz@…

Comment:

--

AmazonWebServices

@@ -117 +117 @@
         <!-- map group 'cn=aws:role:role-name' to defined AWSrole attribute format -->
         <ValueMap>
-          <ReturnValue>arn:aws:iam::688521806680:role/oit-admin,arn:aws:iam::688521806680:saml-provider/urn:mace:incommon:alaska.edu</ReturnValue>
-          <SourceValue ignoreCase="true">cn=aws:688521806680:role:oit-admin,ou=group,dc=alaska,dc=edu</SourceValue>
+           <ReturnValue>arn:aws:iam::688521806680:role/$1,arn:aws:iam::688521806680:saml-provider/OITshibb</ReturnValue>
+          <SourceValue ignoreCase="true">cn=aws:688521806680:role:(.*?),ou=group,dc=alaska,dc=edu</SourceValue>
         </ValueMap>
 
@@ -140 +140 @@
 }}}
 
-4. An attribute release policy currently releases ONLY these required custom attributes.
+4. An attribute release policy currently releases ONLY these required custom attributes plus the opaque transientId used for the NameID in the subject portion of the SAML assertion.
 
 5. AWS apparently cannot initiate a request to the IdP, so we use "unsolicited" SSO.  The following URL initiates such a request and relays the SAML to the appropriate end point specified in the AWS metadata.
@@ -148 +148 @@
 }}}
 
-As of 2014-08-06, this URL and IdP configuration generate a SAML assertion to the AWS signin page.  The AWS responds with a "500" internal server error.  DJD is working with AWS to diagnose. 
+As of 2014-08-12, this URL and IdP configuration logs UA users into AWS and presents roles corresponding to their group memberships.